Cordon

How to Block a Country on Shopify (2026 Guide)

Shopify has no built-in visitor-level country block. Here are three ways to block a country on Shopify, from liquid hacks to edge-level blocking apps.

Bas Lefeber7 min read
Diagram: visitors from China and Russia stop at the Cordon perimeter while a Dutch customer passes through to the storefront
On this page

TL;DR: Shopify has no built-in way to block visitors from a country. Shopify Markets controls where you sell and ship, not who can browse. To actually block a country you need either a fragile theme-level liquid hack or a traffic-blocking app like Cordon, which makes the decision before the page renders and never blocks verified search engines like Google.

Every week merchants search for "how to block a country on Shopify" and land on forum threads full of half-working liquid snippets. This guide covers why merchants block countries, what Shopify actually offers natively (less than you think), and the three realistic options in 2026.

Why merchants block countries

Country blocking sounds heavy-handed until you have run a store for a year and looked at where your problems come from:

  • Fraud hotspots. Chargeback rates are not evenly distributed. They cluster in a handful of countries, and if you have eaten three chargebacks from orders you could never fulfill anyway, blocking the source is a rational move.
  • Scraper origins. A large share of catalog scraping and price-monitoring traffic originates from specific regions and from datacenter networks headquartered there. If your competitors clone your catalog, the requests often come from a predictable set of countries. (More on that in our guide to stopping content scraping.)
  • No-ship regions. If you will never ship to a country, every visitor from it is either a lost cause, a bot, or a fraud attempt using a stolen card with a mismatched region. Serving them pages costs you bandwidth and pollutes your analytics.
  • Carding and gift card testing. Automated card-testing runs tend to originate from a small set of regions, often routed through VPNs. Blocking the country plus blocking VPN checkout fraud closes both the front door and the side door.

None of this is about disliking a country. It is about the traffic quality you actually observe in your own logs.

What Shopify offers natively (and what it does not)

This is the part most guides get wrong, so let's be precise.

Shopify Markets controls where you sell. You can define which countries appear in your market settings, which currencies you support, and where you ship. If a country is not in any market, customers there cannot complete checkout with a shipping address in that country.

Shopify Markets does not block visitors. A visitor from an excluded country can still load every page of your store, read every product description, download every image, add items to cart, and scrape your entire catalog through /products.json. Markets is a selling configuration, not a traffic filter.

There is no built-in visitor-level country block. Nothing in the Shopify admin lets you say "do not serve pages to visitors from country X." Shopify's own documentation on international selling (see help.shopify.com) covers markets, duties, and shipping zones; visitor blocking is out of scope for the platform. If your goal is "people from country X should not be able to browse my store at all," you need to add something. There are three ways to do it.

Your three options compared

OptionBlocks before page loadSurvives theme updatesBypassableSetup effortCost
Liquid/JS theme hackNo, runs after renderNoTrivially (disable JS)High, per themeFree
Traffic-blocking app (Cordon)Yes, edge decisionYesVPN only, and that is detectableMinutesFree plan available
Cloudflare/firewall (headless)YesN/AVPN onlyHigh, needs proxy controlInfra dependent

Option 1: manual .liquid or JavaScript hacks

The forum-thread classic: paste a snippet into theme.liquid that reads a geolocation value and redirects or hides the page. It sort of works, and here is why it is a bad primary mechanism:

  • It runs after the page loads. The visitor's browser has already received your full HTML, your product data, and your images before the script decides to redirect. A scraper does not execute your redirect. It already has everything it came for.
  • It is trivially bypassable. Disable JavaScript, or just request the page with curl, and the block never runs.
  • It is theme-dependent and breaks on updates. Every theme update can wipe or conflict with the snippet. Every theme switch means redoing the work.
  • Geolocation quality is poor. Most snippets rely on free geo lookups that are rate-limited, inaccurate, or both.

It is a screen door, not a lock.

Option 2: a traffic-blocking app

This is the right answer for almost every merchant on a standard Shopify theme. A purpose-built app like Cordon makes the allow-or-block decision at the edge, before your page renders, so a blocked visitor never receives your content in the first place. What that looks like in practice:

  • 200+ countries with a one-click flag picker. Tick the flag, save, done.
  • Quick presets like "Block China" for the most common single-country request, plus "Anti-scraper" and "Strict mode" presets for broader policies.
  • A customizable block screen so blocked visitors see your message and branding, not a raw error.
  • An allowlist for exceptions. Blocking a country almost always comes with "except my supplier" or "except this one wholesale customer." Allowlist entries win over every rule.
  • Sub-50ms decisions, and it fails open. If the detection service ever hiccups, real customers shop normally. Your store never goes down because your blocker did.

It also stacks with the rest of a traffic policy: VPN and proxy blocking to close the obvious bypass, datacenter network blocking, and bot detection, all from one rule set. See the full feature list and how it compares to the incumbent apps in Cordon vs Blockify.

Option 3: firewall rules for headless stores

If you run a headless storefront (Hydrogen or a custom Next.js front end) behind Cloudflare or another CDN you control, you can write country-blocking rules at the CDN level. This is genuinely the strongest position: the request dies at the edge and your origin never sees it.

The catch is that it is out of reach for most merchants. On a standard Shopify theme you do not control the proxy in front of your store, so there is nowhere to put the rule. This option is for the small minority who run their own edge, and even they usually want the app layer too for the visitor log, presets, and block screen.

Block a country with Cordon in under 2 minutes

Here is the whole flow, timed generously.

  1. Install Cordon from the Shopify App Store. It installs as a theme app extension, no code edits, no script tags.
  2. Open the country rules in the embedded admin and either pick a preset (for example "Block China") or open the flag picker.
  3. Click the flags of the countries you want to block. All 200+ countries are one click each.
  4. Optionally customize the block screen with your own message, so a blocked visitor understands why rather than assuming your store is broken.
  5. Add allowlist exceptions if you have suppliers, agencies, or customers in a blocked country who should get through.
  6. Save. The rules are live immediately. Open the live visitor log to watch decisions happen in real time (IPs are SHA-256 hashed with a daily-rotating salt, so the log is GDPR-safe).

That is it. No theme edits, nothing to redo after a theme change.

The big fear: "will this block Google?"

This is the question that stops most merchants from blocking anything, and it deserves a direct answer.

Blocking a country in Cordon can never block Google, Bing, or any other verified search engine. Crawler verification runs before country rules: a request claiming to be Googlebot is checked against Google's actual network, and verified crawlers are always allowed, unconditionally. There is no toggle that can block them, so there is no misconfiguration that tanks your SEO. The same applies to the good bots that feed AI search (GPTBot, ClaudeBot, PerplexityBot) and SEO tools like Ahrefs.

The flip side is just as useful: a fake Googlebot, meaning a scraper spoofing the Googlebot user agent from a non-Google network, fails verification and gets blocked. Country blocking plus crawler verification is strictly safer than a naive block. We covered the mechanics in depth in do bot blockers hurt SEO?

Frequently asked questions

Can Shopify block visitors from a specific country natively?

No. Shopify Markets controls where you sell and ship, and checkout will reject shipping addresses in countries you do not serve, but nothing in Shopify stops a visitor from any country from browsing your store, adding to cart, or scraping your catalog. Visitor-level country blocking requires an app or your own edge infrastructure in front of the store.

Will blocking a country hurt my Google rankings?

Not if the blocker verifies crawlers. Cordon always allows verified search engines like Googlebot and Bingbot regardless of which countries you block. Verification happens before any country rule is evaluated, so your store stays fully crawlable and indexable no matter how aggressive your country list is.

Can a blocked visitor just use a VPN to get around a country block?

With a plain country block, yes, connecting through a VPN endpoint in an allowed country is the standard bypass. That is why country blocking pairs naturally with VPN and proxy detection. Cordon detects VPN, proxy, and Tor traffic using live commercial detection data rather than stale IP lists, so on Growth plans and above the bypass route is closed too.

How do I block a country but allow one specific customer there?

Use an allowlist. In Cordon you add the customer's IP address to the allowlist and it takes priority over every blocking rule. The country stays blocked for everyone else while that supplier, agency, or wholesale customer shops normally.

Does a country blocking app slow down my store?

A well-built one does not. Cordon makes its allow-or-block decision in under 50 milliseconds, and it is installed as a theme app extension rather than an injected script tag, so it is Lighthouse-friendly and does not drag your page speed. It also fails open: if the detection service ever has a problem, real customers shop normally instead of hitting errors.

Wrapping up

Shopify gives you tools to decide where you sell. Deciding who gets to browse is on you. If you want country blocking that happens before the page renders, survives theme updates, and can never touch Google, try Cordon on the Shopify App Store. There is a free plan with basic country and bot blocking, and every paid plan has a 7-day free trial. Full plan details are on the pricing page.

Related guides