Seeing some strange traffic to your WordPress website? Getting spam comments and card chargebacks? You may be at the mercy of bad bots.
When bots are mentioned, a chatbot is probably what comes to mind for many. We’ve all seen the little chat box that pops up with automated messages to help with customer service queries or lead generation – and these bots definitely fall into the good or useful bot category.
Other more benign bots include the Google crawler and the useful data bots dispatched by research tools like Ahrefs or SpyFu.
However, not all bots are created equal, and anyone who runs a WordPress site is all too aware of the damage bad bots can serve.
When it comes to WordPress bad bots, understanding the threats and how to protect your business are necessary parts of modern marketing.
What are bad bots?
A bad bot is any bot that has a malicious or potentially negative purpose.
Whether that’s stealing your content, clicking on your ads, posting spam anywhere it can, or overloading or hacking your server.
Due to the nature of the attacks, some of these happen at once – a spam bot that’s filled hundreds of form queries and submitted hundreds of spam comments may cause your server to be overloaded.
To get one-up on WordPress bad bots, we recommend you verse yourself in WordPress bot protection. Because the only way you can protect yourself against something is to know what it is and how it works. Knowledge is power, as they say!
Typical bad bots on WordPress
Whatever site builder you’re using, the truth is that bad bots can cause havoc. But because WordPress is one of the most popular options for website owners, there are a number of bots that can be used to target WordPress sites.
Some of the most common forms of WordPress bad bots include:
If you’ve ever seen loads of spam comments on someone’s website or even had it happen on your own, you’ve witnessed the work of a spam bot. They not only spam content or comments, but they can also fill up your forms with useless entries and even hack your server.
Spam bots can also make your site run slower as it gets overwhelmed by all the entries, which has the knock-on effect of making you rank lower in Google.
This means if you’ve taken care not to write spammy content or stuff your keywords, a spam bot could come along and undo all your hard work.
There are plugins you can use to block spam bots. But due to the sophistication of these sneaky bots, using another layer of spam prevention can be wise.
Read more about spam bots in our guide.
Another type of WordPress bad bot is the content scraper. These are pretty self-explanatory; they scan and copy data from your website and then publish it to another site claiming it as their own.
This can be particularly frustrating because it takes the content you’ve spent time crafting and finessing and, through no effort at all, passes it off as their own.
You might think you’d be flattered but trust me, that ends quickly if you see their version is performing better than yours and potentially stealing customers from you!
Unfortunately, content scrapers are easy to set up and run automatically in the background using RSS (Really Simple Syndication). An RSS file contains details about the content, like the date it was published and the author, but also, crucially, the whole text of that content.
Therefore, these bots can easily read your content via the RSS, save it down, and pass it off as their own. It’s not limited to one bot scraping like-for-like content either, they can scrape content from multiple sources and combine it into their own blog post.
Brute force attack bots
Brute force bots make login attempts on your website, trying combinations of common usernames and passwords like ‘admin’ and ‘password’ until it finds the right one. They’re also known as dictionary attacks.
You’d have thought by 2022, everyone would be using strong password generators, but brute force attacks are actually the most common type of hacking, making up over 80% of password infiltration.
The name stems from the thousands or millions of combinations that will be tried tirelessly and in quick succession. While the attack is happening, your server can be overloaded, causing your website to crash.
But the worst part about these bad bots is the damage they do once they’re in. They can steal your customers’ data (think personally identifiable information and card details), delete, or deface your site, use your site to send malicious or spam links, or even hack other sites.
The dreaded Distributed Denial of Service (DDoS) ranks alongside ransomware as the most damaging form of a modern bot attack.
One of the most famous DDoS attacks, which happened in October 2016, targeted Dyn, a company that controlled a huge amount of the internet’s domain name systems (DNS). Affected websites included Netflix, Amazon, Twitter, PayPal, and The Guardian, making the scope of the attack absolutely massive.
Bots performing DDoS attacks flood your site with so much traffic it either slows down or completely shuts down.
As most companies depend on their website or online infrastructure to work properly 24/7, even a relatively small DDoS attack can have devastating consequences.
In some cases, hackers will demand a huge ransom to stop their attack and get the website back up and running.
Even if it’s not an extreme case of having to pay a ransom, if no one can access your WordPress site, that means they can’t purchase from you. In the short term, you might lose out on revenue, but in the long term, the damage to trust or future business can be irreparable.
How to manage bad bots on WordPress
There are plenty of apps that are designed to reduce your exposure to bad bots on WordPress.
Most likely, you have a few of these installed already, but if not, we recommend adding:
- Akismet – A standard WordPress plugin that is very effective at reducing spam comments
- Captchas – Add captchas to your account signings on WordPress. If you have users with weak passwords, this will add an extra layer of protection
- Force strong passwords – If you have a WordPress site with multiple authors, site users, or other account users, you can add plugins to ensure they use a complex password.
- ClickCease – Protecting your PPC ads from bots is one thing (and ClickCease is the leader in this field). ClickCease now zaps organic and direct bots, including DDoS bots and other WordPress bad bots.
Stay tuned for more information about bot zapping on ClickCease.