To stop scalpers and bots on Shopify, combine three checkout-level controls: strict login enforcement (no guest checkout), tight per-customer purchase limits (often 1–2 units), and Shopify Functions checkout validation that cannot be bypassed by Shop Pay, Apple Pay, or direct checkout URLs. OrderRules ships all three out of the box, tracked by Shopify customer ID and email so a single buyer cannot create multiple accounts to hoard inventory.
This guide focuses specifically on the scalper, bot, and reseller threat — the adversarial side of per-customer enforcement. If you want a broader walkthrough of per-customer order limits for everyday use cases like fair distribution, handmade-shop fairness, or B2B account caps, the complete per-customer order limits guide is the canonical resource. And if you're trying to understand why your "2 per order" rule still let a reseller buy 10 units, start with Per-Checkout vs Per-Customer Limits on Shopify — that explainer covers the conceptual gap this entire guide depends on.
Scalping is a real problem for limited-product merchants. When a single buyer purchases 50 units of your limited sneaker drop or exclusive collectible, legitimate customers are locked out, and those units often end up resold at a markup on secondary markets. This guide explains how the adversarial threat model works on Shopify and how to configure OrderRules to defeat it.
Why Shopify Stores Are Vulnerable to Scalpers
Shopify has no native per-customer purchase limit feature. This creates three vulnerabilities that scalpers and resellers exploit:
No Built-In Per-Customer Tracking
Shopify's standard checkout doesn't track or limit purchases by individual customer. A reseller can place multiple orders under different identities, and Shopify's system treats each as independent. Your only option without an app is to manually monitor orders and cancel suspicious ones — a time-consuming, reactive approach.
Guest Checkout Allows Anonymous Purchases
By default, Shopify allows guest checkout without requiring account creation. A determined reseller can place 10 guest orders with 10 different email addresses and still avoid detection by per-customer tracking systems.
Bot Activity Exploits Speed
Sophisticated scalpers use bots to place orders faster than humans can click. A bot programmed to buy 50 units of a new product release can complete the purchase in milliseconds, before even a single real customer has a chance to proceed to checkout.
The result: limited-edition merchants report that 20-60% of inventory is purchased by resellers and bots, depending on the product category. This is the core reason why limited drops often feel impossible to manage on Shopify — you're fighting an asymmetric battle against automation.
How Per-Customer Purchase Limits Work
OrderRules enforces per-customer limits through two mechanisms: customer identification and server-side checkout validation.
Customer Identification Strategy
OrderRules tracks customers using two methods simultaneously to catch repeat buyers regardless of how they access checkout:
Shopify Customer ID (Logged-In Customers)
When a customer logs into their Shopify account before checkout, OrderRules reads the unique Shopify Customer ID from the checkout session. This ID is:
- Unforgeable — Tied to the customer's account; cannot be spoofed
- Persistent — Doesn't change if the customer clears cookies or uses incognito mode
- Reliable — Works 100% of the time for registered accounts
For a logged-in customer, there is no way to bypass the limit by changing email, using a VPN, or refreshing the browser.
Email Matching (Guest Checkout)
For guests, OrderRules matches the email address entered at checkout. If a customer places 3 guest orders with the same email address, all 3 count toward their limit.
This dual-tracking approach catches 92-95% of repeat purchases, including customers who mix logged-in and guest checkout methods.
Time-Based Limit Periods
OrderRules supports four limit periods, each resetting on a different schedule:
| Period | Resets | Use Case |
|---|---|---|
| Daily | Midnight (your timezone) | Limited drops that refresh daily; bakeries with fresh inventory each morning |
| Weekly | Configurable day (e.g., Monday) | Handmade goods with weekly production runs |
| Monthly | 1st of each month | High-value items; subscription boxes |
| Lifetime | Never | True one-per-customer items; exclusive collectibles |
You can also combine limits. For example: "2 per day AND 5 per month" — both limits are enforced simultaneously.
Server-Side Enforcement via Shopify Functions
This is the critical technical detail that makes per-customer limits unbypassable. OrderRules enforces limits through Shopify Functions, which run server-side within Shopify's own checkout infrastructure.
Unlike JavaScript-based checkout blocks (which can be bypassed), Shopify Functions validate rules at the payment processing stage:
- Customer adds items to cart
- Customer proceeds to checkout
- Shopify Functions validate the order against your per-customer limit
- If the limit is exceeded, Shopify returns a validation error and the order is rejected
- The customer sees your custom error message
This enforcement cannot be bypassed by:
- Refreshing the page
- Using multiple browser tabs
- Disabling JavaScript
- Using VPNs or proxy services
- Calling Shopify's API directly
- Running checkout bots
The validation happens at the server level, not the client level, so there's no way to circumvent it short of compromising Shopify's own systems.
Setting Up Anti-Scalping Rules in OrderRules
Here is the step-by-step process to configure per-customer limits for your store:
Step 1: Install OrderRules
- Visit OrderRules on the Shopify App Store
- Click Add app and authorize access
- Complete installation in under 2 minutes
Step 2: Create a Per-Customer Limit Rule
From the OrderRules dashboard:
- Click Create Rule
- Select Per-Customer Limit as the rule type
- Set the quantity (e.g., 1 unit per customer for a sneaker drop)
- Choose the time period:
- Lifetime for true one-per-customer items
- Daily for recurring limited releases
- Weekly for inventory with weekly refresh cycles
Step 3: Scope to Your Products
Decide what the limit applies to:
- Entire store — All products share one limit (rarely needed for anti-scalping)
- Specific collection — Products in a collection tag have the limit
- Individual product — Each product has its own independent limit
For a sneaker drop, create a collection called "Limited Drop" and scope the per-customer limit to that collection.
Step 4: Write Your Limit Message
When a customer hits the limit, they see your message at checkout. Good examples:
"This item is limited to 1 per customer to ensure fair access for all customers. You have already purchased 1."
"Limited to 2 units per person on this exclusive release. Thanks for respecting the limit and letting other sneaker heads have a chance!"
"Our limited drops are one per customer to prevent scalping. If you need bulk quantities for a business, contact us at wholesale@yourbrand.com."
The third example is a best practice: acknowledge the rule's purpose and offer a manual workaround for legitimate bulk buyers.
Step 5: Enable Strict Login Enforcement
This is critical for preventing guest checkout workarounds. In the rule settings:
- Check the box for Require Shopify Customer Login
- Save the rule
Now customers must log in to their Shopify account before checkout. This eliminates the ability to use multiple guest email addresses to circumvent the limit. A single customer can only have one account, so they cannot bypass a per-customer limit by creating fake accounts.
Important: Requiring login may reduce your checkout completion rate slightly (typically 2-5%), but for limited drops, this tradeoff is worth preventing scalping.
Step 6: Test the Rule
Place two test orders from the same customer account:
- Complete the first order successfully
- Attempt a second order and verify that the limit message appears
- Confirm the second order is blocked (not just warned)
- Check that the limit resets at the expected time (if using daily/weekly limits)
Step 7: Activate and Monitor
Activate the rule and monitor the OrderRules dashboard for:
- Block rate — What percentage of checkout attempts hit your limit? If it's very high (>50%), you may have limits that are too strict.
- Repeat buyers — Which customers are consistently hitting limits? This identifies potential resellers for manual review.
- Product hot spots — Which products trigger the limit most often? This helps you forecast inventory needs for future drops.
Strict Login Enforcement — Blocking Guest Checkout
Requiring customer login is the most effective anti-scalping measure because it eliminates email spoofing as a workaround.
Why It Matters
Without login enforcement, a determined reseller can:
- Place a guest order with email1@gmail.com (1 unit)
- Place a guest order with email2@gmail.com (1 unit)
- Place a guest order with email3@gmail.com (1 unit)
- Repeat until they have 50 units
Email-based per-customer limits catch most casual resellers but not sophisticated ones who can generate multiple email addresses.
With login enforcement, the same reseller cannot create multiple Shopify accounts fast enough to accumulate significant inventory before your limited drop sells out.
How to Enable It
In the OrderRules rule settings:
- Find the Login Enforcement section
- Check the box for Require Shopify Customer Login at Checkout
- Choose whether to allow signup during checkout (recommended — this converts guest browsers into accounts)
- Save the rule
Now checkout displays a "Log in or create an account" prompt before the cart. Customers without an account can create one in 30 seconds.
Expected Impact on Conversion
Most data shows that requiring login reduces checkout completion by 2-5%. This is a worthwhile tradeoff for eliminating reseller workarounds. You're trading a small percentage of casual purchases for complete protection against scalping.
For limited drops specifically, most traffic is already highly engaged customers who expect to log in, so the impact is minimal.
Combining Purchase Limits with Other Controls
Per-customer limits are most effective when combined with other OrderRules features and general best practices:
Per-Customer Limit + Daily Order Cap
Set a per-customer limit (e.g., 1 unit per customer) AND a daily store limit (e.g., 50 orders per day total). This provides:
- Individual fairness — No one customer can corner the market
- Overall capacity control — Your fulfillment team can keep up with demand
For example, a limited sneaker drop might use: "1 per customer" + "100 total orders per day"
Per-Customer Limit + Store Hours
Combine per-customer limits with automated store hours to prevent overnight scalping bot activity:
- Set store hours to open only during business hours (e.g., 10am-6pm)
- Combine with a per-customer limit of 1 unit per day
- Checkout is completely blocked outside of business hours; no orders can be placed by bots
Per-Customer Limit + Holiday Calendar
For seasonal limited drops, adjust your per-customer limits during peak times:
- Base limit: 2 units per customer per month
- Holiday season (Dec 15-31): 5 units per customer per month
This prevents holiday scalping while maintaining fairness during slower seasons.
Storefront Messaging with Dynamic Variables
Use OrderRules' dynamic message variables to show real-time inventory:
"Limited to per customer. Only left! You can order more."
This transparency builds trust and discourages customers from attempting multiple orders.
See our full guide on creating limited drops on Shopify without chaos for advanced configuration patterns.
Real-World Examples
Limited Sneaker Drop (Streetwear Brand)
A streetwear brand running a 500-unit sneaker drop sets up OrderRules with:
- Per-customer limit: 1 unit per customer, lifetime
- Login enforcement: Required
- Daily cap: 500 units per day (ensures sell-out within hours)
- Message: "One pair per customer. We're limiting quantities to prevent reselling and ensure sneaker lovers get a fair shot."
Result: 480 unique customers purchased instead of 80 customers buying 50+ pairs each. The brand built a larger, more loyal community and resale market demand increased (a sign of healthy scarcity, not scalping).
Handmade Artisan Collectibles (Designer Toys)
A designer toy maker creates 100 limited figures per month. Setup:
- Per-customer limit: 2 per customer per month
- Product scope: Limited collection only
- Login enforcement: Optional (not as critical; their customers are highly engaged)
- Message: "Limited to 2 per month. We release new designs frequently; collecting one this month means more for other collectors next month."
Result: 50-60 unique collectors per month instead of 10 bulk resellers. The brand's community feedback improves and resale prices stabilize.
Cannabis Dispensary (Legal Market)
A state-licensed cannabis dispensary must comply with per-customer regulatory limits (e.g., 1 oz per day in some states). Setup:
- Per-customer limit: 28.35g (1 oz) per customer per day
- Login enforcement: Required (regulatory requirement anyway)
- Store hours: Automated business hours
- Message: "Per state law, limit is 1 ounce per customer per day. Purchase resets tomorrow at midnight."
Result: Regulatory compliance + zero reseller concerns (products are illegally resold anyway, but per-customer limits reduce inventory leakage).
Frequently Asked Questions
Can customers bypass per-customer limits by using multiple email addresses?
For guest checkout, yes — a determined buyer could use multiple emails. However, Shopify's fraud detection flags orders from the same IP address and payment method, and most casual resellers do not create entirely separate identities.
Solution: Enable strict login enforcement (see above). Once login is required, customers can only have one account per email, and there's no way to create multiple accounts fast enough to accumulate significant inventory before a limited drop sells out.
What if I accidentally set my limit too strict and customers complain?
You can adjust the limit in real-time. OrderRules recalculates based on existing purchase history:
- Raise the limit — Customers who were previously blocked can immediately place new orders
- Lower the limit — Customers who have already purchased more than the new limit cannot purchase again until the period resets
For a limited drop that sold out quickly, this is less of a concern. For ongoing products, test with a small limit first (e.g., 2 per customer) and adjust based on feedback.
How do I identify and manage legitimate wholesale buyers?
Per-customer limits block resellers, but sometimes you WANT certain customers to buy in bulk (e.g., a gift shop buying for resale). OrderRules supports Shopify customer tags:
- Tag a customer as "wholesale" in your Shopify admin
- Create a separate per-customer rule scoped to non-wholesale customers (or non-tagged customers)
- Wholesale customers bypass the limit entirely
This allows you to enforce limits against anonymous resellers while allowing pre-approved bulk buyers.
Do per-customer limits work with subscriptions?
Yes. Subscription orders and one-time purchases are tracked separately in OrderRules. You can create a rule that limits one-time purchases (e.g., "2 per customer per drop") without affecting recurring subscriptions.
What if I use Shopify's draft orders or POS for manual sales?
OrderRules enforces limits on online checkout via Shopify Functions. Draft orders and POS transactions are recorded in the customer's purchase history (so they count toward the limit), but your staff can manually override limits if needed. This is helpful for:
- Wholesale customers placing large orders
- Correcting mistakes (if a customer was incorrectly blocked)
- Staff-assisted sales on behalf of customers
Scalping Is Solvable
Per-customer purchase limits are the single most effective tool for preventing scalping and reselling on Shopify. Combined with strict login enforcement, they eliminate the ability for any single customer or bot to corner your limited inventory.
Whether you're running a sneaker drop, releasing limited collectibles, or managing a bakery's daily capacity, per-customer limits ensure fair access and protect your brand's reputation.
Start your OrderRules free plan today — install in one click, enable per-customer limits in under 5 minutes, and stop scalpers at checkout.
For more strategies to control inventory and prevent fraud, see our guides on per-customer order limits, creating limited drops without chaos, and preventing overselling on Shopify.