Tons of bots creating and abandoning carts

Blakem2244
Shopify Partner
2 0 10

Over the last few weeks, I've had a massive influx of bots with similar names and addresses adding low price products to carts and then abandoning them. I've spoken with Shopify support regarding this issue and all they could tell me was to "install bot protection apps" and to turn on re-captcha. Neither has worked.

 

Almost all the emails are a name with three numbers after (ex. allen690@yahoo.com) and the address is typically empty or is: 

House Number 43, Gray Colony
Bellevue Washington 98006
United States

 

I dived into the source of these bots by going to customer->select a bot->request customer data, and it says creation source is "Shopify App". Any ideas on how to fix this? These are destroying my conversion rate numbers which are an important metric we use for tracking.

JanVeroti
Shopify Partner
20 1 94

You’re not alone — we’re seeing the increased bot activity across our Shopify Plus store.

We’ve spent weeks working with third-party bot detection providers and even escalated to Shopify Plus support — and here’s what we found:

 

  • The bots are using over 18,000 rotating IPs and common browser user agents, making them indistinguishable from real users

  • They are hitting storefront pages, polluting analytics and funnel data, then triggering backend cart events directly

  • Apps and captchas do not stop them — they bypass the UI entirely

  • The only viable solution is at the Cloudflare WAF layer, which only Shopify controls

Unfortunately, Shopify support has declined to take action at the platform level, instead pointing merchants to apps that can’t technically stop these bots. We’ve now published a public call to action here on the forum outlining the problem, solution, and Shopify’s reluctance to implement a proper fix: https://community.shopify.com/c/shopify-discussions/shopify-bot-exploit-add-to-cart-abuse-is-corrupt...

 

If you’re affected, please comment and upvote the post. We believe this is a platform-wide security issue, and the more voices involved, the harder it will be for Shopify to ignore.

 

Let’s get this fixed — together.

CloudMinion
Excursionist
17 0 25

Yep, we’ve now been getting up to 400 Bot Add to Cart hits a Day! Including the House Number 43 one. Most seem to be from Bellevue, WA, but filtering for this is just silly. Upgrading to a $2,300/month Plus plan to protect our customers is NOT an appropriate answer from Shopify. This clearly seems to be a way to test Stolen Credit Cards since they seem to stop at the checkout page. Thanks a lot for showing us how important we are to you after years of being faithful customers who recommend you to everyone else, Shopify. This is NOT acceptable for a mature platform of your size and will only drive us to have to put more of our efforts into the evil Bezos beast instead. 😢

JeremyRoberts
Excursionist
25 0 23

We are seeing EXACTLY the same issue.
More than 1000 bot customers added per day. Every day, since November 2024.
Our Shopify store (not plus) is tightly integrated with Klaviyo, and in Klaviyo we are seeing bot events that begin in checkout without any page visits (added to cart, checkout started), as well as "fake" form events (from Shopify).

The bots are not adding payment info or trying to run credit cards...
Can't figure out WHY they are here.
 
99% of the bots do not have a first or last name, so my methods have included adding filters to Klaviyo flows to trap no-FirstName-set profiles to its own list, then a flow that deletes the profiles via webhook.
We also have a Shopify FLOW workflow that deletes Shopify customers with 0 orders.
BUT THIS does not help us avoid corrupting the Klaviyo metrics with BOUNCES for checkout started flows and browse abandon flows.
And this does not circumvent or solve for the bots who use a name and look like they complete a Klaviyo form and checkout started. These are the profiles that can't be solved by automation.

Klaviyo has been as helpful as they can be, but this is NOT their problem.
But as long as we are syncing Shopify to Klaviyo (backfill checkout form content) - it is corrupting the Klaviyo metrics AND ALL RELATED merchant -created customer lists for advertising.

 

Shopify refuses to accept any responsibility for this. I have opened cases going back to November.
I added "Negate Bot Protection" app. But it does not do anything in checkout. Where this is all happening.

They appear to have entirely disappeared as of Friday 09-MAY-2025, approx 11:30am EDT -- but that was short-lived, and a few days later they came back with a vengeance!

I have tried everything.

@JanVeroti the WAF technique in my opinion is tossing the baby out with the bathwater. ESPECIALLY if using a backfill to Klaviyo.

Now, we COULD disable the backfill to Klaviyo, and that would probably eliminate the risk of bounces and bad data in Klaviyo. BUT - we lose the real customer metrics.

I am also part of a global group of merchants that are also experiencing this. We are all seeing similar issues.
Where is Shopify Engineering?


I can share my Klaviyo flows and filters... but this REALLY needs to be solved at the source.
HOW can Shopify permit this traffic to infiltrate and contaminate the servers and all the merchant data?
HEEEEEEELLLLLPPPPP us Shopify?

JanVeroti
Shopify Partner
20 1 94

Hi Jeremy.

You need to push a custom “bot” metric into Klaviyo and create a segment of those profiles (you can do that using Shopify Flow). Be sure to exclude this segment from all automated flows. The reason is that the sync delay between Shopify/Flow automation and Shopify-to-Klaviyo can still cause bot profiles to be pushed into your email lists. This is critical because maintaining your email sending reputation is key — if it drops, you’ll need to re-warm your list, which is a slow and painful process.

See my full reply that has this part as well on this thread: https://community.shopify.com/c/shopify-discussions/shopify-bot-exploit-add-to-cart-abuse-is-corrupt...

MaxIntegrations
Shopify Partner
3 0 0

Hey all, we have had the same issue for almost 2 months. We have finally resolved it by setting up an O2O proxy with CloudFlare to Shopify's CloudFlare instance and configuring just 1 simple WAF rule. Feel free to contact me with questions, or contract my services to quickly get it set up for you!

 

If you'd like to contact me, my email address is max@maxintegrations.net

jrobles2025
Visitor
1 0 0

Same here, 

We noticed an abnormal growth in traffic/subscribers, which consequently increases our Mailchimp bill because they charge per tier on the number of contacts. I doubt Mailchimp has anything to do with it, but bringing it up just in case it ends up being the common link among everyone... to increase our monthly bill.

Blakem2244
Shopify Partner
2 0 10

What are they attempting to do by adding products to their carts? My company sells fairly high value product ($1000) and what the bots add are accessories usually in the $100 range.

CloudMinion
Excursionist
17 0 25

Guessing testing Stolen Credit Cards? Apparently that’s not important enough for Shopify to try to protect us and save our analytics and ability to market to real customers who are considering Completing the Check Out Process.

Robert_Behnke
Excursionist
13 0 18

We are seeing the same. 100 per hour for a week. Before we caught it, our Checkout Abandon open rates collapsed completely as a big batch got sent emails. 

 

There are 3 types:

Those with address: House Number 43, Gray Colony, Bellevue Washington

Those with address: 23, Scottsdale, Happytown

Those with no address.

 

Almost all of them have an email format that includes 1-2 common names (first or last), and 3 numeric digits in various combinations. eg: smith.sanchez326@gmail.com, allen353taylor@yahoo.com 

 

Shopify Plus support told us they could not do much about it, that we should contract with a bot blocking app, but here's the reply we got from the best one our developer could recommend:

 

Our experts have reviewed your order and abandoned cart records, and we have confirmed that a bot is accessing your store. However, unlike typical bots, this one doesn't need to access your product pages and can directly enter the checkout through links like the one below:

Since Shopify does not allow any app to run on the checkout page, apps like ours, which block IPs and countries, can only run within the Shopify system (on Shopify pages); by the time the bot reaches Shopify, it’s too late to block them. You will need to install some WAF (Web Application Firewall) tools (such as Cloudflare or Sucuri; these are not Shopify Apps). These tools can intercept the bot requests before they reach Shopify, and in theory, they can block any malicious access you want to intercept. Only such tools can work.


If the only reason you installed our app is to block this bot, you may consider uninstalling our app, and choose a WAF product to resolve the issues your store is currently facing. If you encounter any issues related to blocking visitors or even with the WAF in the future, feel free to contact us anytime.

 

Haven't explored what a WAF is or how to install it yet....

 

Very disappointing that Shopify Plus doesn't make this an SOP.

JanVeroti
Shopify Partner
20 1 94

Yeah, once again Shopify is really showing how on top of things they are. Bot traffic corrupting analytics, inflating marketing spend, and interfering with storefronts — and the best their tech support can offer is “try an app” or “use checkout rules” (for bots that never even reach checkout). Brilliant.

 

Even escalating through Plus support and asking for help from management leads to radio silence. Really builds confidence in that “enterprise-level service,” doesn’t it?

 

Anyway, we’re currently setting up an external WAF solution since Shopify clearly isn’t stepping up. I’ll report back here once it’s running and let you all know how it goes.

Barry_Berhoff
Excursionist
13 0 14

Require customers to use email to log in to check out and it stops this bot.

 

JimmyLax
Shopify Partner
4 0 5

We are seeing 1,000+ of these per day since April 7th.  On our site they are not attempting to charge CCs, just starting checkout & add-to cart actions.   Are others seeing CC testing occurring? 

 

Shopify support has said they can't do anything because it isn't preventing normal checkouts.  I've had to turn off my abandoned cart emails to prevent damage to our email domain reputation. 

Robert_Behnke
Excursionist
13 0 18

One thing our email provider helped us do is separate abandon cart from abandon checkout email automations. A user exits from abandoned cart automation if they a) start checkout, or b) place an order. Since the bots are going direct to checkout, you can still capture people who are abandoning cart prior to checkout.

 

We then created a BOT segment in our email provider with rules - a) have not opened any message, b) have not placed an order, c) have not visited any URL on our website where URL does not contain 'checkout.' So now we filter out BOT segment from all sends. 

 

For the new abandon checkout automation, we then also created an exit rule where user exits the automation if a) places order, or b) enters segment 'BOT' 

 

This is not ideal, but it's allowed us to resume more or less normal email marketing. There may be a few legit users that get swept up in the BOT segment but i think it's very few if any.

Robert_Behnke
Excursionist
13 0 18

One thing our email provider helped us do is separate abandon cart from abandon checkout email automations. A user exits from abandoned cart automation if they a) start checkout, or b) place an order. Since the bots are going direct to checkout, you can still capture people who are abandoning cart prior to checkout.

 

We then created a BOT segment in our email provider where they have to match all of these rules (and joiners).  a) have not opened any message, b) have not placed an order, c) have not visited any URL on our website where URL does not contain 'checkout.' Now we filter out BOT segment from all sends. 

 

Then for the newly created abandon checkout automation, we then also created an exit rule where user exits the automation if a) places order, or b) enters segment 'BOT' 

 

This is not ideal, but it's allowed us to resume more or less normal email marketing. There may be a few legit users that get swept up in the BOT segment but i think it's very few if any.

 

But if Shopify truly wants to live up to its reputation as world-class e-commerce, they should not force us to contract with third parties like Cloudflare to handle what should be a very SOP thing.
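The indicators and segment rules described in the posts above (name-plus-three-digit e-mails, the two recurring addresses, missing names, no page views outside checkout) can be combined into one scoring pass over exported customer records. This is an added example, not code from any poster or from Shopify; the record fields, labels and threshold are assumptions, and the `example.*` records are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the posts above; field names are assumed, not a Shopify schema.
KNOWN_BOT_ADDRESSES = ("house number 43 gray colony", "23 scottsdale happytown")
# One or two name-like tokens plus exactly three digits: allen690, smith.sanchez326,
# allen353taylor. Real people match this too, so it is never sufficient by itself.
EMAIL_LOCAL_RE = re.compile(r"^[a-z]+(?:[._][a-z]+)?\d{3}[a-z]*$")


@dataclass
class Customer:
    email: str
    first_name: str = ""
    last_name: str = ""
    address: str = ""
    orders_count: int = 0
    opened_any_message: bool = False
    visited_urls: list = field(default_factory=list)


def normalise(text):
    """Lowercase and collapse punctuation/whitespace so address variants compare equal."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", (text or "").lower()).split())


def signals(c):
    """Return the set of bot indicators present on one customer record."""
    found = set()
    local = c.email.lower().partition("@")[0]
    if EMAIL_LOCAL_RE.match(local):
        found.add("email_pattern")
    addr = f" {normalise(c.address)} "
    if any(f" {known} " in addr for known in KNOWN_BOT_ADDRESSES):
        found.add("known_address")
    if not c.first_name.strip() and not c.last_name.strip():
        found.add("no_name")
    # Segment rule from the thread: never opened a message and no page view outside
    # checkout. all() is True for an empty list, so "no visits at all" also counts.
    if not c.opened_any_message and all("checkout" in u for u in c.visited_urls):
        found.add("checkout_only")
    return found


def classify(c, threshold=2):
    """Label a record 'customer', 'bot', 'review' or 'clean'."""
    if c.orders_count > 0:  # anyone who has purchased is never segmented
        return "customer"
    found = signals(c)
    if "known_address" in found or len(found) >= threshold:
        return "bot"
    return "review" if found else "clean"


def segment(customers):
    """Group e-mail addresses by label, preserving input order."""
    out = {"customer": [], "bot": [], "review": [], "clean": []}
    for c in customers:
        out[classify(c)].append(c.email)
    return out


# Constructed sample records; the first three reuse e-mail examples quoted in the thread.
SAMPLE = [
    Customer("allen690@yahoo.com", visited_urls=["/checkouts/c/1"],
             address="House Number 43, Gray Colony, Bellevue Washington 98006"),
    Customer("smith.sanchez326@gmail.com",  # later wave: browses before checkout
             visited_urls=["/", "/collections/all", "/products/x", "/checkouts/c/2"]),
    Customer("allen353taylor@yahoo.com", "Allen", "Taylor", "23, Scottsdale, Happytown"),
    Customer("bob123@example.com", "Bob", "Lee", orders_count=2),
    Customer("dana.k@example.org", "Dana", "K", opened_any_message=True,
             visited_urls=["/products/x"]),
    Customer("kim482@example.net", "Kim", "Park", opened_any_message=True,
             visited_urls=["/products/x"]),
]

if __name__ == "__main__":
    for label, emails in segment(SAMPLE).items():
        print(f"{label:8} {emails}")
```

Records that carry only one weak indicator land in `review` rather than `bot`, which keeps real subscribers with digit-suffixed addresses out of the suppression segment.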

JanVeroti
Shopify Partner
20 1 94

We seem to have successfully blocked the cart and checkout exploits by setting up a third party WAF. We are still in testing mode, so I will not share the details yet, but the solution seems to be in sight. Stay tuned and I'll share once the solution is fully confirmed.

Barry_Berhoff
Excursionist
13 0 14

Please let us know. Very weak on Shopify's part that we would need to do this.

 

rayrodriguez88
Visitor
2 0 2

@JanVeroti do you have a 3rd party team set up the WAF for your store? If yes, can you recommend them to us, it's hard to find trusted 3rd party security engineers online now. Thank you!

JanVeroti
Shopify Partner
20 1 94

Hi. Yes, I’ve been working with a third-party team on a custom setup to deal with this.

 

The solution we’ve integrated is essentially an O2O (origin-to-origin) CDN-layer addition that sits in front of Shopify — similar in concept to how Cloudflare works. Our WAF (Web Application Firewall) runs on Akamai and is specifically designed for bot mitigation. Since implementing it, we haven’t had a single bot-related issue.

 

That said, it’s important to understand the trade-offs. Once you adopt this type of solution, you can’t run another CDN in parallel — which means you lose out on services like asset delivery optimization, page speed boosts, DDoS protection, etc. So your site must be cleanly coded and optimized to pass Core Web Vitals without the help of a traditional CDN before going down this path.

 

There are some SEO considerations too. Since the checkout domain becomes custom (via DNS), clicking back to the site from checkout keeps the checkout. subdomain in the URL — which has on-site SEO implications. A fix via Checkout Extensibility is in the works, but for now, you can patch it by replacing the native logo with a custom image link, adjusting your robots.txt, and using proper rel attributes.

 

Also worth noting: since the WAF performs deep bot detection (evaluating IP, ASN, ISP, headers, device info, etc.), you might occasionally hit a frontend verification check if you’re doing lots of refreshes while working on the site. It’s not messy, just something to be aware of.

I’d love to share the contact info for the company behind this, but they’ve asked me not to for now. They’re planning to launch a Shopify app soon (mostly a UI for DNS onboarding + traffic reporting). I’ll update here when I get the green light to share more.

rayrodriguez88
Visitor
2 0 2

Thank you so much, @JanVeroti this is going to be helpful for all of us here. Appreciate it! Please keep us updated, curious about this app they're launching!

CloudMinion
Excursionist
17 0 25

Been following you closely @JanVeroti hoping to hear that you’ve got the answer that will save us. We’ve been dead in the water with this chaos and really disappointed in Shopify for not doing anything about it. Kudos to your team for finding a solution. Crossing my fingers that it’s something we can afford in order to get our shop and marketing rolling again. Frustrated as heck that Shopify isn’t making this a priority for the customers that put their trust in them.

Robert_Behnke
Excursionist
13 0 18

Our bot attack seems to have finished. Not sure if Shopify did something or the bot just ran its course. 18,000 bad emails later...

CloudMinion
Excursionist
17 0 25

Keep us posted on whether this is indeed getting better. We’ve had false hopes as well as they seem to pause and come back fairly quickly in waves. We had a few (10-ish) after midnight last night (less than usual) but yesterday we still had a fair amount.

JanVeroti
Shopify Partner
20 1 94

We have successfully blocked bots. Now we’re in cleanup mode (all third-party integrations need to be checked and updated if needed, there are still some unknown SEO implications, the URL structure of Shopify nav links needs to be manually updated, …). I need a few more days to finalize this, then I’ll post what I’ve done (to make sure I don’t give anyone wrong directions).

t1m
Shopify Partner
1 0 2

Thank you Jan, looking forward to your update. We've been hit by 1000s of bots adding to cart and opening accounts. 

Robert_Behnke
Excursionist
13 0 18

The bot attack tailed off for a week or so but now they are back and they are smarter this time. They are visiting home page, visiting collection, then product before getting to cart and checkout. So it's not as easy to bucketize them into a BOTS segment by lack of pages visited other than cart or checkout. Some bots are also moving from the checkout to the product page (via the link in checkout I assume). Then they add those products to the cart again. So now they are infiltrating our abandon checkout, abandon cart, AND abandon product email automations.

 

Shopify is pointing the fingers squarely at us - telling us it's our problem and we need to find an app. Which seems completely ridiculous. Shouldn't this be part of at least the Shopify Plus deal? I mean this is ABC security stuff, not some nice-to-have enhancement. 

JeremyRoberts
Excursionist
25 0 23

EXACT same issue @Robert_Behnke  --and I noticed the same disappearance about 09-MAY-2025, then it all came back with a vengeance about 5 days later. Please see my reply to @JanVeroti above.

Barry_Berhoff
Excursionist
13 0 14

This bot issue is crazy and nonstop. You can stop the abandoned cart by requiring log in, but the rest of the site gets tons of fake traffic killing any value to analytics. Shopify is just ignoring this issue.

Robert_Behnke
Excursionist
13 0 18

I don't know if this is just a coincidence. I know best practice is to unsubscribe instead of delete known bad emails. However, a few days ago I just got so frustrated at the 90K plus emails clogging up Shopify and Omnisend (our version of Klaviyo), even though we had been mainly successfully quarantining them with rules-based segments (no orders, less than 5 page visits including checkout). I went ahead and DELETED this segment. Then 100 more per hour. Then delete again after another day and 2000+ bad emails. Repeat repeat repeat. Last time I mass deleted was about 3 hours ago and I only have 28 new bot emails. So maybe actively deleting does *something* to the sender to slow it down? I'm sure I deleted a handful of legit customers (at least subscribers, not customers since anyone who has made a purchase is not in the bot segment).

 

Will post again if i truly see a big slowdown that endures.

Robert_Behnke
Excursionist
13 0 18

I'm still getting some but it looks like, at least for now, the pace is 1 every 3 minutes or so instead of like 5 per minute.

JeremyRoberts
Excursionist
25 0 23

@Robert_Behnke wrote:

I know best practice is to unsubscribe instead of delete


Yes, but... the bot emails are useless, and there is no redeeming or future value of the profile as suppressed or unsubscribed.
An unsub or suppressed profile can feed retargeting or custom audiences. But bot profiles have no value.
Make them go away.

Robert_Behnke
Excursionist
13 0 18

That's what i'm doing now. Thanks for the validation.

JanVeroti
Shopify Partner
20 1 94

The solution is here.


As I mentioned in earlier posts, we’ve spent weeks battling Shopify’s inability to deal with malicious bot traffic, especially fake add-to-carts and inflated session data. We implemented a third-party WAF to fix it, and after extensive testing, refinement, and real-world usage, that solution is now available to everyone.

 

It’s called Armex: Block Checkout Bots and it’s now live in the Shopify App Store.

We’ve been running it in production for a while, and I can confidently say: this is the only real, working solution right now for merchants dealing with Shopify’s lack of bot protection.

 

  • Blocks bots before they hit your checkout
  • Cleans up your analytics & ad performance
  • No more fake profiles and messed up Klaviyo data
  • No more fake sessions inflating data
  • Easy setup, no coding - just follow instructions

Install this app and follow the instructions. This is as close to a plug-and-play fix as it gets — and it actually works.

 

App link: https://apps.shopify.com/bora-ip-blocker-country-block

Barry_Berhoff
Excursionist
13 0 14

Thanks for posting this. What do we know about this app or the developer? It has been out since November of 2023 and only has 1 review. How are they able to do what all other apps say they do not have access to?

CloudMinion
Excursionist
17 0 25

I agree with Barry_Berhoff’s question. Their app has been around since 2023. Where is the info that this was updated recently to target this? Would love to see some more information from others that this is working and not causing any unforeseen issues.

ckinnee
Visitor
1 0 2

Anyone else tried this solution?  I am at my wits end with these bots, but messing around with our DNS doesn't make me very comfortable. 

MaxIntegrations
Shopify Partner
3 0 0

I'd like to update y'all on our CloudFlare WAF solution. We have since seen a reduction of 99.9% in bot activity, and are still seeing steady human user activity! It has been non-blocking to the user experience, other than a "Please wait a few seconds while we make sure you're human" page when the user first hits the site. It has been extremely effective against these bots, down to only one to three abandoned checkouts a day. It seems the CDN (CloudFlare, AWS, whatever you use) is the only layer of the application at which this activity can truly be stopped.

Michael_Ryan
Tourist
8 0 6

Did it and it works. 

JeremyRoberts
Excursionist
25 0 23

@JanVeroti wrote:

The solution is here.

Install this app and follow the instructions. This is as close to a plug-and-play fix as it gets — and it actually works.

 

App link: https://apps.shopify.com/bora-ip-blocker-country-block


It Sure Is!

 

Working PERFECTLY.
And... support has been quick to answer any questions.

I am not removing my klaviyo flows or filters, and I am keeping the N8N server too -- but Armex app with the firewall and script is the missing element to say goodbye to the bots.
This SHOULD have been a Shopify solution.
But... Thank you!!

Michael_Ryan
Tourist
8 0 6

Installed and issue fixed within hours. Congrats and a huge thank you for creating a real deal fix for this issue. I can sleep now. 

SP_MT
Tourist
3 0 0

Anyone else quite suspicious of this "solution"? I got these emails from "Boostymark" the "BM: Country blocker IP Blocker" that was also supposedly a secret solution, and started in 2023. Then they recommended going over to the new "Armex" app, which if you look at the privacy policy is generic and clicking into the app owner profile of Bora App, the privacy policy looks generic and similar to Boostymark, but their website is restricted. As I read these reviews for this Bora App "Armex" they seem suspicious. Anyone not affiliated with either app seeing any signs of this working, but also not being something that could potentially be a phishing scam? 

 

https://static.bora-app.com/private-policy.html

https://rbn.boostymark.com/private-policy.html

 


JeremyRoberts
Excursionist
25 0 23

@SP_MT wrote:

Anyone else quite suspicious of this "solution"? 


No.

It works.
And they are transparent in the support -- they tell you how to solve this without using their app (if you are on Shopify Plus).

I posted a 5-star review.

Michael_Ryan
Tourist
8 0 6

Armex is owned by BM. They created Armex because the BM app does not solve this issue. We were getting blasted by bots, thankfully only recently. We installed BM and then complained when it did not solve the issue...so BM recommend Armex.

 

We installed Armex and within 24 hours our bot traffic stopped. We were nervous about messing with the DNS as well but Armex support was super helpful and quick with replies in walking through the set up. (We also used our Server Support Chat to assist with the DNS changes.)

 

We left one of the reviews for Armex and it is legit. The app is not "public" yet on Shopify search because Armex doesn't want everyone downloading without getting the tech support to properly set it up. (at least that's what they told us). I specifically asked Armex if Shopify is cool with this app since Shopify has done nothing to fix the issue, they said "yes" they have worked with Shopify in the development process to make sure it works properly. 

 

We have been using it for less than a week and zero bot abandoned carts and zero new customer sign ups. You can see the traffic that is getting blocked...and sales are still coming in as they should. We have not seen any issues with the app interfering in a way that would negatively impact our shop. Try it. It works 

UGL
Shopify Partner
1 0 1

Any update with this? Since yesterday I am having the same bot, same address as you are stating, happening to me every min.

Michael_Ryan
Tourist
8 0 6

This is the one and ONLY solution. It’s invite by link only as the app is new. I got the link from another blocker app that couldn’t solve our abandoned cart issue. After installing the app I contacted support. They walked me through the steps (took 30 minutes or so). We went from hundreds of abandoned carts and customer signups a day to none in less than 24 hrs. Use the link. This app does what none of the other blocker apps do, fix the issue. 

https://apps.shopify.com/bora-ip-blocker-country-block