Cordon

How to Stop Discount Code Abuse on Shopify

Discount code abuse on Shopify: how one buyer farms welcome codes behind rotating proxies, why email limits fail, and how to block the anonymizing layer.

Bas Lefeber7 min read
Diagram: one abuser behind three rotating proxy identities redeeming the same welcome code repeatedly until Cordon blocks the proxy network
On this page

TL;DR: Discount code abuse on Shopify is mostly one person pretending to be many people. Shopify's native limits are keyed to the customer account and email, so a fresh email defeats them, and IP blocks fail because VPNs rotate IPs in seconds. The fix that actually holds is layered: tighten code scope natively first, then block the anonymizing layer (VPN, proxy, Tor) that makes identity rotation cheap. That raises the effort of farming a code above the value of the discount.

A welcome code is a bet: give up margin once, gain a customer who comes back at full price. Discount abuse breaks the bet. The margin goes out repeatedly, the "new customers" are the same person, and your acquisition math quietly stops being true. This post covers the abuse patterns, what Shopify gives you natively and where it stops, and how to close the gap at the network level.

The four abuse patterns

Welcome code farming

The classic. Your store offers WELCOME10 to first-time buyers. One person creates account after account, each with a throwaway email, and redeems the code on every order. From Shopify's point of view these are distinct customers, because Shopify keys identity to the account and email. From your P&L's point of view it is one buyer who never pays full price.

Codes leaking to coupon sites and extensions

Any code that reaches a browser eventually reaches everyone. Coupon aggregator sites index codes, and coupon browser extensions auto-apply every known code at checkout. A code you created for one influencer campaign or one email segment ends up applied to orders from shoppers who were already committed to buying. This is the quietest form of abuse because every individual redemption looks legitimate.

Referral self-referrals

Refer-a-friend programs pay out twice: a reward for the referrer and a discount for the friend. When both people are the same person on two accounts, you pay both sides of the transaction to a single buyer. Rings of "friends" referring each other in a loop are the scaled version of the same trick.

Affiliates abusing their own codes

An affiliate with a personal code and a commission has an incentive to apply that code to purchases that would have happened without them: their own orders, orders from family, or orders driven through coupon sites where the affiliate posted their code. You pay a commission plus a discount for demand you already had.

What it actually costs

The direct margin hit is only part of the damage.

CostMechanism
Stacked discount on existing demandThe order would have happened at full price; the code turns real margin into a rebate
Repeated first-order marginA one-time acquisition cost paid many times to the same person
Referral payouts to loopsBoth sides of a self-referral are the same wallet
Affiliate commission leakageCommission plus discount paid on orders you did not need help winning
Poisoned cohort data"New customer" counts, repeat rates, and CAC all read wrong when new customers are recycled identities

The last row is the expensive one long-term. If a chunk of your first-order cohort is one person on rotating emails, every decision you base on cohort behavior (ad spend, LTV models, retention targets) is built on bad data.

What Shopify offers natively, and where it stops

Shopify's discount settings give you real controls, and you should use all of them. You can limit a code to one use per customer, cap the total number of redemptions, set a start and end date, require a minimum order amount, and restrict a code to specific customer segments. The Shopify Help Center documents each option.

The limits are structural, not bugs:

  • One use per customer is keyed to the customer account and email. A new email is a new customer. Deliberate farmers cycle emails faster than you can read this paragraph.
  • Capping total uses punishes legitimate buyers too. If you cap WELCOME10 at 500 uses and a farmer takes 200 of them, you spent the budget and starved real customers.
  • Segment restrictions inherit the same identity problem. A "new customers" segment contains whoever just made a new account.

Native controls narrow the blast radius. They do not answer the core question: is this "new customer" actually a new person?

Why IP-based limits alone fail

The obvious next step is to key limits to IP address instead of email. It fails for the same reason email limits fail: the identifier is cheap to rotate. A consumer VPN switches exit servers in one click. A residential proxy pool hands out a fresh IP per request. Blocking the IP you saw yesterday does nothing about the IP the same person is using today.

There is also a false-positive problem in the other direction: mobile carriers and universities put thousands of real people behind shared IPs, so a strict one-redemption-per-IP rule blocks legitimate customers who happen to share an address.

Chasing individual IPs is the wrong altitude. The useful observation is one level up.

The network-level answer: catch the rotation tool

The person cycling emails can mint a new inbox in ten seconds. What they usually cannot do as easily is cycle networks. The email rotation is manual and free; the IP rotation runs through a tool: a VPN, a proxy service, or Tor. That tool is detectable, and it is the same anonymizing layer that checkout fraud rides on.

Three detection layers combine here:

  • VPN, proxy, and Tor detection identifies the anonymizing service itself using live commercial data, not a stale IP list. Instead of blocking the thousandth fresh IP, you block the category of connection the farmer depends on. In Cordon this is included on Growth ($19/mo) and up.
  • Request-velocity detection catches the tempo of abuse. Cordon watches request patterns, not your discount codes, but scripted farming has a request signature: creating an account, applying a code, and checking out four times in ten minutes produces a burst of page loads no human shopper generates. The automated version of code farming trips it; a slow manual abuser does not.
  • The visitor log makes the pattern visible. Cordon's live visitor log shows each visitor's country, network (ASN), and the rule that fired, with IPs stored as SHA-256 hashes under a daily-rotating salt so the log stays GDPR-safe. When one ASN keeps hitting your discount landing page, you are looking at one network wearing many faces. If the network is a hosting provider or a known proxy carrier, blocking the whole ASN ends the run in one rule.

Because allow rules always win over block rules in Cordon, you can protect known-good customers (your own office, a VIP who uses a VPN) explicitly and then be aggressive with the block side.

The practical playbook

Work from cheapest to strongest. Steps 1 through 4 cost nothing and use only native Shopify features.

  1. Tighten code scope natively. One use per customer, an expiry date, and a minimum order amount on every promotional code. A code with no expiry is a permanent liability on coupon sites.
  2. Keep codes out of URLs. Auto-apply discount links are convenient, but a code embedded in a shareable URL is a code published to the internet. Extensions and aggregators harvest them. Prefer codes delivered inside email or post-purchase flows, and rotate any code that leaks.
  3. Use unique single-use codes for high-value offers. Generated one-per-recipient codes cannot be farmed or aggregated. Save the shared evergreen code for low-value offers only.
  4. Audit referral and affiliate payouts monthly. Same shipping address on both sides of a referral, or an affiliate whose conversions all carry their own code with no traffic source, are ten-minute checks that catch loops early.
  5. Block the anonymizing layer. Turn on VPN, proxy, and Tor blocking (Cordon Growth and up) so identity rotation requires more than a browser extension. This is the step that changes the economics; see the VPN checkout fraud use case for how the same control stops card abuse.
  6. Watch the visitor log during promotions. During a code launch, check which ASNs are hitting the landing page. A hosting network or proxy carrier showing up repeatedly is a farm; block the ASN and move on.

The feature overview covers what each detection layer contributes, and pricing shows which plan carries which layer.

Honest limits

A patient abuser on real residential connections, redeeming at a human pace with plausible addresses, is hard to fully stop, because at the network level they look like a genuine new customer. The goal is not perfection. The goal is making the farm cost more than the discount pays: when redeeming a 10 percent code requires clean residential connections, fresh identities, and human pacing, almost everyone doing it at scale stops, because the margin is not worth the effort. The casual majority, running a free VPN and a burner inbox, gets caught at step 5.

Frequently asked questions

How do people abuse discount codes on Shopify?

The common patterns are one person creating endless accounts to reuse a first-order welcome code, codes leaking to coupon sites and browser extensions, customers referring themselves through referral programs, and affiliates applying their own codes to orders that were happening anyway.

Does Shopify's one-use-per-customer limit stop welcome code abuse?

Only partially. The limit is keyed to the customer account and its email address, so an abuser defeats it by signing up again with a fresh email. It stops accidental double redemptions, not deliberate farming.

Can I stop discount abuse by blocking IP addresses?

Not on its own. VPNs and proxy services hand out a fresh IP in seconds, so blocking individual addresses is an endless chase. Blocking the anonymizing layer itself, meaning VPN, proxy, and Tor traffic, removes the rotation tool instead of chasing its output.

Which Cordon plan helps against discount code abuse?

VPN, proxy, and Tor detection starts on the Growth plan at $19 per month. Bot and velocity detection plus the visitor log are part of the core product, and every paid plan has a 7-day free trial.

Will blocking VPNs also block honest customers who use one?

Cordon uses a fraud-score threshold backed by live commercial data, so low-risk privacy services like iCloud Private Relay pass through. Allow rules always beat block rules, so you can allowlist any known customer explicitly.


If welcome codes keep getting farmed and your "new customer" numbers feel off, tightening native limits is the first hour of work and blocking the anonymizing layer is the second. Cordon is on the Shopify App Store with a 7-day free trial on paid plans, so you can watch the visitor log during your next promotion and see who is actually redeeming.

Related guides