When I first started hosting on a relatively low-cost server, there came a point when my site suddenly slowed down. It became pretty bad. When I contacted my host, they suggested I upgrade to the next highest tier because I’d outgrown my existing plan. But I wasn’t yet convinced, because my traffic hadn’t suddenly increased or anything. So what was slowing down my site if it wasn’t additional traffic? After fiddling around with the server logs and looking at various metrics like CPU usage, etc., I finally came to the conclusion that my site was being hit by bot spam. Thousands upon thousands of bots were flooding my site, slowing things down and essentially killing it.
Now I had page caching turned on via a plugin, so the impact wasn’t as high as it would have been, but it was still pretty bad because the bots were targeting dynamic areas of my site that required processing power for each hit. This fell into three categories:
- Login page bots
- Spam comment bots
- XMLRPC bots
Here’s how I dealt with each of them to restore my site’s performance.
1. Dealing with Login Page Bots
Unfortunately, everyone knows the default login page for all WordPress installations. It’s just the site name with “wp-login.php” appended to it. So it’s incredibly easy for any bot to come and try various username/password combinations. These attempts are sent to the processor and database for authorization, and that takes away precious resources – especially on a shared server. Add in a few hundred attempts, and you can see why it’s a problem.
There are two different ways to approach this issue. The first is to simply hide your login page. This is my preferred solution, but it just removes an attack vector, similar to changing the SSH port on your server. There are some who frown upon such measures in principle, because they come under the “security through obscurity” umbrella, but hey – it gets the job done! By hiding your login page, you simply send a 404 response to whoever tries to access it directly. Problem solved!
The second solution is to have a CAPTCHA on the login page. Google’s reCAPTCHA is an excellent solution that works great!
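The “hide it behind a 404” approach above can be done without a plugin. The following must-use plugin is an added example written for this article, not the author’s code or any plugin’s: it returns a bare 404 from wp-login.php unless the visitor first opens wp-login.php?gate=&lt;secret&gt;, which sets a short-lived cookie. The constant name EXAMPLE_LOGIN_GATE_KEY, the cookie name and the gate query parameter are assumptions chosen for the example; the WordPress functions and hooks (login_init, wp_hash, status_header, nocache_headers) are real. Logged-in users and the password-protected-post form are exempted so normal site functions keep working.

```php
<?php
/**
 * Plugin Name: Login gate example (hypothetical mu-plugin, added for illustration)
 * Save as wp-content/mu-plugins/login-gate.php.
 *
 * Bots that hit wp-login.php directly get an empty 404 before any
 * username/password is checked, so they cost almost nothing to serve.
 */

// Assumption: define this in wp-config.php with a long random value.
if ( ! defined( 'EXAMPLE_LOGIN_GATE_KEY' ) ) {
    define( 'EXAMPLE_LOGIN_GATE_KEY', 'replace-me-with-a-long-random-string' );
}
define( 'EXAMPLE_LOGIN_GATE_COOKIE', 'example_login_gate' );

/** Cookie value derived from the key with the site's salts, so the key itself is never echoed back. */
function example_login_gate_token(): string {
    return wp_hash( 'login-gate|' . EXAMPLE_LOGIN_GATE_KEY );
}

/** Decide whether the current request to wp-login.php may proceed. */
function example_login_gate_allowed(): bool {
    if ( is_user_logged_in() ) {
        return true; // logout and similar flows for real users
    }
    if ( isset( $_REQUEST['action'] ) && 'postpass' === $_REQUEST['action'] ) {
        return true; // password-protected posts submit their form through wp-login.php
    }
    if ( isset( $_GET['gate'] ) && hash_equals( EXAMPLE_LOGIN_GATE_KEY, (string) $_GET['gate'] ) ) {
        setcookie(
            EXAMPLE_LOGIN_GATE_COOKIE,
            example_login_gate_token(),
            time() + 10 * MINUTE_IN_SECONDS,
            COOKIEPATH ? COOKIEPATH : '/',
            COOKIE_DOMAIN ? COOKIE_DOMAIN : '',
            is_ssl(),
            true // HttpOnly
        );
        return true;
    }
    return isset( $_COOKIE[ EXAMPLE_LOGIN_GATE_COOKIE ] )
        && hash_equals( example_login_gate_token(), (string) $_COOKIE[ EXAMPLE_LOGIN_GATE_COOKIE ] );
}

// login_init fires at the top of wp-login.php, before any authentication work is done.
add_action( 'login_init', function () {
    if ( example_login_gate_allowed() ) {
        return;
    }
    // One cheap log line per blocked hit, so the flood stays visible in the error log.
    error_log( 'login-gate: 404 for ' . ( $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    status_header( 404 );
    nocache_headers();
    exit; // deliberately no theme 404 template: keep the response as cheap as possible
} );
```

Two things to keep in mind before enabling it: password-reset links (wp-login.php?action=rp) are gated too, so open the gate URL first when following one; and if you lose the key, the only way back in is to delete the mu-plugin file over SFTP, which is the usual trade-off of obscurity-based measures.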
2. Dealing with Spam Comments
Spam comments are an issue for the same reasons as login bots. They trigger resource usage on your site by making the server work to identify them as spam, and then store the comment in the database for deletion later on. This can quickly overwhelm your site. Not to mention ruining the experience of your site’s visitors if a spam comment gets through.
I’ve tried many solutions to deal with spam, including “hidden fields” that bots will fill and humans won’t. But in the end, I simply think that Google’s reCAPTCHA solution is the best option here. It’s easy to implement, and keeps up with increasing bot sophistication, unlike other options that bots can eventually find ways to work around.
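To show what “easy to implement” looks like for the comment form specifically, here is an added example (not the author’s code, and not Google’s or any plugin’s) that wires the reCAPTCHA v2 checkbox into the WordPress comment form and verifies the token server-side against Google’s siteverify endpoint before the comment is ever inserted. The constant names EXAMPLE_RECAPTCHA_SITE_KEY and EXAMPLE_RECAPTCHA_SECRET are assumptions; the keys themselves come from the reCAPTCHA admin console. The hooks (comment_form_after_fields, preprocess_comment) and the siteverify API are real.

```php
<?php
/**
 * Plugin Name: Comment reCAPTCHA example (hypothetical mu-plugin, added for illustration)
 *
 * Rejects comment submissions whose reCAPTCHA token does not verify, before
 * WordPress runs its own spam checks or writes anything to the database.
 */

// Assumptions: both keys come from the reCAPTCHA admin console; put them in wp-config.php.
if ( ! defined( 'EXAMPLE_RECAPTCHA_SITE_KEY' ) ) {
    define( 'EXAMPLE_RECAPTCHA_SITE_KEY', 'replace-with-site-key' );
}
if ( ! defined( 'EXAMPLE_RECAPTCHA_SECRET' ) ) {
    define( 'EXAMPLE_RECAPTCHA_SECRET', 'replace-with-secret-key' );
}

// Load the widget script only on pages that actually show a comment form.
add_action( 'wp_enqueue_scripts', function () {
    if ( is_singular() && comments_open() ) {
        wp_enqueue_script( 'example-recaptcha', 'https://www.google.com/recaptcha/api.js', array(), null, true );
    }
} );

// Render the checkbox below the form fields, for anonymous and logged-in commenters alike.
$example_recaptcha_render = function () {
    printf( '<div class="g-recaptcha" data-sitekey="%s"></div>', esc_attr( EXAMPLE_RECAPTCHA_SITE_KEY ) );
};
add_action( 'comment_form_after_fields', $example_recaptcha_render );
add_action( 'comment_form_logged_in_after', $example_recaptcha_render );

/** Ask Google whether the submitted token is valid. Returns true only on an explicit success. */
function example_recaptcha_verify( string $token, string $ip ): bool {
    if ( '' === $token ) {
        return false;
    }
    $response = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => EXAMPLE_RECAPTCHA_SECRET,
            'response' => $token,
            'remoteip' => $ip,
        ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false; // fail closed: losing one comment is cheaper than accepting a flood
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $body ) && ! empty( $body['success'] );
}

// Priority 0 runs before Akismet (priority 1) and before wp_new_comment() inserts anything.
add_filter( 'preprocess_comment', function ( array $commentdata ) {
    // Pingbacks and trackbacks never carry a token; leave them to their own checks.
    if ( ! empty( $commentdata['comment_type'] ) && 'comment' !== $commentdata['comment_type'] ) {
        return $commentdata;
    }
    $token = isset( $_POST['g-recaptcha-response'] ) ? (string) wp_unslash( $_POST['g-recaptcha-response'] ) : '';
    if ( ! example_recaptcha_verify( $token, $_SERVER['REMOTE_ADDR'] ?? '' ) ) {
        wp_die( esc_html__( 'Please complete the CAPTCHA before posting your comment.' ), 403 );
    }
    return $commentdata;
}, 0 );
```

Because the check sits in preprocess_comment, a failed submission never reaches the spam classifier or the comments table, which is exactly the resource cost described above. One caveat: themes that post comments through the REST API instead of wp-comments-post.php would need to forward the g-recaptcha-response field as well, or those submissions will be rejected.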
3. Controlling XML-RPC Attempts
XML-RPC is like a backdoor into your site. Using it, bots can try hundreds of login attempts using a simple API that anyone can access. Automattic insists that it’s important for third-party integration, but I fear they’ve made it too open. The current situation of simply anyone being able to access your site at will is untenable. Fortunately, there are ways to disable XML-RPC safely while still keeping it open for some essential functions like Jetpack. I strongly suggest you restrict XML-RPC access either via .htaccess, or through a plugin/custom code, or firewall rules. Closing this loophole in your site is like shutting a window into your home through which anyone can look!
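The “custom code” route that keeps Jetpack working looks like the following. This is an added example written for this article, not the author’s code or Jetpack’s: it leaves xmlrpc.php reachable but removes system.multicall (which lets a single HTTP request carry hundreds of login attempts) and pingback.ping, stops advertising pingback support, and logs every method call so a flood shows up in the error log. The optional EXAMPLE_XMLRPC_ALLOW constant is an assumption for the example; the filters and action used (xmlrpc_methods, wp_headers, bloginfo_url, xmlrpc_call) are real WordPress hooks, and Jetpack’s own methods are the ones prefixed jetpack.

```php
<?php
/**
 * Plugin Name: XML-RPC restriction example (hypothetical mu-plugin, added for illustration)
 * Save as wp-content/mu-plugins/xmlrpc-restrict.php.
 */

add_filter( 'xmlrpc_methods', function ( array $methods ) {
    // system.multicall batches many calls (and many login attempts) into one request.
    unset( $methods['system.multicall'] );
    // pingback.ping needs no authentication and is a common spam/reflection vector.
    unset( $methods['pingback.ping'] );

    // Optional allowlist: set EXAMPLE_XMLRPC_ALLOW in wp-config.php to a comma-separated list
    // of method names to keep. Jetpack's own jetpack.* methods are always kept.
    if ( defined( 'EXAMPLE_XMLRPC_ALLOW' ) ) {
        $allowed = array_map( 'trim', explode( ',', EXAMPLE_XMLRPC_ALLOW ) );
        foreach ( array_keys( $methods ) as $name ) {
            if ( 0 !== strpos( $name, 'jetpack.' ) && ! in_array( $name, $allowed, true ) ) {
                unset( $methods[ $name ] );
            }
        }
    }
    return $methods;
} );

// Don't announce pingback support on every page response or in the site's RSD/meta output.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return 'pingback_url' === $show ? '' : $output;
}, 10, 2 );

// One log line per XML-RPC method call: cheap, and enough to spot a flood with grep.
add_action( 'xmlrpc_call', function ( $name ) {
    error_log( sprintf( 'xmlrpc: %s from %s', $name, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
} );
```

Run it with the allowlist undefined first and watch the error log for a few days; the logged method names tell you exactly which calls your integrations make, and only then is it safe to turn the allowlist on. A blanket deny of xmlrpc.php in .htaccess is simpler but also cuts off Jetpack, which is why the method-level approach is shown here.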
As an aside, if you use Cloudflare, you can set it to block bad bots under the Firewall settings as shown here:
It’s not particularly useful to me. Cloudflare doesn’t seem to do a great job of blocking the vast majority of unwanted bots, but you might as well enable it. There’s no cost to you!
Hopefully these tips will help you restore some balance to your site and keep bots in all their forms away!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!