How can I limit newsletter signups and add security measures to my online store?

Topic summary

Multiple store owners are experiencing a surge of fake newsletter signups and customer account creations—one reporting over 100 fake signups daily despite minimal legitimate traffic (under 10 sessions/day). These fake entries bypass normal analytics, leaving no trace in traffic data, cart activity, or checkout metrics, appearing only in customer lists.

Key Issues:

  • Shopify’s native newsletter signup form lacks built-in security options (no CAPTCHA, no rate limiting per session/visit)
  • Third-party solutions attempted (Negate bot protection, Google reCAPTCHA) have proven ineffective
  • Disabling newsletter signup, Shop features, and adding custom fields did not stop the attacks
  • Fake accounts show random names with legitimate-looking email addresses but no actual engagement

Suspected Cause:
One support representative suggests a script may be injected into the theme itself, as bots are creating accounts without registering as site traffic.

Recommended Actions:

  • Contact theme developer to investigate potential code injection
  • For Shopify-developed themes, escalate to Shopify’s theme department

Multiple users report the same problem across different stores, indicating a broader platform vulnerability.

The issue remains unresolved and is significantly impacting marketing efforts and data integrity.

Summarized with AI on November 15. AI used: claude-sonnet-4-5-20250929.

I had already modified newsletter.liquid (which modifies footer.liquid) to add first and last name fields for better emailing ID (something users have been requesting from Shopify for some time), but it turns out that’s irrelevant.

I went ahead and installed Negate early this morning and set protection at Very Aggressive. It says it has blocked 9 bots already but I’ve deleted over 40 new fake “customers” in the past 3 hours, so apparently not aggressive enough (or it’s not a bot). Most of the bots listed are from India but India has never shown up in my analytics. None of them came in through the home page. My analytics, as well as Negate’s, show 2 legit-looking visits so far today.

The only place in my website other than the newsletter signup that collects customer info is at checkout (no separate customer registration). The only info in these fake customer profiles is a clearly fake (often random characters) name and a legit-looking email address. No indication of anything put in the cart. Interesting thing about this latest round of attacks: all of their profiles show that they have a classic account. Accounts are hidden (no login), but I do have Shop turned on.
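A triage sketch for the pattern described in this thread (zero-order profiles, random-character names, signups arriving in bursts), added here as an example and not code from any poster or from Shopify. The CSV column names, sample rows and thresholds are assumptions; the name heuristic only suits Latin-alphabet names, so flagged rows are candidates for review, not automatic deletion.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows; column names are assumptions, not a real export schema.
SAMPLE = """first_name,last_name,email,orders_count,created_at
Maria,Lopez,maria.lopez@example.com,2,2024-05-01T09:12:00
xkqzrtw,bnmpfgh,j.smith84@example.net,0,2024-05-03T02:10:05
Qwrtplk,Zxcvbnm,anna.k@example.org,0,2024-05-03T02:10:41
hjkl,sdfg,pat@example.net,0,2024-05-03T02:11:17
Lee,Park,lee.park@example.org,0,2024-05-03T02:12:30
Tom,Nguyen,tom.n@example.com,0,2024-05-03T15:30:00
"""

def name_looks_random(name):
    """True when a name has almost no vowels or a long consonant run."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 4:
        return False  # too short to judge either way
    vowels = sum(ch in "aeiouy" for ch in letters)
    long_run = re.search(r"[^aeiouy]{5,}", letters) is not None
    return vowels / len(letters) < 0.2 or long_run

def triage(csv_text, burst_threshold=3):
    """Label zero-order profiles: two signals -> likely_fake, one -> review."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if int(r["orders_count"]) == 0]
    # Signups per clock hour among profiles that never ordered.
    per_hour = Counter(r["created_at"][:13] for r in rows)
    labels = {}
    for r in rows:
        score = 0
        if name_looks_random(r["first_name"]) or name_looks_random(r["last_name"]):
            score += 1
        if per_hour[r["created_at"][:13]] >= burst_threshold:
            score += 1
        if score:
            labels[r["email"]] = "likely_fake" if score == 2 else "review"
    return labels

if __name__ == "__main__":
    for email, label in triage(SAMPLE).items():
        print(f"{label:12} {email}")
```

The `review` label exists because a real subscriber can sign up during a burst; comparing the hourly counts against session analytics for the same hour is the stronger check.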