Security · 7 min read

Why Bots Are Bombarding Your Shopify Store (And How to Block Them)

Suddenly seeing thousands of fake checkout attempts, login tries, or junk traffic on your Shopify store? Here's what's actually happening and the exact fixes to stop it — Cloudflare, JavaScript bot detection, reCAPTCHA, and Shopify's own tools.

By Dino Bartolome

If your Shopify analytics suddenly look like this — thousands of sessions with 0% conversion, hundreds of failed checkout attempts, login pages getting hammered, fake account signups, weird referrer traffic from countries you don't ship to — you're being hit by bots.

This isn't paranoia. It's incredibly common. Shopify stores are public targets that bots scrape, scan, and abuse for everything from credit card testing to inventory hoarding to competitor price scraping. Some of it is harmless noise. Some of it costs you money — every fake checkout that triggers Shopify Payments fraud-checks, every junk order that ties up real inventory, every customer support ticket from someone whose card got tested on your storefront.

Here's what's actually going on and the exact fixes that work.

The Most Common Bot Attacks on Shopify

1. Card Testing (Carding)

The big one. A bot makes hundreds or thousands of small checkout attempts ($1-5 product, often digital) using stolen card numbers from a list. They're not trying to actually steal from *you* — they're using your store as a free way to validate which stolen cards still work, then use the working ones for real fraud elsewhere.

Symptoms: spike in failed payments, lots of declined transactions, your Shopify Payments fraud filters firing, sudden dip in your Shopify risk score across legit orders.

2. Inventory / Drop Hoarding

Bots that add limited-edition products (sneakers, collectibles, restocks) to cart the moment they're listed, holding them for resale. Your real customers see "out of stock" within seconds of a drop.

3. Login / Account Stuffing

Bots try lists of leaked username+password combinations against your customer login form, looking for accounts they can take over.

4. Scraping

Competitors scraping your prices, product descriptions, and inventory levels every few minutes. Not directly harmful but eats your bandwidth and skews your analytics.

5. Form Spam

Junk submissions to your contact form, newsletter signup, product reviews. Cheap and constant.

How to Tell If It's Bots vs Real Traffic

Quick signals:

  • Sessions with 0:00 average time-on-page — humans don't bounce in zero seconds
  • High traffic from countries you don't ship to — especially Vietnam, Indonesia, Russia, certain US datacenter ASNs
  • User agents like "Mozilla/5.0" with no version, or curl/python-requests/headless — easy to spot in server logs
  • Spikes that hit at consistent intervals (every 30 sec, every hour) — bots run on schedules
  • All sessions hitting the same handful of pages (cart, checkout, login) and nothing else
  • Failed checkout rate above 30-40% — normal stores see 5-15%

If any of these match what you're seeing, you have a bot problem.
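The following is an added example, not code from the original post, that checks several of those signals against constructed access-log lines in the standard combined format (the shape most proxies and CDNs export). It flags bare or tool user agents, clockwork request cadence, sessions that only ever touch cart/checkout/login, and computes the failed-checkout rate. The sample lines, the jitter threshold, the "three requests" minimum and the list of sensitive paths are all assumptions chosen to illustrate the checks; tune them to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample access-log lines (combined format); not real traffic.
# 203.0.113.5 behaves like a shopper, 198.51.100.7 like a card-testing bot,
# 192.0.2.9 like a credential-stuffing bot.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:00 +0000] "GET /products/hoodie HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36"
203.0.113.5 - - [10/Mar/2024:12:00:41 +0000] "GET /cart HTTP/1.1" 200 2048 "https://shop.example/products/hoodie" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0 Safari/537.36"
198.51.100.7 - - [10/Mar/2024:12:00:00 +0000] "POST /checkout HTTP/1.1" 402 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:00:30 +0000] "POST /checkout HTTP/1.1" 402 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:01:00 +0000] "POST /checkout HTTP/1.1" 402 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:12:01:30 +0000] "POST /checkout HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2024:12:00:05 +0000] "POST /account/login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:00:15 +0000] "POST /account/login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:00:25 +0000] "POST /account/login HTTP/1.1" 401 128 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BOT_UA_RE = re.compile(r'curl|python-requests|go-http-client|headless|scrapy|wget', re.I)
SENSITIVE_PREFIXES = ('/cart', '/checkout', '/account/login')  # assumption: store paths


def suspicious_user_agent(ua):
    """Bare 'Mozilla/5.0' with nothing after it, an empty UA, or a known tool name."""
    if ua.strip() in ('', '-', 'Mozilla/5.0'):
        return True
    return bool(BOT_UA_RE.search(ua))


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e['ts'] = datetime.strptime(e['ts'], '%d/%b/%Y:%H:%M:%S %z')
        e['status'] = int(e['status'])
        entries.append(e)
    return entries


def regular_cadence(times, max_jitter=1.0):
    """True when three or more requests arrive at a near-constant interval."""
    if len(times) < 3:
        return False
    times = sorted(times)
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(deltas) <= max_jitter


def triage(log_text):
    """Return the per-IP bot signals found plus the overall failed-checkout rate."""
    entries = parse_log(log_text)
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e['ip']].append(e)
    flagged = {}
    for ip, reqs in by_ip.items():
        signals = []
        if any(suspicious_user_agent(r['ua']) for r in reqs):
            signals.append('suspicious_user_agent')
        if regular_cadence([r['ts'] for r in reqs]):
            signals.append('regular_cadence')
        if all(r['path'].startswith(SENSITIVE_PREFIXES) for r in reqs):
            signals.append('only_cart_checkout_login')
        if signals:
            flagged[ip] = signals
    checkouts = [e for e in entries if e['method'] == 'POST' and e['path'].startswith('/checkout')]
    failed = sum(1 for e in checkouts if e['status'] >= 400)
    rate = failed / len(checkouts) if checkouts else 0.0
    return {'flagged_ips': flagged, 'failed_checkout_rate': rate}


if __name__ == '__main__':
    for ip, why in triage(SAMPLE_LOG)['flagged_ips'].items():
        print(ip, why)
```

Each signal alone is weak (a real shopper can land straight on a login page), which is why the function collects several per IP and leaves the "how many signals is enough" decision to you; the failed-checkout rate of 75% on the sample is well above the 5-15% the post calls normal.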

The Fixes (In Order of Bang-for-Buck)

Fix 1: Turn on Cloudflare in Front of Your Store

This is the biggest single move. Cloudflare's free tier blocks the majority of obvious bot traffic before it ever reaches Shopify, and the paid Bot Management add-on stops the sophisticated stuff.

Setup:

  1. Sign up at cloudflare.com (free)
  2. Add your custom domain to Cloudflare. (Note: Cloudflare proxies your *custom domain* — for the yourstore.myshopify.com URL itself, you can't proxy that. You need to be using a custom domain like shop.yourbrand.com.)
  3. Change your domain's nameservers at your registrar (GoDaddy, Namecheap, etc.) to the Cloudflare ones they give you.
  4. In Cloudflare dashboard → Security → Bots → enable Bot Fight Mode (free).
  5. In Security → WAF → enable the Free Managed Ruleset.
  6. Optional but recommended: turn on Under Attack Mode during an active incident.

What this stops: 80-90% of automated traffic, all known-bad IP ranges, browser-impersonating headless scrapers, datacenter ASN traffic.

What it doesn't stop: bots that solve real JavaScript challenges (the modern professional bot networks). For that you need the next layer.

Fix 2: Add Shopify's Built-In Bot Protection

Shopify itself has tools that aren't on by default:

  • Settings → Checkout → "Use bot protection" (turns on a hidden challenge for checkout — won't show captcha to humans, will trip up most bots)
  • Settings → Customer accounts → Require email verification (kills stuffing attacks dead)
  • Apps → install "Shop Pay's fraud filter" if you're on Shopify Payments
  • Settings → Notifications → Set up risk-score email alerts so you see attack waves as they happen

These are 10 minutes of clicking and free.

Fix 3: Add reCAPTCHA or Cloudflare Turnstile to Forms

For contact forms, newsletter signups, account creation, and product reviews:

  • Google reCAPTCHA v3 — invisible, scores each request 0.0-1.0 based on how human-like it looks. Reject anything under 0.5. Free.
  • Cloudflare Turnstile — Cloudflare's privacy-respecting alternative. No tracking cookies. Free. Easier setup if you're already on Cloudflare.
  • hCaptcha — paid alternative, similar UX to reCAPTCHA v2.

Shopify lets you inject these into your theme inside the Liquid form tag ({% form 'contact' %} ... {% endform %}) in your templates. Apps in the Shopify App Store wrap this if you don't want to touch code:

  • "Captcha for Forms" by Hextom
  • "Smart reCAPTCHA" by HelpfulCrowd
  • "BotProtect 360"
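Whichever widget you pick, the token it puts in the form is only meaningful once your server sends it to the vendor's siteverify endpoint and checks the reply; a score read in the browser can be faked. Below is an added example (not code from the original post or from Google/Cloudflare) of that server-side check for reCAPTCHA v3, with the decision logic separated from the HTTP call so it can be exercised offline on constructed replies. It enforces the 0.5 threshold from above and the checks people usually forget: that the token was issued for your hostname and for this particular form ("action"), and that it is fresh. Turnstile's reply has the same success/hostname/action/challenge_ts fields minus the score, so the same evaluator works for it. The secret, the form action name "contact", the hostname shop.example.com and the two-minute freshness window are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import urlopen

# Vendor verification endpoints (documented by Google and Cloudflare).
RECAPTCHA_VERIFY = 'https://www.google.com/recaptcha/api/siteverify'
TURNSTILE_VERIFY = 'https://challenges.cloudflare.com/turnstile/v0/siteverify'


def fetch_siteverify(endpoint, secret, token, remote_ip=None):
    """POST the client-side token to the vendor and return the decoded JSON reply."""
    fields = {'secret': secret, 'response': token}
    if remote_ip:
        fields['remoteip'] = remote_ip
    with urlopen(endpoint, data=urlencode(fields).encode()) as resp:
        return json.load(resp)


def evaluate_siteverify(reply, expected_action, expected_hostname,
                        min_score=0.5, max_age=timedelta(minutes=2), now=None):
    """Decide whether to accept a submission from a siteverify reply.
    Returns (accepted, reason). The score is only checked when present (v3);
    Turnstile replies carry no score and pass on the other checks alone."""
    if not reply.get('success'):
        return False, 'vendor rejected token: ' + ','.join(reply.get('error-codes', []))
    if reply.get('hostname') != expected_hostname:
        return False, 'token was issued for another hostname'
    if reply.get('action') != expected_action:
        return False, 'token was issued for a different action/form'
    issued_raw = reply.get('challenge_ts')
    if issued_raw:
        # Assumption: the documented "YYYY-MM-DDTHH:MM:SSZ" timestamp shape.
        issued = datetime.strptime(issued_raw, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
        current = now if now is not None else datetime.now(timezone.utc)
        if current - issued > max_age:
            return False, 'token older than %s (possible replay)' % max_age
    score = reply.get('score')
    if score is not None and score < min_score:
        return False, f'score {score} below threshold {min_score}'
    return True, 'ok'


def verify_contact_form(secret, token, remote_ip, endpoint=RECAPTCHA_VERIFY):
    """Full flow for the constructed contact form: fetch the reply, then evaluate it."""
    reply = fetch_siteverify(endpoint, secret, token, remote_ip)
    return evaluate_siteverify(reply, expected_action='contact',
                               expected_hostname='shop.example.com')


# Constructed replies in the documented response shape; no network call needed.
GOOD_REPLY = {"success": True, "score": 0.9, "action": "contact",
              "challenge_ts": "2024-03-10T12:00:00Z", "hostname": "shop.example.com"}
LOW_SCORE_REPLY = dict(GOOD_REPLY, score=0.1)
DEMO_NOW = datetime(2024, 3, 10, 12, 0, 30, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(minutes=10)

if __name__ == '__main__':
    print(evaluate_siteverify(GOOD_REPLY, 'contact', 'shop.example.com', now=DEMO_NOW))
    print(evaluate_siteverify(LOW_SCORE_REPLY, 'contact', 'shop.example.com', now=DEMO_NOW))
```

Binding the token to an action matters on a store: a bot can obtain a legitimately high-scoring token on your product page and replay it against the contact form unless the server insists that the action in the reply matches the form being submitted.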

Fix 4: Custom JavaScript Bot Detection

For the bots that get past Cloudflare + reCAPTCHA — usually the carding bots that have invested real engineering effort to look human — you need server-side fingerprinting. The pattern:

  1. On every page, set a JavaScript-only cookie with a random token.
  2. On checkout, verify that cookie exists (bots that don't run JS won't have it).
  3. Log canvas fingerprint, WebGL renderer, timezone, screen resolution. Real browsers have consistent profiles. Bots tend to have inconsistencies (Linux + iPhone screen + headless WebGL = bot).
  4. Rate-limit by fingerprint, not just IP. (Modern bots rotate IPs every request but reuse the same fingerprint across many.)

This is the level where you usually want either a third-party service (DataDome, Kasada, PerimeterX) or a developer to build a custom solution. Cost: $200-2000/month for the services, or a one-time dev project starting around $1500.
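The server side of that four-step pattern, as an added example that is not code from the original post or from any of the named vendors. It assumes the page's JavaScript has already copied a server-issued token into a cookie and posted the collected fields (user agent, navigator.platform, WebGL renderer, screen size, timezone, navigator.webdriver) along with the checkout; the field names, the secret key, the one-hour token lifetime and the limits are assumptions. Signing the token with an HMAC goes one step beyond the text: it means a bot cannot simply invent a cookie value, it has to fetch a page and run the script. Rate limiting is keyed on a hash of the fingerprint, so rotating IPs does not reset the counter.

```python
import hashlib
import hmac
import json
import secrets
import time
from collections import defaultdict, deque

# Assumption: a server-held secret, rotated periodically; constructed for the demo.
SERVER_KEY = b'constructed-demo-key-do-not-reuse'
TOKEN_MAX_AGE = 3600  # seconds a page token stays valid


def issue_js_token(now=None):
    """Step 1 (server half): token embedded in the page for client-side JS to
    copy into a cookie. HMAC-signed so it cannot be minted without a page load."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    sig = hmac.new(SERVER_KEY, f'{nonce}.{issued}'.encode(), hashlib.sha256).hexdigest()
    return f'{nonce}.{issued}.{sig}'


def js_token_valid(token, now=None):
    """Step 2: the checkout request must carry a correctly signed, unexpired token."""
    try:
        nonce, issued, sig = token.split('.')
        issued = int(issued)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SERVER_KEY, f'{nonce}.{issued}'.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    current = now if now is not None else time.time()
    return 0 <= current - issued <= TOKEN_MAX_AGE


def fingerprint_inconsistencies(fp):
    """Step 3: combinations a real browser does not produce. Field names are
    assumptions for what the page's JS would collect."""
    ua = fp.get('user_agent', '').lower()
    platform = fp.get('platform', '').lower()
    renderer = fp.get('webgl_renderer', '').lower()
    width, height = fp.get('screen', (0, 0))
    reasons = []
    if 'iphone' in ua and not platform.startswith('iphone'):
        reasons.append('UA claims iPhone but navigator.platform does not')
    if 'swiftshader' in renderer or 'llvmpipe' in renderer:
        reasons.append('software WebGL renderer typical of headless browsers')
    if width == 0 or height == 0:
        reasons.append('no screen geometry')
    if fp.get('webdriver'):
        reasons.append('navigator.webdriver set (automation)')
    return reasons


def fingerprint_hash(fp):
    """Stable key for rate limiting: same fingerprint, same bucket, whatever the IP."""
    return hashlib.sha256(json.dumps(fp, sort_keys=True).encode()).hexdigest()


class FingerprintRateLimiter:
    """Step 4: sliding-window limiter keyed on the fingerprint hash, not the IP."""

    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        current = now if now is not None else time.time()
        q = self.hits[key]
        while q and current - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(current)
        return True


def checkout_decision(cookies, fp, limiter, now=None):
    """Gate one checkout attempt; returns 'allow', 'challenge: ...' or 'block: ...'."""
    if not js_token_valid(cookies.get('js_token', ''), now=now):
        return 'block: missing or invalid JS cookie'
    reasons = fingerprint_inconsistencies(fp)
    if reasons:
        return 'challenge: ' + '; '.join(reasons)
    if not limiter.allow(fingerprint_hash(fp), now=now):
        return 'block: fingerprint rate limit'
    return 'allow'


# Constructed fingerprints for the demo.
HUMAN_FP = {'user_agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/122.0',
            'platform': 'MacIntel', 'webgl_renderer': 'Apple M1',
            'screen': [1440, 900], 'timezone': 'America/New_York', 'webdriver': False}
BOT_FP = dict(HUMAN_FP, user_agent='Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1',
              platform='Linux x86_64', webgl_renderer='Google SwiftShader')
DEMO_NOW = 1_700_000_000

if __name__ == '__main__':
    lim = FingerprintRateLimiter(limit=3, window=60)
    tok = issue_js_token(now=DEMO_NOW)
    print(checkout_decision({'js_token': tok}, HUMAN_FP, lim, now=DEMO_NOW))
    print(checkout_decision({'js_token': tok}, BOT_FP, lim, now=DEMO_NOW))
```

Inconsistent fingerprints get a challenge rather than a hard block because fingerprint heuristics do produce false positives (privacy browsers, unusual hardware); the hard blocks are reserved for the two objective conditions, no valid token and too many attempts from one fingerprint.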

Fix 5: Block Datacenter ASN Traffic

If you sell only to humans buying for themselves, you can simply block all traffic from major cloud providers — AWS, Google Cloud, Azure, DigitalOcean, OVH, Hetzner. Almost no legitimate retail customer browses your store from a datacenter. This blocks ~80% of programmatic traffic in one rule.

In Cloudflare: Security → WAF → Custom Rules → create a rule like:

Expression: `(ip.src.asnum in {16509 14618 8075 14061 16276})`, with the action set to Block.

Those ASNs map to AWS (16509 and 14618), Azure (8075), DigitalOcean (14061) and OVH (16276); Google Cloud's ASN is not in that list, so look it up and add it, along with any others you find in your logs.

Fix 6: Hide Your Real Origin IP

After you turn on Cloudflare proxying, attackers who know what they're doing can sometimes still find your underlying Shopify origin and bypass your protections by hitting it directly. Less of a concern on Shopify than on self-hosted (Shopify's origin is shared infrastructure) but worth knowing about.

When to Call Someone

DIY caps out around Fix 3 for most store owners. If you've turned on Cloudflare + Shopify bot protection + reCAPTCHA and you're still getting hammered, you probably need either:

  • A managed bot-mitigation service (DataDome, Kasada, PerimeterX) — these cost real money but handle the hard cases automatically.
  • A developer to investigate and write custom rules — what's the bot's fingerprint? What request pattern can we reject? Sometimes a single 5-line rule kills 90% of an active wave once you know what to look for.

What Not to Do

  • Don't block by IP alone. Modern bots cycle through tens of thousands of residential proxies. You'll never block them all and you'll catch real customers in the crossfire.
  • Don't rely on Shopify's default risk scoring. It's good for fraud-screening *successful* orders but doesn't stop the *attempts*.
  • Don't disable checkout entirely during an attack unless you have to — you're doing the bots' job for them. Try Cloudflare's Under Attack Mode first.
  • Don't ignore form spam thinking it's harmless. Bots that find an unprotected form one week start hitting your checkout the next.

Quick Audit: Are You Protected Right Now?

Run through this list:

  1. Is your custom domain proxied through Cloudflare? (DNS check: dig yourdomain.com should show Cloudflare IPs.)
  2. Is "Bot Fight Mode" on in Cloudflare? (Free toggle.)
  3. Is "Use bot protection" on in Shopify Checkout settings?
  4. Does your contact form have reCAPTCHA or Turnstile?
  5. Is your customer account creation requiring email verification?
  6. Have you reviewed your Shopify analytics in the last week for bot signals?

If you got "no" on more than two of those, you have low-hanging fruit to grab today.

Need Help Locking This Down?

If you're seeing an active attack and need someone to triage it fast, or you want a one-time hardening pass on your Shopify store so this stops being a recurring fire-drill, that's something I do. Most stores can be locked down in a single afternoon — Cloudflare config + Shopify settings + form captchas + a custom WAF rule for whatever pattern your specific bots are using. Reach out via the contact form.
