Shield is a security app you must install from the Apps market before its settings become available. Once installed, it adds multiple layers of protection to your store's checkout to block bots, fraudulent order patterns, and fake phone numbers. Go to Apps, find Shield in the Security & Privacy collection, install it, then click the settings icon to configure it.
Opening Shield settings
After installation, go to Apps and click the gear icon next to Shield, or navigate directly to /apps/shield. A settings panel opens with all available controls.
Captcha
When Captcha is enabled, a CAPTCHA input with an image code appears on the checkout form. Customers must type the numbers shown to place an order. This blocks bots, scripts, and macro-based abuse. Only real users who can read the image can complete checkout.
Duplicate orders blocker
When Duplicate orders blocker is enabled, new orders are checked against previous orders placed by the same customer, matched using email address and phone number. If a duplicate is detected, the order is blocked automatically. This prevents repeated or fraudulent purchases from the same identity.
Decoy mode
When Decoy mode is enabled, visitors whose device has been banned or whose order is rejected by another Shield rule see a fully normal store: real cart, real validation, real totals. They then receive a fake order confirmation built from the data they entered. No real order is created, no notifications are sent, and no advertising pixels fire. Attackers believe their orders went through and waste time re-attempting, while your real order data stays clean.
Enabling or disabling Decoy mode immediately updates how banned devices experience your store. With Decoy on, those visitors see the store as normal and receive a fake confirmation; with Decoy off, they receive the standard blocked response.
Paste protection
When Paste protection is enabled, customers cannot paste text into checkout fields. This forces manual entry and blocks automated scripts and clipboard-based bot attacks that populate forms programmatically.
WhatsApp validator
When WhatsApp validator is enabled, the phone number provided by the customer is validated against the WhatsApp API. If the phone number is not associated with a real WhatsApp account, the order cannot be placed. This is particularly effective for stores using WhatsApp-based order confirmation workflows, since fraudulent orders often use invented or non-existent phone numbers.
Max orders per customer
When Max orders per customer is enabled, customers are restricted from placing more than the specified number of orders. The Maximum orders per customer field accepts a number between 1 and 3. Setting this to 1 means each customer (identified by email and phone) can only ever place one order. This prevents abuse and limits bulk fraudulent purchasing from a single identity.
Minimum order placement delay
When Minimum order placement delay is enabled, the checkout order button stays inactive for a required number of seconds after the page loads. The delay is set using a slider labelled Required delay time, ranging from 2 to 20 seconds. The customer sees no countdown or timer. The button simply does nothing when clicked until the time has passed. This ensures bots and scripts that submit instantly cannot place orders, without revealing the security threshold to potential attackers.
A hint on screen reads: "Tip: Use this feature to block bots and scripts that submit instantly. Setting the time too long may frustrate genuine customers."
Blocked user-agent keywords
The Blocked User-Agent keywords textarea accepts one keyword per line, up to 50 keywords. Each keyword must be between 2 and 100 characters. Every incoming visit is checked: if any keyword appears in the visitor's browser identifier, the request is blocked. Typical entries might include tool names such as scrapy, selenium, headless, or apifybot. Leave the field empty to disable this check entirely. When Decoy mode is also enabled, matching visitors see a fake store instead of being outright blocked.
Blocked URL parameters
The Blocked URL parameters textarea lets you flag visitors by the tracking parameters carried in the link they arrived on. Every visit is checked against this list: if the visitor's landing URL contains a matching parameter, the request is blocked. Enter one rule per line, up to 50 rules. Each rule can be up to 100 characters, and its parameter name may contain letters, digits, underscores, and dashes.
There are two kinds of rule:
- Name with a value: written as name=value, for example utm_source=an. It matches only when that parameter appears with exactly that value.
- Name only: written as just the parameter name, for example gclid. It matches whenever that parameter appears in the landing URL, whatever its value.
This is useful for cutting off traffic you know is fraudulent or automated, such as a specific ad source, campaign, or click identifier that keeps producing fake cash-on-delivery orders. Leave the field empty to disable this check entirely. When Decoy mode is also enabled, matching visitors see a fully normal store and every order they submit is silently faked instead of being blocked outright.
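The following is an added illustration of how the two rule kinds above behave, not Storeep's own code: it parses a textarea of rules under the stated limits (50 rules, 100 characters each, names of letters, digits, underscores and dashes) and checks a landing URL against them. It assumes matching is done on the decoded query-string parameters and is case-sensitive.

```python
import re
from urllib.parse import urlparse, parse_qs

# Limits as described in the Shield settings panel
MAX_RULES = 50
MAX_RULE_LEN = 100
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_rules(textarea):
    """Turn textarea contents into (name, value) rules; value is None for
    name-only rules. Raises ValueError for input the panel would reject."""
    lines = [ln.strip() for ln in textarea.splitlines() if ln.strip()]
    if len(lines) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules allowed, got {len(lines)}")
    rules = []
    for ln in lines:
        if len(ln) > MAX_RULE_LEN:
            raise ValueError(f"rule longer than {MAX_RULE_LEN} characters")
        name, sep, value = ln.partition("=")
        if not NAME_RE.match(name):
            raise ValueError(f"invalid parameter name: {name!r}")
        if sep and not value:
            raise ValueError(f"rule {ln!r} has '=' but no value")
        rules.append((name, value if sep else None))
    return rules


def matching_rule(landing_url, rules):
    """Return the first rule the landing URL's query string matches, else None.
    A name-only rule matches on presence; name=value needs that exact value."""
    # keep_blank_values so '?gclid' and '?gclid=' still count as present
    params = parse_qs(urlparse(landing_url).query, keep_blank_values=True)
    for name, value in rules:
        if name not in params:
            continue
        if value is None or value in params[name]:
            return (name, value)
    return None


def should_block(landing_url, rules):
    """True when the visit would be blocked (or decoyed, if Decoy mode is on)."""
    return matching_rule(landing_url, rules) is not None
```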
Additional protection
A note in the panel explains that beyond Shield's configurable rules, Storeep runs multiple layered security measures silently in the background, including advanced behavioural and automator detection, to keep your store and orders secure at all times.
Every order records the customer's device and IP address. You can ban a specific device or IP directly from the order details page; those bans appear in Settings > Banned sessions. See Sessions and banned sessions for how to review and release bans.
Saving
Click Save. A success message confirms the update. Validation errors appear inline next to the relevant field if a value is out of the allowed range.