How to stop bot traffic from scraping your eCommerce store

· woocommerce , security

Are you seeing a spike in your traffic on certain days, and something about it feels off? Hundreds of extra sessions, no campaign running, no sale on, and a nagging sense that none of it is coming from a real customer. That usually means one thing: someone is scraping your store. Here is how to know for sure, and how to shut it down.

The traffic spikes but nothing converts

Real shoppers leave a trail. They add things to the cart, sign up, linger on a page, come back. A scraper does none of that. So when your sessions jump but your add to carts, sign-ups, and time on page stay flat or fall, the visitors behind that spike are not buying because they were never people. The number went up and every other number that should move with it stayed still.

The same pages get hit over and over from many IPs

Look at which URLs are taking the load. Scrapers want your product and pricing data, so they hammer those pages again and again while ignoring your blog, cart, and checkout. Now open your server logs and you’ll see the second tell: the same relentless pattern arriving from a hundred different IP addresses. It looks like a crowd, but it is one bot wearing a hundred masks.

Blocking the IPs by hand never works

Your first instinct is to find the offending IP and block it, in your host’s firewall or by asking your ISP. Against a serious scraper that fails every time, because they use rotating IPs: a pool of thousands of addresses they cycle through, so every request looks like it came from somewhere new. Block one and the next request just arrives from another. You can’t win that race manually, and you risk blocking a real customer who happens to share an address range. Meanwhile the scraping eats your bandwidth, slows the site for genuine shoppers, hands your catalogue to competitors, and on a WooCommerce store can spike server load enough to drag down the Core Web Vitals that affect your ranking.

The solution: Cloudflare’s free plan plus Bot Fight Mode

You don’t need a paid security product for this. Cloudflare’s free plan handles it, because instead of chasing IPs it sits in front of your site and judges each visitor’s behaviour. It sees that behaviour across millions of sites at once, so it recognises a scraper your own logs never could. Cloudflare is genuinely good at blocking bots, and the setup is a one-time job:

  1. Create a free Cloudflare account and add your store’s domain.
  2. Point your domain’s nameservers at Cloudflare. It gives you the two to use, and you change them at your domain registrar. This routes your traffic through Cloudflare without touching your store itself.
  3. Turn on Bot Fight Mode. Open Security, then Bots, then toggle it on. It challenges traffic that looks automated and lets real browsers straight through.

That’s it. Bot Fight Mode quietly absorbs the bulk of scraping with no ongoing effort, and the same setup hands you a CDN and DDoS protection for free along the way. If a determined scraper still slips through, Cloudflare’s free WAF rules let you rate limit per visitor or block by country, ASN, or user agent. But start with the toggle. For most stores, that one switch turns the mystery spike back into a flat, honest traffic line.

Don’t miss the next one

Don’t want to miss any of my future posts? Subscribe below.

Get ecommerce engineering tips in your inbox

One practical, actionable article at a time. No spam, unsubscribe whenever.