Why Blocked Visitors Still Appear in Analytics
This is the single most frequently asked question by Kedra Shield users. This page provides a full explanation.
The Short Answer
Shopify Analytics and Google Analytics record a session the moment someone accesses your store URL. Kedra Shield blocks the visitor immediately after, but the session has already been counted. The visitor was blocked and never actually browsed your store.
The Detailed Explanation
Here is what happens in order when a blocked visitor arrives:
- Visitor requests your store URL — The browser sends a request to Shopify’s servers.
- Shopify records the session — Shopify Analytics counts the visit. If Google Analytics is installed, it also fires and records the visit.
- Your store page begins loading — Shopify starts sending the page HTML, CSS, and JavaScript to the visitor’s browser.
- Kedra Shield scripts load — The app’s security scripts initialize as part of the page load.
- Visitor is evaluated — Kedra Shield checks the visitor’s IP, country, VPN status, and other signals.
- Visitor is blocked — A full-screen overlay replaces the page content. The visitor sees the block page and cannot interact with your store.
The key point is that steps 2 and 3 happen before steps 4, 5, and 6. By the time Kedra Shield can act, the analytics platforms have already counted the session.
What Blocked Visitors Can and Cannot Do
| Action | Blocked Visitor |
|---|---|
| Appear in Shopify Analytics | Yes — session is recorded before blocking |
| Appear in Google Analytics | Yes — same reason |
| View your products | No |
| Browse your store pages | No |
| Add items to cart | No — cart requests are intercepted and rejected |
| Complete a checkout | No — checkout requests are intercepted and rejected |
| See your product images | No |
| Copy your content | No |
The Security Guard Analogy
Think of it like a security guard at the entrance of a building. Security cameras record everyone who walks up to the door. The guard checks credentials and turns away unauthorized visitors. The camera logged their presence, but they never entered the building.
Kedra Shield is the guard — it stops unauthorized visitors. Shopify and Google Analytics are the cameras — they record everyone who shows up, including those who were turned away.
Can This Be Prevented?
Not by any Shopify storefront app. Completely preventing blocked sessions from being recorded would require blocking at the server level or network edge — before Shopify’s servers respond to the request. This is outside the control of any app that runs within Shopify’s storefront.
Server-level blocking is only possible with dedicated firewall services that sit between the visitor and Shopify’s servers, which is a fundamentally different architecture than a Shopify app.
How to Work Around It
Use Kedra Shield Analytics Instead
The Analytics page in your Kedra Shield dashboard provides accurate data that distinguishes between blocked and allowed visitors. Check the Blocked IPs tab for blocked visitor statistics and the Visitor Analytics tab for complete traffic data.
Filter in Google Analytics
In GA4, you can create segments or filters to exclude suspicious traffic based on country, referral source, or behavior patterns. This helps reduce the reporting impact of ghost sessions.
Focus on Conversion Metrics
Since blocked visitors cannot add to cart or complete a checkout, your conversion rates, add-to-cart rates, and revenue figures remain accurate. The inflated metric is primarily session count.
Next Steps
- Storefront vs Server Blocking — Understand the technical difference.
- Bot Detection Limits — What bots can and cannot be caught.
- Blocking Doesn’t Seem to Be Working — How to verify blocking is working.