Protect your Magento shop from unwelcome shoppers

Who are they and what do they want?

They won’t buy anything. That’s for sure!

From time to time our clients report that their shop has new customers with pretty unusual names (Chinese or Indian characters, or even random strings), so they keep asking us “what’s the deal?”. If your shop sells internationally that would be pretty normal, but if your shop sells only in the Netherlands, then you have a reason and a right to ask.

Why should we care?

  1. Technical and security reasons: remember, bots are not real shoppers. They are probably just degrading the speed and integrity of your shop; they may also launch a DDoS if they “smell” no protection, and/or they are looking for a hole through which to infect your shop. The situation is pretty similar to a physical store with 3 real buyers and 300 “we are just looking around” visitors.
  2. Marketing: think about the accuracy of the data in your Google Analytics. Think about the potentially high email bounce rate of your domain, which negatively impacts your reputation as an email sender.
  3. Competition: before Younify I worked in a PC & hardware shop and my job was maintaining their online shop. One day, “the big boss” came with a “brilliant” idea for how to increase sales: scrape prices from competitors’ shops so he could be sure he had lower prices than them. Of course, the other side’s “handymen” easily detected our activities and blocked us.

Enough with the theory, Shone, tell me how to protect my shop!?

Server-side

The first line of defence is regional blocking. Blocking a single IP (or range) is pretty useless: if we block, we block an entire region or country. But if your shop is internationally oriented, this is not the way to go.

As an example, we will use the countries that host the most spammers: China, Russia, India and Vietnam.

If your server is running NGINX, the settings are pretty simple (country codes are two-letter ISO 3166-1 alpha-2 codes, which is what the GeoIP module sets):

# http {} context; requires ngx_http_geoip_module and a
# "geoip_country /path/to/GeoIP.dat;" directive so that $geoip_country_code is set
map $geoip_country_code $block_country {
    default no;
    CN yes;
    RU yes;
    IN yes;
    VN yes;
}

# server {} context
if ($block_country = yes) {
    return 403;
}

If your server is running Apache:

First make sure that your server has mod_geoip2 installed. If it doesn’t, ask your hosting provider to install it for you. Then place this snippet in your .htaccess (again with two-letter country codes):

# .htaccess; the GeoIP module sets GEOIP_COUNTRY_CODE for every request
GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE CN DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE RU DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE IN DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE VN DenyCountry

# Order Allow,Deny is required: with the default (Deny,Allow) the "Allow from all"
# would win and nobody would be blocked. This is Apache 2.2 syntax; on 2.4 it
# needs mod_access_compat, or use "Require all granted" + "Require not env DenyCountry"
# inside a <RequireAll> block.
Order Allow,Deny
Allow from all
Deny from env=DenyCountry

These examples are for blacklisting. To achieve whitelisting, you just need to switch the logic.

It’s up to you which way you would go.

Software-side

Through Magento settings:

  1. Allow trusted countries only, in Backend → System → Configuration → General → Allow Countries
  2. Enable the option that forces whoever registers to confirm their email address, in Backend → System → Configuration → Customer Configuration → Require Emails Confirmation

If you can code: implement a little firewall using GeoIP:

  1. Load the GeoIP library
  2. Ask GeoIP for the visitor’s country by their IP
  3. If the visitor’s country is in your blacklist: http_response_code(503);

Easy as that!
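The three steps above, written out as a small PHP front-controller guard. This is an added example, not code from the original post or from Magento; it assumes the MaxMind geoip2/geoip2 Composer package, a GeoLite2 country database at the path in the constant, and a list of trusted proxy addresses that you replace with your own.

```php
<?php
// Added example (not from the original post): a tiny GeoIP "firewall" for a
// PHP front controller, following the three steps above. Assumes the
// geoip2/geoip2 Composer package and a GeoLite2-Country.mmdb database at the
// path below (both assumptions for this example).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GeoIp2\Database\Reader;
use GeoIp2\Exception\AddressNotFoundException;

const GEOIP_DB = '/usr/share/GeoIP/GeoLite2-Country.mmdb'; // assumed path
const BLOCKED_COUNTRIES = ['CN', 'RU', 'IN', 'VN'];        // ISO 3166-1 alpha-2

/**
 * Resolve the client IP. Only honour X-Forwarded-For when the direct peer is a
 * proxy we control; otherwise a visitor could set the header and pick their
 * own country.
 */
function clientIp(array $server, array $trustedProxies): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? null;
    if ($peer !== null && in_array($peer, $trustedProxies, true)
        && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // leftmost hop is the original client; take the first valid address
        foreach (explode(',', $server['HTTP_X_FORWARDED_FOR']) as $hop) {
            $hop = trim($hop);
            if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
                return $hop;
            }
        }
    }
    return ($peer !== null && filter_var($peer, FILTER_VALIDATE_IP) !== false) ? $peer : null;
}

/** Step 2: ask GeoIP for the country; null when unknown (private range, not in DB). */
function countryFor(?string $ip, Reader $reader): ?string
{
    if ($ip === null) {
        return null;
    }
    // Private/reserved ranges are never in the database; skip the lookup.
    if (filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null;
    }
    try {
        return $reader->country($ip)->country->isoCode;
    } catch (AddressNotFoundException $e) {
        return null;
    }
}

/** Step 3: decide. Unknown countries pass in blacklist mode and fail in whitelist mode. */
function shouldBlock(?string $code, array $list, bool $whitelist = false): bool
{
    if ($code === null) {
        return $whitelist; // fail closed only when whitelisting
    }
    $listed = in_array(strtoupper($code), $list, true);
    return $whitelist ? !$listed : $listed;
}

// --- glue: put this at the top of index.php, before Magento bootstraps ---
$reader = new Reader(GEOIP_DB);                 // step 1: load the library and database
$ip     = clientIp($_SERVER, ['127.0.0.1']);    // trusted proxy list is an assumption
if (shouldBlock(countryFor($ip, $reader), BLOCKED_COUNTRIES)) {
    http_response_code(503);                    // as in the post; 403 is equally valid
    exit;
}
```

The `whitelist` flag is the “switch the logic” from the server-side section: in blacklist mode a lookup failure lets the visitor through, in whitelist mode it denies them, so decide which failure you prefer before enabling it.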

reCAPTCHA (Google’s free service)

You can choose how you bring reCAPTCHA to your store: manually (if you like to code) or with an extension (there are free ones). Personally, for Magento, I’d recommend Google Invisible reCAPTCHA: it’s free and it does its job. Whatever you choose, reCAPTCHA adds an invisible layer of protection to any form we want and doesn’t allow the form to be submitted (clicking the button to submit/register) if something is suspicious.

Bro tip: how do you test whether reCAPTCHA works on your page? Try it in incognito mode.
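For the “manual” route, the piece the extension would otherwise do for you is the server-side check of the token. The following is an added example, not code from the original post or from any extension: it assumes the secret key lives in a `RECAPTCHA_SECRET` environment variable and that `shop.example.nl` stands in for your own domain; the verification URL and the `g-recaptcha-response` field name are Google’s.

```php
<?php
// Added example (not from the original post): verifying an Invisible reCAPTCHA
// token on the server. RECAPTCHA_SECRET and EXPECTED_HOST are assumptions.
declare(strict_types=1);

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const EXPECTED_HOST  = 'shop.example.nl'; // assumed; compare against your own domain

/**
 * True only when Google confirms the token AND it was solved on our own
 * hostname. Network or parse failures count as a failed check (fail closed).
 */
function recaptchaPassed(string $token, string $secret, string $remoteIp,
                         string $expectedHost = EXPECTED_HOST): bool
{
    if ($token === '' || $secret === '' || strlen($token) > 4096) {
        return false;             // no token: the widget never ran (bot, or JS disabled)
    }
    $ch = curl_init(SITEVERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $remoteIp,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,  // never let a slow verifier hang registration
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if (!is_string($body)) {
        return false;
    }
    return verdictFromResponse($body, $expectedHost);
}

/** Pure function over the JSON body, so the decision logic can be tested offline. */
function verdictFromResponse(string $json, string $expectedHost): bool
{
    $data = json_decode($json, true);
    if (!is_array($data) || ($data['success'] ?? false) !== true) {
        return false;             // failed check; $data['error-codes'] says why
    }
    // Also check the hostname, so a token solved on another domain cannot be
    // replayed against this form.
    return isset($data['hostname']) && strcasecmp($data['hostname'], $expectedHost) === 0;
}

// --- usage in the form's POST handler ---
$token  = $_POST['g-recaptcha-response'] ?? '';   // field name set by the reCAPTCHA widget
$secret = getenv('RECAPTCHA_SECRET') ?: '';
if (!recaptchaPassed($token, $secret, $_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Form rejected.');
}
```

Keep the verification call before any database write: the point of the check is that nothing is created for a submission that fails it.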

Other ideas:

  1. Old-school trick: an invisible <input /> with a generic id/name (name, firstname, lastname, email). This is a little trap where a bot can easily make a mistake and fill that input. If the input is filled, the form shouldn’t be submitted. Easy as that.
  2. Use an Akismet integration.
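The honeypot trick from item 1, as an added example that is not part of the original post: one helper renders the trap field and one checks the submitted form. The field name `company_website` and the inline CSS are assumptions; any generic-looking name will do.

```php
<?php
// Added example (not from the original post): server-side honeypot check for
// the "invisible input" trick. The field name and CSS are assumptions.
declare(strict_types=1);

const HONEYPOT_FIELD = 'company_website';

/**
 * Markup for the trap field. It is moved off-screen rather than display:none
 * (which many bots detect), and kept out of the tab order and the accessibility
 * tree so real users never touch it.
 */
function honeypotFieldHtml(string $name = HONEYPOT_FIELD): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES);
    return '<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden" aria-hidden="true">'
        . '<label for="' . $safe . '">Leave this field empty</label>'
        . '<input type="text" id="' . $safe . '" name="' . $safe . '"'
        . ' tabindex="-1" autocomplete="off" value="">'
        . '</div>';
}

/**
 * True when the submission looks automated: the trap field was filled in, or it
 * is missing entirely (browsers always send an empty text input, so its absence
 * means the POST was crafted without rendering the form).
 */
function honeypotTriggered(array $post, string $name = HONEYPOT_FIELD): bool
{
    if (!array_key_exists($name, $post)) {
        return true;
    }
    return trim((string) $post[$name]) !== '';
}

// --- usage in the registration POST handler ---
if (honeypotTriggered($_POST)) {
    // Answer as if it worked so the bot gets no feedback, but create nothing.
    http_response_code(200);
    exit;
}
```

Log the rejected submissions somewhere you can count them; the ratio of honeypot hits to real registrations is the quickest way to see whether the trap still works after a template change.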

The best protection strategy is to use a combination of the recommended methods!

And don’t forget: the sooner you do something about this, the better. Otherwise, you will have to delete thousands of fake accounts.

Too late, the unwelcome “shoppers” are already there?

We’ve prepared a few scripts for both Magento 1 & 2 that may help clean up your webshop. Just ping us at support@younify.nl and we will be glad to help!

Author: Nebojša Stojilković

Web developer @ Younify