Most web traffic is generated not by humans, but by software. Last year, just over half of all web traffic was machine generated — no humans in the loop. Software web users are called bots. Bots can be divided into the good and the bad. There are more bad bots than good by a wide margin.
Good bots are useful, and even essential, to the web. Google’s crawlers are bots, and the web would be unusable without search engines. Google’s bots move through the web following links and indexing of the content of web pages. For some site owners, over-zealous search crawling causes headaches, but few would want to turn Googlebot away.
Bad bots are useful to whoever created them, but they’re harmful to everyone else, including WordPress site owners. They waste resources, they attempt to exploit vulnerabilities, they fraudulently click on ads, and they skew analytics data. If you own a WordPress site, it will almost certainly have been visited by a bad bot in the last week.
What Do Bad Bots Want?
Typically, bad bots want to exploit a resource on your site. That might be the site itself: its network connection and storage. It might be your site’s visitors; bots compromise sites to infect them with malware or to steal user data. Some bots are interested in exploiting your site’s SEO by injecting links to domains under the control of the bot owner’s clients. Others want to scrape your content for price comparison sites or plagiarism. There are even bots that buy products from a WooCommerce store to horde and sell later at a higher price, so-called sneakerbots.
But you don’t have to put up with bots. You pay for your WordPress site’s hosting resources and bad bots abuse them. They impose a cost on every site owner, and, by extension, every web user. Let’s look at some of the ways bad bots can be sent packing.
Defeating Bad Bots
You can defeat many bots with basic security precautions. If you ensure that your site is up-to-date, then bots programmed with known exploits won’t be able to compromise it. If you implement two-factor authentication, then brute-force bots that try to guess your password are out of luck.
Beyond these security best practices, a web application firewall like ModSecurity can repel many types of bot attack. ModSecurity monitors incoming requests for patterns that match most common attacks, including SQL injection, cross-site scripting, and brute-force attacks. It drops malicious requests and may block the attacker. WordPress sites hosted on Nexcess have ModSecurity installed by default. We wrote in more depth about how ModSecurity protects WordPress here.
ModSecurity is an excellent WAF, but it’s not perfect. You may want to consider adding another layer of protection to deter bad bots. Blackhole for Bad Bots is a plugin that adds hidden links to your WordPress site’s pages. Ordinary visitors and good bots will ignore the hidden links. Only bad bots follow them, and, when they do, Blackhole for Bad Bots blocks them.
Bad bots are a security risk for any site on the web but with a few precautions its possible to keep them at bay, protecting your site, its data, and your users.