hCaptcha is ineffective against bot attacks. Looking for a replacement.

Technical Q&A

Topic summary

A Shopify store is experiencing severe bot attacks, with over 200 fake accounts created daily through pop-up forms, newsletter signups, and account creation forms. hCaptcha has proven ineffective at blocking these bots.

Suggested Solutions:

  • Enable Google reCAPTCHA v3, which uses risk-based scoring and works without user interaction
  • Configure via Shopify Settings → Customer accounts & checkouts and Online store → Preferences
  • Implement honeypot fields (hidden form fields that bots fill but humans don’t)
  • Install third-party apps: Shop Protector, CleanTalk, Bot Protection, Ellipsis Human Presence Technology, or IP Blocker
  • Restrict account creation to post-checkout only if feasible

Related Issue:
Another user reports bots exploiting PERMALINK vulnerabilities to bypass normal workflow protections, creating abandoned carts and fake customers even with zero inventory. Standard blockers (Blockify, Cart Block, Flow) have failed. Shopify currently offers no way to disable PERMALINK, and developers haven’t addressed this vulnerability.

The discussion remains open with no confirmed resolution.

Summarized with AI on October 26. AI used: claude-sonnet-4-5-20250929.
1

Hello,

My client’s store is being hammered with bot attacks resulting in over 200 fake accounts created daily. I have of course enabled captcha but clearly it’s not working to block the bots. I am looking for an alternative captcha which will work better for my client’s store.

Fake accounts are being created via pop-up forms, newsletter signup form, and via the create account form.

Thank you.

2

Hi @ClickWit

Bot attacks can be annoying. Since hCaptcha is not functioning, I would recommend enabling Google reCAPTCHA v3 that uses risk-based scoring to detect bots without inconveniencing users. You can enable it in Shopify at Settings → Customer accounts & checkouts and Online store → Preferences.

Also, attempt to limit account creation to post-checkout only if it’s not an absolute requirement before then. If bots are taking advantage of pop-ups and newsletter signups, try adding honeypot fields (fields hidden that real users won’t fill out) or install a third-party anti-bot app like Shop Protector or CleanTalk from the Shopify App Store

Hope this helps :slightly_smiling_face:

3

Hi @ClickWit

Thanks for reaching out to the Shopify Community. Shopify provides a built-in CAPTCHA for protection, but if it’s not enough, you can explore third-party apps like:

https://apps.shopify.com/bot-protection
https://apps.shopify.com/ellipsis-human-presence-technology
https://apps.shopify.com/ipblocker

4

I have the same issue. A BOT is creating dozens of Abandoned Carts each day and also hundreds of fake customers using spoofed names and emails.
The BOT is NOT USING NORMAL WORKFLOW so none of the blockers work. I have tried Blockify, Cart Block, & Flow.
I created a dummy product with a artifically low price and zero inventory. The BOT always picks the lowest cost item in my catalog and is able to create the Cart even though there is no inventory.
The support rep at Cart Block determined that the BOT is using a vulnerability of PERMALINK to go around the workflow.
There is no way to turn off or disable PERMALINK and so far Shopify Developers are not doing anything about it.
I don’t know how they are creating the dummy customers. Again, Shopify is not showing any interest in fixing the issue.