How to block bad and spam bots

Try adding this to your .htaccess file:

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
	RewriteCond %{HTTP_REFERER} !.*(example.com|jetpack.wordpress.com).* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) https://%{REMOTE_ADDR}/$ [R=301,L]
</ifModule>

Replace “example.com” with your domain, and remove “|jetpack.wordpress.com” if you aren’t using Jetpack comments.

This will block all bots from accessing the commenting and login scripts directly, which is what most bad bots try to do. They will need to go through the actual forms if they want to submit comments or log in, which means this won’t affect any normal humans. ??

Via: https://halfelf.org/2013/wp-login-protection-htaccess/

You should also try adding both https://perishablepress.com/5g-blacklist-2013/ and https://perishablepress.com/2014-micro-blacklist/ to your .htaccess file to block more bad bots.

Beyond that, use something like https://www.ads-software.com/plugins/bruteprotect/ to catch the ones that make it through to the login form, and https://www.ads-software.com/plugins/akismet/ to catch the ones that make it through to the spam form.

Hi James,

Thank you for the reply. I added the rule in htaccess and turned off cloudflare protection. But all the bad bots started to enter my site right away. Seems like they are not comment spammers or brute force attackers but crawlers, info hackers or something else. There are plenty of reasons why a bad bot can come to a site.

About the blacklists, they are quite huge. I already checked with this and if I add this in htaccess, site will load slow anyway. So, we are actually going back to the problem. Also there are many bad bots missing in the list and always new bots coming. So, I don’t really see it as a stable long-term solution.

About the plugins, I already use Akismet. I also used Wordfence which has brute force attack protection. But unfortunately, bots were still overloading my server.

In additins to the snippet suggested by James, also try these plugins. I have very good luck with all of that (snippet and plugins), so far:

https://www.ads-software.com/plugins/zero-spam/

https://www.ads-software.com/plugins/cookies-for-comments/

.htaccess really shouldn’t slow down your site at all, it’s a basic Apache process. The point is to stop the bots before PHP/MySQL has to process whatever the bots do, which absolutely does slow down your site.

Try adding both https://perishablepress.com/5g-blacklist-2013/ and https://perishablepress.com/2014-micro-blacklist/ to your .htaccess file.

Hope you don’t mind this related question. I’m finding conflicting answers on this. Should the blocking code you reference at perishable, also found in many other sites, be added in htaccess before or after the wordpress rules? Some argue they should be after so they don’t break WP related rules. Some argue they should be before because you want to block bots before anything else occurs. Thoughts?

I’ll take an answer from anyone on this question. Before or after the WP rules in htaccess? I seems to work fine either way but I want to do what’s correct.

I would think that it doesn’t matter either way. Apache isn’t usually too picky about where you put anything as long as it’s logical.