Hi, I’m really hoping someone can help me with this. So, I have a product page set up in my store that no one (or so I thought) should be able to access unless they have the direct URL. Somehow people have been finding it and placing orders (the page is for an off site order and the charge is $0 since they would have paid another way). I have changed the URL a couple of times thinking this would take care of the issue, I have also blocked it from the search engines so it won’t be indexed. None of this has helped. The other strange thing is that in order to “process” the order, you’re supposed to have uploaded pictures but none of the fraudulent orders coming through have pictures attached. I’ve gone to the page myself and tried to put an order through without uploading pics and it won’t let me. How are these people doing this? It’s driving me crazy because what’s even the point, the order can’t be fulfilled without pics. I’ve had a couple “orders” from the same people, like why? They put in all their info, name, address, email etc. As soon as I get the order, I cancel it and mark it fraudulent and it sends them an email stating it’s been cancelled. I don’t know how to stop these orders from happening. Please help! Thank you.
Missy,
there are more ways to discover and add your product to cart than you may think.
One way is to crawl your /sitemap.xml, which has addresses for all of your products listed (unless you’ve used the seo.hidden metafield to hide the product from search engines – did you use it when 'noindex’ing your product?).
Then the bot can fetch data about the product and use it to add the product to cart without interacting with your theme, via the Shopify cart API.
However, the fact that these orders are missing vital data – image in your case – is good: you can use an app like Flow to automatically cancel these orders.
Hello @missy7222
I totally understand how frustrating and confusing this must be, especially when you’ve taken steps to keep the page hidden and it’s still getting unwanted orders. You’re not alone in this; I’ve seen similar cases pop up in the past, so let me try to help.
It sounds like there might be a few things going on here:
- Even though you’ve changed the URL and blocked indexing, if the page was ever live or linked somewhere (even just briefly), bots or spammy scripts might have picked it up. Some bots are designed to crawl sites looking for checkout links or free items, which could explain why you’re getting fake orders with no images uploaded.
- If users (or bots) are bypassing your image upload requirement, it’s possible they’re interacting with your backend directly — for example, using a custom script or tool to POST data to your cart/checkout without ever seeing the front-end validation.
- If it’s the same people placing orders multiple times, it could be someone testing the system (sometimes even for malicious purposes), or they might think they’re getting something free.
Here are a few things you could try to mitigate the issue:
- Instead of relying on an unlisted URL, try password-protecting that specific product page or even the whole product. You can do this with some custom code or by using Shopify apps that restrict access based on customer tags or login status. For example, shoplock
- Make sure the image upload requirement is being enforced server-side as well, not just via JavaScript or theme logic. This way, even if someone tries to bypass the front end, the order won’t go through without the required files.
- Make sure the product isn’t part of any automated collection, search results, or sitemap. You can also remove it from your online store sales channel altogether if it’s only meant for very specific use.
- If you’re on Shopify Plus, you can create rules to automatically cancel or flag these orders before you even get notified.
You’re doing the right thing by canceling and flagging those orders — and hopefully, with a few extra steps, you can lock this down even tighter. If you want to help review your current setup or theme code to see how it’s being accessed, feel free to share a little more (without revealing sensitive info), and I or someone else in the community can take a closer look.
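The check suggested in the replies above (cancel orders for the hidden product that arrive without the uploaded pictures, decided from the order data rather than by the theme), as an added example that is not part of any post in this thread. It assumes the upload is stored as a line item property; the product ID and the property name "Photos" are constructed placeholders, and the sample orders are constructed.

```javascript
// Added example: decide from order data alone whether an order for the
// restricted product is missing its required upload.
const RESTRICTED_PRODUCT_ID = 1111111111; // constructed placeholder
const UPLOAD_PROPERTY = "Photos";         // hypothetical property name (assumption)

// Order JSON carries properties as [{name, value}]; cart JSON carries them
// as a plain object (or null). Normalise both shapes to name/value pairs.
function propertyPairs(lineItem) {
  const props = lineItem.properties;
  if (Array.isArray(props)) return props.filter(Boolean).map((p) => [p.name, p.value]);
  if (props && typeof props === "object") return Object.entries(props);
  return [];
}

// True only if the upload property exists and holds a non-blank string.
function hasUpload(lineItem, propertyName) {
  return propertyPairs(lineItem).some(
    ([name, value]) =>
      name === propertyName && typeof value === "string" && value.trim() !== ""
  );
}

function reviewOrder(order, productId = RESTRICTED_PRODUCT_ID, propertyName = UPLOAD_PROPERTY) {
  const items = Array.isArray(order.line_items) ? order.line_items : [];
  const missing = items.filter(
    (li) => li.product_id === productId && !hasUpload(li, propertyName)
  );
  return { orderId: order.id, cancel: missing.length > 0 };
}

// Constructed sample orders covering the shapes a scripted order can take.
const SAMPLE_ORDERS = [
  { id: 1001, line_items: [{ product_id: 1111111111, properties: [{ name: "Photos", value: "https://uploads.example/abc.jpg" }] }] },
  { id: 1002, line_items: [{ product_id: 1111111111, properties: [] }] },       // no upload
  { id: 1003, line_items: [{ product_id: 1111111111 }] },                       // properties absent
  { id: 1004, line_items: [{ product_id: 1111111111, properties: { Photos: "  " } }] }, // blank value
  { id: 1005, line_items: [{ product_id: 2222222222, properties: [] }] },       // other product
];

function ordersToCancel(orders) {
  return orders.map((o) => reviewOrder(o)).filter((r) => r.cancel).map((r) => r.orderId);
}

console.log(ordersToCancel(SAMPLE_ORDERS)); // [ 1002, 1003, 1004 ]
```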
Did you have someone handling this store for you in the past, so that it might not be that they are creating draft orders that seem real to your store? I received this many times, one time like that, and I had to change the store details from the person. Let me know if you fall under this.