Shopify shipped a Human or bot session filter on October 7, 2025. It’s genuinely useful, and if you’re reading this because your abandoned checkout list has gone sideways or your conversion rate is mysteriously tanking, the first thing to do is turn it on. It takes about ten seconds and it’ll make your sessions reports honest again.
But there’s a catch that nobody seems to be writing about, and it’s worth understanding before you assume the problem is solved.
The filter is a reporting tool. It’s not a block. And it only cleans one surface.
What the filter actually does
When you open a sessions-related report in Shopify Analytics, you can now add a dimension called Human or bot session, or apply it as a filter from the configuration panel. Every session on your storefront is tagged as human or bot as it happens, using signals like IP reputation, user agent, request patterns, and interaction depth (bots typically don’t scroll, don’t click around, don’t engage with pages the way a real shopper does). Add the filter, flip it to Human, and your report stops counting bot sessions in your totals.
The practical win is real. Your conversion rate stops looking like it cratered, your sessions count stops looking like it tripled overnight, your checkout starts reports stop being inflated by automated scripts hitting the cart URL directly. If you only ever look at Shopify’s native reports, you’ll feel like the problem is fixed.
What the filter does not do
It doesn’t stop bots from hitting your store. They still load pages, they still hit your cart URL, they still populate your customer list, they still trigger whatever downstream automations you’ve got configured. What the filter does is separate their sessions from human sessions in one specific place… Shopify’s sessions-based reports. Everything downstream of that, every other tool you’ve got connected to your store, keeps seeing the raw traffic.
Here’s where that matters.
Your GA4 property still counts them. Shopify’s filter is proprietary to Shopify, it doesn’t propagate to Google Analytics. If you’re making decisions from GA4 (or Looker Studio pulling from GA4), your numbers are still dirty. You can set up your own bot filtering rules in GA4, but you’ve got to do it yourself, and the signals GA4 has access to aren’t the same as what Shopify has in the session layer.
Your Meta pixel still fires for them. Every bot session that loads your product pages is still sending PageView, ViewContent, and sometimes AddToCart events to Meta. Those events feed your lookalike audiences. They feed your optimization algorithm. If bot sessions look like a specific profile, Meta will happily go find more humans who match that profile, and your campaigns will optimize for the wrong cohort. ROAS reporting downstream of that is compounding the lie.
Your ESP still has them. Klaviyo, Omnisend, Mailchimp, Shopify Email… they’re all pulling customer and abandoned checkout data from Shopify via webhooks. The filter doesn’t change what goes into those webhooks, it only changes what shows up in Shopify’s own reports. So:
- Your abandoned cart flow is still firing recovery emails to fake addresses. Your sender reputation is still getting hit.
- Your list size is still inflated. If your ESP charges by contact count, you’re still paying for bots.
- Your segmentation is still contaminated. Engagement scores, RFM buckets, subscriber cohorts all include the bot traffic.
Your customer list still has them. Go to Customers in your admin. Those bot-created records (the gibberish names, the sequential emails, the “street 10 apt 2” addresses) are all still there. The filter doesn’t clean them, and it doesn’t prevent new ones from being created. You’ve got to delete them manually or use a separate tool.
Your abandoned checkouts list still has them. Same story. The filter changes how the reports summarize sessions, but the raw checkout records are untouched.
It’s not retroactive. The filter only classifies sessions from October 7, 2025 onward. Any bot pollution in your historical data is still there, and Shopify won’t relabel it.
The practical gap
If you only live in Shopify reports, the filter is enough. If any part of your decision-making touches GA4, Meta, paid ads, your ESP, your customer data platform, or your admin customer list, the filter is solving maybe 20% of the problem.
That’s not a criticism of Shopify’s feature. It’s a perfectly reasonable scope for a free built-in filter. It just means you probably need more than the filter, and a lot of merchants are finding out the hard way after they turn it on, see their reports look clean, and then notice their Meta ROAS still looks wrong or their Klaviyo bill keeps climbing.
Same-day things you can do yourself
Before you think about any paid tool, a few checks worth running:
-
Turn on the filter in your sessions reports. Reports, open any sessions-based metric, add filter, select Human or bot session, set to Human. Save the configured view.
-
Add bot exclusions in GA4. Admin, Data settings, Data filters, set up IP and user agent excludes for the patterns you’re seeing. Not perfect, but it stops the most obvious offenders from corrupting your reporting.
-
In Klaviyo (or your ESP), add a suppression filter on obviously-syntax-suspicious emails. If you’re seeing mail01, mail02, mail03 at the same domain, you can exclude them with a regex filter on your abandoned cart flow so they stop getting sent to.
-
Delete the bot customer records in your admin. Filter customers by created date + zero orders + no store interaction, review, bulk delete. This won’t stop new ones, but it cleans your list and your ESP sync.
The deeper fix, honestly framed
There are broadly two categories of tools that go beyond the filter:
Edge / DNS-layer blocking. You reroute your storefront traffic through a third-party WAF (Cloudflare, Akamai-style proxies) and block the bots before they ever reach Shopify. The theory is clean, the practice is fragile. DNS misconfigurations can point your storefront at the wrong origin, break SSL, cause timeouts, break legit customer traffic during sales. The pattern you’ll see in forum threads is something like “worked great for a month, then the bots adapted, then my storefront started throwing errors and I had to uninstall.” It’s not that edge blocking is a bad idea in principle, it’s that consumer-grade edge setups on a Shopify store are high-risk for low-to-medium-technical merchants, and the blast radius when it breaks is your whole storefront.
Shopify checkout-layer blocking. You keep your DNS clean, bots still hit your storefront (you can’t prevent that without edge work), but they get stopped at the session / checkout layer inside Shopify before they pollute anything downstream. No pixel firing, no Klaviyo sync, no fake abandoned checkout, no customer record created. The trade-off is that your origin still serves the initial page request, but the cascade of downstream pollution stops. Your reports stay clean, your pixel stays clean, your ESP stays clean, your customer list stays clean, without the DNS risk.
Analytics cleanup alone, which the Shopify filter does, shows you the problem. It doesn’t solve it downstream.
Which one you need depends on whether you care about what happens after the bot is detected. If your only goal is to look at clean sessions reports in Shopify, the filter is enough. If you care about your pixel, your ESP, your customer list, or your ad ROAS, you need something that blocks the pollution before it cascades.
Where Doorman fits
Doorman is in the Shopify checkout-layer category. It blocks bots at the session layer, which keeps them off your pixel, out of your ESP, out of your customer list, and out of your abandoned checkout flow, without DNS changes. The filter is a good first step. Doorman is where you go when the filter isn’t enough.
If you want to try it, the founding cohort is open, no credit card… doormanapp.com.