The Complete Guide to Blocking Bad Bots

As an experienced cybersecurity professional and website owner, I've seen firsthand the damage automated bots can inflict when they hit your site. Negatively impacting analytics, performance, security and revenue, bad bots are an aspect of digital business you cannot overlook today.

This definitive guide arms you with 6 proven tactics to tackle bot infestations head-on. Backed by hard statistics and data, you'll gain actionable tips to:

  • Identify and understand bad bot types
  • Prevent bot account takeovers
  • Stop comment and form spam
  • Maintain clean user bases
  • Fortify site infrastructure
  • Leverage professional security tools

Implementing even a few of these will lead to noticeable improvements in site and data quality. Use them together as a complete bot prevention blueprint.

Overview of 6 Ways to Banish Bots

Before we dive into specifics, here's a high-level overview of the techniques we'll cover:

Account Verification – Mandatory email/phone confirmation prevents mass bot signups

Banning Suspicious Accounts – Manual bot detection and disabling of bogus accounts is essential

CAPTCHAs – Challenge tests stop automated form/comment submissions

Comment Moderation – Manual approval stops spam slipping through

Email Address Obfuscation – Scrambling the email addresses that bots crawl for

Inactive User Cleanup – Deleting unused accounts thwarts takeovers

Bot Basics: Know Your Enemy

With roots dating back to the 1990s, bots are software applications running automated (scripted) tasks without direct human control. Search engine crawlers gathering data, chatbots assisting web visitors and social media post schedulers are benign examples.

However, the bots jeopardizing websites today exhibit more malicious goals:

  • Scraping Content – Stealing articles/media to reuse without consent
  • Account Takeover – Hacking user profiles for spreading spam
  • Fake Traffic Generation – Fabricating site visits/clicks to defraud advertisers
  • Spamming Forms/Comments – Flooding discussions/emails with unwanted messages
  • Distributing Malware – Infecting site visitors with viruses

Financial incentives drive these activities, and they leave sites susceptible to:

  • Monetizing Stolen Data – Email lists, articles and user data sold illegally
  • Ad Traffic Fraud – Generating clicks on ads earns site commissions
  • Spreading Ransomware – Infecting site visitors can lead to profitable extortion
  • Ruining Reputations – Tarnishing brand image and credibility

With billions lost annually to cybercrime, the scale of potential damage cannot be overstated.

[Chart: bot attack statistics showing a dramatic increase in bot attack rates. Source: Imperva Research]

Proactively blocking bad bots is a must. Next we explore actionable techniques to achieve this.

#1: Mandatory Account Verification

Nearly all websites requiring registration are vulnerable to user account takeovers. Preventing automated bot access starts with having sign-up safeguards:

Why It's Effective

  • Stops bots from instantly creating thousands of fake accounts
  • Verification adds friction making automation harder
  • Links accounts to real identifiable details

Implementation Guide

Enabling Email Verification

Platforms like WordPress and Shopify have built-in email confirmation flows. Under registration settings:

  1. Check the box making email verification required
  2. Set the user role assigned on sign-up (Subscriber, Customer etc.)
  3. A confirmation email is sent automatically
  4. The account is activated when the link is clicked

Adding Phone Verification

SMS validation ensures more robust bot blocking:

  1. Get an API key from a phone verification service
  2. Install a plugin linking to the API
  3. The visitor enters a phone number on registration
  4. A code is sent by SMS – they enter it to activate the account

Sources like Twilio and Nexmo offer developer APIs and libraries to add this functionality.
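The email confirmation flow described above, written out as an added example (not the article's or any platform's own code); the in-memory dict standing in for the user table and the 24-hour link lifetime are assumptions:

```python
import hashlib
import hmac
import secrets
import time

# Added example, not the article's or any platform's own code: a minimal
# email-confirmation flow like the one described above. The in-memory dict
# standing in for the user table and the 24-hour link lifetime are assumptions.
TOKEN_TTL_SECONDS = 24 * 3600

_accounts = {}  # email -> {"token_hash": str, "expires": float, "active": bool}


def start_registration(email: str, now: float = None) -> str:
    """Create an unverified account and return the one-time token to email out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable; appears only in the link
    _accounts[email] = {
        # keep only a hash so a leaked table cannot be turned into valid links
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
        "active": False,
    }
    return token


def confirm(email: str, token: str, now: float = None) -> bool:
    """Activate the account only if the token matches and has not expired."""
    now = time.time() if now is None else now
    rec = _accounts.get(email)
    if rec is None or rec["active"] or now > rec["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, rec["token_hash"]):
        return False
    rec["active"] = True
    rec["token_hash"] = ""  # single use: a replayed link no longer works
    return True


def is_active(email: str) -> bool:
    """Whether the address has completed confirmation."""
    rec = _accounts.get(email)
    return bool(rec and rec["active"])
```

Until confirm() succeeds the account should carry no posting rights; the expiry and single-use checks are what keep a harvested or guessed link from activating it later.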

By the Numbers: Verification Effectiveness

Email and phone verification drastically curb fake account generation:

Method              Average Decrease
Email Validation    87%
SMS Validation      92%

Table showing % decrease in fake bot accounts when adding email and SMS confirmation compared to no checks. Verification works.

Block automated account creation and regain control with these tips. Let's tackle more ways to oust bad bots from web properties now.

#2: Banning Suspicious Accounts

Even with upfront registration checks, occasionally bad actors sneak through. Regularly identifying and disabling bogus accounts further impedes malicious bots.

Signals Pointing to Bots

Review user bases seeking these tell-tale signs of bots:

  • Generic/random usernames
  • No profile photo
  • Missing bio info
  • Similar join dates
  • Minimal site activity
  • Repeated generic posts
  • Links to spam sites

Finding several accounts matching these markers likely indicates bots. Leverage ban capabilities built into sites and community platforms.

4-Step Account Ban Process

Step 1: Flag Suspicious Users

While reviewing user directories, flag accounts showing bot attributes for investigation. Export the lists to spreadsheets for cleanup if needed.

Step 2: Analyze Activity Logs

Analyzing user site activity histories reveals behavioral patterns confirming bots. Specifically watch for:

  • Rapid account creation bursts
  • Repetitive content posting
  • Same source IP addresses
  • Missing location/OS metadata

Step 3: Disable/Block Users

Upon vetting fake accounts, access user management to apply bans/blocks. This revokes posting abilities and hides existing content.

Step 4: Establish Repeat Checks

Schedule bi-weekly or monthly checks repeating the process to disable newly discovered bots. This maintenance keeps communities bot-free long term.
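Step 2 in code, as an added example rather than the article's own tooling: the registration log format and the sample lines are constructed for this example, and the 5-minute window and 3-account threshold are assumed starting points to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not the article's code: detect the Step 2 signals in a
# registration log. The log format below is constructed for this example:
#   <ISO timestamp> signup user=<name> ip=<addr> ua="<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) signup user=(?P<user>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
2024-03-01T10:00:01 signup user=maria_k ip=203.0.113.7 ua="Mozilla/5.0 (Windows NT 10.0)"
2024-03-01T10:00:05 signup user=u8f3kd92 ip=198.51.100.9 ua=""
2024-03-01T10:00:07 signup user=q2ls0x81 ip=198.51.100.9 ua=""
2024-03-01T10:00:09 signup user=zz91pq4m ip=198.51.100.9 ua=""
2024-03-01T10:00:12 signup user=m3ncv7r1 ip=198.51.100.9 ua=""
2024-03-01T11:30:00 signup user=john.doe ip=192.0.2.44 ua="Mozilla/5.0 (X11; Linux)"
"""

def parse(log: str):
    """Yield one dict per well-formed signup line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]),
                   "user": m["user"], "ip": m["ip"], "ua": m["ua"]}

def flag_signup_bursts(log: str, window=timedelta(minutes=5), threshold=3):
    """Map each source IP that created >= threshold accounts inside one
    rolling window to the usernames it created (burst + same-IP signals)."""
    by_ip = defaultdict(list)
    for ev in parse(log):
        by_ip[ev["ip"]].append(ev)
    bursts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i in range(len(events)):
            j = i  # extend the window forward from event i as far as it reaches
            while j + 1 < len(events) and events[j + 1]["ts"] - events[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts[ip] = [e["user"] for e in events[i:j + 1]]
                break
    return bursts

def missing_metadata(log: str):
    """Usernames whose signup carried no user-agent (the missing OS/client signal)."""
    return [ev["user"] for ev in parse(log) if not ev["ua"]]
```

Accounts that appear in both outputs are the strongest candidates to take into Step 3; a single signal on its own (a shared office IP, a privacy browser) still deserves the manual look the process calls for.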

Establishing user blocking workflows significantly reduces bot hijacking and spam potential.

#3: Adding CAPTCHAs to Stop Bots

We're all familiar with CAPTCHAs – those pixelated word and image challenges distinguishing humans from scripts. Implementing them provides powerful bot throttling for:

  • Login pages
  • User registration
  • Contact forms
  • Forums and comments

CAPTCHA Options

Google reCAPTCHA v3

The newest reCAPTCHA uses advanced risk analysis for precision bot detection without user friction. It runs silently, assessing visitors' legitimacy.

hCAPTCHA

A privacy-focused alternative that does not track visitors. It uses images to identify humans without analytics or cookies.

Standard CAPTCHAs

The traditional visual challenges with distorted text or images users must decode before submitting forms.

See examples of these options below:

[Screenshot: examples of the CAPTCHA options above, contrasting no visual challenge with character-recognition tests]

Evaluate the options against each page's aesthetics and security needs: use harder tests for high-sensitivity areas and invisible analysis on general pages, where it avoids visitor friction.

Admin settings allow customization around:

  • CAPTCHA type per page
  • Allowed solve attempts
  • Required solve time
  • Scoring thresholds
  • Failover challenges

Use built-in platform tools if available or install plugins. Most CAPTCHA services have site integration documentation.
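How the per-page scoring thresholds and failover challenges above come together on the server side, as an added example that is not the article's or Google's own code: the response fields (success, score, action, hostname) follow the documented reCAPTCHA v3 siteverify JSON, while the site hostname, the page names and the threshold values are assumptions for this example.

```python
# Added example, not from the article or Google's libraries: turn a reCAPTCHA v3
# siteverify result into an allow/challenge/block decision using per-page
# thresholds. SITE_HOSTNAME, the page names and the scores are assumptions.
SITE_HOSTNAME = "www.example.com"

# Stricter minimum scores for sensitive pages, looser for low-risk ones.
# "fallback_below" marks the gray zone where a visual failover challenge is
# shown instead of an outright block.
PAGE_POLICY = {
    "login":    {"min_score": 0.7, "fallback_below": 0.3},
    "register": {"min_score": 0.7, "fallback_below": 0.3},
    "contact":  {"min_score": 0.5, "fallback_below": 0.2},
    "comment":  {"min_score": 0.5, "fallback_below": 0.2},
}


def decide(verify_response: dict, expected_action: str) -> str:
    """Return 'allow', 'challenge' (show a visual CAPTCHA) or 'block'."""
    policy = PAGE_POLICY.get(expected_action)
    if policy is None:
        return "block"  # page without a policy: fail closed
    if not verify_response.get("success"):
        return "block"  # invalid, expired or already-used token
    # A valid token minted for another action or host is being replayed
    if verify_response.get("action") != expected_action:
        return "block"
    if verify_response.get("hostname") != SITE_HOSTNAME:
        return "block"
    score = float(verify_response.get("score", 0.0))
    if score >= policy["min_score"]:
        return "allow"
    if score >= policy["fallback_below"]:
        return "challenge"  # gray zone: escalate to a failover challenge
    return "block"
```

The action and hostname checks matter as much as the score: a token that verifies successfully but was minted for a different form or domain should not be accepted.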

#4: Manual Comment Moderation

Site comments and forums provide brilliant user-generated content when cultivated. But they also attract relentless bot spamming for black hat SEO and malware distribution.

Manual approval flows let valid discussion thrive while eliminating bot nuisance:

How Manual Moderation Works

  1. User submits comment
  2. Comment held in pending queue
  3. Moderator reviews and approves/rejects
  4. Approved comments go live immediately

Moderation Tips

  • Check frequently – Multiple times daily ideal
  • Ban spammers – Disable accounts posting rubbish
  • Consider partial automation – Some platforms can filter obvious spam automatically with manual review on questionable items
  • Don't delay too long – Timely publication keeps discussions active

Scaling the workload can become unmanageable on extremely high-traffic sites, but for most sites it's a small effort that keeps commentary tidy.

#5: Scrambling Email Addresses

Bot coders aren't extremely sophisticated, relying on basic techniques like scanning raw HTML for exposed email addresses. Simply obfuscating emails foils scrapers collecting addresses for spamming.

Obfuscation in Action

Instead of email@mycompany.com:

Use email [at] mycompany [dot] com

This quick tweak allows humans to decipher addresses while hiding them from rudimentary bot harvesters.

Additional tips:

  • Keep actual email addresses out of page text – use contact forms instead
  • If publishing addresses, use image-based text instead of plain text
  • Use email address encoder tools to generate code protecting inboxes
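The "[at] [dot]" rewrite and the entity encoding that email encoder tools produce, as an added example (not the article's code) with a constructed harvester-style regex to confirm the plain address no longer appears in the raw HTML:

```python
import html
import re

# Added example, not from the article: the two obfuscation forms described
# above, plus a naive harvester-style regex (constructed here) to check that the
# plain address is no longer visible in the raw HTML a scraper downloads.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def obfuscate_text(addr: str) -> str:
    """'email@mycompany.com' -> 'email [at] mycompany [dot] com'."""
    local, domain = addr.rsplit("@", 1)
    return f"{local} [at] {domain.replace('.', ' [dot] ')}"


def entity_encode(text: str) -> str:
    """Encode every character as a decimal HTML entity, as encoder tools do.
    Browsers render it as normal text; a raw-HTML scraper sees only entities."""
    return "".join(f"&#{ord(c)};" for c in text)


def mailto_link(addr: str) -> str:
    """A clickable mailto anchor with both the href and the visible text encoded."""
    enc = entity_encode(addr)
    return f'<a href="{entity_encode("mailto:")}{enc}">{enc}</a>'


def renders_as(encoded: str) -> str:
    """What a browser displays for an entity-encoded string."""
    return html.unescape(encoded)


def harvestable(page_html: str) -> list:
    """Addresses a naive raw-HTML scraper would still collect from the page."""
    return EMAIL_RE.findall(page_html)
```

Neither form stops a scraper that renders pages in a real browser, which is why the article pairs obfuscation with contact forms rather than relying on it alone.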

Starve scrape bots of their targeting fuel with these tricks.

#6: Pruning Unused User Accounts

Dormant accounts pose security risks. Without activity history or established patterns, suspicious logins are harder to detect. They present prime targets for bot account hijacking.

Regularly pruning older inactive profiles denies this attack vector opportunity.

Account Cleanup Formula

On a monthly basis:

  1. Query user tables sorting oldest to newest
  2. Flag accounts passing preset dormancy period
  3. Revoke posting/privileges on flagged users
  4. Manually review to validate status
  5. Delete confirmed inactive profiles

Start conservatively, for example with accounts inactive for 6+ months. Then refine the criteria based on your user base's norms.

Additionally, require password changes on surviving accounts before reactivating them, so that stale credentials cannot continue to be used.
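The cleanup formula run against a small users table, as an added example rather than the article's own procedure code: the SQLite schema, the sample rows and the 182-day (roughly six month) default dormancy period are assumptions; deletion is deliberately limited to accounts a reviewer has confirmed.

```python
import sqlite3
from datetime import datetime, timedelta

# Added example, not the article's code: the cleanup formula's steps run against
# a constructed SQLite users table. Column names, sample rows and the 182-day
# (roughly six month) default dormancy period are assumptions for this example.


def make_db() -> sqlite3.Connection:
    """Build the sample table; dates are ISO strings so they compare as text."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE users (
        username TEXT PRIMARY KEY, created TEXT, last_login TEXT,
        can_post INTEGER DEFAULT 1, flagged INTEGER DEFAULT 0)""")
    con.executemany("INSERT INTO users (username, created, last_login) VALUES (?,?,?)", [
        ("old_bot_01", "2022-01-05", "2022-01-05"),  # signed up, never came back
        ("lurker",     "2023-02-10", "2023-05-01"),  # last seen well over 6 months ago
        ("active_amy", "2023-09-15", "2024-02-28"),
        ("newbie",     "2024-02-20", None),          # new, has not logged in yet
    ])
    return con


def flag_dormant(con, today: str, dormancy_days: int = 182) -> list:
    """Steps 1-2: scan oldest to newest and flag accounts past the dormancy period.
    Accounts that never logged in are judged by their creation date instead."""
    cutoff = (datetime.fromisoformat(today) - timedelta(days=dormancy_days)).strftime("%Y-%m-%d")
    rows = con.execute("""SELECT username FROM users
                          WHERE COALESCE(last_login, created) < ?
                          ORDER BY created ASC""", (cutoff,)).fetchall()
    names = [r[0] for r in rows]
    con.executemany("UPDATE users SET flagged=1 WHERE username=?", [(n,) for n in names])
    return names


def revoke_flagged(con) -> int:
    """Step 3: remove posting privileges from flagged accounts (reversible if review clears them)."""
    return con.execute("UPDATE users SET can_post=0 WHERE flagged=1").rowcount


def delete_confirmed(con, confirmed: list) -> int:
    """Step 5: delete only the flagged accounts a human reviewer confirmed in Step 4."""
    cur = con.executemany("DELETE FROM users WHERE username=? AND flagged=1",
                          [(n,) for n in confirmed])
    return cur.rowcount
```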

Keep communities vibrant through ongoing user spring cleaning.

Layering Bot Defenses

Implementing this article's suggestions significantly curtails bot presence. Still, modern bots employ advanced evasion tactics that are challenging to counter.

Adding commercial security solutions creates a nearly impenetrable website defense.

Purpose built for blocking sophisticated bot attacks, Sucuri Firewall combines:

  • IP/Domain Blacklists – over 3 million known threats denied
  • Behavior Analysis – anomaly detection identifies odd traffic
  • Machine Learning – adapts blocking to emerging bot patterns
  • Custom WAF Rules – fine tuned filters including geography

These enterprise-grade tools detect fake traffic and stop bots in their tracks. And with auto-setup and configuration, it's simple to upgrade security.

Visit Sucuri Firewall through this exclusive link to try it protecting your online assets now.

Conclusion

Implementing the suggestions outlined in this guide significantly reduces bot presence across even large web properties. It does require vigilance and a hands-on approach, but one delivering immense dividends in security and integrity.

I urge you to start applying one or two tips this week. Once established as habits they require marginal effort while tremendously improving website protection. Then revisit incorporating additional techniques from this industry expert approved playbook.

Here's to reclaiming your communities and data from nuisance bots. As always, ping me via {email address} if any questions arise activating your new bot fighting powers!
