Hello,
My client’s store is being hammered with bot attacks resulting in over 200 fake accounts created daily. I have of course enabled captcha but clearly it’s not working to block the bots. I am looking for an alternative captcha which will work better for my client’s store.
Fake accounts are being created via pop-up forms, newsletter signup form, and via the create account form.
Thank you.
Hi @ClickWit
Bot attacks can be annoying. Since hCaptcha is not functioning, I would recommend enabling Google reCAPTCHA v3 that uses risk-based scoring to detect bots without inconveniencing users. You can enable it in Shopify at Settings → Customer accounts & checkouts and Online store → Preferences.
Also, attempt to limit account creation to post-checkout only if it’s not an absolute requirement before then. If bots are taking advantage of pop-ups and newsletter signups, try adding honeypot fields (fields hidden that real users won’t fill out) or install a third-party anti-bot app like Shop Protector or CleanTalk from the Shopify App Store
Hope this helps 
Hi @ClickWit
Thanks for reaching out to the Shopify Community. Shopify provides a built-in CAPTCHA for protection, but if it’s not enough, you can explore third-party apps like:
https://apps.shopify.com/bot-protection
https://apps.shopify.com/ellipsis-human-presence-technology
https://apps.shopify.com/ipblocker
I have the same issue. A BOT is creating dozens of Abandoned Carts each day and also hundreds of fake customers using spoofed names and emails.
The BOT is NOT USING NORMAL WORKFLOW so none of the blockers work. I have tried Blockify, Cart Block, & Flow.
I created a dummy product with a artifically low price and zero inventory. The BOT always picks the lowest cost item in my catalog and is able to create the Cart even though there is no inventory.
The support rep at Cart Block determined that the BOT is using a vulnerability of PERMALINK to go around the workflow.
There is no way to turn off or disable PERMALINK and so far Shopify Developers are not doing anything about it.
I don’t know how they are creating the dummy customers. Again, Shopify is not showing any interest in fixing the issue.
I run into this with clients all the time. The reason the Captcha isn’t working is almost certainly because these are ‘Headless Bots.’ They are sending POST requests directly to the API endpoints, bypassing the frontend forms (and the Captcha) entirely.
Finding a ‘better’ Captcha usually just annoys real customers without stopping the bots.
We switched strategies: instead of trying to block the door (which fails), we just automated the cleanup. I use a tool called NoBot (https://nobot.versoly.page/) that detects and deletes the fake accounts instantly. It keeps the client’s database clean without adding friction to the UX
Thanks for sharing the tool. It really helpful for Merchants those stuck with Bots account.