Bot Blocker

The Bot Blocker detects and blocks automated traffic including scrapers, spam bots, and other non-human visitors. It is configured within the VPN & Bot Blocker page alongside VPN blocking.

What Bots Do

Bots visiting your store can cause several problems:

  • Add items to cart without purchasing, creating abandoned cart spam.
  • Scrape prices and inventory for competitor monitoring.
  • Initiate fake checkouts that skew your analytics and may affect ad performance.
  • Test for vulnerabilities in your store.
  • Place small fraudulent orders to validate stolen card numbers (credit card testing).

Enabling Bot Protection

  1. Go to VPN & Bot Blocker from your dashboard.
  2. Enable the Bot Protection toggle.
  3. Optionally enable strict blocking for more aggressive detection.
  4. Click Save.

Protection Levels

Regular Mode (Default)

Standard detection thresholds that balance security with accessibility. This mode allows more borderline traffic through to minimize the chance of blocking real customers.

Strict Mode

Lower thresholds that catch more threats but may affect some legitimate users, particularly those on shared networks, mobile carriers, or networks with poor reputation.

Enable strict mode if you are experiencing a high volume of bot traffic and regular mode is not catching enough threats.

How Bot Detection Works

Bot detection uses a two-layer approach:

Layer 1: Cloudflare Bot Scoring

Cloudflare assigns a bot score to every request based on behavioral signals. This handles the majority of traffic:

  • Bot score 75+ with low threat — Definitely human, allowed through.
  • Bot score 50-74 with low threat — Likely human, allowed through.
  • Bot score 15-49 — Uncertain, passed to Layer 2 for deeper analysis.
  • Bot score under 15 — Likely bot, blocked without further checks.

Layer 2: ProxyCheck.io Analysis

For uncertain traffic, the app calls ProxyCheck.io to get a detailed risk assessment:

  • Risk score (0-100) — How likely the visitor is a threat.
  • Confidence (0-100) — How confident the service is in its assessment.
  • Type classification — VPN, Proxy, Hosting, Scraper, Compromised, or Residential.
  • Attack history — Whether the IP has been involved in previous attacks.

The risk score is compared against thresholds based on your protection level, with adjustments for detection confidence.

What Gets Blocked Immediately

Certain threats are blocked immediately regardless of your protection level:

  • Compromised servers — IPs identified as part of botnets.
  • Known scrapers with risk score 75 or higher.
  • IPs with attack history and confidence above 60%.
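
The two layers and the immediate-block rules above, composed into one decision function. This is an added example, not Kedra Shield's own code. The Layer 2 thresholds, the confidence adjustment, the field names, and the routing of a 50+ score without low threat are assumptions, because the page does not specify them; a missing Layer 2 verdict is allowed through, following the fail-open design described under Limitations.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed Layer 2 risk thresholds; the page does not publish the real values.
RISK_THRESHOLD = {"regular": 70, "strict": 50}
LOW_CONFIDENCE = 40         # assumed cut-off for a weak verdict
LOW_CONFIDENCE_MARGIN = 10  # assumed extra risk required before blocking on a weak verdict

@dataclass
class Layer2Result:
    """Fields the page lists for the ProxyCheck.io assessment (names are illustrative)."""
    risk: int             # 0-100
    confidence: int       # 0-100
    ip_type: str          # VPN, Proxy, Hosting, Scraper, Compromised or Residential
    attack_history: bool

def immediate_block(r: Layer2Result) -> Optional[str]:
    """Rules the page says apply regardless of protection level."""
    if r.ip_type == "Compromised":
        return "compromised server"
    if r.ip_type == "Scraper" and r.risk >= 75:
        return "known scraper"
    if r.attack_history and r.confidence > 60:
        return "attack history"
    return None

def decide(bot_score: int, low_threat: bool, mode: str = "regular",
           layer2: Optional[Layer2Result] = None) -> Tuple[str, str]:
    """Return (action, reason). layer2=None models a lookup that failed or timed out."""
    if bot_score < 15:
        return "block", "layer 1: likely bot"
    if bot_score >= 50 and low_threat:
        return "allow", "layer 1: human"
    # Scores 15-49 go to Layer 2. Assumption: so does 50+ without low threat,
    # a case the page leaves unspecified.
    if layer2 is None:
        return "allow", "fail-open: no layer 2 verdict"
    reason = immediate_block(layer2)
    if reason:
        return "block", "layer 2: " + reason
    threshold = RISK_THRESHOLD[mode]
    if layer2.confidence < LOW_CONFIDENCE:
        threshold += LOW_CONFIDENCE_MARGIN
    if layer2.risk >= threshold:
        return "block", "layer 2: risk over threshold"
    return "allow", "layer 2: risk under threshold"
```

Running the same Layer 2 result through both modes shows which borderline visitors strict mode starts blocking, which is a useful check before switching it on.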

Free Plan Limits

The Free plan allows up to 10 bot blocks. After the limit is reached, new bots will no longer be blocked. Previously blocked bots remain blocked.

Pro plans provide unlimited bot blocking.

Limitations

Ghost Sessions in Analytics

Bot visits may still appear in Shopify Analytics and Google Analytics, even when blocked. The session is recorded the moment the bot accesses your URL, before Kedra Shield can evaluate and block it. See How Blocking Works for a full explanation.

Fake Add-to-Carts and Initiated Checkouts

Kedra Shield intercepts cart and checkout requests and blocks them for detected bots. However, some sophisticated bots may trigger cart events before the security check completes (within the 3-second timeout window). This is a trade-off of the fail-open design that ensures legitimate customers are never locked out.

Rotating IPs

Some bots use rotating IP addresses or VPNs, making them appear as different visitors on each request. Enabling both bot blocking and VPN blocking together provides the best coverage against these threats.

For maximum bot protection, combine the bot blocker with:

Feature                 Why
VPN & Proxy Blocking    Catches bots hiding behind VPNs
Content Protection      Prevents scraping even if a bot gets through
ASN Blocker             Blocks entire cloud providers used by bot networks (e.g., AWS AS16509)
IP Blocker              Manually block specific IPs identified in your analytics

Next Steps