How to Block Checkout Bots on Shopify Drops
Checkout bots empty Shopify drops in seconds. What Shopify covers natively, how bots actually work, and how to block datacenter ASNs and headless browsers.
On this page
TL;DR: Checkout bots win drops with rented datacenter servers, product monitors polling every few seconds, and proxy pools that make one operator look like hundreds of buyers. Shopify's strongest native bot protections at checkout are a Plus feature, so most merchants have little platform-level control. A traffic-level blocker works earlier in the funnel: block datacenter ASNs, catch polling velocity and headless browsers, and (on the edge tier) refuse raw HTTP clients that never run JavaScript. That removes the casual bot majority before checkout even loads.
If you run limited releases, you have watched this happen: the drop goes live, inventory reads zero within a minute, and the orders belong to a handful of operators, not the community you built the release for. This post explains how checkout bots actually work, what Shopify covers natively, and what you can enforce yourself at the traffic level before the next drop.
What a botted drop looks like
The damage from a botted drop is bigger than lost sales, because the sales were not lost. The units sold. Everything else broke:
- Inventory is gone in seconds, often before real customers finish typing a shipping address.
- Real fans get nothing. The people who follow your releases, joined the email list, and set alarms walk away empty-handed, again.
- The support inbox melts. "Was the drop real?" "Did you hold stock back?" "Why do bots always win?" Every botted release generates a wave of tickets and public accusations.
- Resellers flip your product at markup, and your brand absorbs the resentment for a price you never set. The customer's relationship shifts from your store to an aftermarket you do not control.
One botted drop is annoying. A pattern of them trains your actual customers to stop showing up.
How checkout bots work
Knowing the machinery matters, because each component is a thing you can detect. A drop bot is not one program; it is a pipeline.
| Component | What it does | Detectable signal |
|---|---|---|
| Product monitor | Polls endpoints like /products.json every few seconds to spot the drop the instant it is live | Request velocity far above human browsing |
| Automation engine | Headless browser or raw HTTP requests that add to cart and fill checkout without rendering a page | Headless markers, or no JavaScript execution at all |
| Datacenter servers | Rented compute (often hosted close to Shopify's own infrastructure) for minimum latency | Hosting-provider ASN instead of a consumer ISP |
| Proxy pool | Thousands of rotating IPs so one operator looks like many independent buyers | Proxy and VPN detection, shared network fingerprints |
| Spoofed identity | User agents claiming to be a normal browser, or even Googlebot, to slip past naive filters | Network-level verification the spoof cannot pass |
Two things follow from this table. First, speed is the bot's whole advantage, which is why they pay for datacenter hosting instead of running from home. Second, every speed optimization leaves a network-level fingerprint. The same infrastructure shows up when scrapers clone your product catalog, because monitors and scrapers are often the same tools.
What Shopify provides natively
Shopify is not blind to this. The platform applies rate limiting and standard throttling to abusive request patterns, and Shopify has built platform-level bot protections for checkout. The accurate but uncomfortable detail: most of the anti-bot capability at checkout itself is a Shopify Plus feature. Plus merchants can enable stronger protections on the checkout surface; merchants on standard plans mostly cannot, and checkout is not a surface apps are allowed to modify directly.
That is not a criticism of the platform. Checkout is the most sensitive path in commerce and Shopify guards who can touch it (the developer docs at shopify.dev describe how constrained that surface is). But it means a standard-plan merchant running hyped releases has close to no native control over bots at the moment of purchase. Whatever you do has to happen earlier.
What a traffic-level blocker adds before checkout
The good news: earlier is a better place to fight. A bot that never reaches your product page never races your customers at checkout. This is where a traffic-level blocker like Cordon operates, and each layer maps to a component from the table above.
Datacenter ASN blocking kills the servers. Bots rent speed from hosting providers, and hosting providers own identifiable network ranges. Blocking datacenter networks like AWS, Alibaba, Tencent, and Huawei Cloud (Cordon Pro, $49/mo and up) removes the entire hosting advantage in one rule. If you have never blocked by network before, here is how ASN blocking works. You can also block any specific ASN you see misbehaving, on any paid plan.
Request-velocity detection catches the monitors. A human checks a product page a few times an hour. A monitor polls it every few seconds for days. Velocity detection flags that cadence regardless of how well the bot disguises its user agent.
Headless markers catch browser automation. Automation frameworks driving headless browsers leave fingerprints that real browsers do not. Cordon's bot detection combines user-agent fingerprinting with those headless markers and blocks only confirmed automation, so in-app browsers and unusual real devices pass. More on separating bot traffic from human traffic in our guide to spotting bot traffic on Shopify.
Spoofed-crawler detection closes the Googlebot costume trick. Some bots present themselves as Googlebot, betting that no merchant dares block Google. Cordon verifies search engines at the network level with reverse DNS, so real Google and Bing crawlers are always allowed (they cannot be blocked at all), and impostors claiming the name from a proxy IP fail verification and get treated as the bots they are.
The edge worker refuses clients that never run JavaScript. The fastest bots skip the browser entirely and speak raw HTTP. Any detection that depends on a script loading in a page cannot see them. On the Plus plan ($99/mo), Cordon's Cloudflare edge worker enforces decisions at the network edge before your store responds, which is the only place raw HTTP bots are catchable. Plus also includes an anti-scraping decoy mode that feeds detected scrapers fake data instead of a block page, so monitors mapping your catalog stop trusting what they collect.
All of this runs in the request path at sub-50ms per decision and fails open if anything is down, so a detection outage can never take your drop down with it.
Prepare your next drop: a checklist
Do this in the days before the release, not the morning of.
- Enable the Anti-scraper preset several days early. Cordon ships quick presets (Block China, Anti-scraper, Strict mode); Anti-scraper turns on the velocity and automation layers. Enabling early means monitors watching your store get identified before drop day, and you have time to review what got flagged.
- Turn on datacenter blocking (Pro and up). This is the single highest-value rule for a drop. Legitimate buyers do not shop from an AWS instance.
- Allowlist your own tools. Your fulfillment software, agency monitors, uptime checks, and any launch tooling may run from datacenter IPs. Add them as allow rules; allow rules always win over block rules, so aggressive blocking stays safe.
- Watch the visitor log during the drop. Cordon's live visitor log shows country, ASN, and the rule that fired for every visitor (IPs are SHA-256 hashed with a daily-rotating salt, so the log is GDPR-safe). If one network keeps appearing at the perimeter, block that ASN on the spot.
- Review after the drop. Check which rules fired most, tighten what leaked through, and keep the configuration for next time. Drop defense compounds: the second protected release is smoother than the first.
Plan details for each layer are on the pricing page.
Honest limits: this is an arms race
Top-tier bots exist that run full real browsers on clean residential proxies, solve challenges, type at human speed, and randomize their behavior. Against a well-funded operator using those, network-level detection alone will not catch every attempt, and any vendor claiming 100 percent is selling something. Two things are still true. First, that tier is expensive to run, so it targets high-resale releases; raising the cost per checkout shrinks how many operators bother with your store. Second, the majority of bot pressure on most drops is not that tier. It is rented scripts on datacenter IPs with default settings, and that majority is exactly what the layers above remove. The realistic goal is not zero bots. It is a drop where most of the inventory lands with humans.
Frequently asked questions
Can regular Shopify stores block checkout bots without Shopify Plus?
Yes, at the traffic level. Most of Shopify's own anti-bot capability at checkout is a Plus feature, but any store can block the infrastructure bots run on before they reach checkout: datacenter networks, headless browsers, proxy services, and high-velocity request patterns.
How do sneaker bots buy out a drop so fast?
They monitor product endpoints like /products.json every few seconds, run from rented datacenter servers close to Shopify's infrastructure for low latency, and check out through pools of proxies so each purchase looks like a different buyer. The whole path is automated, so they finish in seconds.
Will blocking datacenter traffic hurt Google crawling or SEO?
No. Cordon always allows verified search engines like Google and Bing, and verification is network-level using reverse DNS, so they cannot be blocked even by a strict configuration. Bots pretending to be Googlebot fail that verification and get caught.
What does the Cloudflare edge worker on the Plus plan add for drops?
It enforces blocking at the network edge before your store responds, which stops raw HTTP bots that never load a page or run JavaScript at all. Storefront-level detection cannot see those clients; the edge can.
Will a bot blocker stop every sneaker bot?
No. Top-tier bots on residential proxies mimicking human behavior are an arms race, and no vendor honestly claims 100 percent. Layered detection removes the casual majority and raises the cost of the rest, which is what shifts inventory back to real customers.
If your last release was gone before real customers loaded the page, set up the perimeter before the next one. Cordon is on the Shopify App Store with a 7-day free trial on paid plans, which is enough time to run a protected drop and watch in the visitor log who got stopped at the door.