How to Block an IP Address in Shopify (2026 Guide)

Shopify does not let you block IP addresses out of the box. There is no "Banned IPs" tab in your admin, no built-in blocklist, and no native country-level firewall. Yet IP blocking is one of the most common store-protection tasks merchants need — to stop chargeback fraud, repeated bot scraping, abusive visitors, or unwanted geographies.

This guide walks through every reliable way to block an IP address in Shopify in 2026, from the simplest free option to the most powerful checkout-level blocking using Shopify Functions.

Why you cannot block IPs natively in Shopify

Shopify's hosted infrastructure means you do not control the web server. Cloudflare, the CDN that fronts every Shopify store, does not expose its firewall rules to merchants. Themes run in the browser, so any client-side blocking (JavaScript redirect, hidden DOM) can be bypassed by disabling JavaScript or using a developer console.

The only way to block visitors server-side on Shopify is through a Shopify app that uses the platform's official extensibility APIs — primarily Shopify Functions for checkout-level enforcement and App Proxy / Online Store 2.0 sections for storefront-level protection.

Method 1 — Block a single IP address with Shieldy (recommended)

Shieldy Fraud Filter is a free Shopify app built specifically for IP and country blocking. The free plan supports four rules — enough to block a small list of known bad IPs.

Steps:

1. Install Shieldify Fraud Filter from the Shopify App Store.
2. Open the app and go to Block rules → New rule.
3. Choose Rule type: Block and Criteria: IP address.
4. Enter the IP address (for example 192.0.2.45) or an IP range using the "Starts with" operator (for example 192.0.2.).
5. Save. The rule is active in under a minute and synced to Shopify's edge network.

Blocked visitors see a customizable error page or are silently redirected — your choice.

Method 2 — Block a range of IPs

CIDR notation (like 192.0.2.0/24) is the most common way to express IP ranges in network engineering. Shieldy supports both CIDR ranges and prefix matching via the "Starts with" operator:

For most merchants, prefix matching is easier to reason about than CIDR. If you copy IP addresses out of your fraud-order logs, simply paste the first three octets and add a trailing dot.

Method 3 — Block by country instead of IP

Manually adding individual IPs is reactive. If 80 % of your chargebacks come from one country, blocking the country is faster and more durable than chasing IPs.

In Shieldy:

1. Create a new rule.
2. Choose Criteria: Location.
3. Pick the country from the dropdown (full ISO-3166 list with flags).
4. Optional: set a Redirect URL so blocked visitors are pushed to a "We do not ship to your region" page instead of a hard block.

The free plan ships with four country-blocking slots. If you need more, the Premium plan at $4.99/month removes the limit and adds VPN/proxy detection so masked traffic from blocked countries is also stopped.

Method 4 — Block at checkout (Shopify Functions)

Storefront-level blocking stops visitors before they browse. Checkout-level blocking is stricter — it lets requests through to your store (good for SEO and analytics), but stops the order at payment.

Checkout blocking is built on Shopify Functions, the official server-side extensibility API. You cannot bypass it from the browser. Shieldy's Enterprise plan adds:

• Block by billing/shipping IP
• Block by email pattern (e.g. *@tempmail.com)
• Block by phone prefix
• Block by address keywords or ZIP code
• Auto-cancel orders that match a risk score threshold

This is the strongest layer of protection because it executes on Shopify's infrastructure, not your storefront.

Method 5 — Block VPN, proxy, and Tor exit nodes

If a fraudster cycles through VPN providers, blocking individual IPs is whack-a-mole. The fix is to detect and block the infrastructure category rather than the address.

Shieldy maintains a database of 500M+ classified IPs updated every 15 minutes from 40+ sources, including:

• Commercial VPN providers (NordVPN, ExpressVPN, Surfshark, ProtonVPN, etc.)
• Residential proxy networks (Luminati, Smartproxy, Oxylabs)
• Datacenter and hosting providers (AWS, GCP, Hetzner, OVH)
• Live Tor exit-node list, updated every 30 minutes

Enable Auto-block VPN/Proxy in the Bot Killer module — one toggle, no rule configuration needed.

Method 6 — Use the Shopify theme's "Password Protect" page

This is a hack that only works in narrow cases. You can password-protect your entire store during launch, but you cannot password-protect by IP. If you need to allow access only to a small whitelist (for staging or B2B), Shieldy's Whitelist mode is the right tool — it inverts the rule logic so only listed IPs/countries get in.

Common mistakes to avoid

Blocking IPs in your theme.liquid with JavaScript. This is the most common DIY approach and the easiest to bypass. Disabling JavaScript or running document.querySelector('.blocker').remove() defeats it instantly.

Using robots.txt to block bots. robots.txt is a polite request, not a firewall. Malicious bots ignore it. Use server-side rules through a real app instead.

Blocking entire ASNs without checking who else uses them. Some hosting providers (AWS, Google Cloud) carry both bot traffic and legitimate visitors who use cloud-based browsers (e.g. corporate VPNs, accessibility tools). Test before applying broad blocks.

Not whitelisting your own team. If you block VPN traffic and your dev team uses one, you will lock yourselves out. Add your team's IPs to the whitelist first.

How to find the IP address you want to block

If a customer placed a fraudulent order, the IP is in Shopify's order details:

1. Open Orders → click the order.
2. Scroll to Customer → Conversion summary.
3. Look for IP address.

For visitor traffic without an order, you need an app that logs visitor IPs. Shieldy's Visitor Analytics dashboard logs every visitor with IP, country, ISP, user agent, risk score, and time spent on site.

Frequently asked questions

Can I block an IP in Shopify without an app?

No. There is no native IP-blocking feature in Shopify admin. Even custom code in your theme runs in the browser and can be bypassed.

Will blocking IPs affect my SEO?

No, if you only block confirmed bad actors. Returning a 403 Forbidden or redirect to a small subset of IPs does not affect Google's crawl. If you accidentally block Googlebot, your site disappears from search — so always whitelist Googlebot user agents (Shieldy does this automatically).

Does IP blocking stop VPN users?

Only if you also block the VPN provider's IP ranges. Use VPN/Proxy detection alongside IP rules for full coverage.

Can I block IPv6 addresses?

Yes. Shieldy supports both IPv4 and IPv6 in all rule types.

How many IPs can I block on the free plan?

The Free plan supports 4 block rules total (any mix of IP, country, etc.). The Premium plan ($4.99/mo) lifts the cap to unlimited.

Wrapping up

For most Shopify merchants, the right answer is install Shieldy and start with country-level rules — they cover 80 % of fraud at near-zero effort. Add IP-specific rules for repeat offenders, and turn on VPN/Tor detection if your store sells digital goods or high-margin items.

Install Shieldy free on the Shopify App Store →