Analysis6 min read2026-03-17

Shopify's 'Limit One Per Customer' doesn't work at guest checkout — here's why

ByViralPilot|Ecommerce SaaS agency, 8 years experience

The setting you're trusting isn't doing what you think

You've set up a product that should only be purchased once per customer. Maybe it's an intro offer, a sampler kit, or a loss-leader you're using to acquire new buyers. You go into Shopify, find the "Limit one per customer" option, check the box, and move on.

Then you check your orders a week later and see the same person has bought it three times.

The setting didn't fail. It did exactly what it was designed to do. The problem is that what it does and what you need it to do are two completely different things.

What Shopify's limit actually checks

When you enable "Limit one per customer" on a product or variant in Shopify, the system performs one check at checkout: does this customer account's email address already have a completed order containing this product?

That's the entire mechanism. One field. One lookup.

If the email on the logged-in customer account matches a previous order with that product, Shopify blocks the purchase. If the email doesn't match, the purchase goes through. No second opinion. No additional verification.

This works fine in a world where every customer has exactly one account and always logs in before purchasing. That world doesn't exist.

Guest checkout has no account — so the limit does nothing

Here's the critical gap. Guest checkout doesn't create a customer account. There's no account to look up. There's no email tied to a persistent identity that Shopify can check against previous orders.

When a buyer checks out as a guest, they enter an email address for the order confirmation. But that email isn't matched against your existing customer database in the way the "limit one per customer" feature requires. The feature needs a logged-in customer account to function. No account, no limit.

This isn't a bug. Shopify's documentation confirms it. The setting is designed for logged-in customer accounts only. If your store allows guest checkout — and most stores do, because forcing account creation kills conversion rates — the limit is effectively turned off for anyone who doesn't log in.

You're running a gate with no fence on either side of it.

Three ways a customer bypasses it without any technical skill

You don't need to be a hacker or even particularly clever to get around this restriction. Any customer who's bought something online more than a few times can do it.

1. Check out as a guest with a different email

The simplest path. Your customer bought the product last week while logged in. This week, they go to your store, add the same product to cart, and check out as a guest with a different email. The limit never fires because there's no account session to check.

They don't even need a second real email address. Any email that receives mail will work. A work email. A partner's email. A throwaway inbox that takes 10 seconds to create.

2. Use a Gmail alias

Gmail ignores dots in email addresses and supports plus-sign aliases. That means these all land in the same inbox:

To Shopify, each of those is a unique customer. To the buyer, they're all the same inbox. One person, unlimited "customers." And this applies whether they check out as a guest or create a new account for each variation.

3. Open an incognito window

If your store uses cookies or sessions to track logged-in state, an incognito window wipes the slate clean. The customer opens a private browsing window, navigates to your store, adds the restricted product, and checks out as a guest. Your store has no idea they were ever there before.

This takes about 15 seconds. No technical knowledge required. Every modern browser has this feature one right-click away.

For a deeper look at the incognito problem, read how incognito checkout bypasses Shopify protections.

Why disabling guest checkout isn't the answer

The obvious reaction is to turn off guest checkout and force everyone to create an account. Then at least the email check would fire every time.

Don't do this. Forced account creation is one of the top reasons for cart abandonment. Studies consistently put it in the top three. You'll lose more revenue from abandoned carts than you'll save from blocking repeat purchases.

And even if you do force account creation, the Gmail alias problem still exists. A customer creates two accounts with two email variations. Both accounts are "new." Both pass the limit check. You've annoyed your legitimate customers and still haven't solved the problem.

What the fix actually looks like

The issue isn't that Shopify's limit is broken. It's that email-only identity checking is fundamentally insufficient. A real solution needs to look at more than one signal to determine whether a buyer is someone who's already purchased a restricted product.

Product-level blocking at checkout means the check happens at the moment of purchase, not on the product page, not in the cart, but at checkout itself where the transaction is finalized. And it needs to work regardless of whether the buyer is logged in or checking out as a guest.

Effective identity matching uses multiple data points. Not just email, but combinations of:

  • Email normalization — catching Gmail dots, plus aliases, and common variations that map to the same person
  • Shipping address — the physical destination, which is harder to change than an email
  • Phone number — another signal that ties back to a real person
  • Browser fingerprinting — device and browser characteristics that persist across sessions
  • IP address patterns — identifying repeat visits from the same network

No single signal is bulletproof. But when you combine them, the cost and effort of bypassing the restriction goes from "15 seconds in incognito" to "not worth the trouble."

This is exactly what OfferGuard does. It sits in your Shopify checkout and checks these identity signals in real time. If a buyer matches a previous purchaser of a restricted product — regardless of what email they used or whether they're logged in — the checkout is blocked. Not the discount. The entire purchase.

The buyer sees a clear message that the product is limited to one per customer. No ambiguity, no partial workaround, no silent failure.

The distinction matters: blocking the purchase, not a discount

This isn't about protecting discount codes on the frontend. That's a different problem with its own set of gaps. This is about preventing the actual transaction from completing when a product should only be sold once to each real person.

If you're selling a product that's meant to be purchased once — an intro offer, a trial, a limited promotional item — you need enforcement at the checkout level that works for every type of buyer, including guests.

What to do next

If you're relying on Shopify's native "limit one per customer" and your store allows guest checkout, your restriction isn't active for a significant portion of your buyers.

Check your orders. Look for the same shipping address appearing on multiple orders for your restricted product. Look for email variations that clearly belong to the same person. If you find them, you have a gap.

OfferGuard closes that gap with server-side identity matching that works at checkout, for every buyer, on every order. No code changes. No theme edits. Installs in under two minutes.

See pricing and start your free trial →

Share:X / TwitterLinkedIn

Try OfferGuard on your store.

Free plan available. No credit card.

Install free on Shopify

More posts

Why IP validation matters for Shopify discount protection

A customer switches emails and clears cookies. But their IP address stays the same. Here's why IP validation is a critical layer in stopping repeat discount abuse.

The Complete Guide to Protecting New-Customer-Only Products on Shopify

Your intro offer, trial box, or new-customer product is being bought by the same people over and over. Here's why Shopify can't stop it — and how to fix it.

← All posts