Massive surge of bot traffic (especially from China/Asia) is inflating sessions with 100% bounce, corrupting Shopify analytics, and degrading Meta Pixel ad learning—small/midsize merchants are hit hardest.
Participants say the root is architectural: Shopify terminates storefront traffic at its own edge, so Cloudflare cannot proxy requests. Apps run after HTML is served, so they cannot block IPs, countries, ASNs, GET requests, scraping, or apply pre‑delivery WAF/rate limits.
Requested actions for Shopify: publicly acknowledge the issue; implement native, server‑side protections (IP/country filtering, server‑side CAPTCHA, real WAF); and provide a clear mitigation timeline.
Alternatives raised: use country‑blocker apps as a stopgap; others rebut that these don’t fix the core problem. One participant cites that 37% of internet traffic is malicious, questioning costs and responsibility.
Process notes: a moderator directed the OP to larger existing threads per guidelines. Another participant expects end‑of‑year AMAs to share progress, with further reductions potentially into 2026.
Status: no official Shopify response in this thread; issue remains open. Key question: will Shopify add native server‑side filtering/WAF, and when?
Terms: WAF = Web Application Firewall; ASN = Autonomous System Number; Meta Pixel = Facebook ads tracking/optimization tool.
Summarized with AI on December 11.
AI used: gpt-5.
For several months, countless merchants — myself included — have been facing a massive surge of fake traffic from China and other regions in Asia.
These bots generate thousands of sessions with a 100% bounce rate, corrupt Shopify analytics, and completely destroy Meta Pixel learning and ad performance.
This issue is not marginal — it is hitting small and mid-sized stores the hardest, those without the technical access or financial means to deploy a real firewall upstream.
Shopify’s current response has been silence or redirection to third-party apps, which are technically incapable of solving the root of the problem.
This negligence puts thousands of independent businesses at risk.
We are asking Shopify to:
– Acknowledge the issue publicly.
– Implement native server-side protection (country/IP filtering, server-side captcha, real WAF).
– Communicate a clear timeline for mitigation.
If Shopify wants to remain the platform for creators and small business owners, it must provide basic protection against non-human traffic.
Hello there Nick @NickHM The bots invasion issue has been a problem for a while now and I’m sure the team are working on it. I think it’s difficult given the spread of AI agents now plus the reach of Shopify stores generally that’s making the wait that long. I think the end of the year AMAs on here would help to reveal a lot of new information with regards to how solutions have been coming about and steps to help reduce it much more in 2026.
Hi @Maximus3, thanks for trying to help. However, recommending a country-blocking app doesn’t address the root issue. The bots exploit a structural flaw in Shopify’s infrastructure and pollute our analytics. Paying for a country blocker to bypass a global problem is not acceptable. Shopify, as the platform provider, should implement server-side protections (IP/country filtering, server-side captchas, WAF) rather than pushing merchants to pay for a workaround.
I agree. But…a free country blocker that you set a blacklist for, say, all non us countries, would take care of most of the bots. And it’s not just an issue in Shopify. 37% of all internet traffic is malicious bots. You trust them to secure your store? I imagine the fees would skyrocket cause they sure as h3ll ain’t gonna pay for server-side protections like a waf. 2 billion dollar net income last year, they don’t even have a functional service department…
You are 100% correct NickHM! No Shopify app can block China bots.
Apps run AFTER Shopify has already served the full HTML, so bots still get every page they request.
Apps cannot:
Block IPs
Block countries
Block ASNs
Stop GET requests
Stop direct URL scraping
Intercept traffic before Shopify delivers content
They can only show overlays or redirects to humansafter the bot already received the HTML.
→ So you go and try to fix this at the Cloudflare level and…
Shopify does NOT allow Cloudflare to sit in front of the storefront.
Your DNS points to Cloudflare, but Cloudflare is NOT the proxy! (WHAT!?! -that’s right)
→ Shopify forces all traffic to terminate at Shopify’s own edge, not Cloudflare’s ←
Because of that: Cloudflare never sees the request! → Cloudflare then CANNOT:
block China
block an IP
challenge a bot
run a WAF rule
rate-limit
stop scraping
detect bot behavior
Every request goes directly to Shopify’s servers, and the content is returned before Cloudflare can do anything. Cloudflare can only manage DNS, not traffic, for a Shopify storefront….
Since Cloudflare never intercepts the request, it cannot block China bots — or any bots!
NickHM - Shopify NEEDS to find a quick solution for us asap!
Yeah not being able to block foreign countries, weather that’s USA or China is a fundamental problem. If Shopify had merchants best interest at heart, they would address this and implement some extra controls for the merchant.
SEARCH first per guidelines