Sample deliverable · Bot Shield + Analytics Stack
SG-traffic anomaly analysis & remediation plan
1 · Executive summary
Between [DATE-RANGE] the client's Shopify storefront recorded ~[N]K daily sessions with an unusually low conversion rate of [X.XX]%. Pixel and GA4 dashboards reported elevated paid-ad conversions inconsistent with downstream order data in Shopify Admin.
Investigation isolated three SG-originating bot patterns exploiting Shopify's recommended-products URL parameter (see §3) and Meta Pixel's client-side track('PageView') event. These patterns inflated reported pageviews by ~[XX]% and corrupted Meta's lookalike audience seeds for the past [N] weeks.
Recommended remediation: a 4-layer ruleset spanning Shopify Admin, Meta Pixel client + Conversions API server-side, and GA4 IP/UA exclusions. Estimated implementation: 14 days. Expected outcomes (summarised in §6) are deliberately understated in this preview to preserve client anonymity.
2 · Methodology
- Pulled a 30-day session log from Shopify (orders, sessions, source/medium, IP class) via Admin GraphQL.
- Cross-referenced with Meta Pixel's EventsManager → Test Events stream and the GA4 BigQuery export (events_* table).
- Flagged any session matching ≥2 of: (a) UA fingerprint shared by ≥10 unique IPs, (b) zero scroll/click engagement, (c) recommended-products URL parameter exploitation pattern, (d) IP belonging to an SG-resident datacentre ASN.
- Sample size: [N,NNN] flagged sessions out of [NN,NNN] total. False-positive review on a stratified sample of 100.
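The ≥2-of-4 flagging rule above, as an added JavaScript example (not the engagement's own code): field names, the placeholder ASNs and the sample sessions are constructed for illustration. It records which criteria matched so the false-positive review can audit each flag.

```javascript
// Added example: field names, ASNs and sample sessions are constructed.
const DATACENTRE_ASNS = new Set([64500, 64501]); // placeholder documentation-range ASNs
const RECOMMENDED_RX = /^\/products\/[^/?]+\?(?:.*&)?recommended=/;
const UA_SHARED_IP_THRESHOLD = 10; // criterion (a): UA seen from >= 10 unique IPs
const MIN_CRITERIA = 2;            // flag when >= 2 criteria match

// Pass 1: count distinct IPs per UA fingerprint across the whole log.
function ipsPerUa(sessions) {
  const map = new Map();
  for (const s of sessions) {
    if (!map.has(s.ua)) map.set(s.ua, new Set());
    map.get(s.ua).add(s.ip);
  }
  return map;
}

// Pass 2: evaluate the four criteria per session and keep the reasons,
// so a reviewer can see why each session was flagged.
function flagSessions(sessions) {
  const uaIps = ipsPerUa(sessions);
  return sessions.map((s) => {
    const reasons = [];
    if (uaIps.get(s.ua).size >= UA_SHARED_IP_THRESHOLD) reasons.push('a:shared-ua');
    if (s.scrollEvents === 0 && s.clickEvents === 0) reasons.push('b:no-engagement');
    if (RECOMMENDED_RX.test(s.landingPath)) reasons.push('c:recommended-param');
    if (DATACENTRE_ASNS.has(s.asn)) reasons.push('d:datacentre-asn');
    return { id: s.id, reasons, flagged: reasons.length >= MIN_CRITERIA };
  });
}

// Constructed sample log: ten sessions sharing one UA across ten IPs, plus two others.
function sampleSessions() {
  const rotating = Array.from({ length: 10 }, (_, i) => ({
    id: `bot-${i}`, ua: 'UA-shared', ip: `203.0.113.${i + 1}`, asn: 64500,
    landingPath: `/products/flagship?recommended=${i}`, scrollEvents: 0, clickEvents: 0,
  }));
  return rotating.concat([
    { id: 'human-1', ua: 'UA-human', ip: '198.51.100.7', asn: 64510,
      landingPath: '/products/flagship', scrollEvents: 14, clickEvents: 3 },
    // Matches one criterion only (no engagement): an ordinary bounce, not flagged.
    { id: 'bounce-1', ua: 'UA-bounce', ip: '198.51.100.8', asn: 64510,
      landingPath: '/collections/all', scrollEvents: 0, clickEvents: 0 },
  ]);
}

const results = flagSessions(sampleSessions());
console.log(results.filter((r) => r.flagged).map((r) => r.id));
```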
3 · Pattern signatures observed
Pattern A — recommended-products URL exploit
Sessions hitting /products/{handle}?recommended=... with sequential recommended values. The public Shopify Dev forum has documented this pattern affecting "thousands of merchants" with limited official response. The pattern stays inside Shopify and never reaches checkout, but inflates Pixel ViewContent events.
// Shopify Admin GraphQL — flag rule (extract):
sessions {
  filter: {
    landingPath: { matches: "^/products/.+\?recommended=" }
    pageviewCount: { gte: 8 }
    addToCart: { eq: 0 }
  }
}
Pattern B — UA-rotating SG datacentre traffic
IP set traced to [N] SG-resident commercial-datacentre ASNs. UA strings rotate across 12 distinct mobile browser signatures every [NN] minutes. No referrer, no scroll events. Hits add-to-cart on flagship SKUs only.
Impact: corrupts Meta's InitiateCheckout conversion signal — Meta's auction algorithm starts bidding aggressively on lookalikes that are themselves derived from bot data. This is the costliest pattern because it converts into ad-spend waste.
Pattern C — abandoned-cart payload pollution
Sessions reaching /cart with cart contents totalling exactly S$0.00 (using a gift-card SKU with zero face value). This triggers the Klaviyo abandoned-cart flow despite no genuine purchase intent. Suspected list-poisoning behaviour rather than commercial scraping.
4 · Ruleset deployed (4 layers)
| Layer | Surface | Mechanism | Patterns covered |
|---|---|---|---|
| L1 | Shopify Admin → Bot & Crawler exclusion | UA + ASN ruleset (script-tags via custom Shopify app) | A, B |
| L2 | Meta Pixel (client-side) | Conditional fbq guard — checks UA + scroll-depth + dwell ≥3s before firing ViewContent | A, B |
| L3 | Conversions API (server-side, Stape GTM) | Server-side dedup hash + IP/UA exclusion list. Sends only validated Purchase/InitiateCheckout events with iOS17 ATT recovery. | B (ad-spend critical) |
| L4 | GA4 + Klaviyo | IP exclusion list + UA filter for cart/checkout payloads with S$0.00 total | C |
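// Stape GTM Server-side variable (ruleset extract):
// BOT_UA_PATTERNS (regexes) and BLOCKED_ASN_PREFIXES (IP-prefix strings) are defined elsewhere in the ruleset.
const isBot = (event) => {
  const ua = event.user_agent || '';
  // Default to '' so a missing IP cannot throw on startsWith().
  const ip = event.ip_override || event.client_ip || '';
  return BOT_UA_PATTERNS.some(rx => rx.test(ua))                 // known bot UA signature
    || BLOCKED_ASN_PREFIXES.some(p => ip.startsWith(p))          // IP inside a blocked range
    || (event.event_name === 'AddToCart' && event.value === 0);  // zero-value add-to-cart
};
5 · Conversions API migration plan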
Migration from client-only Pixel to dual-mode (client + server) executed via Stape's GTM Server-side container. Preserves attribution for iOS 17+ users (ATT-restricted) while filtering bot traffic before it reaches Meta's optimisation surface.
- Day 1–2: Stape container setup, custom domain (track.[client-domain]), Conversions API connector deployed.
- Day 3–5: Client → server dedup keys configured for Purchase, InitiateCheckout, AddToCart, ViewContent. event_id hashed via SHA-256 of (timestamp + cart_token).
- Day 6–10: Bot ruleset (§4) integrated into Stape transformations. Test events validated in Meta EventsManager.
- Day 11–14: Cutover. 7-day monitoring window with daily diagnostic against Shopify Admin source-of-truth.
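The Day 3–5 dedup key, as an added example that is not the client's or Stape's code: function names, the cart token and the timestamps are constructed. It shows that the client and server paths must hash the same captured timestamp for their event_id values to match.

```javascript
// Added example: names and sample events are constructed for illustration.
const { createHash } = require('crypto');

// event_id = SHA-256(timestamp + cart_token), as in the Day 3–5 step.
// Assumption: `timestamp` is captured once per user action and sent on both
// paths. If each side reads its own clock, the ids differ and nothing dedups.
function eventId(timestamp, cartToken) {
  return createHash('sha256').update(`${timestamp}${cartToken}`).digest('hex');
}

// Keep the first event seen for each (event_name, event_id) pair.
// The event name is part of the key, so one cart can carry several event types.
function dedupe(events) {
  const seen = new Set();
  const kept = [];
  for (const e of events) {
    const key = `${e.event_name}:${e.event_id}`;
    if (seen.has(key)) continue; // second copy of the same action: drop
    seen.add(key);
    kept.push(e);
  }
  return kept;
}

// Constructed stream: a Pixel event, its server-side twin, a different event
// type for the same cart, and a server event built from a drifted timestamp.
function sampleStream() {
  const cart = 'cart-token-constructed-001';
  const t = 1700000000;
  return [
    { source: 'pixel', event_name: 'AddToCart', event_id: eventId(t, cart) },
    { source: 'server', event_name: 'AddToCart', event_id: eventId(t, cart) },
    { source: 'pixel', event_name: 'InitiateCheckout', event_id: eventId(t, cart) },
    { source: 'server', event_name: 'AddToCart', event_id: eventId(t + 2, cart) },
  ];
}

console.log(dedupe(sampleStream()).map((e) => `${e.source}:${e.event_name}`));
```

The last sample event survives deduplication because its timestamp differs by two seconds, which is how a double count appears when the two paths do not share one timestamp.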
6 · Outcomes (redacted)
Over the 30 days following ruleset deployment:
- Reported sessions down [XX]% (the bot inflation, removed)
- Reported InitiateCheckout events down [XX]%; actual checkout count from Shopify Admin unchanged
- Meta lookalike audience signal restored — CPM rebased to within [X]% of historical norm
- Klaviyo abandoned-cart flow open rate up [XX]% (cleaner list)
- Founder reported "I can trust the dashboard again" — qualitative but the most-cited outcome at the 30-day handoff
Quantitative outcomes redacted under NDA. Discuss your own situation on WhatsApp; we can share approximate ranges from comparable engagements without identifying clients.
7 · Bot Shield + Analytics Stack — your deliverables
The actual engagement (S$2,800, 18 days) ships:
- Bot-pattern report formatted as above, with your store's specific signatures
- Ruleset deployed across Shopify, Meta Pixel, GA4 (L1–L2 + L4)
- Conversions API migration via Stape (L3) — 14-day implementation
- Re-anchored conversion baseline + 30-day handoff memo
- Monthly diagnostic template — you run it yourself; quarterly check-in optional