Fake Accounts / Abandoned Checkout Bots

Hey everyone,

I’m having an ongoing issue with bots on my Shopify Plus store, and I’d appreciate any advice from others who’ve dealt with this. Bots are generating fake abandoned checkouts by abusing the cart URL scheme. They use links like /cart/{variant_id}:{quantity}

Bots are doing this:

  1. Add a product to cart
  2. Immediately go to the checkout page
  3. Fill in dummy customer info
  4. Close the site

As a result, Shopify logs this as an abandoned checkout, which:

  • Pollutes our checkout analytics
  • Triggers automated abandoned cart emails
  • Leads to fake accounts being created
  • Sends info to Klaviyo

THEY DO THAT EVERY MINUTE, SO FOR THE LAST FEW WEEKS I HAVE HAD THOUSANDS OF THOSE FAKE ACCOUNTS AND ABANDONS, AND SHOPIFY JUST TELLS ME THAT NOTHING IS POSSIBLE TO DO. As a PLUS member it’s very frustrating.

🛠️ What I’ve Tried:

  • Shopify Functions: Tried intercepting the checkout process, but it seems Shopify Functions only apply during checkout, not before it’s launched.
  • Frontend JavaScript traps: Honeypot fields and hidden inputs, but bots still bypass them.
  • Rate limiting / IP blocking: Looked into this via third-party tools but not easy to enforce reliably without affecting real users.
  • Bot detection scripts: Some improvement, but not stopping the bots from hitting /cart/... URLs.
  • Cart attribute flags like is_human, but it’s hard to verify at the right stage before checkout begins.
  • Web pixels: Set up tracking to analyze these events, but still looking for a prevention method, not just detection.

❓ What I’m Looking For:

  • Is there any way to intercept or block requests to /cart/... or checkout from non-humans?
  • Can we validate the cart before allowing someone to go to checkout (even if it’s not through the Shopify UI)?
  • Has anyone used Cloudflare, custom apps, or Shopify Checkout Extensions to solve a similar issue?

Any workaround, clever hack, or suggestion would be appreciated!

Thanks in advance 🙏

Hi @Edgar_Petrosyan

We’re investigating causes and strategies for combatting increased bot traffic. DMing you for more details.

With Shopify Plus you also have the option to enable Shopify’s native Bot Protection feature.

You can enable it in your Settings > Bot Protection section in your Shopify dashboard.

This method uses captcha verification on your checkout pages to help prevent credit card testing, automated purchasing or discount abandonment scraping.

The 60-minute limit is too short. They have been attacking me for days.


Good day.
My store admin.shopify.com/store/minipresso
The thing is right now I have enabled Armex Firewall App and replaced DNS A record from Shopify to their one. So if you enter the app and go to


you will see lots of blocked BOTS.

By the way, you can check how many abandoned checkouts I have; those are all coming from the bot attack. How did I know? I have added a fingerprint, a cart attribute set when adding a product to the cart: is_human: true. And I adjusted the Flow, which you can check, to delete the fake accounts.

What is not okay right now is that I am using a 3rd-party app with its 3rd-party configuration to check for bots, which I expect Shopify to do. As I get it, it works as a proxy server / forwarder.
And those guys did a really great job catching those bots, and it works.

But what could Shopify suggest?
As far as I know you already use Cloudflare for that reason, right? So do I have to use something like this, How Orange-to-Orange (O2O) works · Cloudflare for Platforms docs, to have more possibilities to add some rules or filter bots, etc.?
Well, I don’t know what to do. Hope you can help me.
I think you should be aware of this exact problem on https://community.shopify.com/c/shopify-discussions/shopify-bot-exploit-add-to-cart-abuse-is-corrupting-analytics/m-p/3054595

Tue, Jul 1, 2025 at 15:03, Liam Griffin via Shopify Developer Community Forums <notifications@shopifycommunity.discoursemail.com>:
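
The cart-attribute approach described in the post above, sketched as an added example (not code from the thread, from Shopify or from any app mentioned): it triages exported abandoned-checkout records by a missing is_human attribute, entry through a /cart/{variant_id}:{quantity} link, and bursts of unflagged checkouts. The record layout (`note_attributes`, `landing_site`, `created_at`), the sample data and the thresholds are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records; the field names are assumptions, not from the thread.
SAMPLE = [
    {"id": 1, "created_at": "2025-07-01T12:00:05+00:00",
     "landing_site": "/cart/1111:1", "note_attributes": []},
    {"id": 2, "created_at": "2025-07-01T12:01:10+00:00",
     "landing_site": "/cart/1111:1", "note_attributes": []},
    {"id": 3, "created_at": "2025-07-01T12:02:00+00:00",
     "landing_site": "/products/pump",
     "note_attributes": [{"name": "is_human", "value": "true"}]},
    {"id": 4, "created_at": "2025-07-01T12:02:30+00:00",
     "landing_site": "/cart/2222:3",
     "note_attributes": [{"name": "gift", "value": "yes"}]},
    {"id": 5, "created_at": "2025-07-01T18:40:00+00:00",
     "landing_site": "/", "note_attributes": []},
]

# Matches the /cart/{variant_id}:{quantity} link scheme named in the first post.
CART_PERMALINK = re.compile(r"^/cart/\d+:\d+")

def has_human_flag(checkout):
    """True when the storefront script attached the is_human cart attribute."""
    return any(a.get("name") == "is_human" and str(a.get("value")).lower() == "true"
               for a in checkout.get("note_attributes") or [])

def triage(checkouts, burst=3, window=timedelta(minutes=5)):
    """Map checkout id -> list of reasons it looks automated (empty = clean)."""
    times = [datetime.fromisoformat(c["created_at"])
             for c in checkouts if not has_human_flag(c)]
    report = {}
    for c in checkouts:
        reasons = []
        if not has_human_flag(c):
            reasons.append("missing_is_human")
            ts = datetime.fromisoformat(c["created_at"])
            # Count unflagged checkouts (including this one) close in time.
            if sum(1 for t in times if abs(t - ts) <= window) >= burst:
                reasons.append("burst")
        if CART_PERMALINK.match(c.get("landing_site") or ""):
            reasons.append("cart_permalink")
        report[c["id"]] = reasons
    return report

def likely_bots(checkouts):
    """Ids lacking the flag AND showing at least one corroborating signal."""
    return [cid for cid, r in triage(checkouts).items()
            if "missing_is_human" in r and len(r) > 1]
```

Because the attribute is set client-side, its absence is a signal rather than proof, which is why the sketch requires a second signal before listing a checkout for cleanup.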

Is it okay to write here? I don’t really get where the DM is?

I’ve just sent you a DM - only admins of the forum can start a DM conversation.