Severe automated bot sessions (~15k/day) are inflating store analytics; prior attempts with Shopify apps have not worked. The domain is purchased through Shopify, and the traffic pattern is repetitive, indicating non-human visits.
Attack is likely at the DNS layer, where Shopify domains don’t allow custom server-side rules, limiting native mitigation options. This constraint suggests the need for protection before traffic reaches Shopify.
Recommended mitigation: place Cloudflare (or similar proxy/CDN) in front of the store. Enable bot filtering, rate limiting, and challenge pages (e.g., CAPTCHA) to deter repetitive automated hits.
Further tuning: optionally limit traffic by country or block suspicious user-agent strings (the identifier a browser/bot sends) to reduce analytics noise while preserving legitimate visitors.
Technical notes: DNS layer refers to domain-level routing; a proxy like Cloudflare sits between visitors and the store to inspect and filter requests.
Status: No confirmed resolution reported. Action items are to configure an external proxy with security features; discussion remains open.
Summarized with AI on December 11.
AI used: gpt-5.
I’m currently dealing with a large wave of automated bot sessions (around 15k per day). These are not real visitors — the traffic repeats constantly and is inflating my sessions and damaging my analytics.
My domain was purchased directly through Shopify. Has anyone faced a similar bot attack before? I’ve tried multiple Shopify apps, but none of them have worked.
If yes, how were you able to solve it?
Any advice or shared experience would be greatly appreciated. Thank you.
This is a standard problem when bots attack Shopify stores straight at the DNS layer. Because Shopify domains don’t support custom server rules, the best workaround is to put Cloudflare or a similar proxy in front of your store. Turn on bot filtering, rate limiting, and challenge pages to mitigate repetitive automated traffic. You may also limit traffic by country or user-agent strings to clean analytics data from noise without blocking actual visitors.
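Before turning on rate limiting or user-agent blocks at the proxy, it helps to measure which clients are actually repetitive, so the rules do not catch real visitors. The sketch below is an added example, not part of the reply above or of any Shopify or Cloudflare tooling; it assumes a request log exported from the proxy as `(timestamp, ip, user_agent, path)` tuples, and the sample data, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample: (unix_seconds, client_ip, user_agent, path).
# IPs are from documentation ranges; user agents are made up for illustration.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
SAMPLE = (
    [(1000 + 2 * i, "203.0.113.7", "ExampleFetcher/1.0", "/") for i in range(40)]
    + [(1000 + 3 * i, "203.0.113.9", BROWSER, "/products/a") for i in range(30)]
    + [(1000 + 45 * i, "198.51.100.20", BROWSER, p)
       for i, p in enumerate(["/", "/products/a", "/cart"])]
)


def peak_rates(events, window=60):
    """Return {(ip, ua): max requests seen in any `window`-second span}."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip, ua, _path in sorted(events):
        q = recent[(ip, ua)]
        q.append(ts)
        while q[0] <= ts - window:      # drop hits that fell out of the window
            q.popleft()
        peak[(ip, ua)] = max(peak[(ip, ua)], len(q))
    return dict(peak)


def plan_rules(events, window=60, max_hits=10):
    """Split offenders into UA-blockable and rate-limit-only.

    A user agent is only proposed for blocking if no well-behaved client
    sends it; offenders hiding behind a common browser UA are listed for
    rate limiting or a challenge page instead.
    """
    peaks = peak_rates(events, window)
    offenders = {k for k, n in peaks.items() if n > max_hits}
    clean_uas = {ua for (ip, ua) in peaks if (ip, ua) not in offenders}
    block_ua = sorted({ua for _, ua in offenders} - clean_uas)
    rate_limit_ips = sorted(ip for ip, ua in offenders if ua in clean_uas)
    return {"block_user_agents": block_ua, "rate_limit_ips": rate_limit_ips}


if __name__ == "__main__":
    for key, n in sorted(peak_rates(SAMPLE).items()):
        print(f"{key[0]:15} peak={n:3}/60s  ua={key[1]}")
    print(plan_rules(SAMPLE))
```

The peak figures give a starting point for the proxy's rate-limit threshold: set it above the highest rate seen from normal visitors and below the repetitive clients.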