Step-by-Step Guide for Configuring IP Blacklist and Bot Protection in nopCommerce

Prevent unwanted visitors from interacting with your nopCommerce store before they can create accounts, place orders, or copy content. Use IP / IP range blocking and redirection, geolocation (country/state/city) restrictions, bot-protection features (checkout rate limits, fake-email/domain/username checks) and proxy/VPN detection to keep spam, fraud and scrapers out. You can also bypass filtering for static assets to preserve performance, trust X-Forwarded-For when behind a load balancer, and log all filtering events for audit and troubleshooting.

  • Download the miniOrange IP Blacklist and Bot Protection plugin for nopCommerce.
  • To install the plugin, log in as admin to your nopCommerce site or store. In the admin dashboard, navigate to Configuration Tab >> Local plugins.
nopCommerce admin dashboard

  • On the top right corner of the page select the Upload plugin or theme button to upload the downloaded plugin zip.
Upload plugin or theme

Set up the miniOrange IP Blacklist and Bot Protection plugin on your nopCommerce store.

The IP Restriction feature in the miniOrange IP Blacklist and Bot Protection plugin allows you to block or restrict visitors based on their IP address, IP range, CIDR block, or country code.

  • Go to your nopCommerce Admin Dashboard >> miniOrange IP Blacklist and Bot Protection.
  • Under the IP Restriction tab, enable the following options:
    • Enable/Disable IP Restriction feature - Turn this ON to activate IP-based blocking.
      When disabled, IP filtering will be completely bypassed. All requests will be allowed regardless of blacklist/whitelist settings.
    • Enable detailed logging of IP filtering events – Logs all blocked requests for review and troubleshooting.
    • (Optional) Trust X-Forwarded-For headers – Enable this if your site is behind a proxy or load balancer to ensure the plugin captures the original client IP instead of the proxy IP.
    • Bypass IP filtering for static content – Allows images, CSS, JS, and fonts to load even when IP restrictions apply.
      When enabled, static files (.jpg, .png, .css, .js etc.) will bypass IP filtering. When disabled, even static content will be filtered according to your IP rules.
  • Click Save Settings to apply the configuration.
Enable IP Restriction
  • Scroll down to the Add New IP Restriction section. Here, you can choose how you want to block IPs using one of four entry types:
Add New IP Restriction

| Entry Type | Description | Example Input | Use Case |
|---|---|---|---|
| Single IP Address | Blocks or allows a specific IP address. | 192.168.1.100 or 2001:db8::1 | Use when you want to block or whitelist a single user or device. |
| IP Range | Restricts a continuous range of IP addresses. | 192.168.1.1 - 192.168.1.255 | Useful for blocking all users in a specific office, organization, or region with a defined IP block. |
| CIDR Block | Blocks multiple IP addresses using a CIDR (Classless Inter-Domain Routing) notation. | 192.168.1.0/24 | Use for large networks or ISPs where multiple users share similar IP prefixes. |
| Country Code | Restricts traffic from specific countries based on their ISO 2-letter code. | US, IN, CN | Use to block or allow traffic from entire countries. For example, block CN to prevent visitors from China. |

  • After selecting any one of the Entry Types and filling in the required details, click on the Add Entry button.
Add New IP Restriction

  • Once added, the entry will appear under the IP Restriction Entries section, where it will be automatically categorized as Blacklisted, and its Status will be shown as Active.
IP Restriction Entries

  • You can also use the Export CSV option to download the list of existing IP restrictions or the Import CSV option to bulk upload multiple IP addresses or ranges at once.
Import and Export CSV

  • You can use the Pause button to temporarily disable an IP restriction or the Delete button to permanently remove the IP from the blacklist.
Pause and Delete Button
  • Once you’ve added the entries:
    • Try to log in or access your nopCommerce store from the restricted IP.
    • You’ll receive an “Access Denied” message if the IP restriction is applied successfully.
Test the Restriction
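
The X-Forwarded-For header is set by whoever sends the request, so trusting it is only safe when the value is read from the hop your own proxy appended. The following is an added example, not the plugin's code: it resolves the client address that way and matches it against the Single IP, IP Range and CIDR entry types. The proxy network, the entries and all function names are assumptions, built from documentation address ranges.

```python
import ipaddress

# Constructed sample data: the proxy network and blacklist entries are assumptions.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ENTRIES = [
    ("single", "203.0.113.7"),
    ("range", "198.51.100.10 - 198.51.100.20"),
    ("cidr", "192.0.2.0/24"),
]

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, xff_header=None):
    """Return the address to filter on.

    The header is honoured only when the direct peer is a trusted proxy, and it
    is read right to left so entries a client injected on the left are ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not is_trusted(peer):
        return peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the socket peer
        if not is_trusted(addr):
            return addr
    return peer  # every hop was one of our own proxies

def matches(entry_type, value, addr):
    if entry_type == "single":
        return addr == ipaddress.ip_address(value)
    if entry_type == "range":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        return lo.version == addr.version and lo <= addr <= hi
    if entry_type == "cidr":
        return addr in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unknown entry type: {entry_type}")

def is_blocked(remote_addr, xff_header=None):
    addr = client_ip(remote_addr, xff_header)
    return any(matches(t, v, addr) for t, v in ENTRIES)
```

A blacklisted client that sends its own `X-Forwarded-For` value is still matched on its real address, because the forged value sits to the left of the hop the proxy appended.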

The Bot Protection feature helps prevent automated bots from interacting with your store. This feature is crucial in safeguarding your store from fraudulent activities, such as fake account creation, order scraping, or abuse of the checkout process.

  • Under the Bot Protection tab, you will find the following sections:
  • General Settings:
    • Enable Bot Protection: Toggle this option ON to activate the bot protection feature. This will prevent automated bots from making unauthorized requests to your store, such as fake sign-ups or scraping.
    • Enable Checkout Protection: Toggle this option ON to limit the number of checkout attempts from a single IP address. This helps prevent abuse by bots trying to place numerous orders in a short time.
    • Log All Validation Attempts: Toggle this option ON to enable logging of all validation attempts. This is useful for tracking suspicious activity and troubleshooting any blocked requests.
Bot Protection - General Settings

  • Checkout Protection Configuration:
    • Max Checkouts Per IP Per Hour: Set the maximum number of checkouts allowed from a single IP address per hour (e.g., 3). Once this limit is reached, the system will block further checkout attempts from that IP for the remainder of the hour.
    • Max Checkouts Per IP Per Day: Set the maximum number of checkouts allowed from a single IP address per day (e.g., 10). After this limit is exceeded, no further checkouts will be allowed from that IP until the next day.
  • Once you’ve configured the settings, click the Save Checkout Config button to save your changes.
General Settings and Checkout Protection Configuration
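
To see how the hourly and daily limits interact, the following added example (not the plugin's code) replays constructed checkout attempts through fixed-window counters using the guide's example values of 3 per hour and 10 per day. It assumes that "the remainder of the hour" means the clock hour and that denied attempts are not counted; the class and function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

MAX_PER_HOUR = 3   # example value for "Max Checkouts Per IP Per Hour"
MAX_PER_DAY = 10   # example value for "Max Checkouts Per IP Per Day"

class CheckoutLimiter:
    """Fixed-window counters keyed by (ip, clock hour) and (ip, calendar day)."""

    def __init__(self, per_hour=MAX_PER_HOUR, per_day=MAX_PER_DAY):
        self.per_hour, self.per_day = per_hour, per_day
        self.hourly = defaultdict(int)
        self.daily = defaultdict(int)

    def allow(self, ip, when):
        hour_key = (ip, when.strftime("%Y-%m-%d %H"))
        day_key = (ip, when.date())
        if (self.hourly[hour_key] >= self.per_hour
                or self.daily[day_key] >= self.per_day):
            return False  # assumption: denied attempts are not counted
        self.hourly[hour_key] += 1
        self.daily[day_key] += 1
        return True

def replay(attempts, limiter=None):
    """attempts: (ip, 'YYYY-MM-DD HH:MM') tuples; returns one allow/deny per attempt."""
    limiter = limiter or CheckoutLimiter()
    return [limiter.allow(ip, datetime.strptime(ts, "%Y-%m-%d %H:%M"))
            for ip, ts in attempts]

# Constructed sample: one IP straddling an hour boundary.
BOUNDARY_BURST = [("203.0.113.7", f"2024-05-01 {t}") for t in
                  ("12:57", "12:58", "12:59", "12:59",
                   "13:00", "13:01", "13:02", "13:03")]
```

Replaying `BOUNDARY_BURST` shows that under clock-hour windows a single address can complete six checkouts in a few minutes around the top of the hour, which is why the daily limit matters as the hard ceiling.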

  • Enter the domains that you want to block, separated by commas. These domains will be rejected when users attempt to register or checkout with email addresses associated with them.
  • Once you have entered all the domains you want to block, click the Save Domains Config button to apply the changes.
Configure Blacklisted Domains
  • Enter regex patterns for detecting fake names. Each pattern should be entered on a new line.
  • These patterns will detect fake names like "Test User", "Fake User", "Bot User", etc. You can customize these patterns based on what fake names you want to block.
  • Once you’ve entered all the desired patterns, click the Save Patterns Config button to apply the changes.
Configure Fake Name Patterns

  • Once you’ve configured the Blacklisted Domains and Fake Name Patterns, the system will actively block users attempting to register or checkout with these domains or suspicious names.
  • For example, if a user tries to register with an email address from a blocked domain (like john@tempmail.com), they will see a notification indicating that the domain is blocked.
domain is blocked
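
Before saving a domain list or a set of fake-name patterns, it is worth checking them against names of real customers, since an unanchored pattern such as `bot` also matches "Abbott". The following added example (not the plugin's code) parses both inputs in the formats described above and reports false positives. The sample values are constructed, and case-insensitive matching and subdomain matching are assumptions about how such a filter would behave; the patterns use only syntax shared by .NET and Python regex.

```python
import re

# Constructed sample configuration in the formats the guide describes.
BLOCKED_DOMAINS = "tempmail.com, Mailinator.com ,example-disposable.test"
LOOSE_PATTERNS = "test\nfake\nbot"
ANCHORED_PATTERNS = r"""
^(test|fake|bot)\s+user$
^(.)\1{3,}$
"""
LEGIT_NAMES = ["Abbott Lee", "Testa Rossi", "Maria Botha"]  # constructed

def parse_domains(text):
    """Comma-separated list -> normalized set of domains."""
    return {d.strip().lower().rstrip(".") for d in text.split(",") if d.strip()}

def parse_patterns(text):
    """One pattern per line; raises ValueError naming the first invalid line."""
    compiled = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            # Assumption: names are matched case-insensitively.
            compiled.append(re.compile(line.strip(), re.IGNORECASE))
        except re.error as exc:
            raise ValueError(f"pattern on line {n} is invalid: {exc}") from exc
    return compiled

def email_blocked(email, domains):
    domain = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    # Assumption: subdomains of a listed domain count as blocked too.
    return any(domain == d or domain.endswith("." + d) for d in domains)

def name_blocked(name, patterns):
    normalized = " ".join(name.split())  # collapse repeated whitespace
    return any(p.search(normalized) for p in patterns)

def false_positives(legit_names, patterns):
    """Legitimate names that the pattern set would reject."""
    return [n for n in legit_names if name_blocked(n, patterns)]
```

With the loose patterns all three constructed customer names are rejected; with the anchored set none are, while "Test User" and "Bot User" are still caught.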
