Hundreds of Bots Are Abandoning Carts and Abusing Checkout Every Day, Nothing Works!

We’ve been dealing with an incredibly frustrating issue that appears to be a significant security flaw in Shopify itself, at a broader scale, that can affect any store without it even noticing until it’s too late. I’m hoping someone here has real answers or a solution, because we’ve tried everything: none of the apps are effective, Shopify’s captcha and Cloudflare are not doing anything, nothing.

Since early 2025, we’ve been targeted by bots that manage to bypass our storefront and directly access the cart and checkout pages to attempt fraudulent credit card payments, create abandoned carts, and generate fake email signups. There are hundreds of abandoned checkouts per day, mostly with the same address in Bellevue, WA, and nothing we’ve done has been able to stop them.

The problem is that Shopify hosts the cart and checkout pages on a closed system, and merchants like us have no access to implement measures to protect against and filter bots. We can’t add scripts, firewalls, or any sort of verification to those endpoints.

Shopify Support has acknowledged this issue by giving me generic answers and useless advice. I can’t believe Shopify is knowingly allowing this; it’s a major security flaw that can have a significant negative impact on the affected store.

  • Screwing up analytics and conversion data and pixels, which ends up wasting ad budget

  • Filling up the email list with fake email sign-ups

  • Slowing down the site significantly

  • Might get you flagged as spam and maybe even banned from sending emails

  • Making it harder to identify real customers

Why is Shopify not doing more to protect the most sensitive part of the store — the cart and checkout?

If anyone else is going through this — or has found a way to stop it — I’d love to hear from you.

4 Likes

A lot of stores are suffering from the same issue. Reporting to Shopify is of little help, they either don’t understand the issue, or pass the buck.
There’s a big thread on this bot here: https://community.shopify.com/c/shopify-discussions/does-anyone-know-which-bot-this-is/m-p/3063526#M518009

Bot blocking apps from the Shopify app store do not help with this. The reason is that they gather the IP address of the bot using JavaScript: the bot must have JS enabled, and that JS has to run to get the bot’s IP. Once ‘blocked’, the apps can only enforce the block if the bot returns and runs the same JavaScript. The point is that it is trivial for any bot to bypass these apps (in fact, it’s easier for a bot to NOT run JS than it is to actually run it). This is a limitation of Shopify: they don’t allow you to easily detect an IP, and they give you no access to any ability to block anyone outside of using client-side JavaScript. You only get an IP for a customer from Shopify once they actually place an order, which these bots are not doing. Even then, you can’t easily use that IP to effectively block that bot from visiting your site altogether.

Further to this, these abandoned cart bots use a URL which you as a merchant have no control over; you cannot even run any JavaScript on this URL or choose what it does, hence the bot blocking apps in the app store offering zero protection against this. Not their fault; again, this is Shopify not allowing you to protect your own store effectively. This is the exploit the bots are using. The URL the bots are using is https://your-store.com/cart/:1
Replace your-store.com with your actual store URL, and add in a variant ID of one of your products, and this URL will add it directly to cart and take you to checkout. They don’t need to pass any captcha, or even visit any other page on your site.

There are three ways to deal with these bots.

  1. If you’re on Plus, create a Flow that runs on a Customer Created trigger and detects the address (it’s almost always the same 2 or 3 addresses). This doesn’t help with the fake traffic in analytics, but it does help with preventing you from sending out abandoned cart emails to these fake addresses. You can also add in a step to block them from your email provider (e.g. Klaviyo), using the HTTP Request action in Shopify Flow. There are some details of this in the post I linked above.

  2. Use Cloudflare in an ‘Orange to Orange’ configuration. Shopify do not support it, but Cloudflare can help here. Cloudflare offer a firewall and other bot protections that sit in front of Shopify and allow you to control who visits your site using rules. You will need to install it, gather some data over time and create some rules to block the bots. Even though Shopify itself is already on Cloudflare, it is choosing not to use this feature.

  3. Turn on the setting that customers must log in/create an account in order to check out. It will most likely affect your conversion rate, but it does stop the abandoned cart bots by removing the ability to go directly to checkout via the URL I mentioned above.

Please also complain to Shopify, more voices means more chance they will actually do something about this.

1 Like
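The cart-permalink bypass and the address-based Customer Created check described in the post above, as an added example (this is not code from the thread, from Shopify, or from any app store app): a Python script that clusters abandoned checkouts by normalized shipping address and by whether the visit landed on a `/cart/<variant_id>:<qty>` permalink, and then makes the keep/delete decision a Customer Created handler (a Flow, or your own webhook receiver) would make. The record field names (`landing_site`, `shipping_address`, `default_address`) follow Shopify Admin API checkout and customer objects; the sample records, the Bellevue street address and the thresholds are constructed or assumed and must be tuned per store.

```python
"""Spot the bot cluster in abandoned checkouts and screen new customers.

Added example, not code from the thread, Shopify or any app. Record shapes
mirror Shopify Admin API checkout/customer objects; the sample data and the
thresholds below are constructed/assumed.
"""
import re
from collections import defaultdict

# Cart permalink the thread describes: /cart/<variant_id>:<qty>[,<variant_id>:<qty>...]
# It adds the item(s) and lands straight on checkout, skipping storefront pages
# and the storefront captcha. Query strings and fragments are tolerated.
CART_PERMALINK = re.compile(r"^/cart/\d+:\d+(?:,\d+:\d+)*(?:[?#].*)?$")


def is_direct_checkout(landing_site):
    """True when the session entered via a cart permalink, not the storefront."""
    return bool(landing_site) and CART_PERMALINK.match(landing_site) is not None


def normalize_address(addr):
    """Collapse case, punctuation and whitespace so 'Ave. NE' == 'ave ne'.

    The bots reuse the same address but may vary formatting; matching on the
    raw string would miss those variants."""
    fields = (addr.get(k) or "" for k in ("address1", "city", "province_code", "zip"))
    return re.sub(r"[^a-z0-9]", "", " ".join(fields).lower())


def find_bot_addresses(checkouts, min_count=5, min_direct_ratio=0.8):
    """Return normalized addresses behind many abandoned checkouts, nearly all
    of which arrived via the permalink. Thresholds are assumptions: a real
    address would rarely hit both in a day."""
    total = defaultdict(int)
    direct = defaultdict(int)
    for c in checkouts:
        key = normalize_address(c.get("shipping_address") or {})
        if not key:
            continue
        total[key] += 1
        if is_direct_checkout(c.get("landing_site")):
            direct[key] += 1
    return {k for k, n in total.items()
            if n >= min_count and direct[k] / n >= min_direct_ratio}


def screen_customer(customer, bot_addresses):
    """Decision a Customer Created handler would make: 'delete' for the bot
    cluster, 'keep' otherwise. The actual delete / email-suppression step is
    left to the Flow action or the Admin API."""
    addr = customer.get("default_address") or {}
    return "delete" if normalize_address(addr) in bot_addresses else "keep"


# --- constructed sample data (not real checkouts) ---
BOT_ADDR_VARIANTS = [
    {"address1": "123 Example Ave NE", "city": "Bellevue", "province_code": "WA", "zip": "98004"},
    {"address1": "123 example ave. ne", "city": "bellevue", "province_code": "WA", "zip": "98004"},
]
REAL_ADDR = {"address1": "9 Example Rd", "city": "Portland", "province_code": "OR", "zip": "97201"}

SAMPLE_CHECKOUTS = (
    [{"email": f"user{i}@example.com",
      "landing_site": "/cart/12345678901234:1",
      "shipping_address": BOT_ADDR_VARIANTS[i % 2]} for i in range(6)]
    + [{"email": "shopper@example.com",
        "landing_site": "/products/some-product",
        "shipping_address": REAL_ADDR},
       {"email": "buyer@example.com",
        "landing_site": "/cart/12345678901234:1",  # real buyers use permalinks too
        "shipping_address": REAL_ADDR}]
)


def demo():
    """Run detection over the sample, then screen one bot and one real signup."""
    bots = find_bot_addresses(SAMPLE_CHECKOUTS)
    decisions = {
        "bot": screen_customer({"default_address": BOT_ADDR_VARIANTS[0]}, bots),
        "real": screen_customer({"default_address": REAL_ADDR}, bots),
    }
    return bots, decisions


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the decision keys on the address cluster, not on the permalink alone, because legitimate shoppers also arrive through `/cart/...` links that merchants send in emails and ads; and the address is normalized before comparison, so a Flow condition that does an exact string match on `address1` will miss trivially varied spellings of the same address.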

I am having the same problem, I have tried to get help from many different companies. Negate app on Shopify didn’t touch it. Email provider Klaviyo acknowledged it but was unable to offer any advice apart from turn off your flows. Shopify said activate CAPTCHA; it was already activated. I went to Cloudflare and they said they could help but I needed to subscribe to the $20,000 a year program to get the help, but they might not be able to solve the problem. A company called Fingerprint which apparently specialises in this sort of problem wanted me to sign up for a 14 day free trial, but I would probably need a developer to help install it and it might not work. What I really don’t understand is: this is their job, right? Cloudflare, Shopify, Google, Fingerprint etc etc, but none of them could ensure that the problem would be resolved once I’d installed their software and paid a developer. I mean honestly who is to say it’s not Cloudflare doing this to get us all to sign up to a $20k solution!!

Apologies about the rant. I am extremely frustrated as I see my business failing because of things like this and I have little or no control over it.

3 Likes

It’s definitely not Cloudflare doing this! The only company who actually has a responsibility to do something is Shopify: if they are to restrict their platform, they need to also manage security on that platform.

I went through a similar process. Captcha will not work here, because the URL the bot uses completely bypasses it. Other third parties will also not be able to stop this, whatever Fingerprint can tell you. They cannot block bots on Shopify that are using this method because Shopify does not give anyone access to the necessary APIs or network layer to do so. Fingerprint can detect bots, but no company can block an IP on Shopify without using JS (which is easy for a bot to bypass). This is all down to Shopify’s approach to privacy.

This hopefully won’t make your business fail entirely! It will affect your analytics, which is really annoying, but you should be able to prevent sending out any fake emails which affects your sending reputation using a Shopify Flow that deletes the customers immediately. I’ve got details of the one I made here https://community.shopify.com/c/shopify-discussions/does-anyone-know-which-bot-this-is/m-p/3063526#M518009

2 Likes

Thank you for your detailed input. I see from the other thread that people have been talking about this since early 2023. Yikes! This is very discouraging to see Shopify playing catch-up for the last 2 years instead of finding an actual solution that’s hard to get around.

Unfortunately, I’m not on Plus, and the Cloudflare setup you described sounds very complicated and a workaround rather than a permanent fix, but I will share it with my developer and let you know if we end up implementing it.

I have already complained to Shopify, and they are aware of the issue. However, they are refusing to provide a specific response, instead offering general, standard, and useless advice. I’m pushing until I receive a serious response that assures me it’s a priority for them, but unfortunately, it doesn’t seem like it.