How can I turn the bot protection on
Topic summary
Issue: Merchant reports up to 50 daily bot add‑to‑cart events, escalating over 3–4 months. Recommended apps haven’t helped because bots aren’t detectable as active shoppers.
Possible cause: A participant suggests abandoned carts with generic names (e.g., “John Smith”) may be Google Shopping’s crawler testing carts to validate pricing, linking to an external explainer.
Shopify clarification: Plus “Bot Protection” targets automated checkout bots during flash sales/high‑demand drops, not general crawling or analytics noise. Regular bot traffic is common and not considered an attack; true attacks (traffic floods) are mitigated by Shopify’s security.
Broader impact: Another merchant reports hundreds–thousands of fake customers and abandoned carts daily, corrupting analytics and HubSpot CRM, requiring manual cleanup.
Mitigation limits: Many anti‑fraud apps require access to checkouts.liquid (available only on Shopify Plus), blocking non‑Plus stores from using them or adding a honeypot. IP/country blocking was suggested, but Shopify does not expose IP/country for non‑order events.
Status: Support acknowledges a known issue under developer review; no fix or timeline provided. Open questions remain on enabling protection and practical defenses for non‑Plus stores.