Stop Bot Fraud and Fake Checkouts

If your store is experiencing fake add-to-carts, initiated checkouts that never complete, or credit card testing from bots, this guide walks you through the recommended setup.

Understanding the Problem

Bots targeting Shopify stores commonly:

Add items to cart repeatedly without purchasing, inflating abandoned cart metrics.
Initiate checkouts to test stolen credit card numbers.
Create fake sessions that skew your analytics and may affect ad performance.
Use rotating IPs and VPNs to avoid simple IP-based blocking.

These bots often originate from cloud hosting providers (AWS, Google Cloud) or specific ISPs, and frequently appear under VPN or proxy connections.

Step 1: Enable Bot and VPN Blocking

Go to VPN & Bot Blocker from your dashboard.
Enable VPN & Proxy Blocking.
Enable Bot Protection.
Keep “Allow business VPNs” on to avoid blocking corporate users.
If regular mode is not catching enough threats, enable “Enable strict blocking” for more aggressive detection.
Click Save.

Step 2: Enable Content Protection

Content protection makes it harder for scrapers and bots to extract data from your store.

Go to Content Protection from your dashboard.
Enable these toggles:
- Protect images
- Protect text content
- Disable right-click
- Disable copy
- Block developer tools
- Disable keyboard shortcuts

These settings take effect immediately.

Step 3: Enable Auto-Block Fraud IPs (Pro)

If you are on a Pro plan, you can automatically block IPs associated with high-risk fraud orders.

Go to Analytics > Fraud Orders.
Enable the Auto-Block Fraud IPs toggle.
Set the risk threshold — the default is 70%, which blocks IPs from orders scored as Critical or High risk. Lower the threshold to be more aggressive.

Step 4: Block Suspicious Network Providers (Pro)

If you identify specific network providers sending bot traffic (visible in your Analytics), you can block their entire network.

Go to ASN Blocker from your dashboard.
Click Add ASN Block.
Enter the ASN number (e.g., AS16509 for Amazon AWS, AS9009 for M247 Europe SRL).
Click Save.

Common ASNs associated with bot traffic:

ASN	Provider	Notes
AS16509	Amazon Web Services	Frequently used by bots and scrapers
AS15169	Google Cloud	Cloud-hosted automation
AS9009	M247 Europe SRL	Commonly flagged for bot activity
AS14061	DigitalOcean	Cloud hosting often used by bots

Step 5: Manually Block Known IPs

If you have identified specific IP addresses causing problems (from your Analytics or external tools like Microsoft Clarity):

Go to IP Blocker from your dashboard.
Click Create IP block.
Set Block type to Blacklist.
Enter the IP address(es).
For maximum coverage, use the IP range (CIDR) match condition to block an entire IP range instead of individual addresses.
Click Save.

Limitations to Be Aware Of

Ghost sessions in analytics

Bot visits may still appear in Shopify Analytics and Google Analytics even when blocked. The session is recorded before the block takes effect. See Blocking Doesn’t Seem to Be Working.

Fake add-to-carts during the timeout window

Kedra Shield intercepts cart and checkout requests, but uses a 3-second timeout to avoid locking out legitimate customers. Sophisticated bots may trigger cart events within this window. Combining bot blocking with VPN blocking and ASN blocking reduces this risk.

Rotating IPs

Some bots use rotating IP addresses, appearing as a new visitor each time. Bot detection and VPN detection are more effective than IP blocking for these cases, since they evaluate the connection type rather than the specific IP.

Recommended Configuration Summary

Feature	Setting
VPN & Proxy Blocking	Enabled
Bot Protection	Enabled (strict mode if needed)
Allow business VPNs	On
Content Protection	Enable all key toggles
Auto-Block Fraud IPs	Enabled, 70% threshold (Pro)
ASN Blocker	Block known bot providers (Pro)
IP Blocker	Block identified problem IPs

Next Steps

Bot Blocker — Full bot blocking documentation.
ASN Blocker — Block entire network providers.
Fraud Orders — Review and act on flagged orders.