How to Block an IP Address on Shopify (2026 Guide)
Shopify has no built-in visitor-level IP blocking. What Shopify can do natively, why theme hacks fail, and how to block IPs, ranges, and networks properly.
On this page
TL;DR: Shopify has no built-in way to block an IP address from visiting your store, on any plan. Native tools can cancel orders and restrict known customer accounts at checkout, but the visitor can still browse freely. To actually block an IP you need an app that intercepts the visit before the page renders; with Cordon you can block single IPs, CIDR ranges, and whole networks, with allow rules always taking priority.
Someone keeps hammering your store from the same address. Maybe it is a harassing visitor, a serial refunder, a competitor pulling your prices every hour, or repeated fraud attempts that all trace back to one IP. The obvious fix is "just block the IP." This guide covers how to do that on Shopify, what Shopify itself can and cannot do, and, just as important, when an IP block is the wrong tool.
Why merchants want to block a single IP
The request usually comes from one of four situations:
- A harassing visitor. Someone abusing your contact forms, spamming chat, or placing fake orders repeatedly.
- Repeated fraud from one address. Multiple stolen-card attempts or chargebacks that all originate from the same IP.
- A competitor scraping you. Your prices or product copy showing up elsewhere hours after you change them, with a server address appearing in your logs at machine-like intervals.
- A serial refunder or policy abuser. A "customer" who games returns, discount codes, or free-shipping thresholds again and again under new email addresses.
In each case you know exactly who the problem is at the network level. That is the scenario IP blocking was made for.
The hard truth: Shopify has no built-in IP blocking
Search Shopify's admin for an IP blocklist and you will not find one. There is no visitor-level IP blocking on any Shopify plan, including Plus. What Shopify can do natively:
- Cancel and refund orders, and flag them as fraudulent so Shopify's own fraud analysis learns from them.
- Restrict a known customer account so a specific logged-in customer cannot complete checkout.
- Shopify Plus checkout controls, such as validation rules that reject orders matching certain conditions at checkout time.
Notice what all three have in common: they act at the order or account stage. None of them stop the visitor from browsing. The scraper still loads every product page. The harasser still uses your contact form. The fraudster still probes your checkout with the next stolen card. Native tools clean up after the visit; they do not prevent it. Shopify's own documentation at help.shopify.com is upfront that traffic filtering is app territory.
Workarounds people try, and why they fail
Before installing an app, most merchants try one of these. Here is how each holds up:
| Workaround | The idea | Why it fails |
|---|---|---|
| Theme Liquid hacks | Read a request header in theme.liquid and render a blank page for a bad IP | Liquid has no reliable access to the visitor's real IP, pages are cached so the wrong visitor can get the blocked version, and the hack silently disappears on the next theme update |
| Hiding content with JavaScript | Detect the IP client-side and hide the page | The full HTML already arrived at the browser. A scraper reads the source directly and never runs your hiding script. Nothing was blocked, only decorated |
| Password-protecting the store | Lock everyone out | Blocks all your customers along with the one bad actor. Not a fix, a shutdown |
| Blocking at checkout only | Cancel their orders as they come in | The browsing, scraping, and form abuse continue untouched, and each fraud attempt still costs you time |
The pattern: anything that runs inside the theme happens after the page was served, or breaks the moment your theme changes. Blocking has to happen before the page renders.
How IP blocking works properly
An app like Cordon integrates through a theme app extension (no script tag injection) and checks each visitor before your store content renders. The decision takes under 50 milliseconds, and if the detection service is ever unreachable it fails open, so your store never goes down because of your blocker.
Three levels of IP rule, from narrow to wide:
- Single IP.
203.0.113.7blocks exactly one address. Right for one known troublemaker on a stable connection. - CIDR range.
198.51.100.0/24blocks all 256 addresses in that block with one rule. Right when abuse comes from a small pool, like one office or one server cluster. - ASN (whole network). Blocks every IP announced by one network operator, such as a hosting provider your scraper rents servers from. IPs inside a network rotate; the network itself does not. We cover this in depth in what an ASN is and why blocking one stops thousands of bots.
Two properties matter as much as the rules themselves:
- Allow rules always win. If you allowlist your own office IP or a wholesale customer's address, no block rule, range, or ASN rule can ever catch them. This makes wide rules safe to use.
- Blocked visitors see a block screen you control, not a broken page. You choose the message.
Cordon layers this with country blocking, VPN and proxy detection for checkout fraud, and bot detection, so IP rules are one tool in the set rather than your only defense.
Block an IP with Cordon, step by step
- Install Cordon from the Shopify App Store and enable the app embed in your theme (the app walks you through it, no code edits).
- Find the IP you want to block. Cordon's live visitor log shows each visit with its country, network (ASN), and which rule fired, with IPs stored as SHA-256 hashes for GDPR safety. If the address came from an abuse report or a fraud notice, you already have it.
- Open Rules, add a block rule, and enter the single IP or a CIDR range like
198.51.100.0/24. - Check the ASN shown for that visitor before saving. If it is a mobile carrier, stop and read the CGNAT warning below. If it is a hosting provider, consider blocking the ASN instead of the IP.
- Add allow rules for addresses that must never be blocked: your office, your VA, key wholesale customers. Allow rules take priority over everything.
- Save. The rule is enforced on the next visit, before any page renders.
The honest limits of IP blocking
IP blocking is precise, and that precision is also its weakness. An IP address identifies a connection, not a person, and connections change.
- VPNs hand out fresh IPs in seconds. A blocked adversary reconnects and comes back from a different address, often a different country. If they do this, you are no longer fighting an IP, you are fighting a behavior, and you need VPN/proxy detection rather than a longer blocklist.
- Cloud servers rotate addresses on demand. A scraper on AWS can cycle addresses faster than you can add rules. Block the network (the ASN), not the addresses.
- CGNAT: never block a mobile carrier range casually. Mobile carriers put thousands of subscribers behind one shared public IP using carrier-grade NAT. Block that one address and you may have blocked thousands of real people, including customers mid-checkout, to stop one bad actor who will simply toggle airplane mode and get a new address anyway. Always check the ASN first: if it belongs to a mobile or residential ISP, prefer a narrower response (restrict the customer account, tighten fraud rules) over an IP block.
A practical escalation ladder:
| Situation | Right tool |
|---|---|
| One known troublemaker, stable home or office connection | Single IP block |
| Abuse from one office or one server cluster | CIDR range block |
| Scraper rotating IPs inside one hosting provider | ASN block |
| Traffic from cloud networks in general (AWS, Alibaba, Tencent, Huawei Cloud) | Datacenter blocking (Cordon Pro and up) |
| Adversary hopping VPNs and networks | VPN/proxy/Tor detection plus behavior-based bot detection |
IP rules are the scalpel. Keep them for the cases where you genuinely know the address, and let network-level and behavior-based detection handle everything that moves. See the full feature list for how the layers fit together.
Frequently asked questions
Can Shopify block an IP address without an app?
No. Shopify has no built-in visitor-level IP blocking on any plan. You can cancel orders, restrict a known customer account from checkout, and on Shopify Plus add checkout validation rules, but none of these stop a visitor from browsing your store. Blocking an IP before the page loads requires an app.
Can I block a whole range of IP addresses on Shopify?
Yes, with an app that supports CIDR notation. A rule like 198.51.100.0/24 blocks all 256 addresses in that range at once. For traffic that rotates across an entire provider, blocking the ASN (the network operator itself) is more durable than any list of ranges.
Will blocking an IP address stop a determined scraper?
On its own, no. IPs are cheap and a scraper on a VPN or cloud provider gets a fresh address in seconds. IP rules work best against a specific known troublemaker on a stable address. Against rotating traffic, escalate to ASN or datacenter blocking and behavior-based bot detection.
Is it safe to block an IP that belongs to a mobile carrier?
Be very careful. Mobile carriers use carrier-grade NAT (CGNAT), which means one public IP address can be shared by thousands of real people at the same time. Blocking a single troublemaker on mobile data can block every other customer behind that same address. Check the ASN before you block.
Does blocking IP addresses hurt my SEO?
Not with a properly built blocker. Cordon verifies search engine crawlers like Googlebot and Bingbot at the network level and always allows them, no matter what block rules you create. A crawler faking Googlebot's user agent fails that verification and gets caught.
If you have a specific IP causing trouble right now, you can have a block rule live in a few minutes. Install Cordon from the Shopify App Store, block the address, allowlist the people who matter, and check the visitor log tomorrow to confirm it worked. The free plan covers the basics, and paid plans start at $9/mo with a 7-day trial.