Why Block by IP?
IP blocking lets you target specific known threats:
- Identified bad actors - Block IPs that have caused problems
- Competitor scrapers - Stop known scraping operations
- Harassment sources - Block persistent abusive visitors
- Test environments - Block your own office during testing
- Network-wide threats - Block entire problematic networks
Types of IP Blocking
Individual IP Addresses
Block a single IP address:
192.168.1.100Best for: Known bad actors, specific problem sources
IP Ranges (CIDR)
Block a range of addresses:
192.168.1.0/24 (blocks 192.168.1.0 - 192.168.1.255)Best for: Data centers, hosting providers, corporate networks
ISP/ASN Blocking
Block all IPs belonging to an Internet Service Provider:
- Target hosting providers known for bot traffic
- Block ISPs associated with fraud
- Restrict data center traffic entirely
Setting Up IP Blocks
Adding Individual IPs
- Identify the problematic IP from your logs or analytics
- Add to your blocklist in SecurEcommerce
- Optionally add a note explaining why it’s blocked
Adding IP Ranges
- Determine the CIDR range to block
- Verify the range doesn’t include IPs you need to allow
- Add the range to your blocklist
Managing Your Blocklist
- Review blocked IPs periodically
- Remove blocks that are no longer needed
- Document why each IP is blocked
When to Use IP Blocking
Good Use Cases
- Repeat offenders - Someone who keeps causing problems
- Identified scrapers - IPs you’ve confirmed are scraping
- Attack sources - IPs involved in attacks on your store
- Specific networks - Known problematic hosting providers
Poor Use Cases
- Dynamic IPs - Residential IPs change frequently
- Broad ranges - Blocking too many innocent users
- Unverified threats - Blocking based on assumptions
- Country blocking - Use country blocking feature instead
IP Blocking Limitations
Dynamic IP Addresses
Most residential internet users have dynamic IPs that change. Blocking an IP today might block a different person tomorrow.
Shared IPs
Multiple users can share one IP:
- Corporate networks
- Mobile carriers (CGNAT)
- University networks
- Public WiFi
Blocking one bad actor might block many legitimate users.
VPN/Proxy Bypass
Determined bad actors simply switch to different IPs using VPNs or proxies. IP blocking is whack-a-mole without VPN blocking.
Best Practices
Document Everything
For each blocked IP, record:
- When it was blocked
- Why it was blocked
- Expected duration of block
Review Regularly
- Remove stale blocks
- Verify blocks are still needed
- Check for collateral damage
Combine with Other Methods
IP blocking works best alongside:
- Country blocking
- VPN/proxy blocking
- Rate limiting (handled by Shopify)
Start Narrow
Block specific IPs before blocking ranges. Block ranges before blocking entire ISPs.
Custom Block Messages
Create appropriate messages:
General block:
“Access to this store has been restricted. If you believe this is an error, please contact support.”
Temporary block:
“Your access has been temporarily restricted. Please try again later or contact support.”
Monitoring Blocked IPs
Track blocked attempts to:
- Verify your blocks are working
- Identify patterns in blocked traffic
- Discover new threats from similar IPs
- Assess if blocks can be removed
Emergency Blocking
When you identify an active attack:
- Block the immediate source - Individual IP first
- Expand if needed - Block range if attack uses multiple IPs
- Investigate - Determine the scope of the threat
- Document - Record what happened for future reference
- Review - Remove emergency blocks once threat passes