How Spam And Bots Can Kill Your Site

Bhagwad Park

Published on: October 26, 2020

Categories: Website Security

When I first started hosting on a relatively low-cost server, there came a point when my site suddenly slowed down. It became pretty bad. When I contacted my host, they suggested I upgrade to the next highest tier because I’d outgrown my existing plan. But I wasn’t yet convinced, because my traffic hadn’t suddenly increased or anything. So what was slowing down my site if it wasn’t additional traffic? After digging through the server logs and looking at metrics like CPU usage, I finally came to the conclusion that my site was being hit by bot spam. Thousands upon thousands of bots were flooding my site, slowing things down and essentially killing it.

Now I had page caching turned on via a plugin, so the impact wasn’t as high as it would have been, but it was still pretty bad because the bots were targeting dynamic areas of my site that required processing power for each hit. This fell into three categories:

  1. Login page bots
  2. Spam comment bots
  3. XMLRPC bots

Here’s how I dealt with each of them to restore my site’s performance.

1. Dealing with Login Page Bots

Unfortunately, everyone knows the default login page for all WordPress installations. It’s just the site name with “wp-login.php” appended to it. So it’s incredibly easy for any bot to come and try various username/password combinations. Each attempt is sent to PHP and the database for authentication, and that takes away precious resources, especially on a shared server. Add in a few hundred attempts, and you can see why it’s a problem.

There are two different ways to approach this issue. The first is to simply hide your login page. This is my preferred solution, but it just removes an attack vector, similar to changing the SSH port on your server. There are some who frown upon such measures in principle, because they come under the “security through obscurity” umbrella, but hey, it gets the job done! By hiding your login page, you simply send a 404 response to whoever tries to access it directly. Problem solved!

The second solution is to have a CAPTCHA on the login page. Google’s reCAPTCHA is an excellent solution that works great!
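One way to implement the “hide the login page” approach as a must-use plugin. This is an added example, not code from the original post or from NameHero; the secret slug `my-secret-door`, the cookie name and the 600-second window are assumptions you would change for your own site.

```php
<?php
/*
Plugin Name: Hidden Login Door (example, drop in wp-content/mu-plugins/)
*/

// Assumption: the secret slug lives here; on a real site define it in wp-config.php
// so it stays out of version-controlled plugin code.
const HLD_SLUG   = 'my-secret-door';
const HLD_COOKIE = 'hld_pass';
const HLD_TTL    = 600; // seconds the door stays open for this browser

// Cookie value derived from the site's auth salt, so the slug itself never travels in a cookie.
function hld_token(): string {
    return hash_hmac('sha256', HLD_SLUG, wp_salt('auth'));
}

// Step 1: a visit to https://example.com/?my-secret-door opens the door for this browser
// by setting a short-lived, HttpOnly cookie, then forwards to the normal login form.
add_action('init', function () {
    if (!isset($_GET[HLD_SLUG])) {
        return;
    }
    setcookie(HLD_COOKIE, hld_token(), time() + HLD_TTL, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true);
    wp_safe_redirect(wp_login_url());
    exit;
});

// Step 2: every request to wp-login.php (GET or POST) without a valid door cookie is
// answered with a plain 404 before WordPress touches the users table. Logged-in users
// pass through so that logout and profile flows keep working.
add_action('login_init', function () {
    if (is_user_logged_in()) {
        return;
    }
    $cookie = isset($_COOKIE[HLD_COOKIE]) ? (string) $_COOKIE[HLD_COOKIE] : '';
    if ($cookie === '' || !hash_equals(hld_token(), $cookie)) {
        status_header(404);
        nocache_headers();
        wp_die('Not Found', 'Not Found', ['response' => 404]);
    }
});
```

Password-reset links in e-mail also point at wp-login.php, so a logged-out user has to open the door first; check that flow before relying on this on a multi-author site.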

2. Dealing with Spam Comments

Spam comments are an issue for the same reasons as login bots. They trigger resource usage on your site by making the server work to identify each one as spam, and then store the comment in the database for deletion later on. This can quickly overwhelm your site, not to mention ruining the experience of your site’s visitors if a spam comment gets through.

I’ve tried many solutions to deal with spam, including “hidden fields” that bots will fill and humans won’t. But in the end, I simply think that Google’s reCAPTCHA solution is the best option here. It’s easy to implement, and keeps up with increasing bot sophistication, unlike other options that they can eventually find ways to work around.

3. Controlling XML-RPC Attempts

XML-RPC is like a backdoor into your site. Using it, bots can try hundreds of login attempts through a simple API that anyone can access. Automattic insists that it’s important for third-party integration, but I fear they’ve made it too open. The current situation, where simply anyone can access your site at will, is untenable. Fortunately, there are ways to disable XML-RPC safely while still keeping it open for some essential functions like Jetpack. I strongly suggest you restrict XML-RPC access either via .htaccess, through a plugin/custom code, or with firewall rules. Closing this loophole in your site is like shutting a window into your home through which anyone can look!
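The “plugin/custom code” route, as an added example that is not from the original post or from NameHero: a must-use plugin that keeps only an allow-list of XML-RPC methods. It assumes Jetpack is the only integration you need and that its methods are registered under the `jetpack.` prefix; both are assumptions to verify against your own install.

```php
<?php
/*
Plugin Name: XML-RPC Method Restriction (example, drop in wp-content/mu-plugins/)
*/

// Assumption: Jetpack is the only integration this site needs over XML-RPC, and its
// methods are all registered under the "jetpack." prefix. Add other prefixes (for
// example "wp." for a mobile app) only if you actually use them.
function xrr_allowed_prefixes(): array {
    return ['jetpack.'];
}

function xrr_is_allowed(string $method): bool {
    foreach (xrr_allowed_prefixes() as $prefix) {
        if (strncmp($method, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Strip every method that is not on the allow-list. A call to a removed method is
// refused with a cheap "method does not exist" fault before any username/password
// is checked against the database, which is what keeps the load off a shared server.
// This also drops pingback.ping and system.multicall, both commonly abused by bots.
add_filter('xmlrpc_methods', function (array $methods): array {
    return array_filter($methods, 'xrr_is_allowed', ARRAY_FILTER_USE_KEY);
}, 1000);

// Stop advertising the endpoint: no RSD <link> in <head>, no X-Pingback header.
remove_action('wp_head', 'rsd_link');
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
```

After enabling it, confirm in the Jetpack dashboard that the site connection still works, and watch the access log for xmlrpc.php requests to see the fault responses replacing the login attempts.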

As an aside, if you use Cloudflare, you can set it to block bad bots under the Firewall settings as shown here:

[Screenshot: Cloudflare Bot Fight Mode]

It’s not particularly useful to me. Cloudflare doesn’t seem to do a great job of blocking the vast majority of unwanted bots, but you might as well enable it. It costs you nothing!

Hopefully these tips will help you restore some balance to your site and keep bots in all their forms away!

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!

Comments

  1. Alex says

    February 19, 2022 at 1:49 pm

    Bot Fight Mode will slow down your website speed by loading additional challenge js script

