Malicious bots leaving hundreds of abondoned carts

Hi,

We are a UK business and have a real issue on our site with malicious bots testing credit cards from the USA on our site (shopify basic plan) and leaving abandoned checkouts for low value items. This has been going on for around 6 weeks and it looks like it is impacting out google ranking, therefore traffic and therefore sales have now significantly dropped. I have turned of automated abondoned cart emails as our mail is now getting identified as spam. I have tried a few things to combat this to no avail:

1. MIDA app - we didn’t see any impact from its bot protection
2. Melon minimum order quantity app - since they target low value items we set a minimum order value of £30 for all international orders, this seemed to pause activity for a while and then the abandoned carts started appearing again at sub £30 value.
3. Our current solution has been to put our low value items as out of stock, which stops the activity - but this is not a long term solution.

I have just been on the chat with shopify and am still none the wiser. I asked if i could add recaptcha to the checkout but this is not possible, though they said it would be possible to add recaptcha to the cart with some coding, then advised to come to the forum for help with this.

Have others been though this? / able to advise other solutions? / if coded recaptcha for cart themselves able advise if this helps and is worth doing? Please help

Simon

Hi Simon,

Really sorry to hear about this — what you’re describing is a classic card testing attack, and you’re right that it can quietly tank your search rankings (Google sees the bot spike, the bounce rate, the spam-flagged emails, and starts treating the site as low quality). Six weeks is a long time to be living with it.

A few thoughts on what you’ve already tried and what tends to actually work:

The reCAPTCHA-on-cart route Shopify suggested is hit-or-miss. Card testers often hit the checkout API directly and never load your cart page, so reCAPTCHA there can end up doing nothing while adding friction for real customers. I wouldn’t prioritise it.

A few things that tend to move the needle more:

1. In Settings > Checkout, consider enabling “Require the customer to log in to their account before checkout” (under Customer contact method). It often reduces low-effort bot attacks because it adds friction, but it won’t stop advanced attackers and may hurt conversion rates — so it’s a reasonable defensive move during an active attack rather than a permanent setting.

2. If you’re on Shopify Payments, the Fraud Control app lets you write checkout rules to block suspicious orders by IP, email, or address attributes before they become orders. Blunt but effective during an active attack. (If you’re not on Shopify Payments, this one won’t be available to you.

3. Check Google Search Console for any manual actions or security warnings. If your rankings have dropped, it’s worth confirming nothing’s been flagged there.

4. The pattern you described (low-value items, US traffic, abandoned checkouts) is exactly what IP intelligence catches — VPN/proxy detection plus repeat-offender tracking.

Now, the reason I’m writing; full disclosure, my team and I are building a Shopify store protection app called StoreGuard that’s specifically designed for this kind of attack (IP intelligence, VPN/proxy detection, customizable rules, checkout-time validation, manual review queue). We’re in development right now, working towards an App Store launch.

Your situation is exactly the kind of real-world case we want to learn from, and honestly your feedback would be incredibly valuable to us as we finalize the product. If you’d be open to it, we’d love to give you early access now and a lifetime-free Pro plan once we are ready to launch. No catch, no upsell, just our way of saying thanks for helping us build something that actually solves the problem you’re living with.

If that sounds useful, you can reach us through the contact form of our website or just reply here. Either way, hope the suggestions above help in the meantime.

Good luck — you’ll get past this.

Chris

Hi Chris,

Thanks for taking the time to reply. It seems that shopify help only goes so far and these forums are where the real problems get solved - I had wondered about what you mention re adding reCAPTCHA to the cart so thanks for clearing that up.

I’ll make sure to go through your other points and check those also.

From looking around the community forums I’d say there is a big demand for what you are offering - I’ll check out your website and carry on the conversation through your contact form.

Thank You

Simon