Join
3
1 Comment

How to Block Bad Bot Traffic on Your Website (8 Effective Ways)

by Syed Balkhi

Did you know that as much as 40%-50% of web traffic comes from bots?

Bots are software scripts that repeatedly perform different data tasks. And while there are good bots, like search engine crawlers, chatbots, and performance monitoring bots, approximately 30% of all traffic comes from malicious bots.

These bad bots are used to perform all sorts of malicious tasks, such as scraping and stealing web content, accessing user accounts, committing click fraud, or scalping inventory from eCommerce sites.

Luckily, there are proactive steps you can take to protect your site from bad bot traffic, and this post will cover 8 effective ways to block bad bot traffic on your website. But before we dig in, let's first get clear on what bot traffic is.

What Is Bot Traffic?

Bot traffic is basically any non-human traffic to a website. The bot isn't malicious per se, but the bot's purpose is what makes it "good" or "bad."

Bots that perform a helpful or needed service are considered good bots, and bots used for malicious tasks, such as credential stuffing, data scraping, click fraud, or launching DoS attacks are bad bots.

There are several ways malicious bots can hurt your website. For instance, they can damage your site's performance by performing so-called DDoS attacks, where large amounts of traffic are directed at a website to overload the server and slow down the site. And since only a 3-second delay can cause you to lose 53% of visitors, it can hurt your site significantly.

On top of that, websites that rely on advertising are also vulnerable to bots performing click fraud that eats up their advertising budget. These bots are designed to click on ads and make the advertiser pay for clicks without getting any conversions.

How to Discover Bot Traffic?

You can discover bot traffic by monitoring your traffic sources, and look for:

  • Spikes in traffic

  • High bounce rate

  • Surprisingly low or high session duration

  • Decreased page load speed

  • Unexpected location traffic spike

  • Junk conversions with fake emails and names

  • Excess commenting on your blog posts

  • Comments with spam links

  • Log-in attempts from unknown sources

Using Google Analytics to analyze your traffic sources can help you check if you've got a lot of unwanted bot traffic. For starters, if the bounce rate on your landing pages is 100% and the session duration is 00.00.00, it's most likely bot traffic.

Now that you know how to discover bot traffic on your website, let's look at 8 ways to prevent bad bots from accessing your website:

1. Keep Your Website and Plugins Updated

The first step in blocking bad bots is always keeping your website and plugins up to date with the latest releases. For instance, if you use WordPress, you should stay on top of updating your plugins and theme to their latest versions.

When keeping your site and all functionality up to date, you'll block out bad bots that use older versions to gain access to websites.

Also, the latest updates often come with increased security features and bot blocker options.

2. Add a Robotx.txt File to Your Site

Including a robots.txt file on your site can help you manage and stop bot traffic. The robots.txt file provides instructions for bots crawling your web pages, and this file can be configured to prevent bots from visiting or interacting with your pages altogether.

However, only good bots will abide by the rules in the robots.txt, so, unfortunately, this won't prevent malicious bots from crawling your site.

3. Use CAPTCHA Tools

Another way to block bots from accessing parts of your site content, such as contact forms, other sign-up forms, webshop carts, etc., is by adding CAPTCHA tools.

CAPTCHA tools ensure that only humans can perform specific actions. For example, describing what images display a particular topic or sliding a piece of a puzzle to fit a picture.

This action forces users to prove they're not a bot. And the bot won't be able to complete the entire activity and moves on.

However, using too many CAPTCHA's on your site can create a bad user experience and increase your bounce rate, so you need to consider what's most important for your business.

4. Block Old Browser Versions

If you're good with code, you can update the .htaccess file of your website and block older versions of web browsers from accessing your site.

By updating your .htaccess file, users are required to use new browser versions to view your site, which can block out bots, too. If using an old browser version, users will be asked to update to a newer version before visiting your website.

5. Use a Rate Limiting Solution

Rate limiting can stop certain bot attacks by detecting and preventing bot traffic originating from a single IP address.

What it does is putting a cap on how often someone can repeat an action within a specific timeframe---for instance, trying to log in to your admin account.

Unfortunately, rate limiting is not a complete solution to block bot traffic since it'll still overlook a lot of malicious bot traffic. But also adding a filtering tool, like WAF, can help block out even more bots.

6. Add a WAF

Adding a WAF (Web Application Firewall) can help to stop bot traffic. A WAF creates a shield or firewall between a web page and your website and forces users to first access the WAF before sending them to the actual site.

Specifically, WAFs are used for protecting website applications against the most common types of attacks but may also block unwanted bot traffic.

However, WAFs are powerless against sophisticated bots since they're first and foremost designed for application protection, not bot detection.

7. Install a Security Plugin

Installing a security plugin like Wordfence or Hide My WP Ghost can also help keep bad bots from accessing your website.

It provides brute-force protection against multiple random login attempts and hides common paths for wp-login, wp-content, plugins, and themes. All of which are often performed by malicious bots and other types of hacks.

A security plugin also adds a firewall to block suspicious traffic and sends you regular security notifications to keep you updated on possible threats.

8. Use a Bot Management Solution

Lastly, the most effective way to stop bad bot traffic is by using a bot management solution, like Cloudflare Bot Management. This intelligent tool uses machine learning and behavioral analysis to block malicious bots before they ever reach your site.

It also allows you to set up a blacklist and whitelist, specifying what traffic is allowed to visit your website.

A good bot manager solution can:

  • Identify bots vs. human visitors

  • Analyze bot behavior

  • Add "good" bots to allowlists (whitelist) and bad bots to blacklist

  • Challenge malicious bots via a CAPTCHA test or JavaScript injection

  • Identify bot origin IP addresses and block them based on IP reputation

  • And more

Conclusion

And there you have 8 effective ways to block bad bots on your website. While completely blocking out malicious bots is challenging, a bot management solution remains the most effective strategy. However, staying vigilant and keeping your site and web integrations up to date will also go a long way in preventing unwanted bot traffic.

Avatar for Syed Balkhi Syed Balkhi
on September 23, 2021
Say something nice to syedbalkhi…
Post Comment
  1. 1

    Credential stuffing attacks also use bots; here is an article on how to prevent bot attacks or credential stuffing attacks - https://mojoauth.com/blog/what-is-credential-stuffing/

    User Avatar coffeehacker
    ·
    3 years ago
    ·
    Reply
Trending on Indie Hackers
I'm a lawyer who launched an AI contract tool on Product Hunt today — here's what building it as a non-technical founder actually felt like User Avatar 140 comments “This contract looked normal - but could cost millions” User Avatar 54 comments 👉 The most expensive contract mistakes don’t feel risky User Avatar 41 comments The indie maker's dilemma: 2 months in, 700 downloads, and I'm stuck User Avatar 39 comments I spent weeks building a food decision tool instead of something useful User Avatar 28 comments A simple way to keep AI automations from making bad decisions User Avatar 24 comments