
Bot protection · 2026-05-23

Why apps can't stop the new Shopify bot wave (and what does)

A wave of bots with 18,000+ rotating IPs has been hitting Shopify stores since spring 2025. Most of the apps you'd install can't touch it. This post explains the architectural reason, and the one layer in the request that actually works.

On the Shopify Community forum in May 2025 a merchant posted that their store had 1,000 bot-created abandoned checkouts a day. They'd already installed Blockify. They'd already restricted countries. They'd already turned on Shopify's own checkout bot protection. Bots kept getting through. The thread is still active a year later — 20+ replies, more merchants showing up every month, the same story.

Then someone ran a log analysis. The bots were rotating through over 18,000 unique IPs in a single 48-hour window. The user-agent string changed every request. The browser headers looked real. The script ran during checkout itself, not on the storefront.

If you're reading this because the same thing is happening to your store, the short answer is: there's a specific reason every app you've tried doesn't catch it, and there's a specific layer that does. We built SOptim because most of the existing apps run too late in the request. This is the long answer.

Why doesn't IP blocking work anymore?

IP blocking works when bots come from a handful of IPs. The new wave doesn't.

Here's what 18,000 IPs means in practice. A merchant blocks an IP, the bot sees the block, the bot rotates to a different IP from the pool, the bot tries again. By the time you've banned 200 IPs by hand, the bot has used 17,800 fresh ones. The pool comes from residential proxy networks: real ISP addresses on consumer devices, resold through proxy SDKs bundled into free apps and browser extensions and, at the bottom of the market, through outright malware. Each individual IP is indistinguishable from a real shopper in Ohio. You can't bulk-ban the ASN either, because the ASN belongs to Comcast.

This is the structural shift. Until about 2023, bot operators used cheap datacentre proxies — easy to detect because their ASN belongs to OVH or Hetzner. Residential proxy services like Bright Data, Smartproxy, and the cheaper variants that sit a layer down have changed the economics. A merchant paying $20/month for an anti-bot app is fighting an attacker renting 18,000 IPs for $300/month and getting paid by an upstream operation laundering stolen cards.

What about apps like Blockify?

Blockify is good at what it does. Country blocks, IP rules, VPN flags, proxy detection. We compared the two apps in detail in Blockify vs SOptim. For the rotating-IP wave, though, none of those layers help.

Here's why. When a request hits your Shopify store, the order is roughly:

  1. DNS resolves and the connection hits Shopify's edge.
  2. Shopify's infrastructure decides which app code (theme, script tags, etc.) runs.
  3. Your theme renders, JavaScript loads, app embeds fire.
  4. The visitor adds to cart and clicks Checkout, leaving the storefront for the checkout page.
  5. Shopify's checkout (a protected area) runs server-side, accepts payment, and creates an order.

Apps like Blockify, Blocky, MIDA — they all run at step 3. Storefront JavaScript. App embeds. Custom Liquid. They're fast and they're flexible, but they can't see step 5. Blockify's own support team has said this publicly on their App Store reviews: "On Shopify, the checkout page is a protected area, meaning no third-party app (including Blockify) can fully prevent visitors or bots from entering checkout."

That's not a knock on Blockify. It's an architectural fact about Shopify. For the bot wave we're talking about, the bot script doesn't bother with step 3 at all. It posts straight to the checkout endpoint. Storefront-level blocking never gets a turn.

The one layer that actually blocks them

In 2023 Shopify shipped a primitive called Functions: server-side WebAssembly modules that run inside Shopify's own infrastructure, with explicit targets such as cart.validations.generate.run that fire during checkout. A Validation Function receives the cart (line items, buyer identity, cart attributes set by your theme extension), shop metafields and localisation data, and either allows the checkout or refuses it with a message the buyer sees. It runs deterministically: no network access, no clock, and no view of raw request headers such as the client IP or user agent. Whatever it decides on has to arrive in that input.

This is step 5. The protected area. Third-party JavaScript can't touch it, but a Validation Function can, because the Function runs inside Shopify, not alongside it.

Why can't this be bypassed the same way? Because the Function runs whether or not the bot loaded anything from the storefront. The bot can rotate IPs all it wants; the Function sees the cart inside Shopify's checkout flow and decides. The bot can fake headers all it wants; the Function doesn't read headers, it reads attributes your theme extension set during the session, including a behaviour score and a fingerprint hash that can't be produced without actually running a real browser. A script that posts straight to checkout arrives with none of them, which is itself grounds to refuse. One caveat for anyone building on this: cart attributes can be written by any client through the storefront cart API, so the Function must only trust a score that carries a signature the client can't forge, bound to the cart it was issued for. An unsigned score is just another header.
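The shape of such a Function, as an added example that is not SOptim's code or Shopify's sample code. It assumes the Cart and Checkout Validation Function API input and output shapes (an aliased `attribute` query and a `shop.metafield` on the input side; one `validationAdd` operation targeting `$.cart` to refuse, an empty `operations` list to allow), and hypothetical names for the attribute (`_bot_verdict`), the metafield (`$app:antibot/hmac_key`) and the pass threshold. Shopify's JavaScript Functions compile through Javy, which offers no network, no clock and no Node crypto, so the HMAC-SHA256 used to check the token is implemented inline. `issueVerdict` stands in for whatever backend produced the behaviour score; the sample cart and secret at the bottom are constructed for the demonstration.

```javascript
// Added example (not SOptim's or Shopify's code): verdict-token verification for a
// cart.validations.generate.run Function, with the issuer that signs the token.
// Plain JavaScript so it runs under Node here and under Shopify's Javy runtime, which
// has no network, no clock and no Node crypto; hence the inline SHA-256/HMAC.
// Hypothetical names throughout. Assumed input query (ASCII-only values):
//   query Input {
//     cart { verdict: attribute(key: "_bot_verdict") { value }
//            lines { quantity merchandise { ... on ProductVariant { id } } } }
//     shop { secret: metafield(namespace: "$app:antibot", key: "hmac_key") { value } } }
// Anyone can write cart attributes via /cart/update.js, so the score counts only when its
// HMAC (keyed by a secret the browser never sees) verifies; the MAC also covers the line set.

const K = new Uint32Array([
  0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
  0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
  0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
  0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
  0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
  0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
  0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2]);
const ascii = (s) => Uint8Array.from(s, (c) => c.charCodeAt(0) & 0xff);
const hex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
const concat = (a, b) => { const c = new Uint8Array(a.length + b.length); c.set(a); c.set(b, a.length); return c; };
const rotr = (x, n) => (x >>> n) | (x << (32 - n));

function sha256(bytes) { // FIPS 180-4; message length assumed below 2^29 bytes
  const H = new Uint32Array([0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]);
  const padded = new Uint8Array(Math.ceil((bytes.length + 9) / 64) * 64);
  padded.set(bytes);
  padded[bytes.length] = 0x80;
  new DataView(padded.buffer).setUint32(padded.length - 4, bytes.length * 8);
  const W = new Uint32Array(64);
  for (let off = 0; off < padded.length; off += 64) {
    const dv = new DataView(padded.buffer, off, 64);
    for (let i = 0; i < 16; i++) W[i] = dv.getUint32(i * 4);
    for (let i = 16; i < 64; i++) {
      const s0 = rotr(W[i - 15], 7) ^ rotr(W[i - 15], 18) ^ (W[i - 15] >>> 3);
      const s1 = rotr(W[i - 2], 17) ^ rotr(W[i - 2], 19) ^ (W[i - 2] >>> 10);
      W[i] = W[i - 16] + s0 + W[i - 7] + s1; // Uint32Array store wraps mod 2^32
    }
    let [a, b, c, d, e, f, g, h] = H;
    for (let i = 0; i < 64; i++) {
      const t1 = h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + W[i];
      const t2 = (rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c));
      h = g; g = f; f = e; e = (d + t1) >>> 0; d = c; c = b; b = a; a = (t1 + t2) >>> 0;
    }
    H[0] += a; H[1] += b; H[2] += c; H[3] += d; H[4] += e; H[5] += f; H[6] += g; H[7] += h;
  }
  const out = new Uint8Array(32);
  H.forEach((w, i) => new DataView(out.buffer).setUint32(i * 4, w));
  return out;
}

function hmacSha256(key, msg) { // RFC 2104 with a 64-byte block
  const block = new Uint8Array(64);
  block.set(key.length > 64 ? sha256(key) : key);
  const inner = sha256(concat(block.map((b) => b ^ 0x36), msg));
  return sha256(concat(block.map((b) => b ^ 0x5c), inner));
}

const MIN_SCORE = 40; // hypothetical pass mark on a 0-100 behaviour score
const UNVERIFIED = "Checkout could not be verified. Please reload the store and try again.";
// Canonical form of the line set, so a token is bound to what is actually being bought.
const lineKey = (lines) => lines.map((l) => `${l.merchandise.id}x${l.quantity}`).sort().join("|");

// Issuer side: runs on the scoring backend, the only place that holds the secret.
function issueVerdict(secret, score, nonce, lines) {
  const body = `v1.${score}.${nonce}`;
  return `${body}.${hex(hmacSha256(ascii(secret), ascii(`${body}.${lineKey(lines)}`)))}`;
}

function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.min(a.length, b.length); i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Function side. Add `export` when building with the Shopify CLI (the export name is
// configured in shopify.extension.toml). An empty operations list allows the checkout.
function cartValidationsGenerateRun(input) {
  const refuse = (message) => ({ operations: [{ validationAdd: { errors: [{ message, target: "$.cart" }] } }] });
  const secret = input.shop.secret && input.shop.secret.value;
  if (!secret) return { operations: [] }; // no key configured: fail open rather than refuse every sale
  const raw = input.cart.verdict && input.cart.verdict.value;
  if (!raw) return refuse(UNVERIFIED); // scripts that post straight to checkout land here
  const parts = raw.split(".");
  if (parts.length !== 4 || parts[0] !== "v1") return refuse(UNVERIFIED);
  const [, scoreStr, nonce, sig] = parts;
  const expected = hex(hmacSha256(ascii(secret), ascii(`v1.${scoreStr}.${nonce}.${lineKey(input.cart.lines)}`)));
  if (!constantTimeEqual(sig, expected)) return refuse(UNVERIFIED); // forged, or replayed on a different cart
  const score = Number(scoreStr);
  if (!Number.isInteger(score) || score < MIN_SCORE) return refuse("We couldn't complete this checkout.");
  return { operations: [] };
}

// Constructed sample: one cart, a signed verdict, and the same token with its score tampered.
const SAMPLE_SECRET = "constructed-test-secret";
const SAMPLE_LINES = [{ quantity: 1, merchandise: { id: "gid://shopify/ProductVariant/1" } }];
const sampleInput = (verdict, lines = SAMPLE_LINES) =>
  ({ cart: { verdict: verdict === null ? null : { value: verdict }, lines }, shop: { secret: { value: SAMPLE_SECRET } } });
const SAMPLE_TOKEN = issueVerdict(SAMPLE_SECRET, 85, "7f3a", SAMPLE_LINES);
console.log(cartValidationsGenerateRun(sampleInput(SAMPLE_TOKEN)).operations.length === 0 ? "allowed" : "refused");
console.log(cartValidationsGenerateRun(sampleInput(SAMPLE_TOKEN.replace("v1.85.", "v1.95."))).operations.length === 0 ? "allowed" : "refused");
```

Two design points worth stating. With no clock inside the Function, a valid token for the same line set can be replayed until the shop rotates the key, so the issuer should rate-limit how many tokens it signs per fingerprint and the key in the metafield should be rotated on a schedule; binding the MAC to the line set at least stops one captured token from covering arbitrary carts. The fail-open branch on a missing key is deliberate: a misconfigured app must not refuse every sale, but it should be loud about the missing key in the app's own dashboard.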

What we built at SOptim

SOptim's checkout layer is a Validation Function paired with a theme extension that collects signals during the session. Three things it does that storefront-only apps can't:

Server-side checkout block. The Validation Function refuses the checkout based on the behaviour score, heavy fingerprint hash, custom rules, and a cross-shop reputation lookup (which, because a Function has no network access, is resolved before checkout and carried in as an attribute or metafield value). The buyer sees a message you control. No abandoned-checkout junk hits your funnel because the cart never reaches Shopify's order pipeline.

Klaviyo auto-strip. If a session looks like a bot, SOptim tags the customer record before Klaviyo's sync runs. Bot accounts never enter your welcome flow, abandoned-cart flow, or any other automation. We cover this end-to-end in how to protect Klaviyo from Shopify bot accounts.

Account auto-delete. Bots increasingly create real-looking Shopify accounts to bypass guest-checkout rules. Our customer-creation webhook scores each new account on the same signals — empty first name, suspicious address patterns, IP velocity — and deletes the obvious fakes within seconds, before Klaviyo or any other downstream sync notices. Several merchants in the bot crisis thread were doing this by hand with Shopify Flow; we automated it.

It's free up to 50 checkout blocks per month, 5 country rules, 10 IP rules, and unlimited storefront audits. Install on Shopify — no credit card.

What this won't fix

Two honest limits.

If the bot is hitting the homepage and the product page but never reaching checkout (a scraper, or a script padding session counts for ad-fraud reasons), the Validation Function doesn't fire. Storefront-level blocking still has its place there, and SOptim has it too — country, IP, VPN, proxy, TOR — but it's not the headline value. We cover the analytics-corruption side specifically in your Shopify analytics are lying to you.

If the attacker is using a real browser (Selenium-driven Chrome with a residential proxy and a paid CAPTCHA-solver), the behaviour score will sit closer to a human's than a pure script's, but it is still flagged most of the time. No bot defence catches 100%; the realistic number is somewhere between 95% and 99% of the cheap stuff and a smaller fraction of bespoke campaigns. Anyone promising 100% is selling something.

FAQ

Can a VPN bypass SOptim?

VPN traffic still hits Shopify the same way regular traffic does. The Validation Function inspects the cart and the session signals at checkout regardless of where the IP routes through. It is the behaviour score and fingerprint hash that catch a card-tester, not the IP. A real customer behind a corporate VPN passes; a scripted session over a residential proxy doesn't.

Does this work for card testing specifically?

Yes. Card-testing bots reach Shopify checkout with stolen card numbers, run thousands of tiny authorisations to find out which cards are still live, and walk away. The Validation Function refuses the checkout before the auth request leaves Shopify. No failed-card noise in your orders, and no chargebacks from the few authorisations that would otherwise have succeeded.

What happens to my analytics data?

Sessions the Validation Function refuses are tagged in SOptim's dashboard. They still appear in Shopify's session count because Shopify counts the page load. To strip them from GA4 or Google Ads, route tagged sessions to a Bot Sessions audience and exclude. Scale tier handles this automatically for Klaviyo.

Is there a free plan?

Yes. 50 checkout blocks/month, 5 country rules, 10 IP rules, 500 visitor records, unlimited audits. No credit card. Most stores see the value within the first quota cycle and either stay on Free or upgrade to Grow at $19/month for 500 blocks and full VPN/Proxy/TOR detection.

Does it work with Klaviyo?

Klaviyo deep integration is on the Scale tier ($49/month). It auto-strips bot sessions from abandoned-cart flows and tags fake accounts so welcome flows skip them. Install Klaviyo, paste your API key, done.

Try SOptim free

50 checkout blocks/month, 5 country rules, 10 IP rules, unlimited audits. No credit card. If the bot wave is hitting your store today, install now and the Validation Function starts protecting your checkout within five minutes of the theme activation.
