Cordon

Shopify Bot Traffic: How to Spot It and Stop It

Bot traffic on Shopify looks like a spike with zero extra sales and a collapsing conversion rate. How to recognize it in your reports and stop the bad bots.

Bas Lefeber6 min read
Diagram: a Shopify traffic chart with a sudden spike, broken down into real shoppers and bot traffic from datacenters and headless browsers
On this page

TL;DR: Bot traffic on Shopify shows up as a traffic spike with no matching sales, sessions from countries you never sell to, near-zero visit durations, and traffic from hosting providers instead of consumer ISPs. Even harmless bots cost you money by skewing conversion data, polluting ad audiences, and inflating visitor-based app bills. Stop the bad ones with layered detection (headless markers, request velocity, datacenter ASN blocks) while keeping verified search and AI crawlers allowed.

Your traffic chart jumps 40 percent overnight. Orders: exactly the same as last week. Conversion rate: suddenly terrible. Nothing about your store changed. If that sounds familiar, you are almost certainly looking at bot traffic, and this post shows you how to confirm it in your own reports and what to do about it.

The classic symptom: a spike with nothing behind it

Real traffic surges have a cause you can point to: an ad campaign, an email send, a product going viral, a press mention. They also convert at something resembling your normal rate, because they are made of people.

Bot surges have neither. Sessions climb, sales do not move, and every ratio in your analytics quietly breaks, because the denominator inflated while the numerator stayed put. A store converting at 2 percent that suddenly reports 1.2 percent with flat orders did not get worse at selling. It got a few thousand visitors that were never going to buy anything because they are scripts.

That broken denominator is the real damage. You do not just get noise in a chart; you get wrong answers from every metric that divides by sessions.

How to recognize bot traffic in your reports

No single signal is proof. Several together are close to it:

  • Countries you never sell to. Hundreds of sessions from markets where you do not ship, do not advertise, and have never had a customer. This is often the first thing merchants notice, and it is why country blocking is many stores' first rule.
  • Near-zero session duration. Real shoppers linger, scroll, and click. Bot sessions last a second or two: load the page, extract the data, leave.
  • Product pages in rapid sequence. A scraper walks your catalog methodically: page 1, page 2, page 3, at machine speed. Landing pages, blog posts, and your about page get ignored. Humans do not browse 300 products in 10 minutes.
  • Traffic from hosting providers, not consumer ISPs. Real shoppers connect from home and mobile networks like Comcast or Vodafone. Nobody shops from a rented server on AWS or Alibaba Cloud. Network origin (the ASN) is the strongest single tell; here is how ASNs work.
  • Conversion rate collapse with flat orders. The arithmetic signature described above. If orders held steady while conversion halved, the new "visitors" were not visitors.

What bots cost you even when they behave

It is tempting to shrug at bot traffic that is not attacking anything. That is a mistake, because passive bots still bill you in four ways:

CostHow it happens
Bad decisions from skewed dataConversion rate, bounce rate, and per-page metrics all divide by sessions. Inflate sessions and every one of them lies. You "fix" pages that were never broken and kill campaigns that were working
Wasted ad spendBots that execute JavaScript land in your retargeting audiences. You then pay real money to show ads to scripts, and your lookalike audiences learn from machine behavior
Higher app billsMany Shopify apps, traffic blockers included, price by visitor count. Bot sessions push you into tiers you should not need
Server and speed dragIn extreme cases, aggressive crawling adds load and slows the store for the humans you actually want there

Not every bot is bad

Blocking all bots is the wrong goal, and any tool that promises it should worry you. Sort them into three buckets:

CategoryExamplesWhat to do
Good botsGooglebot, Bingbot, GPTBot, ClaudeBot, PerplexityBot, AhrefsKeep them. They are how you get found in search and recommended by AI assistants
Gray botsPrice monitors, inventory checkers, uptime toolsYour call. Mostly harmless, but they add up; block them if they bring you nothing
Bad botsScrapers, carders testing stolen cards, checkout and inventory-hoarding botsBlock them before the page renders

The good bots matter more than ever now that AI assistants answer shopping questions. Blocking GPTBot or ClaudeBot removes you from those answers. We covered the SEO side in detail in do bot blockers hurt SEO; the short version is that a well-built blocker protects good crawlers instead of endangering them.

How to stop the bad bots properly

One-signal detection fails. User-agent strings are self-reported, so a scraper can call itself Googlebot in one line of code. This is why user-agent allowlists alone are worse than useless: they wave through anyone willing to lie, which is every bad bot. Detection has to be layered:

  • User-agent fingerprinting catches lazy bots that announce themselves or ship inconsistent headers.
  • Headless browser markers catch automation frameworks (Puppeteer, Playwright, Selenium) that render pages like a real browser but leave detectable traces.
  • Request velocity catches anything hitting pages faster than a human can, whatever it claims to be.
  • Datacenter ASN blocking catches traffic from cloud networks like AWS, Alibaba, Tencent, and Huawei Cloud where shoppers never live (Cordon Pro and up).
  • Network-level verification of good bots. Cordon verifies claimed crawlers with reverse DNS: real Googlebot resolves back to Google's network, and a scraper spoofing the name does not. Verified search engines and good bots are always allowed and cannot be blocked, so an aggressive setup can never cost you your rankings or AI visibility.

Layered like this, each check covers the others' blind spots, and the decision happens in under 50 milliseconds before the page renders. If you are comparing tools, our rundown of Shopify bot blocker apps goes through what to look for.

Diagnose it in 15 minutes

You can confirm or rule out bot traffic with your Shopify reports plus a visitor log. Cordon's log shows the country, the network (ASN), and the rule that fired for every visit, with IPs stored as SHA-256 hashes (daily-rotating salt) so the log stays GDPR-safe.

  1. Find the spike. In Shopify analytics, note the day sessions jumped and compare orders for the same day. Flat orders plus a spike means proceed.
  2. Check countries. Break sessions down by country. Rank the spike-day countries against your actual customer countries. Anything large and unfamiliar is a lead.
  3. Check the networks. Open the visitor log and look at the ASN column for the suspicious window. Consumer ISPs are normal. Hosting providers (AWS, Alibaba Cloud, Tencent, Hetzner and similar) in volume are your confirmation.
  4. Check the pattern. Look at what the suspicious visits requested. A methodical walk through product pages at fixed intervals is a scraper, not a shopper.
  5. Apply the narrowest fix that covers it. One network responsible: block that ASN. Traffic concentrated in a country you never sell to: block the country, or start from Cordon's presets (Block China, Anti-scraper, or Strict mode) and adjust. Mixed and rotating: turn on bot detection and let the layered checks handle it.
  6. Verify tomorrow. Recheck the visitor log: blocked visits now show which rule fired, and your session counts should drop back toward reality while orders stay unchanged. That last part is the proof the traffic was worthless.

Frequently asked questions

Why did my Shopify traffic spike with no extra sales?

A sudden traffic spike with zero matching sales is the classic signature of bot traffic. Bots generate sessions but never buy, so visitors climb while orders stay flat and your conversion rate collapses. Check where the sessions came from: countries you never sell to and hosting-provider networks are the giveaway.

Does Shopify filter bot traffic out of analytics automatically?

Shopify excludes some known crawlers from reports, but a lot of automated traffic still lands in your numbers. Scrapers running headless browsers and bots on cloud servers execute JavaScript like real visitors, so analytics counts them as sessions unless something blocks them before the page loads.

How can I tell bot traffic from real visitors?

Look at network origin and behavior together. Real shoppers come from consumer ISPs, browse a few pages, and linger. Bots come from hosting providers like AWS or Alibaba Cloud, hit hundreds of product pages in rapid sequence with near-zero session duration, and often visit from countries you never sell to.

Will blocking bots hurt my SEO or AI search visibility?

Not if verified good bots stay allowed. Cordon verifies Googlebot, Bingbot, and AI crawlers like GPTBot, ClaudeBot, and PerplexityBot at the network level and always lets them through; they cannot be blocked. The verification uses reverse DNS, so a scraper faking Googlebot's user agent fails the check and gets caught.

Do bots cost me money even if they never attack?

Yes. Bots inflate your session counts, which skews conversion data and leads to bad decisions. They pollute retargeting audiences so ad spend goes to machines, and they push your visitor counts into higher pricing tiers on visitor-billed apps. You pay for them even when they do nothing malicious.


If your chart has a spike you cannot explain, the fastest way to get an answer is to watch the traffic with the log open. Install Cordon from the Shopify App Store, run the 15-minute diagnosis above, and block what you find. Basic bot and country blocking is free, and paid plans come with a 7-day trial.

Related guides