Can I block an IP address on Shopify?

Not natively. Shopify does not include IP blocking in admin. You need a security app like ShopFence (Premium plan from $3.99/mo) or a CDN-level setup like Cloudflare in front of your store.

How do I see visitor IP addresses on Shopify?

Order pages show the customer IP under customer details. For storefront visitor IPs you need a security app or CDN. ShopFence's dashboard shows every visitor IP, country, user agent, and behavior pattern.

Can I block an entire IP range on Shopify?

Yes, with ShopFence you can block CIDR ranges like 185.177.72.0/24 to catch entire scraper subnets. Be cautious with ISP ranges that include real customers.

Will IP blocking hurt my SEO?

Only if you block search engine crawler IPs. Whitelist Googlebot and Bingbot IP ranges. ShopFence does this by default.

What is the difference between IP and country blocking?

Country blocking is broad — every visitor from a country is blocked. IP blocking is surgical — only specific addresses. Use them together: country for bulk regions, IP for individual bad actors.

Published in: Shopify Security

How to Block IP Addresses on Shopify (Step-by-Step 2026)

Author Triapps

Published on: May 21, 2026

You have a specific IP address that has tried to brute-force your customer logins for the last six hours. Or a scraper that hit 8,000 of your product pages in 30 minutes. Or a chargeback fraudster whose IP keeps reappearing across multiple fake accounts. Shopify does not let you block IP addresses natively — but with the right app, blocking a specific IP or IP range takes under 30 seconds. This guide covers when to block IPs, how to find the bad ones, and the easy way to block them on Shopify in 2026.

Why IP blocking matters on Shopify

Country blocking handles broad regional fraud. IP blocking handles specific bad actors. They complement each other — country block stops the bulk noise, IP block stops the targeted attacks. Common reasons to block an IP:

Scraper detected. A single IP hit 5,000+ pages in an hour — clearly automated, definitely not a customer.
Repeated checkout failures. A bot is testing stolen cards on your checkout. The same IP is the source.
Chargeback origin. Multiple chargebacks trace back to the same IP using different identities.
Competitor monitoring. A specific data-center IP is checking your prices every 15 minutes — useful for them, not for you.
Brute-force login attempts. One IP is testing credential dumps against your customer accounts.
DDoS / abuse traffic. A small subset of IPs accounting for an outsized share of requests.

Each of these has a different signal in your analytics, but the response is the same: block the IP and move on.

How to find the IP you want to block

Shopify’s native analytics show some IP information, but you typically need a security app or your storefront server logs to identify the right IPs to block:

From Shopify orders. Click a suspicious order → see the customer’s IP address listed under the customer details.
From Shopify analytics → Live View. See current visitors and their countries (full IP not always visible).
From a security app’s traffic log. ShopFence dashboards show every visitor IP, country, user agent, and behavior pattern. Sort by request count, status code, or country to find the bad ones.
From Google Analytics if you have it configured to capture IPs (note: GDPR considerations).

Once you have the IP, the next step is blocking it.

How to block an IP on Shopify (the easy way)

Install ShopFence (Premium or Plus plan)
Open the ShopFence dashboard → Access Control → IP Block
Click Add IP → paste the IP address you want to block
Optionally add a reason (“scraper, blocked 2026-05-21”) for future reference
Save. The block goes live immediately worldwide.

You can also block IP ranges (CIDR notation like 185.177.72.0/24) to catch entire scraper subnets at once.

How to block IP without an app (the manual way)

Without an app, Shopify gives you limited tools. You can:

Block specific customer accounts in Shopify admin (Customers → select customer → Disable account). This blocks the account, not the IP.
Add a Liquid script in theme.liquid that checks the visitor’s IP against a blocklist. Shopify does not expose the visitor IP directly in Liquid — you would need a workaround using a third-party geo-IP service.
Use Cloudflare in front of your store if you have a custom domain. Cloudflare’s free plan includes IP blocking, but setting up Cloudflare proxy in front of Shopify is non-trivial.

For most merchants, none of these are practical. An app is the realistic path.

IP blocking + VPN detection (the complete strategy)

Smart attackers know about IP blocking. When you block their IP, they switch to a VPN or proxy and try again from a new address. You can play whack-a-mole forever — or pair IP blocking with VPN/proxy detection so the attacker has nowhere to go.

ShopFence Premium and Plus include real-time VPN/proxy detection. When a request comes from a known VPN exit IP, you can choose to: block it, log it, or challenge it (e.g. require additional verification at checkout).

What about IP whitelisting?

Whitelisting (allow only specific IPs) is the opposite of blocking. Common uses:

Pre-launch / staging. Restrict the store to your team’s office IPs only while you prepare.
B2B store. Lock the storefront to specific business customer IPs.
Internal tools. Restrict admin or special pages to known IPs.

ShopFence supports IP whitelisting alongside blocking. Whitelist takes priority — whitelisted IPs are never blocked even if they hit other rules.

How long should an IP block last?

Three strategies depending on the threat:

Permanent block for confirmed malicious actors (chargeback fraud, repeated brute-force, known scraper data centers).
30-day block for one-off abuse patterns. Re-evaluate after 30 days — IPs do get recycled.
24-hour rate-limit block for noisy-but-not-clearly-malicious traffic. Catches transient scrapers without permanently banning a possibly-legitimate visitor on a shared IP.