bot-protection

What this skill does

# Bot Protection

## Overview

Commerce stores face three major bot threats: scrapers that harvest pricing and inventory data for competitors, scalper bots that buy limited-inventory items instantly, and credential-stuffing bots that test stolen usernames and passwords. Effective bot protection layers platform-level defenses, a WAF (Web Application Firewall), CAPTCHA for high-risk actions, and optional behavioral analysis. For most merchants, Cloudflare provides the most effective and lowest-friction protection — it sits in front of your store regardless of platform.

## When to Use This Skill

- When launching limited-edition products prone to scalping (sneakers, concert tickets, gaming consoles)
- When competitors are systematically scraping your product prices or inventory levels
- When account login pages show signs of credential stuffing (high failure rates from distributed IPs)
- When checkout funnel analytics show suspiciously fast completion times (sub-5-second checkout)
- When your infrastructure is overwhelmed by bot traffic consuming catalog API resources

## Core Instructions

### Step 1: Determine the merchant's platform and choose the right tool

| Platform | Built-in Bot Protection | Recommended Additional Layer |
|----------|------------------------|------------------------------|
| **Shopify** | Shopify includes basic bot detection and rate limiting | Enable Cloudflare (free plan) in front of your Shopify store for WAF rules and bot management |
| **WooCommerce** | None built in — the login and checkout forms are fully exposed | Wordfence (free) for login protection; Cloudflare for WAF and rate limiting |
| **BigCommerce** | Basic DDoS protection included | Cloudflare for advanced bot management; BigCommerce supports custom scripts for CAPTCHA |
| **High-traffic drops (any platform)** | None | Cloudflare Waiting Room (Business/Enterprise) or Queue-it for managed queue |
| **Custom / Headless** | Must build | Cloudflare + custom rate limiting + behavioral analysis |

### Step 2: Set up foundational bot protection

---

#### Step 2a: Enable Cloudflare (works for all platforms)

Cloudflare's free plan provides significant bot protection at the DNS level without touching your application code.

1. **Add your domain to Cloudflare** at cloudflare.com (free plan works for most stores)
2. Update your domain's nameservers to the Cloudflare nameservers provided
3. In Cloudflare dashboard:
   - **SSL/TLS → Overview**: set to "Full (Strict)"
   - **Security → WAF → Managed rules**: enable **Cloudflare Managed Ruleset** (free) and **OWASP Core Ruleset**
   - **Security → Bots → Bot Fight Mode**: enable (free) — blocks known bot user agents
4. For additional protection, create custom **WAF Rules** (Security → WAF → Custom Rules):
   ```
   # Block requests with no User-Agent header
   (not http.user_agent contains " " and not cf.client.bot)

   # Rate limit catalog API scraping
   # Under Security → WAF → Rate Limiting Rules:
   # Path: /products/* or /api/products/*
   # Rate: 100 requests per minute per IP
   # Action: Block for 1 hour
   ```

**Cloudflare Bot Management (Business plan, ~$200/month):**
For stores with serious scalping or scraping problems, Cloudflare Bot Management uses machine learning to score every request and challenge or block suspicious traffic without impacting legitimate shoppers.

---

#### Step 2b: Add CAPTCHA to high-risk forms

Use **Cloudflare Turnstile** (free, privacy-preserving, invisible-first) on login and checkout forms. Turnstile uses passive signals before showing a visible challenge — most legitimate users never see a CAPTCHA.

**Adding Turnstile to a Shopify store:**
1. Sign up for Cloudflare Turnstile at cloudflare.com/products/turnstile (free)
2. Create a new site, select "Managed" mode, note your site key and secret key
3. In Shopify, customize your theme to add the Turnstile widget to the login and checkout forms:
   - Use a Shopify theme app extension or edit the theme directly
   - Add `<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>` and a `<div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY">` to the login form
4. Verify the token server-side in your custom app or use a Shopify Function

**Adding Turnstile to WooCommerce:**
1. Install the **Cloudflare Turnstile** WordPress plugin (search "Cloudflare Turnstile" in the plugin directory)
2. Enter your site key and secret key
3. Configure which forms to protect: login, registration, checkout, comment forms

**Server-side token verification:**
```typescript
async function verifyTurnstile(token: string, ip: string): Promise<boolean> {
  const res = await fetch('https://challenges.cloudflare.com/turnstile/v0/siteverify', {
    method: 'POST',
    body: new URLSearchParams({
      secret: process.env.TURNSTILE_SECRET_KEY!,
      response: token,
      remoteip: ip,
    }),
  });
  const data = await res.json();
  return data.success === true;
}
```

---

#### Step 2c: Set up a Waiting Room for product drops (high-demand launches)

For limited-inventory launches where you expect traffic spikes and scalpers:

**Cloudflare Waiting Room (Business/Enterprise plan):**
1. In Cloudflare dashboard, go to **Traffic → Waiting Room**
2. Click **Create**
3. Configure:
   - **Hostname**: your store domain
   - **Path**: the product URL pattern (e.g., `/products/limited-*` or `/collections/drop`)
   - **Total active users**: maximum concurrent users allowed through (e.g., 500)
   - **New users per minute**: admission rate (e.g., 100 per minute)
4. Customize the waiting room page with your branding
5. Cloudflare queues excess traffic fairly; bot traffic is filtered by Cloudflare's bot detection before entering the queue

---

#### Step 2d: Platform-specific protections

**Shopify — Per-customer purchase limits:**
Shopify does not enforce per-customer purchase limits natively for limited products. Options:
- Use a **Shopify app** like Locksmith or Order Limits by MLveda to restrict purchase quantity per customer
- On Shopify Plus: use **Shopify Functions** to enforce limits at checkout

**WooCommerce — Login brute-force protection:**
1. Install **Wordfence Security** (free)
2. Enable brute-force protection under **Wordfence → Login Security**
3. Enable two-factor authentication for admin accounts

**WooCommerce — CAPTCHA on checkout:**
1. Install **Google Recaptcha for WooCommerce** (free) or the Cloudflare Turnstile plugin
2. Configure to protect: login, registration, checkout, and lost password forms

---

#### Custom / Headless — Application-layer rate limiting

For custom storefronts, add rate limiting at the middleware or edge layer:

```typescript
// Next.js Edge Middleware — rate limiting per IP per route
import { NextRequest, NextResponse } from 'next/server';
import { Ratelimit } from '@upstash/ratelimit';
import { Redis } from '@upstash/redis';

const redis = Redis.fromEnv();
const limiters = {
  checkout: new Ratelimit({ redis, limiter: Ratelimit.slidingWindow(10, '1 m'), prefix: 'rl_checkout' }),
  catalog:  new Ratelimit({ redis, limiter: Ratelimit.slidingWindow(100, '1 m'), prefix: 'rl_catalog' }),
};

export async function middleware(request: NextRequest) {
  const ip = request.ip ?? request.headers.get('x-forwarded-for') ?? '127.0.0.1';
  const pathname = request.nextUrl.pathname;

  const limiter = pathname.startsWith('/checkout') ? limiters.checkout
    : pathname.startsWith('/products') ? limiters.catalog
    : null;

  if (limiter) {
    const { success } = await limiter.limit(ip);
    if (!success) return new NextResponse('Too Many Requests', { status: 429 });
  }

  return NextResponse.next();
}
```

**Per-customer purchase limits (custom):**

```typescript
async function enforcePurchaseLimit(customerId: string, productId: string, limit = 1) {
  const count = await db.orders.countByCustomerAndProduct(customerId, productId);
  if (count >= limit) throw new Error(`Purchase limit of ${limit} per customer rea