Bad bots are a waste of server resources and can skew Google Analytics data.
To block bad bots in WordPress, use Wordfence’s live traffic report to view spam bots hitting your site in real-time. Then block them using Cloudflare bot fight mode, the Blackhole For Bad Bots plugin, Wordfence Blocking, or Cloudflare Firewall Rules. Wordfence is not recommended since it slows down your site. Moving the WordPress login page and limiting login attempts also help.
Blocking bad bots in WordPress can speed up your site and prevent useless bots from constantly hitting your site. You would never know if spam bots were hitting your site unless you checked. In this tutorial, I will show you how to find bad bots using Wordfence, then block them either using Wordfence, Cloudflare Firewall Rules, or the Blackhole For Bad Bots plugin.
I don’t recommend Wordfence since it can be a slow plugin itself. Cloudflare Firewall Rules only let you block 5 bots (with the free plan) which can be a great start for most WordPress sites, and the Blackhole For Bad Bots plugin should block all spam bots not obeying the nofollow rule.
What Are Bad Bots And Why Should I Block Them?
Bad bots are any bots that hit your website at no benefit to you. These bots consume server resources, especially if they hit your website or wp-login page excessively. Blocking them can put less stress on your server, potentially save you bandwidth and hosting costs, and speed up your site. It can also prevent bad bots from appearing in your Google Analytics data.
How To Block Bad Bots In WordPress
1. View Bad Bots Hitting Your Website
Wordfence shows you all bots hitting your website in real-time.
You don’t need to leave this plugin enabled permanently; you can use it strictly for its Live Traffic report to identify which bots are hitting your site and whether they should be blocked. Once we know the bad bots, we can block them without having to leave Wordfence installed.
Go to Wordfence → Tools → Live Traffic.
The live traffic report shows all bots hitting your website in real-time.
Observe your live traffic report for a few minutes to see if any suspicious bots are hitting your site repeatedly. Make a list of their hostnames (shown in Wordfence), then Google the hostnames to see if other people are reporting them as bad bots (you will need to do some research and make sure each one is actually a spam bot). Googlebot and other legitimate bots are OK and shouldn’t be blocked, but keep an eye out for suspicious ones and add them to your list.
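The same triage can be done offline from the web server's access log. The following is an added example, not part of the original tutorial or of Wordfence: it groups requests by IP address and user agent and flags clients that hit the site or wp-login.php repeatedly. The log format (Apache/Nginx "combined"), the thresholds and the sample traffic are assumptions, and the log gives IP addresses rather than the hostnames Wordfence displays.

```python
import re
from collections import Counter, defaultdict

# Combined log format: ip, identity, user, [time], "request", status, size, "referer", "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def make_line(ip, method, path, ua, sec):
    """Build one constructed log line in combined format."""
    return (f'{ip} - - [10/May/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample traffic (documentation IP ranges, made-up user agents).
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", "POST", "/wp-login.php", "ExampleScraper/1.0", s)
     for s in range(6)]
    + [make_line("198.51.100.20", "GET", f"/page-{s}/", "ExampleCrawler/2.0", s)
       for s in range(8)]
    + [make_line("192.0.2.44", "GET", "/", "Mozilla/5.0 (Windows NT 10.0)", 30),
       make_line("192.0.2.44", "GET", "/about/", "Mozilla/5.0 (Windows NT 10.0)", 31)]
)

def summarize(log_text):
    """Count total requests and wp-login.php hits per (IP, user agent)."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in combined format
        key = (m["ip"], m["ua"])
        stats[key]["total"] += 1
        if m["path"].split("?")[0].endswith("/wp-login.php"):
            stats[key]["login"] += 1
    return stats

def candidates(stats, min_total=5, min_login=3):
    """Return clients worth researching (assumed thresholds), busiest first."""
    flagged = [(key, c) for key, c in stats.items()
               if c["total"] >= min_total or c["login"] >= min_login]
    return sorted(flagged, key=lambda kc: kc[1]["total"], reverse=True)

if __name__ == "__main__":
    for (ip, ua), c in candidates(summarize(SAMPLE_LOG)):
        print(f"{ip:15} total={c['total']:3} wp-login={c['login']:3} {ua}")
```

A flagged client is only a candidate: research it as described above before blocking, since a legitimate crawler can also be a top talker.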
After creating a list of all your spam bot’s hostnames, you have a few options for blocking them. Keep in mind that bots are always evolving which means it’s ideal to use a solution/software that is constantly being updated. For example, some security plugins as well as Jeff Starr’s 7G Firewall are constantly coming out with updates to protect your website from evolving bots.
I recommend the Blackhole For Bad Bots plugin since it’s automatic and will block any new bad bots in the future (which may not currently be on your list). Or if you only have a few primary spam bots hitting your site (up to 5 hostnames), you can also use Cloudflare’s Firewall Rules. Wordfence is great at blocking bad bots, but the plugin itself can cause a slow WordPress site.
2. Block Bad Bots With Wordfence
Wordfence has a variety of blocking options for blocking bad bots, but the plugin itself can make your WordPress site a little slower and you risk blocking legitimate humans/crawlers if the plugin isn’t configured correctly. Only use Wordfence if you’re comfortable configuring it.
Block Bad Bots By Hostname
- Go to the Blocking Settings and create a blocking rule
- Add the hostname of a bad bot you would like to block
- Use an asterisk to block all variations of that bot
- Create blocking rules for all bad bot hostnames from your live traffic report
Block Bad Bots With Rate Limiting
- Go to Wordfence → Firewall → Rate Limiting
- Configure the settings to limit “requests” and “pages viewed” by crawlers
- Be careful not to block legitimate bots/humans who don’t follow your rate limiting rules
Configure Wordfence Brute Force Protection
- Go to Wordfence → Firewall → Brute Force Protection
- Enable limit login attempts and prevent “admin” usernames
- Configure these settings to further secure your WP admin area
See A Log Of Spam Bots Being Blocked – once you configure Wordfence to block bad bots, you can see a log of all bots being blocked from your site, their hostnames, and their block count.
3. Block Bad Bots With Cloudflare
The easiest way to block bad bots with Cloudflare is to enable bot fight mode which is under Firewall → Bots. Cloudflare also has a super bot fight mode on their Pro plan which is built into their firewall. You can also restrict bot protection to a particular path (like your WP login page).
Cloudflare Firewall Rules also let you block a maximum of 5 hostnames on the free plan.
Log in to your Cloudflare Dashboard and go to Firewall → Firewall Rules → Create A Firewall Rule. Copy a bad bot’s hostname (from Wordfence) and add it in the “Value” field. Since you can create 5 rules, you would repeat this step for your 5 worst bad bots from Wordfence.
- Field = Hostname
- Operator = Contains
- Value = the hostname of the bad bot you found in Wordfence
You can see bots being blocked by Cloudflare in the Firewall Events tab.
4. Install The Blackhole For Bad Bots Plugin
The Blackhole For Bad Bots plugin stops bad bots by adding a hidden trigger link to the footer of your website that tells bots not to follow it. If they do, they will be blocked immediately from your website. Any legitimate bots (eg. Googlebot) will follow your rule and will not be blocked.
Step 1: Install The Blackhole For Bad Bots Plugin.
Step 2: In the plugin settings, copy the Robots Rules.
Step 3: Add the Robots Rules to your robots.txt file.
Step 4: Once you have added the rules, go to your homepage and view the source code. Search for the word “blackhole” and you should see the link created by the plugin. It should look like this:
<a rel="nofollow" style="display:none;" href="https://onlinemediamasters.com/?blackhole=2de810ae57" title="Blackhole for Bad Bots">Do NOT follow this link or you will be banned from the site!</a>
Step 5: In the plugin’s “Bad Bots” settings, you can view all bots that have been blocked.
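The trap mechanism described in these steps can be modelled in a few lines. This is an added example, not the plugin's code: it shows why Step 3 matters, because without the robots.txt rule a crawler that obeys robots.txt is still allowed to follow the hidden link and gets banned too. The rule text, the example.com site and the trap value are assumptions; use the exact rules shown in the plugin settings.

```python
from urllib.robotparser import RobotFileParser

SITE = "https://example.com"                 # placeholder site
TRAP_URL = SITE + "/?blackhole=0000000000"   # constructed trap link value

# Assumed rule text; copy the real rules from the plugin settings (Step 2).
ROBOTS_WITH_RULE = ["User-agent: *", "Disallow: /?blackhole"]
ROBOTS_WITHOUT_RULE = ["User-agent: *", "Disallow:"]   # Step 3 skipped

class TrapSite:
    """Toy model of the trap: any client that requests the hidden link is banned."""

    def __init__(self, robots_lines):
        self.robots_lines = robots_lines
        self.banned = set()

    def request(self, client, url):
        if client in self.banned:
            return 403                       # already banned: everything is refused
        if "blackhole=" in url:
            self.banned.add(client)          # followed the trap link
            return 403
        return 200

def crawl(site, client, obeys_robots):
    """Visit the homepage, maybe follow the hidden link, then revisit the homepage.

    Returns the HTTP status of the final homepage request.
    """
    rules = RobotFileParser()
    rules.parse(site.robots_lines)
    site.request(client, SITE + "/")
    # A compliant crawler only follows links robots.txt permits it to fetch.
    if not obeys_robots or rules.can_fetch(client, TRAP_URL):
        site.request(client, TRAP_URL)
    return site.request(client, SITE + "/")

if __name__ == "__main__":
    print(crawl(TrapSite(ROBOTS_WITH_RULE), "PoliteCrawler", True))     # stays allowed
    print(crawl(TrapSite(ROBOTS_WITH_RULE), "RudeBot", False))          # banned
    print(crawl(TrapSite(ROBOTS_WITHOUT_RULE), "PoliteCrawler", True))  # banned by mistake
```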
4. Enable Bot Protection In Cloudways
This monitors suspicious traffic and bot crawling and blocks IP addresses and bots. Cloudways also offer a CAPTCHA login protection feature to protect your site from any unwanted logins.
5. Use Jeff Starr’s 7G Firewall
Jeff Starr’s 7G Firewall is a free, open source solution to block bad bots.
It works on any Apache-powered website, not just WordPress. It provides server-level protection against a range of bad bots and attacks by checking all URI requests against a set of carefully constructed Apache/.htaccess directives. It scans requests made to your site, compares them against patterns and regular expressions, and blocks those that trigger a match with a 403 response. The 7G Firewall aims for no false positives and comprises over a decade of experience.
To add it, download the file from their website, then add the code to your site’s root .htaccess file.
6. Move Your WordPress Login Page
Some bad bots will try accessing your wp-login page. Even if they fail to gain access, they will still attempt this numerous times which is a waste of server resources. Since most spam bots aren’t complex, moving your WP Login page should help prevent the bots from even hitting it.
- Hide Login Page
- iThemes Security
- Remove Dashboard Access
- Some security plugins also have this feature
7. Limit Login Attempts
Limiting login attempts will lock out users and bots with too many failed login attempts on your wp-login page. This is just another way to help block spam bots from excessively hitting your site.
- Limit Login Attempts Reloaded
- Some security plugins also have this feature
- Wordfence → Firewall → Brute Force Protection settings
Frequently Asked Questions
What are bad bots?
Bad bots are any bots that hit your website without any benefit, leading to a waste of server resources and possibly even skewed Google Analytics data.
How do I check if bad bots are hitting my site?
Wordfence's Live Traffic report shows you all bots hitting your website in real-time. Google their hostnames and research whether other people are reporting them as a bad bot.
How do I block bad bots in WordPress?
The easiest way to block bad bots in WordPress is with the Blackhole For Bad Bots plugin or Wordfence's Blocking and Rate Limiting settings.
Which WordPress plugins block bad bots?
Blackhole For Bad Bots and many security plugins such as Wordfence are plugins that block bad bots.
I hope this guide was helpful and that you’re able to block those pesky bots! If you have any questions whatsoever, leave me a comment below and I will get back to you as soon as I can.