Tons of bots creating and abandoning carts

Yep, we’ve now been getting up to 400 Bot Add to Cart hits a Day! Including the House Number 43 one. Most seem to be from Bellevue, WA, but filtering for this is just silly. Upgrading to a $2,300/month Plus plan to protect our customers is NOT an appropriate answer from Shopify. This clearly seems to be a way to test Stolen Credit Cards since they seem to stop at the checkout page. Thanks a lot for showing us how important we are to you after years of being faithful customers who recommend you to everyone else, Shopify. This is NOT acceptable for a mature platform of your size and will only drive us to have to put more of our efforts into the evil Bezos beast instead. 😢

What are they attempting to do by adding products to their carts? My company sells fairly high value product ($1000) and what the bots add are accessories usually in the $100 range.

Guessing testing Stolen Credit Cards? Apparently that’s not important enough for Shopify to try to protect us and save our analytics and ability to market to real customers who are considering Completing the Check Out Process.

Yeah, once again Shopify is really showing how on top of things they are. Bot traffic corrupting analytics, inflating marketing spend, and interfering with storefronts — and the best their tech support can offer is “try an app” or “use checkout rules” (for bots that never even reach checkout). Brilliant.

Even escalating through Plus support and asking for help from management leads to radio silence. Really builds confidence in that “enterprise-level service,” doesn’t it?

Anyway, we’re currently setting up an external WAF solution since Shopify clearly isn’t stepping up. I’ll report back here once it’s running and let you all know how it goes.

One thing our email provider helped us do is separate abandon cart from abandon checkout email automations. A user exists from abandoned cart automation if they a) start checkout, or b) place an order. Since the bots are going direct to checkout, you can still capture people are are abandoning cart prior to checkout. 

We then created a BOT segment in our email provider with rules - a) have not opened any message, b) have not placed an order, c) have not visited any URL on our website where URL does not contain 'checkout.' So now we filter out BOT segment from all sends. 

For the new abandon checkout automation, we then also created an exit rule where user exits the automation if a) places order, or b) enters segment 'BOT' 

This is not ideal, but it's allowed us to resume more or less normal email marketing. There may be a few legit users that get swept up in the BOT segment but i think it's very few if any.

We seem to have successfully blocked the cart and checkout exploits by setting up a third party WAF. We are still in testing mode, so I will not share the details yet, but the solution seems to be in sight. Stay tuned and i'll share once solution is fully confirmed.

Please let us know.  Very weak on Shopify's part tha we would need to do this.

@JanVeroti do you have a 3rd party team set up the WAF for your store? If yes, can you recommend them to us, it's hard to find trusted 3rd party security engineers online now. Thank you!

Hi. Yes, I’ve been working with a third-party team on a custom setup to deal with this.

The solution we’ve integrated is essentially an O2O (origin-to-origin) CDN-layer addition that sits in front of Shopify — similar in concept to how Cloudflare works. Our WAF (Web Application Firewall) runs on Akamai and is specifically designed for bot mitigation. Since implementing it, we haven’t had a single bot-related issue.

That said, it’s important to understand the trade-offs. Once you adopt this type of solution, you can’t run another CDN in parallel — which means you lose out on services like asset delivery optimization, page speed boosts, DDoS protection, etc. So your site must be cleanly coded and optimized to pass Core Web Vitals without the help of a traditional CDN before going down this path.

There are some SEO considerations too. Since the checkout domain becomes custom (via DNS), clicking back to the site from checkout keeps the checkout. subdomain in the URL — which has on-site SEO implications. A fix via Checkout Extensibility is in the works, but for now, you can patch it by replacing the native logo with a custom image link, adjusting your robots.txt, and using proper rel attributes.

Also worth noting: since the WAF performs deep bot detection (evaluating IP, ASN, ISP, headers, device info, etc.), you might occasionally hit a frontend verification check if you’re doing lots of refreshes while working on the site. It’s not messy, just something to be aware of.

I’d love to share the contact info for the company behind this, but they’ve asked me not to for now. They’re planning to launch a Shopify app soon (mostly a UI for DNS onboarding + traffic reporting). I’ll update here when I get the green light to share more.

Thank you so much, @JanVeroti this is going to be helpful for all of us here. Appreciate it! Please keep us updated, curious about this app they're launching!

Keep us posted on whether this is indeed getting better. We’ve had false hopes as well as they seem to pause and come back fairly quickly in waves. We had a few (10-ish) after midnight last night (less than usual) but yesterday we still had a fair amount.

We have successfully blocked bots. Now we’re in cleanup mode (all theirs party integrations need to be checked and updated if needed, these still some unknown seo implications, URLs structure of Shopify nav links needs to be manually updated,…). I need few more days to finalize this then I’ll post what I’ve done (to make sure I don’t give anyone wrong directions )

Thank you Jan, looking forward to your update. We've been hit by 1000s of bots adding to cart and opening accounts.