This is a Danish multi-brand art supplies store and it’s not doing any ads in the US or anything that could account for traffic in the US so this bot traffic seems really strange. Any idea what could cause a store to get targeted like this?
Topic summary
Multiple Shopify store owners are experiencing sudden, unexplained spikes in bot traffic, primarily from US-based IP addresses and German Hetzner servers, despite not targeting these regions with advertising.
Key Issues Identified:
- Traffic spikes of 156%+ from locations like New York and “None - None” entries
- Bot activity distorts conversion rates and analytics
- Concerns about site scrapers, data theft, and potential cloning for criminal purposes
- Shopify’s default bot protection appears inadequate and support has been unhelpful
Recommended Solutions:
- Cloudflare integration for advanced filtering (requires DNS control, unavailable without Shopify Plus)
- Securify Block IP & Country app to track and block suspicious IPs
- Cross-reference abandoned cart timestamps with IP logs to identify bot patterns
- Block IP ranges showing repeated suspicious activity (e.g., 104.237.x.x, 104.252.x.x)
- Customize robots.txt, though this only stops well-behaved bots
Recent Update: One user reports the Armex app with DNS configuration successfully resolved their bot traffic issues after struggling since June 2025.
1 Like
Are you the store owner ? @tcardel
No I’m not the store owner @Launchscale_CBC but they asked me if I could ask on the forum
Yes, sudden unexplained traffic—especially from locations like the United States when you’re not targeting that region—can be a sign of bot traffic or non-human interactions. Based on your screenshot, here are some possible causes and insights:
These are the three signs that clarify the Bot traffic.
- Unusual Spikes in sessions from “None - None” or vague locations (like US - None - None).
- High session counts from unexpected places without corresponding marketing activity.
- Massive percentage increases like 156.4% from New york without clear triggers.
Here are the possible cause for the Bot traffic.
- Bot Crawlers or Scrapers: Automated tools scanning Shopify stores for content, prices, or vulnerabilities.
- Fake referral Bots: Bots visiting your site hoping their referrer URL shows up in your analytics to generate traffic to their own.
- Misconfigured Crawlers or Proxy Traffic: Some bots route traffic through U.S. based proxies, making it appear legitimate.
- Targeted Testing by Competitors or Scammers: Competitors or bad actors might be testing your site for vulnerabilities (e.g., open endpoints, cart manipulation).
What you can do.
- Check Shopify Analytics vs. Google Analytics.
- Block bad Bots via robots.txt or Shopify Bot protection.
By following these steps, you can identify your Bot traffic and analyze it.
Alright, actually, strange bot traffic like that is often caused by automated bots crawling their store to scrape data, test checkouts, or spam. Since Shopify sites have a predictable structure, they’re common targets.
Adding a robots.txt file can help by telling well-behaved bots which pages to avoid crawling, but it won’t stop malicious bots that ignore these rules.
Shopify automatically creates a default robots.txt, and you can customize it now to better control crawling.
For stronger protection, consider using services like Cloudflare to block suspicious traffic, security apps, or adding CAPTCHAs on forms.
Checking your analytics for referral patterns and blocking repeated IPs can also help reduce unwanted bot visits.
Hopefully that works..
Same here - just had 5 times more traffic than usual over the last 48 hours, all from various German Hetzner Online servers.
Told Shopify but they weren’t interested - well except for trying to push Apps of course. They are only interested in bot checkout issues, beyond that we’re on our own.
The lack of pro- and re-active action from Shopify is very annoying - this traffic distorts Conversion rate and many other analytics, and can sometimes be a site cloner - we have been copied for criminal intent a few times now.
To paper over Shopify’s inadequacies, I will now have to open a Cloudflare account, move name servers and set up more robust filtering rules.
2 Likes
I have seen this since June 1st 2025. A Massive spike in Bot traffic, all from the USA.
It is still an issue.
Cloudflare does not work since we can’t access the DNS Shopify controls. Unless we upgrade, Shopify Plus for 2K a month? Yeah Right!!!
I have an app that Logs the IPs but does not log the Page they hit.
I have GA which logs the pages but does not track the IP.
I have found no solution for briging this data together.
Another fun feature of GA, they have a real time page report.
But you cant sort it by last entry which seem like the most basic way to view that report.
So there is no way to match up the new real time page entry to the new ip that was just logged.
This would be good for the driect traffic bots.
My solution as of now.
-
I have the app Securify Block IP & Country. This tracks the IPS and Time they hit the site.
-
I then go to the abandonded cart report and filter all the BOT carts with their time created.
-
I look up the time created on the IP log and grab all those IPS.
-
I find dublicate IPs that hit those times and do a reverse IP lookup.
-
If there is no DNS, no Domain or the isp is colocrossing. I block them with the securify App.
Most the IPs i am blocking are all from the same /16 or /8 of ips. 104.237 - 104.252 - 104.168
Armex is the perfect app to get this taken care of. As soon as i did the DNS. everything was solved.