
8 Tips for Blocking Bots on Your Website

Bots are the source of many ills on the internet, from distributed denial of service (DDoS) attacks to scalper bots buying up in-demand products before legitimate consumers have the chance. It makes sense, then, that companies running a portion of their business—or all of their business—through websites would want to put a stop to bots wherever possible. Fortunately, there are many things you can try to stem the tide.

In this post, we’re going to cover eight effective ways to block bots on your website and protect your business from this kind of malicious behavior.

1. Block Known Proxy Services and Hosting Providers

The architects behind any given bot attack will not openly send traffic from their own location. For one thing, doing so would make them easier to find in the event of any law-breaking activity; it would also make it easier for websites to block them.

Those aren’t the only reasons, of course, but they are two of the most significant reasons why bots are put through proxy services, or hosted remotely. And, while this isn’t a catch-all solution for stopping any bot, it does give you a way to significantly reduce the number that gets through. For example, the following data centers are notorious for hosting bots.

  • DigitalOcean
  • OVH Hosting
  • GigeNET
  • Choopa, LLC

While they are not inherently bad data centers—merely companies that malicious entities take advantage of—they are not internet service providers, which means there should be no legitimate traffic coming from them, so you won’t be inadvertently blocking genuine customers.
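One way to apply such a block is to match each client address against the providers' network ranges. The sketch below is an added example, not code from the original post; the provider names and CIDR ranges are constructed placeholders from documentation address space, and `hosting_provider_for` is a hypothetical helper name.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space). Real ranges
# would come from each provider's published prefixes or an ASN-to-prefix feed.
HOSTING_RANGES = {
    "example-hosting-a": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:a::/48"],
    "example-hosting-b": ["198.51.100.0/24"],
}


def build_blocklist(ranges):
    """Parse the CIDR strings once, at start-up, into (network, provider) pairs."""
    return [
        (ipaddress.ip_network(cidr), provider)
        for provider, cidrs in ranges.items()
        for cidr in cidrs
    ]


def hosting_provider_for(client_ip, blocklist):
    """Return the provider whose range contains client_ip, or None.

    client_ip should be the socket peer address, or the value set by your own
    trusted reverse proxy; a client-supplied X-Forwarded-For can be forged.
    """
    try:
        ip = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return None  # unparseable address: let the caller decide what to do
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them
    # so they are still matched against the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for network, provider in blocklist:
        if ip.version == network.version and ip in network:
            return provider
    return None


BLOCKLIST = build_blocklist(HOSTING_RANGES)
```

Logging the matched provider for a while before enforcing the block shows how much traffic the rule would actually affect.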

2. Monitor Failed Gift Card Validation Attempts

A technique used by fraudsters online is to launch a bot attack at sites that provide a gift card balance checking feature. These bots attempt to request the balance of a list of potential account numbers, and if a balance is given, the bot knows that the account is legitimate and contains funds. The account number can then be used to purchase goods.

The bots do not know which accounts are real in advance—if they did they would just use them—and work by essentially brute-forcing their way through the list. This will result in a significant increase in this kind of request, and detecting that increase could help you block bots that are trying to steal gift card balances.
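The increase described above can be detected by counting how many distinct card numbers each client fails on within a short window. This is an added example, not part of the original post; the event format, the 60-second window, the threshold of five and the sample events are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60         # assumed look-back window
MAX_DISTINCT_FAILURES = 5   # assumed threshold; tune it against your own traffic

# Constructed sample events: (unix_time, client_ip, card_number, balance_found).
# A bot walks through eight numbers; a customer mistypes one card twice.
# In production logs, store a keyed hash of the card number, not the number.
SAMPLE_EVENTS = (
    [(1000 + i, "198.51.100.7", f"60000000{i:08d}", False) for i in range(8)]
    + [
        (1002, "203.0.113.20", "6000000012345678", False),
        (1010, "203.0.113.20", "6000000012345678", False),
        (1020, "203.0.113.20", "6000000012345670", True),
    ]
)


def find_enumerating_clients(events, window=WINDOW_SECONDS,
                             limit=MAX_DISTINCT_FAILURES):
    """Return {client_ip: time_first_flagged} for clients whose failed lookups
    cover more than `limit` distinct card numbers within `window` seconds."""
    recent = defaultdict(deque)   # client -> (time, card) of recent failures
    flagged = {}
    for ts, client, card, found in sorted(events):
        if found:
            continue              # successful lookups are not counted
        failures = recent[client]
        failures.append((ts, card))
        # Drop failures that have aged out of the window.
        while failures[0][0] <= ts - window:
            failures.popleft()
        # Counting distinct numbers keeps a customer who retries one
        # mistyped card from looking like a bot working through a list.
        distinct = {number for _, number in failures}
        if len(distinct) > limit and client not in flagged:
            flagged[client] = ts
    return flagged
```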

3. Protect Everything

Malicious bot behavior is not limited to website access. Indeed, any access point that is available through the internet is a potential target, including mobile apps and APIs.

It is important to ensure that all of these access points are sufficiently protected, as the end result of a security breach by a bot attack is the same, regardless of how the bots got in.

4. Monitor Login Attempts

Public data breaches are a sadly common occurrence, seeing long lists of username and password combinations go up for sale or get leaked onto the Internet.

When this happens, malicious parties will invariably try to take advantage of these leaks by automating login attempts at various services. If you are aware of such a public data breach, and you start seeing significantly more login requests, there’s a good chance you are being targeted by bots.

To stay on top of this, set up alerts that will automatically notify you if there are substantial spikes in login attempts. You might also consider throttling login attempts to slow the rate at which these bots can make their attempts.
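The alerting and throttling described above can sit in one small component in front of the password check. The following is an added example, not code from the original post; the class name, the thresholds and the sample events are assumptions, and events are assumed to arrive in time order.

```python
from collections import defaultdict, deque


class LoginMonitor:
    """Per-source throttle plus a site-wide volume alert (thresholds assumed)."""

    def __init__(self, max_failures=5, window=300, baseline_per_min=10, spike_factor=3):
        self.max_failures = max_failures      # failures allowed per source per window
        self.window = window                  # throttle window in seconds
        self.alert_above = baseline_per_min * spike_factor
        self.failures = defaultdict(deque)    # source IP -> recent failure times
        self.arrivals = deque()               # times of all attempts, last 60 s

    def handle(self, ts, ip, password_ok):
        """Return (status, alert); status is 'ok', 'failed' or 'throttled'."""
        # Count every arrival, throttled or not, so the alert sees real volume.
        self.arrivals.append(ts)
        while self.arrivals[0] <= ts - 60:
            self.arrivals.popleft()
        alert = len(self.arrivals) > self.alert_above

        recent = self.failures[ip]
        while recent and recent[0] <= ts - self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            return "throttled", alert         # reject before checking the password
        if not password_ok:
            recent.append(ts)
            return "failed", alert
        return "ok", alert


# Constructed sample: one noisy source, then 40 sources trying once each.
SAMPLE_LOGINS = (
    [(t, "198.51.100.7", False) for t in range(10)]
    + [(100 + i, f"203.0.113.{i}", False) for i in range(40)]
)


def replay(events, monitor):
    """Feed (ts, ip, password_ok) events through the monitor; summarise the outcome."""
    throttled, first_alert = 0, None
    for ts, ip, ok in events:
        status, alert = monitor.handle(ts, ip, ok)
        throttled += status == "throttled"
        if alert and first_alert is None:
            first_alert = ts
    return throttled, first_alert
```

In the sample, the throttle stops the single noisy source, while the 40 sources that each try once stay under it and are caught only by the volume alert.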

5. Look into Unusual Traffic Spikes

Not every sudden surge in traffic is a sign of malicious bots attacking your service, but it can be. If you become aware of a spike in traffic to your service, it is worth investigating it to make sure it is legitimate traffic and taking action if it is not.

Legitimate traffic spikes may come about as a result of trends, or marketing material going viral, and there will typically be an obvious cause of the traffic spike in these cases. If the source is inexplicable—or you can confidently identify it as bot activity—you can then take steps to block bots from accessing your service.


6. Use CAPTCHA

CAPTCHA is far from an ironclad, unbreakable defense against bots, but it can do great work in thinning the herd, so to speak. While the more advanced bots may be able to get around CAPTCHA, most of them can’t.

Admittedly, CAPTCHA is something of a nuisance to legitimate users as well, but at this stage, it is a nuisance that internet users have grown accustomed to. And, for the ease with which it can be implemented, it really isn’t worth leaving it out of your security measures.

7. Block Outdated Browsers

Many bots use user-agent strings that are quite outdated. User-agent strings tell your servers what type of system is trying to access them, including the browser that is being used. Bots are not actually accessing your service through a browser, but manipulating the user-agent string to represent themselves as such.

Users should upgrade their browsers regularly for security reasons, and it can be argued that there is no ethical obligation to support browsers that have passed beyond their end-of-life support stage.

Again, the bots aren’t really using browsers; they are just pretending to be one. But many bots in use don’t get their user-agent string updated, so this simple measure can be quite effective at blocking a large number of bots.
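A version check of this kind needs to pull the browser family and major version out of the user-agent string. This is an added example, not code from the original post; the minimum versions in `MIN_MAJOR` are an assumed policy, and the sample strings are constructed.

```python
import re

# Assumed policy: oldest major version still accepted, per browser family.
MIN_MAJOR = {"Edge": 110, "Chrome": 110, "Firefox": 102, "Safari": 15}

# Order matters: Edge strings also contain "Chrome/" and "Safari/", and
# Chrome strings contain "Safari/", so the most specific token is tried first.
PATTERNS = [
    ("Edge", re.compile(r"\bEdg(?:e|A)?/(\d+)")),
    ("Chrome", re.compile(r"\b(?:Chrome|CriOS)/(\d+)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)")),
    ("Safari", re.compile(r"\bVersion/(\d+)[\d.]*.*\bSafari/")),
]


def classify_user_agent(user_agent):
    """Return (family, major, decision); decision is allow, block or unknown."""
    for family, pattern in PATTERNS:
        match = pattern.search(user_agent or "")
        if match:
            major = int(match.group(1))
            decision = "allow" if major >= MIN_MAJOR[family] else "block"
            return family, major, decision
    # Not a recognised browser (API client, script, empty header): this check
    # has no opinion, so handle it under a separate policy.
    return None, None, "unknown"


# Constructed sample user-agent strings.
OLD_CHROME = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36")
CURRENT_EDGE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0")
CURRENT_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) "
                  "Version/17.1 Safari/605.1.15")
```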

8. Consider Bot Mitigation Solutions

There are several solutions available that handle bot mitigation for you. Many of these services are cloud-based and require very little work and minimal disruption to your service. The days of “in-house” solutions are increasingly going away as the need for dedicated specialists increases, and the world of cybersecurity is no different. Dedicated cybersecurity services can do a better job at blocking bot activity because that is their specialty, and in using those companies, you free your company up to focus on its specialty without having to divert as much of your focus to cybersecurity concerns.
