What is bot traffic — and how to stop it
Bot traffic is any visit to your website generated by an automated program rather than a real person. Some of it is helpful (search engines). A lot of it isn’t — and it quietly skews your analytics, inflates your bills, and can put your ad account at risk. Here’s how to recognise it, and a layered, practical way to detect, block and prevent it.
What is bot traffic?
Bot traffic is any request to your website made by software — a “bot” — instead of a human using a browser. Bots range from the search-engine crawlers that index your pages to automated scripts that scrape content, spam forms, test stolen passwords, or click ads. The traffic looks like page views and sessions in your reports, but there’s no person behind it.
It is far more common than most site owners realise. Industry measurements have found for years that automated traffic makes up close to half of everything that hits the web, and that a large share of it is malicious. So the question usually isn’t whether you have bot traffic — it’s how much, what kind, and what it’s doing to your data and your revenue.
Source: Imperva (Thales) Bad Bot Report, an annual industry benchmark on automated traffic.
Good bots vs bad bots
Not all bots are bad, and the goal is not to block every one — blocking Googlebot would remove you from search. The practical split is between bots you want, bots you can tolerate, and bots you should stop.
| Bot type | Verdict | What it does |
|---|---|---|
| Search crawlers (Googlebot, Bingbot) | ✓ Good | Index your pages so people can find them |
| SEO & uptime tools (AhrefsBot, monitors) | Tolerate | Crawl for tools and availability checks |
| AI scrapers (GPTBot, CCBot, …) | Your call | Harvest content to train models — allow or block via robots.txt |
| Content / price scrapers | ✗ Bad | Copy your content or undercut your prices |
| Spam bots | ✗ Bad | Form, comment and referral spam |
| Credential stuffing / account takeover | ✗ Bad | Test stolen logins against your users |
| Ad-fraud / click bots | ✗ Bad | Fake ad impressions and clicks — puts your ad account at risk |
| Scalper / inventory & DDoS bots | ✗ Bad | Hoard stock or overwhelm your server |
Modern bad bots are good at hiding. Many run through residential proxies and real browser engines, rotate IPs and user agents, and even mimic mouse movement — which is exactly why simple IP or user-agent blocklists no longer catch them.
Why bot traffic is a problem
- It corrupts your analytics. Inflated sessions, fake “direct” or referral spikes, near-zero engagement times and impossible geographies push you toward the wrong decisions.
- It wastes money. Bots consume bandwidth, server capacity and API quota, and can drive up costs on usage-priced infrastructure.
- It threatens your ad revenue. If you monetise with ads, bot impressions and clicks count as invalid traffic. Ad networks like Google AdSense penalise or suspend accounts with too much of it — often with little warning.
- It’s a security signal. Credential-stuffing and scraping bots are frequently the first stage of a real attack.
The through-line: bot traffic makes your numbers lie. Every downstream decision — content, spend, hiring, “what’s working” — inherits that error.
How to identify bot traffic
You rarely see one obvious red flag; you see a pattern. Common signs of bot traffic:
- Sudden, unexplained traffic spikes with no campaign or content behind them.
- Near-100% bounce rate and ~0-second session duration on a segment of traffic.
- One page, many hits — lots of sessions that view a single URL and leave.
- Geography that doesn’t match your audience, or a spike from one city/data centre.
- Odd sources — a jump in “direct” traffic, or spam referral domains.
- Outdated or inconsistent user agents, and environments that contradict themselves (e.g. a “mobile” hit with a desktop resolution and no touch support).
- Perfectly regular timing — requests spaced with mechanical, equal intervals.
Any one of these can be innocent. Several together, on the same slice of traffic, is bot traffic.
How to detect bot traffic (including in Google Analytics)
Google Analytics 4 automatically excludes traffic from known bots and spiders using the IAB/ABC International Spiders & Bots List. That’s on by default and you can’t turn it off — which is good, but it only covers declared, known bots. Sophisticated bots that spoof real browsers sail straight past it and show up as “human” in your reports.
To find what GA’s filter misses:
- Segment and explore in GA4. Build segments for 0-second engagement, single-page sessions, or specific suspicious sources/regions, and compare against your real audience.
- Read your server logs. They show every request — user agents, IPs, request rate and paths — before any client-side filtering. Repetitive hits from one ASN or data-centre IP range are a giveaway.
- Look at behaviour, not just identity. The reliable modern signal is how a visitor behaves — timing, interaction, environmental consistency — not the user-agent string, which is trivial to fake.
This is the layer traditional analytics ignores. PVUV.ai is built around it: it scores every visit 0–100 for authenticity using client signals, session behaviour and population-level patterns, and labels each hit clean, suspect, bot or crawler — so the bots that slip past GA’s known-bot list still get caught.
How to stop and prevent bot traffic
No single control stops bot traffic; each catches a different slice, and the sophisticated bots are built to evade the simple ones. Layer them:
| Method | What it catches | Limitation |
|---|---|---|
robots.txt | Polite, declared crawlers | Bad bots simply ignore it |
| GA4 known-bot filter | Known bots (IAB list) | Misses spoofed / residential bots |
| Rate limiting | High-volume crude bots | Slow, distributed bots slip under limits |
| WAF / edge bot management (e.g. Cloudflare) | Many automated threats at the edge | Setup & cost; blunt for ad-value nuance |
| CAPTCHA / Turnstile | Bots on logins & forms | Adds friction; solver farms bypass it |
| Honeypot fields | Naive form bots | Only the naive ones |
| IP / datacentre blocklists | Known-bad and cloud IPs | Residential proxies evade |
| Fingerprint + behavioural scoring | Sophisticated bots by behaviour | Needs data & aggregation to be accurate |
A sensible layered setup
- Block at the edge with a WAF / bot management and rate limiting — this stops the crude, high-volume floods before they cost you anything.
- Protect key actions (login, signup, checkout, comments) with a lightweight challenge like Cloudflare Turnstile and honeypots.
- Keep robots.txt honest for the good crawlers, and decide your stance on AI scrapers there.
- Score what gets through. Edge tools block obvious threats; a behavioural authenticity score catches the sophisticated bots that look human — and, crucially, keeps them out of your analytics and away from your ads.
Bot traffic and your ad revenue
If your site runs ads, this is the part that can actually cost you your business. Ad networks call bot-driven impressions and clicks invalid traffic (IVT). Too much of it and Google AdSense will deduct earnings, disable ad serving, or ban the account — and appeals are hard.
The tricky part: by the time AdSense flags you, the damage is done, and GA never warned you because the bots looked human. Detecting invalid traffic before it piles up — and gating ad code so it never loads for untrusted visits — is exactly what PVUV.ai’s ad-protection layer is for.
→ Read next: AdSense invalid traffic — what it means and how to fix it.
Quick checklist
- ✓Confirm GA4’s known-bot filter is on (it is by default)
- ✓Segment for 0-second, single-page, odd-geo spikes
- ✓Add rate limiting + a WAF / Turnstile at the edge
- ✓Score traffic for authenticity to catch what filters miss
- ✓If you run ads, gate ad code away from untrusted traffic
Frequently asked questions
How much of my website traffic is bots?
It varies by site, but industry benchmarks (e.g. Imperva’s Bad Bot Report) have found for years that automated traffic is close to half of all web traffic, with roughly a third being malicious bad bots. Smaller and ad-monetised sites often see even higher bot shares.
Does Google Analytics filter out bot traffic?
GA4 automatically excludes traffic from known bots and spiders using the IAB/ABC International Spiders & Bots List, and it can’t be turned off. But it only catches declared, known bots — sophisticated bots that spoof real browsers still show up as human, so you need behavioural detection to catch them.
How do I stop bot traffic on my website?
Layer your defences: block crude, high-volume bots at the edge with a WAF and rate limiting; protect logins and forms with a challenge like Turnstile; keep robots.txt honest for good crawlers; and score the remaining traffic for authenticity to catch sophisticated bots that look human.
Can bot traffic hurt my SEO or AdSense?
Bot traffic doesn’t directly change your rankings, but it corrupts the analytics you use to make SEO decisions. For ads it’s more serious: bot impressions and clicks are invalid traffic, and too much of it can get your AdSense earnings deducted or your account suspended.
Is bot traffic illegal?
Receiving bot traffic isn’t illegal — you can’t control who requests your pages. Operating malicious bots (fraud, credential stuffing, scraping in breach of terms) can be, depending on jurisdiction. Your job is to detect and reduce the harmful traffic, not to police the operators.
Can I block all bot traffic completely?
No — and you shouldn’t try. You want good bots like Googlebot to reach you. The realistic goal is to separate good bots from bad, block the crude threats, and detect the sophisticated ones so they stay out of your reports and away from your ads.
See how much of your traffic is real
PVUV.ai scores every visit for authenticity and flags invalid traffic and bots — free, hosted or self-hosted on your own Cloudflare account.