Hello, it’s been like three months since our store has been getting botted or scraped by AI agents at these URLs. We tried to block them directly in Cloudflare, but nothing seems to work properly. Sessions keep coming from different IP addresses: China, USA, Vietnam, Brazil, etc. Here are the URLs. Does someone else have trouble recently with new AI agent scrapers, etc.? They are affecting our store in terms of load; they are inactive but still logged into our store.
/collections/vendors, and also this URL: /.well-known/shopify/monorail/unstable/produce_batch
I already contacted Shopify support, but they didn’t or couldn’t help me either way.
How many sessions, in number? Possible DDoS? Have you tried Under Attack Mode on Cloudflare?
Hello, almost 3.2 million sessions, all coming from desktop, first from the US and now China and other locations. They literally have 0 add-to-carts and 0 payments, literally zombie sessions.
I have noticed this pattern in open-source e-commerce platforms, where attackers attempt to exploit known and unknown vulnerabilities in the code. However, I am not entirely sure why this is happening on a Shopify store; it could be that the attackers know something, or it may have been triggered by mistake.
One effective response is to enable “Under Attack Mode”, which enforces CAPTCHA for suspicious requests. Additionally, blocking traffic from all countries where you do not ship is a strong defensive measure. In my opinion, these two steps combined are the most reliable way to survive such an attack.
@theoveinte07 Most merchants have the same issues. Simply try this:
1- Try any Shopify app for IP blocking; it may work.
2- Connect with the Shopify support team, along with real data.
3- Use CAPTCHA on the user login page.
4- Also update the robots.txt file and
User-agent: *
Disallow: /collections/vendors
If you don’t want to rank this page on the Google SERP, simply block it or password-protect it.
Hi, thank you for your help, already tried most of these recommendations, but still, traffic is coming from China and other countries where we don’t sell any, and I don’t want to restrict AI crawlers from discovering my store, too, so I can’t be too restrictive on the access to my store.
Hopefully, it will work. Then:
• Go to Settings → Markets and restrict which countries can access your store or see prices
• Use Shopify Markets Pro for more granular geo-routing
Otherwise, you will completely block the country of China (with any app or custom solution).
You do not need to do anything on the Shopify level, as Cloudflare is more efficient for this because it blocks requests and IPs on the DNS level, which is technically the correct way to handle this. So do not implement CAPTCHA on login only. Cloudflare blocks each suspicious request with CAPTCHA, not just login requests.
Do not pay anything extra to Shopify or any third-party app to block requests.
Enable Under Attack Mode in Cloudflare and disable countries in Cloudflare, as it blocks the requests on the DNS level, which prevents attackers from even hitting your site.
I have implemented this on 10+ compromised eCommerce stores (not Shopify), and it works well.
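Added example (not part of any post in this thread): a triage script that measures how much of the no-intent traffic on the two URLs above a ship-to country block would actually cover, and how much arrives from countries the store does sell to. The log columns, `INTENT_PREFIXES`, the `ship_to` set and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# The two URLs named in the thread.
TARGET_PATHS = ("/collections/vendors",
                "/.well-known/shopify/monorail/unstable/produce_batch")
# Assumption: requests under these prefixes indicate real shopping intent.
INTENT_PREFIXES = ("/cart", "/checkout")

# Constructed sample log; IPs are from documentation ranges.
SAMPLE_LOG = """\
client_ip,country,path
203.0.113.10,CN,/collections/vendors?q=Acme
203.0.113.10,CN,/.well-known/shopify/monorail/unstable/produce_batch
198.51.100.7,US,/collections/vendors?q=Foo
198.51.100.7,US,/collections/vendors?q=Bar
192.0.2.44,FR,/collections/vendors?q=Acme
192.0.2.44,FR,/cart/add
192.0.2.45,FR,/products/shirt
203.0.113.99,VN,/collections/vendors?q=Baz
"""


def triage(log_text, ship_to):
    """Split no-intent clients on the target URLs by ship-to country."""
    paths, country = defaultdict(list), {}
    for row in csv.DictReader(io.StringIO(log_text)):
        # Drop the query string so ?q=... variants count as one path.
        paths[row["client_ip"]].append(row["path"].split("?", 1)[0])
        country[row["client_ip"]] = row["country"]
    # "Zombie": touched a target URL and never reached cart or checkout.
    zombies = sorted(
        ip for ip, seen in paths.items()
        if any(p in TARGET_PATHS for p in seen)
        and not any(p.startswith(INTENT_PREFIXES) for p in seen)
    )
    outside = [ip for ip in zombies if country[ip] not in ship_to]
    return {
        "zombie_clients": zombies,
        "outside_ship_to": outside,  # a country block would cover these
        "inside_ship_to": [ip for ip in zombies if ip not in outside],
        "countries_outside_ship_to": sorted({country[ip] for ip in outside}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ship_to={"US", "FR"}))
```

Clients listed under `inside_ship_to` are the ones a country block leaves untouched, which is the share that calls for a challenge scoped to the two paths instead.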