Half of all internet traffic isn’t human activity — it’s bots. Spambots, search bots, Twitterbots, and DDoS bots are just a few common types of web robots. They’re everywhere in the online world, and not all of them are bad. But some of them are bad, and bad bots can be more than a nuisance. They can disrupt your WordPress site’s functionality, slow down your workflow, and drive away your users or customers.
When it’s time to stop bad bots from meddling with your WordPress site, some approaches work better than others. Fortunately, WordPress gives us several practical solutions for dealing with bots.
In this guide, we’ll discuss what bots are, why some are good, how you can block the bad ones, and how to keep them from harming your WordPress site. To block bots vulnerable WordPress sites attract, take a few minutes now to read this guide. By the end, you’ll have the answers you need to block bad bots in WordPress. Let’s take a look.
What Is a Bot?
As you probably already figured out, the term “bot” is short for “robot.” Sometimes, people refer to the bots we’re discussing here as “internet bots” or “web bots.” To put it simply, a bot is software that operates as an independent user agent for a person or a larger command-and-control program that directs the actions of many bots.
For good and bad reasons, people often use bots to simulate the activity of real humans browsing the web and carrying out repetitive tasks. Bots are quite a bit faster than people at performing mundane tasks, so people use bots to do many simple things quickly and at scale. Generally speaking, 40-50% of all internet traffic is actually bots interacting with web pages, communicating directly with people, scanning for specific content, or performing other basic tasks.
Oftentimes you don’t benefit from these bot-driven tasks. You don’t want them, and they’re unhelpful to you. They are a waste of server and energy resources. Worse, some are malicious, and those bots pose a constant threat.
How Exactly Do Bots Work?
In most instances, a bot operates over a network. When bots communicate with each another, they’ll use different services like IRC (Internet Relay Chat), or even direct messaging systems in social media platforms.
Following different algorithm sets that define the tasks their designers program them to do, bots can do anything from talking to people and scraping website content from around the internet. The most sophisticated bots attempt to mimic true human behavior, like Google Duplex.
People and organizations that use bots typically use bot management software that’s part of a web app security platform. Bot managers allow good bots to function properly while blocking bad bots that can cause harm.
When the bot manager sees a suspected or known bad bot, it redirects them away from the website it’s protecting. It works like a web application firewall.
Some of the more basic features of bot management software include CAPTCHAs (to detect humans versus bots) and IP rate limiting, which limits the number of requests that can come from one IP address.
As part of its features, iThemes Security detects and blocks bot traffic using CAPTCHAs and other methods.
Eight Common Types of Bots
There are many different kinds of bots, each with its own unique tasks and agendas.
Some of the most common bots include:
- Chatbots simulate human conversations and interact with you as another person might. One of the first chatbots predates the worldwide web — Eliza. Eliza is a program that acts like a Rogerian psychotherapist who answers questions with more questions.
- Rule-based chatbots interact with people by providing pre-defined prompts for them to choose from. Chatbots that are intellectually independent make use of machine learning to learn and understand human input and respond to known keywords.
- AI (artificial intelligence) chatbots combine the characteristics of intellectually independent bots and rule-based bots. These sophisticated AI bots use natural language processing, pattern matching, and natural language generation tools to replicate human interaction in very realistic ways.
- Shopbots scan the internet on a user’s behalf. A Shopbot’s job is to locate the lowest cost for any product, item, or service that a user is looking for. Bots such as OpenSesame observe user website navigation patterns and customize the site for each user.
- Social bots operate on Facebook, Twitter, and other social media platforms.
- Knowbots collect specific information on subjects defined by the person controlling them.
- Crawlers and spiders AKA web crawlers or web spiders are the most common bots you may run into. Search engines use them to map and index the structure and content of websites.
- Web scraping crawlers harvest data and extract other content someone has programmed them to find.
- Transactional bots complete transactions on behalf of a human controlling them.
- Monitoring bots watch the overall health of a network or website.
Bots in each of these categories serve legitimate purposes, like testing, monitoring, and protecting systems. Of course, each category can also include malicious bots.
A customer service bot can be available 24 hours a day, seven days a week. For answering common questions and giving basic assistance, this is a good way to us a bot. It helps free up customer service staff so they can focus on more complex issues that require human interaction.
You’ve probably had some conversations with customer service bots, also known as virtual agents or virtual representatives. Over two decades ago, “Andrette” and “Shallow Red” were pioneers among customer service bots. They were in the first generation of bots that could answer detailed questions about a product or service.
Today, many services you’re probably familiar with use bots:
- Instant messaging apps like WhatsApp, Slack, and Facebook Messenger.
- News apps such as The New York Times.
- Rideshare apps like Lyft.
- Scheduling assistants that use AI, like Clara and Trevor.
These examples don’t even begin to scratch the surface of the many applications bots have in technology and business. Unfortunately, there are just as many illegitimate roles bots play in cybercrime.
While there are bots that serve very positive purposes for people and businesses, there are also malicious bots that support hacking and cybercrime. These malicious bots are very different from helpful Chatbots. For one thing, Chatbots don’t freely roam around the web looking for trouble. Bad bots do.
Some of the most common malicious or “bad” bots include:
Some additional types of malicious bots include email harvesters, malicious web crawlers, brute-force password crackers, and credential- or password-stuffing bots.
The Advantages and Disadvantages Of Bots
As with other areas of technology, using bots can offer some positive advantages for people with legitimate business goals:
- They perform repetitive tasks faster than people can — and without using people!
- Bots save human time for direct, person-to-person client and customer interactions.
- They’re available at all times of the day and night.
- You can reach a lot of people very quickly with bots.
- Customer service UX (user experience) drastically improves with bots.
- Businesses can use robotic process automation (RPA) to streamline workflows.
On the other hand,
- Rule-based bots are limited to the tasks and capabilities of their programming. They pale in comparison to the fluency and intelligence of AI-powered chatbots.
- Even AI Chatbots often “misunderstand” user intent and frustrate people.
- Criminals constantly use bots for spam and fraud.
- Bots can be malicious if they’re programmed to do harm.
- It is hard to get people to “trust” bots, so they have limited use where a relational rather than a merely transactional experience is called for.
How Do I Block Bad Bots In WordPress?
It’s important to learn how to stop bad bot traffic WordPress can’t stop on its own. Bad bots pose real threats, and they do substantial harm every day. Your WordPress site is one of their targets, and you should block them.
Learning how to stop bot traffic in WordPress begins with understanding that a bad bot is simply one that hits your WordPress site with no benefit to you as the site owner.
Bad bots consume a lot of server resources. This is especially true if they continually hit your
wp-login page or other areas of your site, looking for a way to break in.
By blocking them, you won’t need to deal with as much server stress. You’ll be able to save on hosting costs and bandwidth. This will speed up your site and prevent DDoS attacks.
Here’s how to get started keeping bad bots away:
1. Get the Free iThemes Security plugin
The first thing to do is get the free iThemes Security plugin. iThemes Security is a WordPress security plugin that adds extra security to your WordPress site.
By using the iThemes Security plugin, you get a real-time WordPress security log that collects security events on your website, including bot activity.
Using a plugin like iThemes Security to generate WordPress security logs is useful on many levels. Security logs have several benefits in your overall website security strategy.
Logs equip you to:
- Identity and stop malicious behavior.
- Spot activity that can alert you of a security breach.
- Assess how much damage was done in the case of a breach.
- Aid you in the repair of a hacked site.
If your site gets hacked, you will want the best information to support a quick investigation and recovery. That information is your server access log.
2. Get iThemes Security Pro and Choose a CAPTCHA for User Registration, Reset Password, Login, and Comments
By far, the best bot-busting feature in the iThemes Security Pro plugin are its CAPTCHA options.
Choose from Many Different CAPTCHA Providers
Cloudflare’s noCAPTCHA Turnstile, Intuition Machines’ hCaptcha, and Google’ reCAPTCHA are all options you have in iThemes Security Pro to keep bad bots locked out of your website. Each of these CAPTCHAs will identify your legitimate visitors and allow them to log in, make purchases, view pages, or create accounts. All these CAPTCHA services use advanced risk analysis techniques to tell humans and bots apart, sometimes without even challenging humans to prove they’re not a bot. (Turnstile generally operates quite invisibly.)
To get started using the CAPTCHA service of your choice, enable the CAPTCHA feature on the Features › Lockouts page under Security › Settings.
Your CAPTCHA Keys
The next step is to select which type of CAPTCHA you want to use and generate your keys for it — you’ll need to set up a free account with your chosen CAPTCHA provider to get your keys.
Note: Cloudflare’s Turnstile is currently the least intrusive and most sophisticated CAPTCHA solution. If you use Google reCAPTCHA we recommend using their Invisible reCAPTCHA option.
The Convenience of noCAPTCHA
What’s great about Cloudflare’s Turnstile and Google’s Invisible reCAPTCHA is that they can usually detect bot traffic on your website without any user interaction. Instead of showing a visible CAPTCHA challenge, they monitor browser agent behavior to determine if it’s a human or a bot completely behind the scenes.
Now enable your chosen CAPTCHA on your WordPress user registration, password reset, login, and comment screens.
Finally, set the number of failed CAPTCHAs needed to trigger a lockout with the Lockout Error Threshold when a manual CAPTCHA test is used. Bots probing your login screen and other forms are most likely to fail the tests repeatedly, so locking them out automatically is a good way to strengthen your blocklist.
After activation, the CAPTCHA platform badge displays on the bottom right-hand corner of every page it’s active on, letting you know you’re protected from bad bots.
3. Automatically Identify and Block Bad Bots with iThemes Security’s Local Brute Force Protection
Both the Free and Pro editions of iThemes Security can automatically ban bad bots and users that repeatedly fail login attempts or use the “Admin” username. This is the typical behavior of bots that are making brute-force login attempts. To get started using the Local Brute Force Protection feature, enable it on the iThemes Security Pro settings page’s main page. You can modify the settings that determine how these bots are handled on the Configure › Lockouts › Local Brute Force screen.
By lowering the number of login attempts you allow your site users, you’ll immediately lock out the users and bots that have repeatedly entered invalid login criteria on the
The iThemes Security Pro Local Brute Force Protection feature keeps track of invalid login attempts made by a host or IP address and a username. Once an IP or username has made too many consecutive invalid login attempts, they will get locked out and will be prevented from making any more attempts for a set period of time.
4. Automatically Identify and Block Bad Bots with iThemes Security’s Network Brute Force Protection
A very effective way to protect your site from bad bots is to may opt into iThemes’ network of users who are sharing their blocklists. Bad bots your site blocks will be shared and blocked by others in the network, and you’ll benefit from receiving their blocklists too. You just have to opt-in, and no further action is necessary on your part.
5. Identify and Block Lists of Bad Bots Manually
Your iThemes Security dashboard gives you a heads-up display of important up-to-the-moment information, including the number of brute force attacks attempted and the number of bots and users that have been blocked. This is a visual display of the information collected in the log kept by iThemes Security.
Get Familiar with Your Security Logs
Take a few minutes to observe your security log under Security › Logs. You’ll probably see a lot of lockouts (bad login attempts) and detected brute-force login attempts.
iThemes Security looks for suspicious or malicious requests that stand out. Bots that repetitively hit your site don’t look like normal human-operated browser requests. They tend to be repetitive. If one IP is making more than the average number of requests, or requests are being repeated from the same IP regularly (like every hour on the dot), that is most likely a bot. You can google their hostnames and look up their IPs to learn more about them and confirm whether they’re benign or harmful.
Increase the Lockout Time and Ban Repeat Offenders
Many of the locked and banned host IPs will appear repeatedly. You may want to ban them for longer periods of time in your lockout and ban threshold settings.
Permanently Ban Large Lists of Bad IPs
You can also permanently ban many IPs with the Banned Users widget on your iThemes Security dashboard. Just be careful — a very large list can slow down your server.
Permanently Ban Large Lists of Bad User Agents
Blocking bad user agents is an effective way to blacklist known bots. This is also a part of iThemes Security’s user-banning features.
You can save yourself a lot of time by basing your bad bot list on a routinely updated common source. Jim Walker’s ban list is already integrated into iThemes Security. You can add others, like Jeff Starr’s 4G bad bot blacklist, which currently has 1200 entries in it for bad user agents.
New with iThemes Security: Blocking Bots with Zero Friction and Better Privacy — Watch the Webinar Replay:
Blocking Bad Bots In WordPress Will Make Your Life Easier
If you’ve been a WordPress site owner for any period of time, you’ve almost certainly dealt with bad bots attacking your site. In this eBook, you’ll find some simple advice to set yourself up for a more secure future. Learn how to block bad bots and other security techniques to make your website a harder target.
Get the bonus content: A Guide to WordPress Security
Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.