How Spam And Bots Can Kill Your Site

By Bhagwad Park on October 26, 2020 0

When I first started hosting on a relatively low-cost server, there came a point when my site suddenly slowed down. It became pretty bad. When I contacted my host, they suggested I upgrade to the next highest tier because I’d outgrown my existing plan. But I wasn’t convinced, because my traffic hadn’t suddenly increased. So what was slowing down my site if it wasn’t additional traffic? After digging through the server logs and looking at metrics like CPU usage, I finally came to the conclusion that my site was being hit by bot spam. Thousands upon thousands of bots were flooding my site, slowing things down and essentially killing it.

Now I had page caching turned on via a plugin, so the impact wasn’t as high as it would have been, but it was still pretty bad because the bots were targeting dynamic areas of my site that required processing power for each hit. This fell into three categories:

  1. Login page bots
  2. Spam comment bots
  3. XMLRPC bots

Here’s how I dealt with each of them to restore my site’s performance.

1. Dealing with Login Page Bots

Unfortunately, everyone knows the default login page for every WordPress installation: it’s just the site address with “wp-login.php” appended. So it’s incredibly easy for any bot to come along and try various username/password combinations. Each attempt has to be processed and checked against the database, and that eats precious resources, especially on a shared server. Add in a few hundred attempts, and you can see why it’s a problem.

There are two different ways to approach this issue. The first is to simply hide your login page. This is my preferred solution, though it only removes an attack vector, much like changing the SSH port on your server. Some frown upon such measures in principle, because they fall under the “security through obscurity” umbrella, but hey, it gets the job done! By hiding your login page, you simply send a 404 response to whoever tries to access it directly. Problem solved!
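One way to implement the 404 trick described above, as an added example rather than code from the post: a must-use plugin dropped into wp-content/mu-plugins. The constants HL_SECRET_KEY and HL_COOKIE_NAME and the hl_key query parameter are names chosen here; the cookie exists so that the login form’s POST and the lost-password link, which do not carry the key, still get through once you have presented it.

```php
<?php
/**
 * Plugin Name: Hide wp-login.php (added example)
 * Description: Hypothetical mu-plugin: wp-login.php answers 404 unless a secret key or cookie is present.
 */

// Assumption: you choose both values. Visit wp-login.php?hl_key=<secret> once to receive the cookie.
const HL_SECRET_KEY  = 'change-me-to-a-long-random-string';
const HL_COOKIE_NAME = 'hl_access';

// The cookie value is derived from the secret, so it cannot be guessed from the cookie name alone.
function hl_cookie_value(): string {
    return hash_hmac( 'sha256', 'hl-login-access', HL_SECRET_KEY );
}

function hl_has_access(): bool {
    if ( is_user_logged_in() ) {            // already authenticated, e.g. logging out
        return true;
    }
    // Password-reset links from e-mail and post-password forms carry their own tokens.
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    if ( in_array( $action, array( 'rp', 'resetpass', 'postpass' ), true ) ) {
        return true;
    }
    $cookie = isset( $_COOKIE[ HL_COOKIE_NAME ] ) ? (string) $_COOKIE[ HL_COOKIE_NAME ] : '';
    if ( hash_equals( hl_cookie_value(), $cookie ) ) {
        return true;
    }
    $key = isset( $_GET['hl_key'] ) ? (string) $_GET['hl_key'] : '';
    if ( hash_equals( HL_SECRET_KEY, $key ) ) {
        // First visit with the key: set a one-hour cookie so the login form POST also passes.
        setcookie( HL_COOKIE_NAME, hl_cookie_value(), time() + HOUR_IN_SECONDS, '/', '', is_ssl(), true );
        return true;
    }
    return false;
}

// Everyone else gets a 404, exactly as if wp-login.php did not exist.
function hl_block_login(): void {
    if ( hl_has_access() ) {
        return;
    }
    // A bare 404 is cheaper than rendering the theme's 404 template, which is the whole point.
    status_header( 404 );
    nocache_headers();
    exit;
}
add_action( 'login_init', 'hl_block_login' );
```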

The second solution is to have a CAPTCHA on the login page. Google’s reCAPTCHA is an excellent solution that works great!

2. Dealing with Spam Comments

Spam comments are an issue for the same reasons as login bots. They trigger resource usage on your site by making the server work to identify them as spam, and then store the comment in the database for deletion later on. This can quickly overwhelm your site, not to mention ruining the experience of your visitors if a spam comment gets through.

I’ve tried many solutions to deal with spam, including “hidden fields” that bots fill in and humans don’t. But in the end, I think Google’s reCAPTCHA is the best option here. It’s easy to implement, and it keeps up with increasing bot sophistication, unlike other options that bots eventually find ways to work around.

3. Controlling XML-RPC Attempts

XML-RPC is like a backdoor into your site. Using it, bots can try hundreds of login attempts through a simple API that anyone can access. Automattic insists that it’s important for third-party integration, but I fear they’ve made it too open. The current situation, where simply anyone can access your site at will, is untenable. Fortunately, there are ways to disable XML-RPC safely while still keeping it open for some essential functions like Jetpack. I strongly suggest you restrict XML-RPC access, whether via .htaccess, through a plugin or custom code, or with firewall rules. Closing this loophole in your site is like shutting a window into your home through which anyone can look!
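One way to do the “disable it but keep Jetpack working” restriction described above, as an added example and not code from the post or from Jetpack: a must-use plugin for wp-content/mu-plugins that uses the core xmlrpc_methods filter. It assumes Jetpack only needs its own jetpack.* methods, so verify the Jetpack features you rely on after enabling it; the RX_ names are chosen here.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (added example)
 * Description: Hypothetical mu-plugin: keeps only Jetpack's XML-RPC methods and drops the rest.
 */

// Assumption: Jetpack needs only its own "jetpack.*" methods. Add a prefix here if
// another integration you rely on (a mobile app, a publishing tool) stops working.
const RX_ALLOWED_PREFIXES = array( 'jetpack.' );

// Never expose these even if the allowlist is widened: wp.getUsersBlogs authenticates with
// nothing but a username and password, and system.multicall bundles hundreds of calls into
// one request, which is how a single POST turns into hundreds of login attempts.
const RX_ALWAYS_REMOVED = array( 'system.multicall', 'wp.getUsersBlogs' );

function rx_filter_methods( array $methods ): array {
    $kept = array();
    foreach ( $methods as $name => $callback ) {
        foreach ( RX_ALLOWED_PREFIXES as $prefix ) {
            if ( 0 === strncmp( $name, $prefix, strlen( $prefix ) ) ) {
                $kept[ $name ] = $callback;
                break;
            }
        }
    }
    foreach ( RX_ALWAYS_REMOVED as $name ) {
        unset( $kept[ $name ] );
    }
    return $kept;
}
// Run last so methods registered by other plugins (Jetpack included) are also seen.
add_filter( 'xmlrpc_methods', 'rx_filter_methods', PHP_INT_MAX );

// Stop advertising the endpoint: drop the RSD <link> in <head> and the X-Pingback header.
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Unknown methods are answered by WordPress with a standard XML-RPC fault, so a bot still gets a response, but without any database lookup of credentials.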

As an aside, if you use Cloudflare, you can set it to block bad bots under the Firewall settings as shown here:

Cloudflare Bot Fight Mode

It’s not particularly useful to me. Cloudflare doesn’t seem to do a great job of blocking the vast majority of unwanted bots, but you might as well enable it, since it costs you nothing!

Hopefully these tips will help you restore some balance to your site and keep bots in all their forms away!

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
