State and City-Level Blocking on Shopify — Precision Beats Country Blocks

A merchant in the US notices that 80% of their COD non-acceptances come from one specific metro area. A merchant in India sees coordinated discount-code abuse from a particular state. A merchant in Mexico finds that one city accounts for almost all of their address-not-found returns.

In every case, blocking the country would destroy meaningful legitimate revenue, but leaving the problem unaddressed costs real money.

State and city-level blocking sits in the middle of the geographic-control spectrum. More precise than country blocks. More durable than rolling IP lists. Often the right tool when fraud patterns are clearly sub-national.

What sub-national blocking actually does

Sub-national geo-blocking uses IP-to-region databases to identify a visitor's apparent state, province, or city, then applies rules based on that location. Mechanism is identical to country-level — same database lookup, same enforcement — just at finer resolution.

Two main resolution levels:

State or province: US states, Indian states, Mexican states, Canadian provinces, Australian states, etc. Typically 10-50 distinct regions per country, each with a stable code ("CA" for California, "MH" for Maharashtra).

City: Major cities and metro areas. Coverage varies — IP-to-city accuracy is best for major metros (~90%) and degrades for smaller cities and rural areas (often 70-80%, sometimes worse).

Both work the same as country-level controls: blocks return a blocking page, redirects send the visitor elsewhere, whitelists exempt specific IPs.

The catch — and the thing merchants need to internalize — is that accuracy decreases as resolution increases. Country-level geolocation is right almost all the time. State is right most of the time. City is right often enough to be useful, but wrong often enough to produce false positives.

When sub-national blocking is the right tool

Three patterns specifically justify state/city-level controls:

1. Concentrated fraud in a country you serve

Your data shows India contributes $50K/month of legitimate revenue and $8K/month of confirmed fraud. The fraud all comes from one or two specific states; legitimate revenue is spread across the country.

A country block destroys $42K of legitimate revenue to stop $8K of fraud. A state block keeps the legitimate revenue and addresses the specific loss.

2. Compliance restrictions below national level

Cannabis, alcohol, tobacco, vape, and firearms sellers in the US face state-level legality variation. A federally legal product may be illegal in specific states; selling there creates legal exposure.

State-level shipping restrictions and (in some cases) state-level visibility controls solve this cleanly.

3. Concentrated COD non-acceptance

The most common case for stores in SEA, LATAM, and India. Non-acceptance rates vary dramatically by district — typically 5x to 20x between the best and worst regions in a country.

Hiding COD as a payment option for the worst districts (or blocking outright in extreme cases) recovers significant margin without disturbing the rest of the customer base.

When sub-national blocking is the wrong tool

Equally important to know when not to reach for state/city controls:

Weak underlying signal. If your "high-fraud city" analysis is based on six orders in 90 days, you don't have enough data. Apparent geographic concentration in small samples is often noise. Wait for statistically meaningful evidence.

Mobile traffic dominates. Mobile geolocation is significantly less accurate than desktop. Carriers route through gateways that often misreport location. If your traffic is 80% mobile, the false-positive rate will be uncomfortable.

The "city" is actually a data center. Some IP geolocation databases report a data center's apparent location as a nearby city. Blocking that "city" can hit the data center and miss the actual users. Signature: city-level blocks catch traffic, but affected users came overwhelmingly through proxy or hosting IPs. Treat that as VPN/proxy fraud, not city fraud.

Blocking what you actually need to convert. Some of your highest-fraud districts are also your highest-AOV districts. Wealthy neighborhoods, expat enclaves, major cities are over-represented in both legitimate revenue and certain fraud patterns. Blocking outright is rarely right; selective controls (payment-method hiding, identity verification, manual review) usually are.

What sub-national blocks miss

A few patterns these blocks won't catch:

• Cross-district fraud rings. A coordinated operation that places orders shipping to addresses in District A but is actually run from District B will look like normal traffic from both. Detection requires device-level or address-pattern signals, not geographic ones.
• VPN/proxy routing. A fraudster in a blocked district routing through a VPN exit in an allowed district bypasses the block. The geographic control is necessary but insufficient.
• Mobile users with iCloud Private Relay. Apparent location rotated and obfuscated. Some legitimate users get caught.

These limitations argue for treating geographic controls as one layer in a stack, never the only defense.

Setting up state-level blocks in Shieldy

The standard pattern in Shieldy:

1. Open Shieldy → Block / Redirect Rules
2. Click Add rule
3. Condition type: State / Province
4. Select the target state(s) from the dropdown
5. Choose action: Block (page-level) or Redirect (to a compliance page or coming-soon)
6. Add a private note explaining why (e.g., "Cannabis not licensed in TX — 2026-05-20")
7. Save and enable

The rule fires within minutes of being saved. Visitors from the blocked state see your custom blocking page (you can edit the title, body, contact email, and visual branding in Shieldy's blocking-page editor).

Setting up city-level blocks

City-level needs more care because of accuracy issues.

Use a softer initial action

Instead of hard-blocking outright, set up a softer first control:

• Hold orders from the city for manual review
• Hide COD as a payment option
• Require email verification
• Display a small warning to the customer

Hard blocks at city level should be reserved for overwhelming evidence.

Verify with multiple data sources

Confirm the geographic pattern shows up across multiple indicators — chargebacks, non-acceptance, address-not-found, customer-service complaints — not just one signal. Single-indicator city patterns are often artifacts.

Have a recovery path for false positives

Customers caught in city-level blocks often complain. Your blocking page should tell them how to reach you, and you need a workflow to verify and whitelist legitimate exceptions.

The interaction with shipping zones

A practical consideration: state-level shipping restrictions in Shopify are a separate control from state-level visit blocking via a fraud app.

For most fraud-driven blocks: "block visits, block shipping" is right. For market-availability blocks ("we don't ship here but want to preserve brand visibility"): "block shipping, allow visits with redirect."

A practical pattern that works

The combination most stores converge on:

• Country-level controls for blanket policies and high-fraud countries
• State-level controls for compliance restrictions (cannabis, alcohol, tobacco) and clearly concentrated COD fraud
• City-level controls for very specific, high-evidence districts, with softer initial actions (review, payment-hide)
• IP-level controls for known-bad infrastructure inside allowed regions
• Whitelist as sanity layer over the whole thing for known-good customers and team access

This stack catches the fraud where geography is genuinely informative without breaking the long tail of legitimate customers whose locations happen to overlap with blocked regions.

The takeaway

Sub-national blocking is the precision tool for stores that know geographically *where* their fraud concentrates. It beats country-level blocks (too broad) and per-IP blocks (too granular, harder to maintain).

Shieldy supports state and city-level rules natively — same UI as country-level, just finer resolution. Combined with payment-method hiding for the same geographic profiles, it cuts loss from concentrated districts without alienating the wider customer base.

Pull your last 90 days. Group by sub-national region. If 70%+ of your loss concentrates in 3-5 districts, sub-national blocking is your highest-ROI move.