We have a problem that some people are re-using the aborted checkout URL to create a fake order every time.
We know the IP range they are coming from and tried to block the traffic, but as soon as they use a VPN they can open the checkout URL again.
After that, we decided to add the app “Blockify”, where we were also able to block VPN access, but unfortunately the VPN blocker allows direct access to the checkout URL.
The reason direct checkout URLs bypass Blockify (and honestly, any storefront-based blocking app) comes down to how Shopify’s architecture works. Apps like Blockify inject their logic into your storefront theme - so they can intercept traffic on your homepage, product pages, collection pages, etc. But the /checkouts/ URL is served directly by Shopify’s infrastructure, not your theme. Your theme’s JavaScript doesn’t load there, which means no app running in the storefront layer can gate it.
So this isn’t really a gap in Blockify specifically - it’s a platform-level constraint that affects all similar tools.
For your situation, a few things worth looking at:
Shopify doesn’t currently provide a native way for merchants to invalidate or expire abandoned checkout tokens on standard plans. Once that URL is generated, it stays accessible. Shopify Support might be worth contacting directly - they occasionally have backend options or can flag accounts involved in coordinated abuse, especially if you can document the pattern.
If you’re on Shopify Plus, Checkout Extensibility and Shopify Functions let you add server-side logic that actually runs within Shopify’s checkout flow, which is the only real way to enforce rules at that layer.
For everyone else, the more practical approach is usually to shift focus from blocking checkout access to making the abuse less impactful - things like enabling Shopify’s fraud analysis, requiring manual review for orders that hit certain risk thresholds, and making sure you’re not triggering email automations or inventory holds on abandoned checkouts from flagged patterns.
The fake abandoned checkout problem is pretty widespread (there are some long threads on this forum about bots doing exactly this), and the consensus is generally that if they’re not completing payment, the direct financial risk is limited - though it’s genuinely annoying to deal with.