If you run a WordPress website, bots are visiting it right now. Some of them are helpful — Google’s crawler indexing your pages so they appear in search results. But a significant portion are bad bots: scrapers stealing your content, spam bots filling your contact forms with rubbish, and brute-force attackers trying to guess your login password thousands of times an hour.
The problem is real. Industry data consistently shows that bad bots account for roughly a third of all web traffic. For small business websites on shared hosting, that’s wasted server resources, slower page speeds, and sometimes a genuine security risk.
I’m Spencer Thomas, a freelance WordPress developer based in Brighton. I’ve built and maintained more than 55 WordPress websites, and dealing with bot traffic is something I handle for clients regularly. This guide covers everything you need to know about how to block bots from your WordPress site — from the quick wins to the more technical approaches. No jargon, no fluff, just practical steps you can actually follow.
What Are Bad Bots and Why Should You Care?
A bot is simply an automated programme that visits websites. Some are essential to how the internet works. Others exist solely to exploit your site. Here are the main types of bad bots you need to worry about:
- Content scrapers. These copy your text, images, and product data. Your carefully written service pages end up duplicated on spam sites, which can actually harm your SEO rankings if Google struggles to determine which version is the original.
- Spam bots. The ones that flood your contact forms, comment sections, and registration pages with junk. If you’ve ever received a form submission about cheap pharmaceuticals or cryptocurrency, a spam bot sent it.
- Credential stuffers. These bots try stolen username and password combinations against your WordPress login page. If you or your users reuse passwords (and most people do), this is a serious risk.
- DDoS bots. Distributed Denial of Service bots hammer your server with requests until it buckles under the load. Even small-scale bot attacks can slow your site to a crawl during peak business hours.
- SEO spam bots. These create fake referral traffic in your analytics, inject spammy links into your site if they find a vulnerability, or attempt to manipulate your search rankings through negative SEO tactics.
The bottom line: bad bots waste your hosting resources, compromise your security, skew your analytics data, and can directly damage your search rankings. If you’re paying for hosting and investing in SEO, you owe it to yourself to block bots that are working against you.
How to Tell If Bots Are Hitting Your Site
Before you start blocking anything, it’s worth checking whether you actually have a bot problem. In my experience, most WordPress sites do — they just don’t realise it. Here are the telltale signs:
- Unusually high server load. If your hosting provider’s resource usage dashboard shows spikes that don’t correlate with your actual visitor numbers, bots are likely the cause. This is one reason managed WordPress hosting matters — a good host will flag this for you.
- Traffic spikes with zero conversions. Your analytics show a surge in visitors but nobody fills in a form, makes a purchase, or even stays on the page for more than a second. That’s bot traffic.
- Strange referral URLs. Check your Google Analytics referral traffic. If you see domains you’ve never heard of sending you hundreds of visits, that’s almost certainly referral spam from bots.
- Sudden spikes in 404 errors. Bots often probe for common file paths and vulnerable endpoints. A sudden increase in “page not found” errors in your server logs is a classic indicator.
- Slow page speeds without explanation. If your site was loading quickly last week and now it’s sluggish, and you haven’t changed anything, bot traffic consuming your server resources is a likely culprit.
- Spam form submissions. This one’s obvious. If your inbox is full of gibberish contact form submissions, bots have found your forms.
If any of that sounds familiar, keep reading. The solutions range from five-minute fixes to more involved configurations, and I’ll walk you through all of them.
Good Bots vs Bad Bots: Know the Difference Before You Block
This is critical. One of the most common mistakes I see is business owners who try to block bots and accidentally block the ones they need. Before you start adding block rules, you need to understand which bots are helpful and which are harmful.
Good Bots You Should Never Block
- Googlebot. Google’s web crawler. If you block this, your site disappears from Google search results. I’ve seen this happen to clients who hired inexperienced developers — it’s devastating and can take weeks to recover from.
- Bingbot. Microsoft’s equivalent. Bing has a meaningful share of UK search traffic, especially on desktop and through voice search via Cortana.
- Facebot / Meta crawler. Fetches preview data when someone shares your link on Facebook or Instagram. Block it and your social shares will look broken — no image, no description.
- Twitterbot. Same idea as Facebot but for X (formerly Twitter). Generates those nice preview cards when someone shares your link.
- Pinterest crawler. If you get any traffic from Pinterest, blocking this will stop your content being pinnable.
Optional Bots (Block If You Want To)
- AhrefsBot. Used by the Ahrefs SEO tool. It crawls your site to build their backlink database. Blocking it won’t hurt your Google rankings but some SEO professionals use Ahrefs data about your site, so it’s your call.
- SemrushBot. Same as above but for SEMrush. These SEO tool crawlers are legitimate but they do use your server resources. If you’re on limited hosting, blocking them can free up some overhead.
- BLEXBot. Crawls sites for the WebMeUp backlink tool. Harmless but unnecessary if you’re not using that platform.
Bad Bots You Should Almost Always Block
- MJ12Bot. The Majestic SEO crawler. It’s extremely aggressive — I’ve seen it send hundreds of requests per minute to small business sites. It provides no benefit to your website whatsoever and is one of the first bots I block on every site I manage.
- DotBot. Used by Moz’s link research tools. Aggressive crawling behaviour that hammers smaller servers.
- BaiduSpider. Baidu’s search crawler. Unless you’re targeting the Chinese market, there’s no reason to let it consume your resources.
- YandexBot. Russia’s search engine crawler. Same logic as BaiduSpider for UK businesses.
- Sogou Spider. Another Chinese search crawler. Block it unless you have a specific reason not to.
A sensible approach is to keep the door open for search engine crawlers and social media bots, and block everything else that’s using resources without providing value. Now let’s look at exactly how to do that.
How to Block Bad Bots in WordPress
There are several methods to block bots from your WordPress site. I’ll cover each one, from the easiest to the most technical, so you can choose the approach that matches your confidence level.
Method 1: Using Wordfence (Free)
Wordfence is the most popular WordPress security plugin, and its free version includes solid bot-blocking features. It’s the first thing I install on virtually every WordPress site I build.
Here’s how to block bots with Wordfence:
- Install and activate Wordfence from the WordPress plugin repository. The free version is more than adequate for most small business sites.
- Go to Wordfence > Firewall > Blocking. Here you can create custom block rules based on IP address, user-agent string, referrer URL, and more.
- To block a bot by user-agent, click “Create Blocking Rule”, select “Block Type: Custom Pattern”, and enter the bot’s user-agent string in the appropriate field. For example, enter MJ12bot to block the Majestic crawler.
- Enable Rate Limiting. Under Wordfence > Firewall > Rate Limiting, you can throttle or block visitors that exceed a certain number of page requests per minute. I typically set this to block anyone requesting more than 60 pages per minute — no legitimate human visitor would do that.
- Enable Brute Force Protection. Under the Login Security section, configure it to lock out IP addresses after a set number of failed login attempts. I use 5 attempts within 5 minutes as my standard setting.
Wordfence also gives you a live traffic view showing exactly which bots are hitting your site in real time, which is invaluable for identifying the worst offenders.
Method 2: Using Sucuri
Sucuri is a website security platform that works as a cloud-based firewall — meaning bot traffic is filtered before it even reaches your server. This is a significant advantage over plugin-based solutions like Wordfence, which process blocking rules using your own server resources.
- The free Sucuri Security plugin offers file integrity monitoring and security hardening, but the real bot-blocking power comes from their paid firewall service.
- Sucuri’s firewall sits between your visitors and your server, blocking known bad bots, DDoS attacks, and brute-force attempts before they consume any of your hosting resources.
- Their dashboard lets you whitelist specific bots (like Googlebot) and block everything else with granular rules for user-agents, IP addresses, and geographic locations.
Sucuri’s paid plans start at around $10 per month, which is reasonable if you’re dealing with persistent bot problems. For most small business sites though, Wordfence combined with Cloudflare (covered next) provides excellent protection at no cost.
Method 3: Using Cloudflare (Free Tier)
Cloudflare is my go-to recommendation for blocking bots, and their free tier is genuinely generous. It’s a content delivery network (CDN) that also acts as a security layer, and it’s remarkably effective at filtering bad bot traffic.
- Sign up for a free Cloudflare account and add your domain. You’ll need to update your domain’s nameservers to point to Cloudflare — your hosting provider or domain registrar can help with this.
- Enable Bot Fight Mode. This is Cloudflare’s automated bot detection system and it’s available on the free plan. Go to Security > Bots and toggle it on. It uses machine learning to identify and challenge bot traffic. I’ll cover this in more detail later in this guide.
- Set up Firewall Rules. Cloudflare’s free plan includes five custom firewall rules. You can use these to block specific user-agents, IP addresses, or even entire countries if you don’t serve international customers.
- Enable “Under Attack Mode” when needed. If you’re experiencing a bot attack, Cloudflare’s “Under Attack Mode” adds a JavaScript challenge that all visitors must pass before accessing your site. It’s disruptive for real users so don’t leave it on permanently, but it’s extremely effective during an active attack.
The beauty of Cloudflare is that it filters traffic before it reaches your server. Your hosting resources are preserved for legitimate visitors, and bad bots never even get through the door. It’s one of the reasons I set up Cloudflare on every site I manage through my WordPress support service.
Method 4: Using .htaccess Rules
If your WordPress site runs on Apache (which most shared hosting does), you can block bots directly in your .htaccess file. This is server-level blocking, which means it’s fast and efficient — the bot is rejected before WordPress even loads.
Here’s a practical .htaccess snippet to block common bad bots:

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (MJ12bot|DotBot|BaiduSpider|YandexBot|SogouSpider|AhrefsBot) [NC]
RewriteRule .* - [F,L]
</IfModule>
```

What this does: it checks every visitor’s user-agent string, and if it matches any of the bots listed, it returns a 403 Forbidden response. The [NC] flag makes the match case-insensitive, and the [F,L] flags mean “Forbidden” and “Last rule” respectively.
A word of caution: editing .htaccess incorrectly can take your entire site offline. Always make a backup of the file before you edit it. If you’re not comfortable working with server configuration files, use one of the plugin-based methods above instead, or ask your developer to handle it.
To add more bots to the block list, simply add their user-agent name inside the brackets, separated by a pipe (|) character. You can find comprehensive lists of bad bot user-agents online.
Method 5: Using robots.txt (and Its Limitations)
Your robots.txt file tells bots which parts of your site they should and shouldn’t crawl. You’ll find it at yourdomain.co.uk/robots.txt. Here’s what a basic bot-blocking entry looks like:

```robots
User-agent: MJ12bot
Disallow: /

User-agent: DotBot
Disallow: /

User-agent: BaiduSpider
Disallow: /
```

This tells the named bots that they’re not allowed to crawl any page on your site.
Here’s the critical limitation: robots.txt is a suggestion, not an enforcement mechanism. Well-behaved bots like Googlebot will respect it. Malicious bots will ignore it completely. It’s like putting a “Please Keep Off the Grass” sign on your lawn — polite visitors will comply, but it won’t stop someone who’s determined to walk across it.
Use robots.txt alongside other methods, never as your sole line of defence. It’s useful for discouraging legitimate crawlers that you don’t want indexing your site (like SEO tool bots), but it’s worthless against genuinely malicious traffic.
How to Block Bots by User-Agent
Every bot identifies itself with a user-agent string — a label that tells your server what it is. Blocking by user-agent is one of the most common and effective ways to block bots from your WordPress site.
You can implement user-agent blocking through any of the methods I’ve already covered:
- Wordfence: Firewall > Blocking > Custom Pattern > User-Agent Pattern.
- Cloudflare: Security > WAF > Custom Rules > Field: User-Agent.
- .htaccess: Using the RewriteCond method shown above.
- robots.txt: Using User-agent directives (remembering its limitations).
The user-agents I recommend blocking for most UK small business WordPress sites:
- MJ12bot — Majestic SEO. Aggressive, no benefit to your site.
- DotBot — Moz crawler. Heavy resource usage.
- BLEXBot — WebMeUp. Unnecessary.
- BaiduSpider — Chinese search engine. Not relevant for UK businesses.
- YandexBot — Russian search engine. Same reasoning.
- SogouSpider — Chinese search engine.
- PetalBot — Huawei’s search crawler. Aggressive and unnecessary for UK sites.
- Bytespider — TikTok/ByteDance’s crawler. Extremely aggressive, known for hammering sites with thousands of requests.
One important note: sophisticated bad bots often fake their user-agent string, pretending to be Googlebot or a regular web browser. User-agent blocking catches the honest-but-unwanted bots, but it won’t stop the truly malicious ones. That’s why a layered approach using multiple methods is essential.
How to Block Bots by IP Address
If you’ve identified a specific IP address that’s hammering your site, blocking it directly is the most effective response. There’s no ambiguity — traffic from that IP simply can’t reach your site.
Here’s how to do it:
- In Wordfence: Go to Firewall > Blocking, enter the IP address, and click “Block This IP”. You can also block entire IP ranges using CIDR notation (e.g., 192.168.1.0/24 blocks all addresses from 192.168.1.0 to 192.168.1.255).
- In Cloudflare: Go to Security > WAF > Tools > IP Access Rules. Enter the IP and select “Block”. You can also block entire countries here, which is useful if you only serve UK customers and you’re getting hammered by traffic from a specific region.
- In .htaccess:

```apache
# Replace the example addresses below (RFC 5737 documentation ranges) with the offenders from your logs
Order allow,deny
Deny from 203.0.113.5
Deny from 198.51.100.0/24
Allow from all
```

Note that each octet of an IPv4 address runs from 0 to 255, so an entry such as 123.456.789.0 is not a valid address and Apache will refuse to start with it in the file. The Order/Deny/Allow directives are the Apache 2.2 syntax; Apache 2.4 still accepts them through mod_access_compat, but the native 2.4 form is a <RequireAll> block containing Require all granted followed by a Require not ip line for each blocked address or range.

The challenge with IP blocking is that sophisticated bots use rotating IP addresses — they might send requests from hundreds or thousands of different IPs. Blocking individual IPs works well for persistent offenders, but it’s a game of whack-a-mole against large botnets. That’s where rate limiting comes in.
Rate Limiting: What It Is and How to Set It Up
Rate limiting restricts how many requests a single visitor (or bot) can make to your site within a given time period. It’s one of the most effective ways to block bots without having to identify each one individually.
The logic is simple: a human visitor browsing your website might load 10 to 20 pages in a session. A bot scraping your entire site might request 500 pages in a minute. By capping the request rate, you let normal visitors through while throttling or blocking aggressive bots.
Here’s how to set up rate limiting:
- In Wordfence (free): Go to Firewall > Rate Limiting. Set the throttle for crawlers to “If a crawler’s page views exceed 60 per minute, block it.” For humans, set “If a human’s page views exceed 30 per minute, throttle it.” These are sensible defaults that catch most bots without affecting real visitors.
- In Cloudflare (free tier): Cloudflare’s free plan includes basic rate limiting through their Security settings. The paid plans offer more granular rules, but the free Bot Fight Mode (covered below) handles a lot of this automatically.
- Server-level rate limiting: If your server runs Nginx, you can use the limit_req module. On Apache, mod_evasive provides similar functionality. These are more technical to configure but very efficient because they operate at the server level before WordPress even processes the request.
Rate limiting is particularly effective against DDoS-style attacks and aggressive scrapers. Combined with user-agent and IP blocking, it forms a solid defence layer. If you’re on managed WordPress hosting, your host may already have server-level rate limiting in place — it’s worth checking.
Cloudflare Bot Fight Mode: Free and Effective
I want to give Cloudflare Bot Fight Mode its own section because it’s genuinely one of the best free tools available for blocking bad bots in 2026.
Bot Fight Mode uses Cloudflare’s machine learning models — trained on traffic patterns from millions of websites — to automatically identify and challenge bot traffic. It runs in the background and requires almost no configuration.
To enable it:
- Log into your Cloudflare dashboard.
- Go to Security > Bots.
- Toggle on “Bot Fight Mode”.
That’s it. Cloudflare will now automatically present challenges to traffic it identifies as coming from bots. Legitimate visitors and good bots (like Googlebot) pass through without seeing anything. Bad bots get stopped.
For businesses on Cloudflare’s paid plans, there’s an upgraded version called “Super Bot Fight Mode” that offers more granularity. You can configure it to allow, challenge, or block different categories of bots — verified bots, general automated traffic, and definitely-automated traffic. But honestly, for most small business WordPress sites, the free Bot Fight Mode is more than sufficient.
One thing to watch for: Bot Fight Mode can occasionally challenge legitimate tools like uptime monitors or payment notification webhooks. If you notice issues with any third-party services after enabling it, you may need to create a firewall rule to whitelist those specific services.
How to Check Your Server Logs for Bot Traffic
Server logs are the most reliable way to see exactly what’s hitting your website. Unlike analytics tools (which rely on JavaScript that bots often don’t execute), server logs record every single request to your server.
Here’s how to access and review them:
- cPanel hosting: Log into cPanel, go to Metrics > Raw Access or Errors, and download your access logs. These are plain text files showing every request made to your server, including the IP address, user-agent, requested URL, and response code.
- Managed WordPress hosting: Hosts like Kinsta, WP Engine, and Cloudways provide log access through their dashboards, often with more user-friendly formatting.
- SFTP: Access log files are typically stored in /var/log/apache2/ (Apache) or /var/log/nginx/ (Nginx).
What to look for in your logs:
- High-frequency requests from a single IP. If one IP address is making hundreds of requests in a short period, it’s almost certainly a bot.
- Suspicious user-agent strings. Look for the bad bot names I listed earlier, or for empty user-agent fields — legitimate browsers always send a user-agent.
- Repeated requests to wp-login.php. This is a brute-force attack in progress. If you see dozens of POST requests to your login page from the same IP, block it immediately.
- Requests to non-existent or sensitive files. Bots probing for vulnerabilities often request files like wp-config.php.bak, xmlrpc.php, or common exploit paths. A spike in 404 responses in your logs typically means bots are probing your site.
If you’re not comfortable reading raw server logs (and they can be daunting), plugins like Wordfence provide a much friendlier “Live Traffic” view that shows the same information in a readable format within your WordPress dashboard.
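As an added example (not code from the original article), here is a small Python script that reads combined-format access log lines and flags the indicators listed above, using the article’s own thresholds (60 requests per minute for crawlers, 5 login attempts) and its recommended user-agent block list. The log lines are constructed sample data and every IP address is from a documentation range.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the "combined" log format that Apache and Nginx write by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# The user-agents recommended for blocking earlier in the article.
BAD_UA = ("MJ12bot", "DotBot", "BLEXBot", "BaiduSpider", "YandexBot",
          "SogouSpider", "PetalBot", "Bytespider")
RATE_LIMIT_PER_MIN = 60   # the article's crawler block threshold
LOGIN_POST_THRESHOLD = 5  # the article's failed-login lockout setting

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyse(lines):
    """Walk the log once and collect the indicators the article describes."""
    per_ip_minute = Counter()   # (ip, clock minute) -> request count
    login_posts = Counter()     # ip -> POSTs to wp-login.php
    not_found = Counter()       # ip -> 404 responses
    ua_hits = defaultdict(set)  # bad bot name -> IPs that used it
    empty_ua = set()            # IPs that sent no user-agent at all
    total = 0
    for rec in filter(None, map(parse_line, lines)):
        total += 1
        per_ip_minute[(rec["ip"], rec["time"].strftime("%Y-%m-%d %H:%M"))] += 1
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        ua = rec["ua"].strip()
        if ua in ("", "-"):
            empty_ua.add(rec["ip"])
        for name in BAD_UA:
            if name.lower() in ua.lower():
                ua_hits[name].add(rec["ip"])
    return {
        "total": total,
        # Counting per clock minute is a simple stand-in for a sliding window.
        "rate_offenders": {ip for (ip, _), n in per_ip_minute.items()
                           if n > RATE_LIMIT_PER_MIN},
        "brute_force": {ip for ip, n in login_posts.items()
                        if n >= LOGIN_POST_THRESHOLD},
        "bad_user_agents": {k: sorted(v) for k, v in ua_hits.items()},
        "empty_user_agent": empty_ua,
        "not_found_by_ip": dict(not_found),
    }

def make_line(ip, second, method, path, status, ua):
    # Constructed combined-format line, timestamped 10/Mar/2026 09:15:<second>.
    ts = f"10/Mar/2026:09:15:{second:02d} +0000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'

CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/122.0 Safari/537.36")
MJ12 = "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
SCRIPT = "python-requests/2.31"

# Constructed sample log; every address is from an RFC 5737 documentation range.
SAMPLE_LOG = (
    # a crawler fetching 70 pages inside one minute
    [make_line("203.0.113.10", i % 60, "GET", f"/page-{i}/", 200, MJ12) for i in range(70)]
    # six login POSTs, then three probes for backup files, from one address
    + [make_line("198.51.100.7", i, "POST", "/wp-login.php", 200, SCRIPT) for i in range(6)]
    + [make_line("198.51.100.7", 10 + i, "GET", p, 404, SCRIPT)
       for i, p in enumerate(["/wp-config.php.bak", "/wp-config.old", "/backup.zip"])]
    # one request with no user-agent, and a normal visitor reading three pages
    + [make_line("192.0.2.44", 20, "GET", "/", 200, "-")]
    + [make_line("192.0.2.5", 30 + i, "GET", p, 200, CHROME)
       for i, p in enumerate(["/", "/services/", "/contact/"])]
)
```

Calling analyse(SAMPLE_LOG) flags 203.0.113.10 for both its request rate and its MJ12bot user-agent, 198.51.100.7 for the login POSTs and the 404 probes, and 192.0.2.44 for the missing user-agent, while the Chrome visitor is left alone; to review a real log, pass the open file object (analyse(open("access.log"))) in place of the sample list.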
Common Mistakes When Trying to Block Bots
I’ve cleaned up after enough botched bot-blocking attempts to know which mistakes come up most often. Avoid these and you’ll save yourself a lot of trouble.
- Accidentally blocking Googlebot. This is the big one. If you add an overly broad block rule — or worse, add User-agent: * followed by Disallow: / to your robots.txt — you’ll disappear from Google entirely. I’ve had clients come to me in a panic after a developer did exactly this. Always test your blocking rules and verify Googlebot can still crawl your site using Google Search Console’s URL Inspection tool.
- Blocking all bots indiscriminately. Not all bots are bad. Blocking everything means no search engine indexing, no social media previews, no uptime monitoring, and potentially broken payment processing. Use a targeted approach, not a blanket ban.
- Relying only on robots.txt. I’ve already covered this, but it bears repeating. robots.txt is a polite request, not a security measure. If your bot-blocking strategy is limited to robots.txt, you have no bot-blocking strategy.
- Not monitoring after making changes. Block rules can have unintended consequences. After implementing any bot-blocking measures, monitor your site for a week. Check Google Search Console for crawl errors. Check your analytics for traffic drops. Check that contact forms and payment systems still work.
- Setting rate limits too aggressively. If you set your rate limit to 5 requests per minute, you’ll catch bots but you might also lock out legitimate visitors who are browsing your site normally — especially if they have multiple tabs open or are on a page with lots of images that each count as a separate request.
- Forgetting about caching. If you use a caching plugin, some bot requests might be served from cache without hitting your server directly. This means your server-level blocking rules might not trigger for cached pages. Make sure your blocking happens before caching — Cloudflare handles this naturally since it sits in front of everything.
- Not keeping rules updated. New bad bots appear constantly. A block list from 2024 won’t cover the aggressive crawlers that emerged in 2025 and 2026. Review and update your blocking rules quarterly.
The Bigger Picture: Why Bot Protection Matters for Your Business
This isn’t just a technical exercise. Bad bot traffic has a real impact on your business in ways you might not immediately realise:
- Your site speed drops. Every bot request uses server resources that could be serving your actual customers. On shared hosting, this can mean noticeably slower page loads during peak bot activity — and Google uses site speed as a ranking factor.
- Your analytics become unreliable. If 30% of your “traffic” is bots, your data is telling you lies. Bounce rates, session durations, and conversion rates all become meaningless when bot traffic is mixed in with real visitors.
- Your SEO performance suffers. Content scrapers duplicate your pages, creating confusion for search engines. Spam bots can inject malicious links. Aggressive crawlers eat through your crawl budget, meaning Google spends its limited time crawling bot-requested junk instead of your important pages.
- Your hosting costs increase. If bots are consuming bandwidth and server resources, you might be forced onto a more expensive hosting plan to keep your site running smoothly. Blocking them first is almost always cheaper.
- Your security is at risk. Brute-force bots trying to crack your WordPress login, vulnerability scanners probing for exploits, and spam bots injecting content into your site are all genuine security threats.
This is exactly why I include bot protection as part of my WordPress support and managed hosting service. It’s not glamorous work, but it keeps sites fast, secure, and running smoothly.
Frequently Asked Questions
Will blocking bots affect my Google rankings?
Blocking bad bots will not hurt your rankings — in fact, it can help by reducing server load and protecting your crawl budget. The critical thing is to never block Googlebot, Bingbot, or other legitimate search engine crawlers. Always test your blocking rules and check Google Search Console afterwards to confirm Google can still crawl your site normally.
Is the Cloudflare free plan good enough to block bots?
For most small business WordPress sites, yes. Cloudflare’s free plan includes Bot Fight Mode, five custom firewall rules, and basic DDoS protection. That combination blocks the vast majority of bad bot traffic. You’d only need to upgrade if you’re dealing with sophisticated targeted attacks or need more granular control.
Can I use Wordfence and Cloudflare together?
Absolutely, and I recommend it. Cloudflare filters traffic at the network edge before it reaches your server, and Wordfence provides an additional security layer at the WordPress level. They complement each other well. Just make sure to configure Wordfence’s “How does Wordfence get IPs” setting to read the real visitor address from Cloudflare’s CF-Connecting-IP header, so it logs and blocks the actual visitor IPs rather than Cloudflare’s proxy IPs.
How often should I check for bot traffic?
I review bot traffic on the sites I manage at least monthly. Check your server logs or Wordfence live traffic view for new bad bots, review your Cloudflare analytics for blocked threats, and keep an eye on your Google Analytics for referral spam. If you notice a sudden spike in traffic or server resource usage, check immediately — it could be a bot attack in progress.
What’s the difference between blocking a bot and challenging it?
Blocking returns a hard “403 Forbidden” response — the bot gets nothing. Challenging (used by Cloudflare) presents a CAPTCHA or JavaScript puzzle that the visitor must solve to proceed. Legitimate human visitors pass the challenge easily; most bots cannot. Challenging is a gentler approach that reduces false positives — if your blocking rule accidentally catches a real visitor, they can still solve the challenge and access your site.
My site is on shared hosting. Does that make bot problems worse?
Yes. On shared hosting, your site shares server resources with potentially hundreds of other websites. When bots hammer your site, they’re consuming CPU and memory that’s already limited. This is one of the key reasons I recommend either upgrading to managed WordPress hosting or at minimum putting Cloudflare in front of your site. Cloudflare’s free plan absorbs bot traffic before it reaches your shared server, which makes a significant difference.
Need Help Protecting Your WordPress Site?
If you’ve read this far, you’ve got a solid understanding of how to block bots from your WordPress website. The steps aren’t complicated — but they do require some technical confidence, and getting them wrong can cause real problems.
I’ve configured bot protection on more than 55 WordPress websites. It’s part of the standard setup for every site I build and every hosting arrangement I manage. If you’d rather not deal with .htaccess files and firewall rules yourself, I’m happy to help.
You can see the kind of work I do on my WordPress web design page, or read what my clients have to say — I’ve got 51 five-star Google reviews from business owners across the UK.
If you’d like to see what a properly built, properly protected WordPress website could look like for your business, request a free mock-up. No obligation, no pressure. And if your existing site needs a security review, get in touch — I’ll take a look and let you know what needs fixing.
