· 13 min read · ShieldFlow Team

How to Set Up Country Blocking on Shopify (Step-by-Step)

Block or redirect visitors from high-risk countries on your Shopify store. Step-by-step guide covering Shopify Markets, apps, and checkout-level blocking.

#country-blocking #geolocation #fraud-prevention #shopify

How to Set Up Country Blocking on Shopify (Step-by-Step)

Sixty percent of your abandoned checkouts came from three countries where you do not ship. Your payment processor flagged a spike in declines originating from IP ranges you have never seen before. Your Klaviyo list absorbed 800 fake email addresses overnight — all registered through checkout attempts from the same region.

Country blocking is one of the simplest and most effective tools available to Shopify merchants dealing with geographically concentrated fraud. When entire waves of card testing attacks or fake checkout floods originate from countries where you have no customers, restricting access from those regions can eliminate the problem at the source.

This guide walks through why country blocking matters, three methods to implement it on Shopify, a step-by-step setup using ShieldFlow, the countries merchants block most often and why, and the risks you need to manage to avoid hurting legitimate sales.

Why Merchants Block Countries

Country blocking is not about xenophobia or lazy fraud prevention. It is a practical response to measurable patterns that cost real money.

Fraud Concentration

Card testing attacks and fake checkout floods are not distributed evenly across the globe. They cluster in regions with high concentrations of fraud infrastructure — proxy farms, carding forums, and organized fraud rings. When your analytics show that 90% of declined transactions originate from countries where you have zero legitimate orders, blocking those regions is a rational business decision.

Merchants running Shopify stores in the US and EU markets consistently report that a small number of countries generate the majority of their fraudulent traffic while contributing almost nothing to revenue.

Shipping Limitations

If you only ship to the United States and Canada, there is no reason to allow visitors from countries you cannot serve to enter your checkout flow. Every checkout attempt from an unserviceable country consumes server resources, pollutes your analytics, and — if the visitor submits payment — creates a declined transaction that costs you gateway fees.

Payment Processor Protection

Visa’s VAMP program penalizes merchants who exceed a 0.3% dispute ratio. Stripe and Shopify Payments both monitor decline rates and will freeze accounts that cross their thresholds. If a significant portion of your declines originate from a specific geography, blocking that geography can be the fastest path to getting your ratios back under control.

Compliance Requirements

Some merchants sell regulated products — age-restricted items, export-controlled goods, or region-licensed digital content. Country blocking can be part of a compliance strategy to prevent sales to jurisdictions where the product is not legally available.

Three Methods to Block Countries on Shopify

There is no single “block countries” button in Shopify. You have three approaches, each with different trade-offs.

Method 1: Shopify Markets (Native)

Shopify Markets lets you define which countries and regions your store serves. It is built into every Shopify plan.

How it works:

  1. Go to Settings > Markets in your Shopify admin
  2. Your primary market (usually your home country) is already configured
  3. Additional markets can be added for international regions you serve
  4. Countries not assigned to any market will see a message that the store does not ship to their region

Pros:

  • Free, built into Shopify
  • Handles currency conversion and language for markets you do serve
  • No app installation required

Cons:

  • It does not actually block access. Visitors from excluded countries can still browse your store, add items to cart, and attempt checkout. They will only be stopped at the shipping step.
  • Bots do not care about shipping restrictions. A card testing bot from an excluded country will still reach your checkout and submit payment attempts.
  • No redirect capability — visitors just hit a dead end
  • No logging or analytics on blocked attempts

Shopify Markets is a commerce tool, not a security tool. It tells visitors you do not ship to their country. It does not prevent malicious traffic from reaching your checkout.

Method 2: Third-Party Geoblocking Apps

Several Shopify apps provide country-level blocking with more control than Shopify Markets. These typically work by detecting the visitor’s IP-based geolocation and either blocking page access or redirecting to a different URL.

Popular options include geoblocking apps that redirect visitors to a “not available in your region” page, block access to specific pages (like checkout), or show a popup explaining the restriction.

Pros:

  • More control than Shopify Markets
  • Redirect capability (send visitors to a region-specific page instead of a blank wall)
  • Some offer analytics on blocked traffic

Cons:

  • IP-based geolocation is not 100% accurate (5-10% error rate at country level)
  • Most operate at the storefront level only — they do not block at checkout
  • VPN users can bypass IP-based blocking trivially
  • Monthly subscription cost ($5-$20/month for basic geoblocking)
  • They block browsing but may not prevent API-level checkout attempts

Method 3: Checkout-Level Blocking with ShieldFlow

ShieldFlow takes a fundamentally different approach. Instead of blocking visitors at the storefront (which bots can bypass), ShieldFlow operates at the checkout level using Shopify’s block_progress API. This means even if a bot bypasses your storefront restrictions, the checkout itself will not proceed.

How it works:

  1. ShieldFlow’s storefront extension collects device fingerprint and geolocation signals from every visitor
  2. When a visitor enters checkout, ShieldFlow evaluates their risk profile — including country of origin
  3. If the visitor’s country is on your blocked list, ShieldFlow blocks the checkout and displays a clear message
  4. The event is logged with full context (fingerprint, IP, country, timestamp) for your review

Pros:

  • Blocks at the checkout level — bots cannot bypass by skipping the storefront
  • Combines country blocking with device fingerprinting and bot detection for layered protection
  • Logs every blocked attempt with forensic detail
  • Redirect or block with customizable messaging
  • Works against express checkout paths (Shop Pay, Apple Pay) via webhook safety net

Cons:

  • Requires app installation and checkout extension approval
  • More powerful than simple geoblocking — merchants who only need basic redirection may not need it

For merchants dealing with fraud-driven country blocking (not just shipping restrictions), checkout-level enforcement is the only approach that actually stops the damage.

Step-by-Step: Setting Up Country Blocking with ShieldFlow

Here is the exact process to configure country blocking in ShieldFlow.

Step 1: Install and Configure ShieldFlow

Install ShieldFlow from the Shopify App Store and complete the onboarding flow. This connects ShieldFlow to your store and deploys the storefront fingerprinting extension and checkout guard extension.

Step 2: Navigate to Country Rules

In your ShieldFlow dashboard, go to Settings > Geo Rules. You will see a world map and a list of countries with toggle controls.

Step 3: Select Countries to Block

Toggle on the countries you want to block. ShieldFlow provides data to help you decide: for each country, you can see the number of checkout attempts, decline rate, and fraud score from your store’s historical data.

For most US-based merchants, common starting points are countries where you have zero orders but measurable fraud traffic. Start conservative — you can always expand the list later.

Step 4: Choose Block or Redirect

For each blocked country, choose the action:

  • Block: The checkout displays a message explaining that orders from their region are not currently accepted. The checkout cannot proceed.
  • Redirect: The visitor is redirected to a URL of your choice before reaching checkout. This is useful if you have a region-specific store or a “coming soon to your country” landing page.

Step 5: Configure the Storefront Redirect (Optional)

ShieldFlow can also redirect visitors at the storefront level, before they even add items to cart. This reduces friction for visitors from blocked countries — they learn immediately that the store does not serve their region, rather than discovering it at checkout.

Enable this under Settings > Geo Rules > Storefront Redirect and specify the redirect URL.

Step 6: Test the Configuration

Use a VPN to simulate a visit from a blocked country. Verify that:

  1. The storefront redirect works (if enabled)
  2. If you bypass the storefront redirect, the checkout block activates
  3. The block message displays correctly
  4. The event appears in your ShieldFlow dashboard with correct country attribution

Step 7: Monitor and Adjust

After enabling country blocking, monitor your ShieldFlow dashboard for the first 48 hours. Watch for:

  • Legitimate orders that might be affected (customers using VPNs, expats)
  • New fraud traffic patterns that shift to unblocked countries
  • Changes in your decline rate and chargeback ratio

Countries Merchants Block Most Often (and Why)

Based on aggregate data from e-commerce fraud reports and merchant community feedback, these are the countries that appear most frequently on blocklists for US/EU-focused Shopify stores.

High Card Testing Activity

  • Nigeria: Consistently ranks among the top sources of card testing traffic targeting US stores. High concentration of carding communities and fraud infrastructure.
  • Indonesia: Significant volume of automated checkout attempts. Often associated with proxy farm traffic.
  • Vietnam: Growing source of bot-driven checkout fraud, particularly targeting fashion and electronics stores.
  • Pakistan: Frequent source of low-value card testing attempts using residential proxies.

Proxy Farm Concentration

  • Bangladesh: Large-scale proxy infrastructure used to route fraud traffic through residential IPs.
  • India: While India has a massive legitimate e-commerce market, some regions host significant proxy farm operations used for card testing on international stores. Block with caution if you have Indian customers.

Organized Fraud Rings

  • Russia and Ukraine: Historical hubs for organized cybercrime, including carding forums and fraud-as-a-service operations. Many US/EU merchants block these regions preemptively.
  • Romania and Moldova: Known concentrations of fraud ring operations targeting Western e-commerce.
  • Brazil: Significant card testing activity, particularly against US stores, though Brazil also has a large legitimate consumer base.

Important Context

These patterns are based on aggregate fraud data, not stereotypes. Every country on this list contains millions of legitimate consumers. The decision to block should be based on your store’s specific data — your decline rates, your fraud patterns, your customer geography — not on generalized lists.

If 15% of your revenue comes from a country that also generates 30% of your fraud, blocking that country entirely would be a net negative. Country blocking is a scalpel, not a sledgehammer.

The Risks of Over-Blocking

Country blocking is effective, but aggressive implementation creates real problems. Understand these risks before you flip the switch.

VPN Users

Over 1.6 billion people use VPNs regularly. Many are privacy-conscious consumers, not fraudsters. A legitimate customer in New York using a VPN that routes through Amsterdam will appear to be visiting from the Netherlands. If you have blocked the Netherlands, you just lost a sale.

VPN usage is especially common among:

  • Tech-savvy consumers (your most valuable demographic for many niches)
  • Customers on public Wi-Fi (using VPN for security)
  • Corporate users whose company VPN exits in another country
  • Privacy-conscious shoppers who use a VPN for everything

Expats and Travelers

An American citizen living in Thailand is still your customer. A Canadian snowbird spending winter in Mexico is still your customer. Military personnel stationed overseas are still your customers. Country blocking based solely on their current IP location will lock them out.

Mobile Carrier Routing

Mobile carriers sometimes route traffic through network infrastructure in unexpected countries. A customer physically in the United States on a roaming agreement might briefly appear to be in another country. This is rare but does happen with some MVNOs and international carriers.

Revenue You Cannot Measure

The hardest risk to quantify: the sales you never see. When you block a country, visitors from that country silently disappear. They do not show up as lost sales in your analytics. They do not submit complaints. They simply leave. You have no way to know how many were legitimate customers unless you later unblock the country and observe the traffic.

Reputation Impact

If word spreads in online communities that your store blocks certain countries, it can create negative sentiment — particularly if the blocking is perceived as discriminatory rather than security-driven. This is more relevant for brands with international visibility.

Best Practices for Country Blocking

Follow these guidelines to maximize security benefit while minimizing collateral damage.

Redirect, Do Not Block Silently

Never show a blank page or a generic error to visitors from blocked countries. Always redirect to a clear, professional page that explains:

  • Your store currently serves specific regions
  • The visitor’s region is not currently supported
  • Alternative options (if any) — such as a different regional store, a waitlist, or a contact form

A redirect message like “We currently ship to the US, Canada, and EU. We hope to expand to your region soon” is far better than a 403 error.

Use Country Blocking as One Layer, Not the Only Layer

Country blocking catches geographically concentrated fraud. It does nothing against a fraudster using a US residential proxy. Always combine country blocking with:

  • Device fingerprinting to identify bots regardless of IP location
  • Velocity-based rate limiting to catch rapid-fire checkout attempts
  • Email validation to filter disposable and suspicious email addresses
  • Behavioral analysis to detect non-human interaction patterns

ShieldFlow combines all of these layers so country blocking works as part of a comprehensive defense, not a standalone measure.

Start Conservative, Expand Based on Data

Begin by blocking only countries where you have zero legitimate orders and measurable fraud traffic. Run this configuration for two weeks. Review the data. Then consider expanding to countries with low order volume but high fraud ratios.

Never block a country preemptively based on general reputation alone. Use your own store’s data.

Review Quarterly

Fraud patterns shift. A country that was a major fraud source six months ago may have cleaned up. A country you never worried about may become a new hotspot. Review your blocked country list quarterly and adjust based on current data.

Whitelist Known Customers

If you have established customers in a country you later decide to block, whitelist their email addresses or customer IDs. ShieldFlow supports customer-level overrides that bypass country rules for known legitimate buyers.

Document Your Rationale

Keep a simple log of why each country is on your blocklist: “Blocked [Country] on [Date] — 340 declined checkouts, 0 legitimate orders in trailing 90 days.” This helps you make informed decisions during quarterly reviews and provides justification if the policy is ever questioned.

Frequently Asked Questions

Does Shopify have a built-in country blocking feature?

Not exactly. Shopify Markets lets you define which countries your store serves, but it does not block access to your site. Visitors from countries outside your defined markets can still browse, add items to cart, and attempt checkout. They will be stopped at the shipping step, but by then, any card testing damage is already done. For actual blocking — preventing checkout attempts entirely — you need a checkout-level solution like ShieldFlow.

Will country blocking stop all fraud from that country?

No. Country blocking stops traffic that originates from IP addresses geolocated to the blocked country. A fraudster using a VPN or residential proxy in an unblocked country will bypass country restrictions entirely. Country blocking eliminates the low-hanging fruit — unsophisticated fraud and bot traffic that does not bother to mask its origin. It should always be combined with device fingerprinting and behavioral analysis for comprehensive protection. (Learn how bot detection works)

Can customers use a VPN to bypass my country block?

Yes. Any visitor can use a VPN to appear as if they are in an allowed country. This is why country blocking is a volume-reduction tool, not an absolute security barrier. It stops the 80% of bad traffic that does not use VPNs while allowing VPN-savvy users (both legitimate and fraudulent) through. The fraudsters who use VPNs to bypass country blocks will be caught by your other defense layers — fingerprinting, velocity detection, and email validation.

How accurate is IP-based geolocation?

At the country level, modern geolocation databases (MaxMind, IP2Location) are approximately 95-99% accurate for most regions. Accuracy drops in certain areas, particularly countries with less developed IP infrastructure or high mobile carrier usage. False positives (blocking a legitimate customer because their IP is misidentified) occur in roughly 1-5% of cases. This is another reason to use redirect-and-explain rather than silent blocking — a legitimate customer who is incorrectly geolocated can contact you for help.

Will blocking countries hurt my SEO?

If you block Googlebot or other search engine crawlers, yes. But search engine crawlers typically use IP addresses based in the United States, and reputable geoblocking solutions whitelist known crawler IPs. ShieldFlow does not interfere with search engine indexing. Your product pages remain fully indexed and visible in search results globally, even for countries where checkout is restricted.

Should I block countries where I have a few legitimate orders?

This requires a cost-benefit analysis. If a country generates 5 orders per month and 500 fraudulent checkout attempts, the math favors blocking — especially if those 5 legitimate customers can be served through a whitelist exception. If a country generates meaningful revenue alongside fraud traffic, blocking is too aggressive. In that case, rely on device fingerprinting and checkout-level fraud scoring to separate legitimate customers from bots within that country.

What happens when I block a country in ShieldFlow?

When a visitor from a blocked country attempts to enter checkout, ShieldFlow intercepts the request and either displays a block message (explaining that orders from their region are not accepted) or redirects them to a URL you specify. The checkout does not proceed. The attempt is logged in your ShieldFlow dashboard with the visitor’s fingerprint, IP, country, and timestamp. If you also enable the storefront redirect, visitors from blocked countries are redirected before they even reach the product page.

Can I block specific regions within a country instead of the entire country?

ShieldFlow supports country-level blocking. Region-level or city-level blocking is not currently available due to the lower accuracy of sub-country geolocation (accuracy drops to approximately 60-80% at the city level). If you need finer granularity, device fingerprinting and behavioral scoring are more reliable than geographic targeting at the sub-country level.

Start Blocking Fraud Traffic by Country Today

Country blocking is one of the fastest wins in fraud prevention. If your data shows concentrated fraud from specific geographies where you have no legitimate customers, there is no reason to keep accepting that traffic.

ShieldFlow makes it straightforward: select the countries, choose block or redirect, and deploy. Combined with device fingerprinting, checkout-level enforcement, and behavioral analysis, country blocking becomes one layer in a defense that catches fraud before it costs you money.

The setup takes five minutes. The reduction in fake checkouts starts immediately.