OK - this just started happening and I know it’s been a problem for Shopify for many years.
I need to find a fix to stop these attacks. I have recaptcha enabled, BoostMark for blocking IPs, monitoring IPs etc. The issue is this - the bot is bypassing all pages so our app can’t block them and the bot continually uses the same url to directly access the checkout page where our security can’t scan for bots due to Shopify restricting this.
I have many abandoned checkouts and credit card attempts that were denied. I can tell the countries this bot is using range from Italy, Russia, U.S., Japan, Israel, Mexico. The billing addresses they use are all different. Now our typical security software does not allow foreign IPs to even have access to our site. But these foreign bots are freely able to be on our checkout.
This bot is going directly into the checkout area where security software apps aren’t allowed to monitor. We need a solution from Shopify as this is a huge issue and something that should not be allowed to continue on Shopify.
It began when the bot was able to add a product to our shop which we did not authorize as we don’t have any admin access besides me. I went in and deleted and removed that product that they were using - they named it "_Additional Price" and even placed an icon as the picture.
So not only do we have all these fraudulent orders trying to be placed - we had a checkout bot able to add a product to our website and an image - how does that even happen??? Once I deleted and removed this they then started using a $2.00 product to add to the cart.
Any help would be appreciated and this is a security issue for Shopify as I’ve read folks have been dealing with this same issue for years. How to stop bots from our checkout page???
Here’s more info - working directly with our Shopify app folks at BoostMark as they are extremely helpful as a security app. After I completely deleted one product and all variants of that product and completely deleted that product from our admin - now it’s completely gone - guess what happened? The bot was able to add this product back into our shop along with all variant quantities and then add this same variant back into the checkout page as they use the same url to simply enter the checkout page allowing it to bypass any and all security features on our website.
Shopify needs to take this extremely seriously as these bots are able to not only bypass any and all security blocks you may have on your shop. These bots stay within the checkout page but are NOW also able to manipulate products, add new products into your admin that you’ve never had and also to add generic image product pictures to your shop.
The app I use BoostMark is in the stages of developing software that they are hoping will stop this - we shall see as they can now use our shop to test things as having bots that should not even be allowed on your website and then be able to freely roam your Shopify shop backend is not good!!!
If bots are still getting through, it usually means they are bypassing the normal storefront flow, using rotating IPs, and going straight into checkout behavior that is harder to catch from the storefront side.
At this point, I’d focus on:
- limiting shipping/selling countries to the ones you actually serve
- using Shopify Flow to tag or cancel suspicious orders automatically
- reviewing low-value and repeated attempts for clear patterns
- adding another filtering layer before the traffic turns into cart or checkout activity
The product they added is the part I’d treat as most serious though. That feels more like something to review from the admin, app, or access side too, not only as a bot problem.
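One way to carry out the "review low-value and repeated attempts for clear patterns" step from the reply above, as an added example that is not part of any post in this thread and not Shopify's or any app's code. The record layout, item names and thresholds are assumptions, and the sample rows are constructed to mirror the pattern described in the thread (one cheap item, declined cards, many billing countries).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Field layout (time, item, total, billing country,
# outcome) is hypothetical, not Shopify's export schema.
ATTEMPTS = [
    ("2024-05-01T10:00:05", "variant-2usd", 2.00, "IT", "declined"),
    ("2024-05-01T10:01:10", "variant-2usd", 2.00, "RU", "declined"),
    ("2024-05-01T10:02:30", "variant-2usd", 2.00, "JP", "declined"),
    ("2024-05-01T10:03:45", "variant-2usd", 2.00, "MX", "declined"),
    ("2024-05-01T10:04:00", "variant-mug", 18.50, "US", "paid"),
    ("2024-05-01T10:05:00", "variant-2usd", 2.00, "IL", "declined"),
    ("2024-05-01T10:06:20", "variant-2usd", 2.00, "US", "abandoned"),
    ("2024-05-01T11:00:00", "variant-sticker", 3.00, "US", "paid"),
    ("2024-05-01T14:00:00", "variant-sticker", 3.00, "US", "paid"),
]

def flag_card_testing(attempts, max_total=5.00, window=timedelta(minutes=30),
                      min_attempts=4, min_countries=3, min_decline_ratio=0.8):
    """Return {item: summary} for items whose low-value attempts form a burst
    of mostly declined payments from many billing countries."""
    by_item = defaultdict(list)
    for ts, item, total, country, outcome in attempts:
        if total <= max_total:  # only low-value carts are considered
            by_item[item].append((datetime.fromisoformat(ts), country, outcome))

    flagged = {}
    for item, rows in by_item.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the burst fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            burst = rows[start:end + 1]
            countries = sorted({c for _, c, _ in burst})
            declined = sum(1 for _, _, o in burst if o == "declined")
            suspicious = (len(burst) >= min_attempts
                          and len(countries) >= min_countries
                          and declined / len(burst) >= min_decline_ratio)
            best = flagged.get(item, {"attempts": 0})
            if suspicious and len(burst) > best["attempts"]:
                flagged[item] = {"attempts": len(burst), "declined": declined,
                                 "countries": countries}
    return flagged

if __name__ == "__main__":
    for item, summary in flag_card_testing(ATTEMPTS).items():
        print(item, summary)
```

Items returned here are candidates for the tagging or cancelling rules mentioned in the same reply; the thresholds need tuning against a shop's normal order mix.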
Card testing has been getting worse and worse recently. Storefront Sentry was the only app that worked for me to stop those types of bots.
Limit the allowed shipping and selling countries to only those the business actively serves. Investigate admin, app, and access permissions, as the unauthorized creation of products points to a potential backend vulnerability rather than just a checkout bot. Consider specialised apps like Sensfrx for bot mitigation.