Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
In Security Last updated: February 23, 2020
Share on:
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

Don’t let bad bots take over your site and influence business decisions.

Website visitors aren’t always people made from flesh and meat: Sometimes they’re bots. Bots mostly scour websites to collect statistics for search engines like Google and Yahoo, but there are also bots that harvest information, create fake accounts, spread viruses or spam comment sections on autopilot – and these are the ones that can do the most damage.

A sudden take over by site bots can be overwhelming, and it’s a potential nightmare for a site administrator who prefers to run a clean ship. Here’s how to spot which kind of bots are doing what – and a few practical ways to banish bots from your website.

Search Engine Bots versus Spam Bots

Some bots are good, search engine bots visit your website to catalog new information to search engines, and you usually want these types of bots to go over your website. It’s what helps search engines to index your site amongst its results.

What’s essential for a site administrator is to identify search engine bots versus real traffic to gather an accurate picture of how many visitors and views are humans. If you have Google Analytics, look under the advanced settings, and you can split up search engine bots and human traffic to see how search engines and people view your site.

Other than your standard search engine bot, you can also run into a variety of different spam and harvesting bots. These are the more dangerous ones you should try to get rid of when they appear. Sometimes they spread viruses; other times, they spam or fill up a site with false accounts.

Spotting the Spam Bot 

If you have spam bots active on your site, there will likely be…

  • An increase in new accounts, usually ones that either make a few spam posts or none at all.
  • An increase in comments that have nothing to do with the comments, sometimes with or without links.
  • Users complaining about spam in their PM inbox or e-mail inbox.
  • An increase in the amount of spam that hits the e-mail inbox connected to your website.
  • Sometimes an irrationally high increase in site visitors without an increase in activity can indicate bots that are harvesting info.

The presence of bad bots can be a nightmare, especially when their job is to spam your site with links to viruses or illegal images. As soon as you’ve spotted the signs of a bot doing something other than indexing for search engines, try some of the below steps.

Sign Up Authentication

If your website involves the usage of user accounts, sign up authentication can cut down on the number of bot accounts that can register.

Sign up authentication uses a phone number or e-mail address attached to the account for a “verification code” before the user is allowed to sign up. This is easy for most people, although too much effort for the malicious site bot.

It also lets a site admin know that new accounts have a legitimate e-mail address or phone number attached to it: Most fake “spam” accounts don’t.

Banhammer Utilization

Use the account banning and removal functions of your site to weed through any new and old user accounts that might be bots.

Other than stopping new bots from signing up to your website, you also have to make sure you get rid of any old bots or inactive accounts that shouldn’t be there. You’d be surprised how fast spambots can clog up a site or social media account – and until you browse through a list of users, you might not even know they were there.

Captcha Incorporation

The Captcha system was designed to stop spam bots with minor complicated tasks that confuse the average bot into submission.

If you notice too many spam comments getting through your comment filter, it might be time to incorporate Captcha into your website’s comment section additionally. You’ll cut down on spambots and comments almost instantly, guaranteed.

For WordPress sites, you may consider using an Anti-spam solution such as CleanTalk.

Comment Moderation

Check your site comments section on a regular basis. Here, you can remove spam comments that made it through the automatic moderation filers – and usually ban these users.

Set up manual comment moderation if you have serious trouble with bots commenting and spamming. This way, every comment posted on the site means you receive an e-mail and have to approve these comments manually. It can take some time to moderate your comments manually, but it’s sometimes the only way to ensure that your comments section is entirely free of bots and spam.

Tagging Alteration  

An abundance of spam in your own site inbox can mean that bots have latched on to a tag that allows for it.  The problem usually lies in the site’s About page or lurks somewhere in the site’s Contact form.

Choose a contact form that hides the e-mail address that e-mails go to. If you don’t, all a bot has to do in order to find the right e-mail address is to scan the source code where the e-mail address in plain text rather than an external script that’s harder to get to.

If your about page lists your e-mail address in a format easily identifiable by a spam bot (“”), change it to something else (“address[at]domain[dot]com”) or for extra security, switch to a safer embedded contact form like described above.

Inactive and Bot User Elimination

Just the same way as comments should be manually and regularly screened by a site administrator, the list of e-mail subscribers and inactive users should be checked, and anything that shouldn’t be there needs to be removed.  Bot users that managed to sneak through the sign-up authentication chain are easy to identify and remove, although inactive user accounts with only a few posts should be deleted too.

Inactive user accounts are either bots, or they are at risk of being taken over by bots: Bots don’t always create new accounts, but can also sometimes hijack old and inactive ones for the same use. 


I hope by implementing above, you stop the bad bots on your site. If you are using CMS like WordPress, Joomla, Drupal, etc. then you may also consider using cloud-based security protection such as SUCURI not just to stop spam but many other online threats.

  • Geekflare Editorial
    The Editorial team at Geekflare is a group of experienced writers and editors dedicated to providing high-quality content to our readers. We are committed to delivering actionable content that helps individual and business grows.
Thanks to our Sponsors
More great readings on Security
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.
    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder