I’ve had almost 300 sessions today and 220 yesterday all from China and have never had this happen before. This is very odd as I do not sell in China. Our checkout does not allow checkout outside of the US. I reached out to Shopify support and they said nothing to worry about and everything is secure. They recommended installing Blockify, which I did and set it to block China but I maxed out the free plan in less than a day. Is this a “bot attack” and how long does it generally last? Do I really have nothing to worry about, like Shopify support advised?
Hi, yes this likely typical scraping activity from bots. For the most part, its unavoidable. A blocking app will cut down some of the traffic but there are ways around it. It’s not a direct threat, and your best defence is just making sure your store is secured in all areas.
If you’re interested in a free trial, check out our app (https://www.securecommerce.io/). We provide all-in-one security for merchants
Qualify what is their to actually worry about.
Your not paying extra hosting fees for more traffic
Your not paying more in advertising and if you are that is an off platform issue
If they are not placing orders this should not even occupy your time if your not making serious money already this is so low on the priority list.
etc etc etc
Unless you pay for an expensive WAF solution, bots are pretty unavoidable. Just make sure they’re not getting through checkout and you should be fine.
Yes, that traffic spike is almost certainly the result of bots—common lately from crawler networks based in China. They generally boost session counts without causing any damage to your store. It usually subsides in a couple of days. You can just ignore it, but if it’s still going let it traffic by country with Cloudflare rules, or just block it with a firewall app automatically filtering non US visits.
It’s not helping since the bots can go through the shopify domain. You can’t set up anything with shopify domain unless they’d like to do something for you. Unfortunately, normally they won’t do anything. My store has been under massive bots (more than 20,000 bots) for more than 3 months. They always only say some friendly words but won’t do anything. Im considering to move out of Shopify. They are doing nothing for the security.
that’s very true. Im experiencing this for more than 3 months. They don’t care…
Oh I know it sucks, but have you been on the other platforms? They are much worse for security… It’s not a Shopify platform issue, it’s an internet issue. Only 49% of all internet traffic came from humans last year, and 37% were malicious bots. It’s everywhere, in everything. APIs are inherently vulnerable to bots and data scraping, attacks on which account for 44% of all advanced bot traffic. They’rein the financial market mostly. But for ecommerce, Black Friday traffic is a frenzy of bots, with an annual average of 35% being data scraping bots.
I know everyone want to sync their products to tiktok, but little do they know that their web crawler, ByteSpider, makes up 54% of all blocked bot traffic for some bot blockers.
Hey,
This sounds like a bot attack on your store. They can last anywhere from a few hours to several days.
Shopify support is correct that your store’s security is likely not at risk, as these bots typically aim to inflate traffic or test for vulnerabilities rather than compromise data directly.
To manage this, you can:
- Cloudflare: Provides robust DDoS protection and traffic filtering.
- Shop Protector: Blocks suspicious traffic and bots based on various criteria.
- Bot Blocker: Identifies and blocks malicious bots and unwanted traffic.
Best,
Daniel Smith
Yes, almost certainly bot scraping. The pattern you’re describing - sudden spike from a country you don’t sell to, sessions that don’t convert or even reach checkout - matches standard crawler behavior. These networks cycle through stores systematically, usually looking to harvest product data, pricing, or just test endpoints.
Duration is honestly hard to predict. Some waves clear in a few days once your store falls out of whatever rotation they’re running. Others stick around for weeks or longer if your store ends up on a recurring scrape list - the related thread about this going on for three months is a real scenario, not an edge case.
On whether to worry: for actual store security and order data, Shopify support isn’t wrong. These bots aren’t trying to steal customer records or place fraudulent orders. But there’s one impact worth monitoring that doesn’t come up much in these threads - if you’re running any paid ads on Meta or Google, bot traffic can meaningfully corrupt your pixel data. Inflated sessions with near-zero engagement mess with audience signals, which can quietly degrade your ad targeting over time. Worth checking your campaign metrics against this period to see if anything shifted.
Because you’re already using Blockify and hit the free limit that quickly, upgrading to a paid tier is can be the path of least resistance given your volume. The free plan is designed for lighter use, and 300 sessions a day from a single country will burn through it fast. The paid tier handles higher volumes without you having to manually manage it.
One thing to be aware of that Nancy88 raised: if the bots are hitting your .myshopify.com URL directly rather than your custom domain, country-blocking apps can’t catch all of it - that domain sits on Shopify’s infrastructure outside of your control. Routing your custom domain through Cloudflare adds protection at the DNS level and helps with that gap. But for most standard scraping waves, country blocking still significantly reduces what shows up in your analytics and puts less noise in your data.