How to stop bots from adding products to cart on Shopify

Jul 10, 2025

If you’re running a Shopify store, you’ve likely noticed suspicious abandoned checkouts or unusual spikes in cart activity. While some cart abandonment is natural, a growing number of merchants are reporting waves of fake carts caused not by hesitant customers but by bots. 

In this article, we explain how bots work, why common tools often fail, and how to create a working bot prevention solution for your Shopify store. 

Shopify bot problem: fake add-to-cart actions corrupt analytics 

Across Shopify forums, merchants are raising concerns about bots that generate dozens or even hundreds of abandoned carts. These automated scripts mimic human behavior to interact with your site — from product pages to checkout. The result? Corrupt analytics, misfired email campaigns, and wasted time analyzing fake leads. 

If your abandoned cart rate has spiked without an obvious reason, or if you’re seeing a surge in new sessions with no conversions, you may be under a bot attack. In some cases, reviewing your ecommerce web design and user flow helps identify where to apply Shopify bot protection most effectively. 

How bots imitate real users and bypass basic Shopify protections 

Modern bots are designed to act like real users, not just in how they click and navigate, but in how they structure their requests. This makes it difficult to detect and block them using basic protection tools. They spoof browser headers, use realistic referrer links, and even rotate IP addresses to avoid blacklisting. Worse, they can exploit open Shopify endpoints to interact with your storefront programmatically.

If you’re unsure what bot protection is beyond basic CAPTCHA or IP blocking, think of it as a layered approach: filtering suspicious behavior at both frontend and backend levels, including request frequency, user-agent anomalies, and API abuse. 

Fake headers, referrers, and user agents 

Bots often use realistic headers and referrers to trick detection systems. For instance, they’ll send a request with a browser-like user agent such as: 

  Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36

They even spoof traffic sources using referrer URLs like real product pages. This makes it difficult for Shopify’s built-in systems or traditional filters to detect them. 

This is where proper website bot protection comes in — it needs to analyze more than just headers. 

Auto-generated emails from popular providers 

These bots don’t just interact with your frontend. They often go as far as creating fake checkout events with synthetic emails like: 

  • adams.127@gmail.com
  • martinez198davis@outlook.com
  • lewis193moore@yahoo.com
  • adams.135@aol.com 

These fake entries make your abandoned cart emails useless and damage your sender reputation. If you’ve been wondering how to stop spam bots on your website, this is one of the most harmful consequences.
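One way to monitor for the email pattern above, as an added example that is not code from the article: it reduces each address to a structural "shape" and flags shapes that repeat across a batch of abandoned checkouts. The function names, the `min_cluster` threshold and every sample address other than the four listed above are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Free mailbox providers that appear in the article's fake checkouts.
FREE_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "aol.com"}

# Constructed sample batch: the article's four addresses plus invented
# legitimate-looking ones for contrast.
SAMPLE_EMAILS = [
    "adams.127@gmail.com", "martinez198davis@outlook.com",
    "lewis193moore@yahoo.com", "adams.135@aol.com",
    "jane.doe@gmail.com", "mike1985@yahoo.com",
    "k.olsen22@outlook.com", "orders@example-store.test",
]

def local_shape(email):
    """Reduce the local part to its structure: each letter run becomes 'a',
    each digit becomes 'd'. 'adams.127' -> 'a.ddd', 'lewis193moore' -> 'addda'."""
    local = email.lower().split("@", 1)[0]
    return re.sub(r"\d", "d", re.sub(r"[a-z]+", "a", local))

def flag_synthetic(emails, min_cluster=2):
    """Return addresses at a free provider whose letter+digit shape is shared
    by at least min_cluster checkouts in the batch (one time window)."""
    clusters = defaultdict(list)
    for email in emails:
        domain = email.lower().rsplit("@", 1)[-1]
        shape = local_shape(email)
        if domain in FREE_PROVIDERS and "a" in shape and "d" in shape:
            clusters[shape].append(email)
    flagged = [e for group in clusters.values()
               if len(group) >= min_cluster for e in group]
    return sorted(flagged)

if __name__ == "__main__":
    for address in flag_synthetic(SAMPLE_EMAILS):
        print("suppress from abandoned-cart flow:", address)
```

A single address such as `mike1985@yahoo.com` is not flagged on its own; only a repeated shape within the same window is, so raise `min_cluster` for stores with higher checkout volume.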

IP rotation and abuse of Shopify APIs 

Sophisticated bots rotate IP addresses using proxy networks and abuse Shopify’s public APIs like: 

  • /cart/add.js
  • /checkout
  • /cart/change

They simulate real shopping actions at scale, which allows them to bypass most shop protector apps.  

Why built-in Shopify bot protection tools were not enough 

One of the most common solutions is to install one of the bot detection applications that can be found in the marketplace; however, they didn’t help in this case for our client. These tools couldn’t detect the deeper API-level abuse. Despite multiple installations and trials, fake abandoned carts continued. This is a common issue: many apps only work on the visible front-end (not API endpoints), and can’t handle bots that rotate user agents or operate from cloud server farms.

If your store runs on custom flows or third-party scripts, you’ll need a more tailored fix. That’s where Shopify app development helps, adding backend logic to block bots effectively. 

Case study: custom Shopify bot protection setup using Cloudflare WAF 

When app-based solutions failed, we set up Cloudflare Web Application Firewall (WAF) for our client. While Shopify already uses Cloudflare on a platform level, you’ll need a full external setup to gain control over traffic filtering. 

Step 1 – Enabling “Under Attack” mode (short-term relief) 

We then decided to use Cloudflare as the Web Application Firewall. Shopify already uses Cloudflare to provide users with performance and security benefits, but the WAF requires a full Cloudflare setup; reach out to us if you need help with it. 

To mitigate the issue, we set up a Cloudflare account for our client and enabled Under Attack mode. This helped and eliminated the activity, but it also affected other parts of the site, such as Google Ads and the user experience. 

Step 2 – Creating custom rules to allow only known bots 

After the initial traffic filtering, we needed a more selective approach. The goal was to let legitimate bots, like Googlebot and Bingbot, continue crawling the site while blocking malicious automation. 

Inside Cloudflare, we created a Security Rule that targets verified bot categories. Here’s how to configure it: 

  • Go to Security → WAF → Custom Rules
  • Choose Known Bot Categories from the filter options
  • Set the action to Skip
  • Apply this rule to All Remaining Rules 

This configuration helps prevent overblocking and ensures that SEO bots don’t get caught in your bot protection solutions. It’s one of the most important rules to implement early on, especially if your traffic depends on search engines or affiliate crawlers.

Step 3 – Using managed challenge for remaining traffic 

The second rule we set up enables Managed Challenge for all site pages (it can be adjusted so that only certain pages are protected). 

The combination of these two rules allows known bots to access the site and eliminates the bots producing Shopify abandoned carts. 

The drawback is that real users may see an intermediate Cloudflare check while accessing site pages. 
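The two rules from Steps 2 and 3, written as the body of a Cloudflare Rulesets API request, as an added example (not the configuration used for the client). It assumes `cf.client.bot` is the field behind the known-bots filter chosen in the dashboard; the function names and rule descriptions are illustrative, and nothing is sent over the network.

```python
import json

# Endpoints the article lists as abused; optional scope for the challenge rule.
PROTECTED_PATHS = ["/cart/add.js", "/cart/change", "/checkout"]

def build_custom_rules(paths=None):
    """Rules for the http_request_firewall_custom phase, in evaluation order."""
    if paths:
        quoted = " ".join(f'"{p}"' for p in paths)
        challenge_expr = f"(http.request.uri.path in {{{quoted}}})"
    else:
        challenge_expr = "true"  # every request, as in Step 3
    return [
        {   # Step 2: known bots skip all remaining custom rules
            "description": "Allow known bots",
            "expression": "(cf.client.bot)",
            "action": "skip",
            "action_parameters": {"ruleset": "current"},
        },
        {   # Step 3: everything else receives a managed challenge
            "description": "Challenge remaining traffic",
            "expression": challenge_expr,
            "action": "managed_challenge",
        },
    ]

def check_order(rules):
    """Rules run top to bottom, so the skip rule must come before the first
    challenge rule; otherwise search crawlers are challenged too."""
    actions = [r["action"] for r in rules]
    first_challenge = next(
        (i for i, a in enumerate(actions) if a == "managed_challenge"),
        len(actions),
    )
    return "skip" in actions[:first_challenge]

def api_body(rules):
    """JSON body for a PUT to the zone's custom-rules phase entrypoint.
    A PUT replaces every existing custom rule in that phase."""
    if not check_order(rules):
        raise ValueError("skip rule must precede the challenge rule")
    return json.dumps({"rules": rules}, indent=2)

if __name__ == "__main__":
    print(api_body(build_custom_rules()))
```

If the challenge is scoped to `/cart/add.js` alone, the storefront's background request receives the challenge page instead of JSON unless the visitor already holds clearance from a challenged page view, so test any path-scoped variant on the live theme.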

Conclusion: Shopify bot protection best practices 

If you’re dealing with fake carts, corrupted analytics, and email spam, it’s time to act. Here are our key tips: 

  • Use Cloudflare WAF with custom rules, not just Shopify plugins. 
  • Allow known bots and challenge unknown traffic. 
  • Monitor email patterns for signs of automation. 
  • Protect critical endpoints like /cart/add.js and /checkout. 
  • Avoid blocking all bots; SEO still matters. 

Not sure where to start? At Deveit, we’ve helped multiple Shopify stores stop bot activity, clean up their analytics, and get back on track. Our Shopify web developers are here to help you implement real solutions. Let’s chat, we’ll help you build a long-term strategy. 
