Ways to stop bots from attacking create account forms?

Community Feedback
1

I’m looking to add a reCaptcha to my form to stop bots but it seems like it’s not supported. I’ve looked into how to do it but it’s not working. Any suggestions. Heres the form code im talking about - Create account form.

{{ ‘customer.min.css’ | asset_url | stylesheet_tag }}

{%- form ‘create_customer’, novalidate: ‘novalidate’,class:‘bee-w-100’ -%}
{%- if form.errors -%}





{{ ‘customer.form.error_heading’ | t }}



{%- endif -%}


{{ ‘customer.register.first_name’ | t }}

<input class=“bee_frm_input”
type=“text”
name=“customer[first_name]”
id=“RegisterForm-FirstName”
{% if form.first_name %}value=“{{ form.first_name }}”{% endif %}
autocomplete=“given-name”
placeholder=“{{ ‘customer.register.first_name’ | t }}”
>



{{ ‘customer.register.last_name’ | t }}

<input class=“bee_frm_input”
type=“text”
name=“customer[last_name]”
id=“RegisterForm-LastName”
{% if form.last_name %}value=“{{ form.last_name }}”{% endif %}
autocomplete=“family-name”
placeholder=“{{ ‘customer.register.last_name’ | t }}”
>



{{ ‘customer.register.email’ | t }}

<input class=“bee_frm_input”
type=“email”
name=“customer[email]”
id=“RegisterForm-email”
{% if form.email %} value=“{{ form.email }}”{% endif %}
spellcheck=“false”
autocapitalize=“off”
autocomplete=“email”
aria-required=“true”
{% if form.errors contains ‘email’ %}
aria-invalid=“true”
aria-describedby=“RegisterForm-email-error”
{% endif %}
placeholder=“{{ ‘customer.register.email’ | t }}”
>

{%- if form.errors contains ‘email’ -%}




{{ form.errors.translated_fields[‘email’] | capitalize }} {{ form.errors.messages[‘email’] }}.

{%- endif -%}


{{ ‘customer.register.password’ | t }}

<input class=“bee_frm_input”
type=“password”
name=“customer[password]”
id=“RegisterForm-password”
aria-required=“true”
{% if form.errors contains ‘password’ %}
aria-invalid=“true”
aria-describedby=“RegisterForm-password-error”
{% endif %}
placeholder=“{{ ‘customer.register.password’ | t }}”
>

{%- if form.errors contains ‘password’ -%}




{{ form.errors.translated_fields[‘password’] | capitalize }} {{ form.errors.messages[‘password’] }}.

{%- endif -%}
{{ ‘customer.register.submit’ | t }}

<div class="bee-login-footer bee-login-btn bee-text-center"><span>{{ 'customer.register.have_account' | t }}</span><a class="bee-d-inline-block" href="{{ routes.account_login_url }}"> {{ 'customer.register.login_here' | t }}</a></div>

{%- endform -%}

{%- schema -%}
{
“name”: “Register”,
“tag”: “section”,
“class”: “bee-section bee-section-customers bee-container”,
“settings”: [
{
“type”: “range”,
“id”: “item_radius”,
“label”: “Button / input radius”,
“default”: 4,
“min”: 0,
“max”: 60,
“unit”: “px”
}
]
}
{% endschema %}

2

Do you have these settings enabled on the Online Store > Preferences page in Shopify admin?

image
image1133×288 42.4 KB

More info

3

I do, but yet it still won’t stop bots, any suggestions?

4

Not really - hCaptcha should be fine.

Try contacting Shopify support and see if they can do anything. Long shot. Maybe they can make the hCaptcha appear more frequently.

5

Just to play devils advocate - what’s the harm of these spam customer accounts?

Captchas can add friction to real good acting customers, is the cure worse than the disease?

If they’re trying to make test payments to test stolen credit card numbers, then you can switch to manual payment capture to remove this risk of chargebacks and the non-refundable transaction fees on fraudulent payments.

6

I just finished battling a bunch of bots on my store.

In my case, the only thing that actually worked was enforcing customer accounts at checkout. i.e. Require customers to sign in to their account before checkout.

image
image764×360 31.5 KB

We were getting bombarded with fake customers being created from the abandoned checkout flow built into Shopify.

And the harm for these customer accounts in my case was that certain apps charge you based on the number of subscribers in your store. So thousands of extra subscribers being added every month was pushing us into a new tier for these subscription plans.

Hopefully this helps someone else.

7

In my case, the only thing that actually worked was enforcing customer accounts at checkout. i.e. Require customers to sign in to their account before checkout.

And the harm for these customer accounts in my case was that certain apps charge you based on the number of subscribers in your store. So thousands of extra subscribers being added every month was pushing us into a new tier for these subscription plans.

I really hope the difference in loss of conversions is worth it vs these extra subscriptions.

Do these 3rd party apps only consider current active customers as part of their value metric to charge you more?

If so, you could potentially set up a Flow to automatically disable/delete these clearly spam accounts rather than adding additional friction to your real customers.