Are Malicious Bots Visiting Your Website?

Bots are alive, well, and busy on the Internet, making up nearly half of Internet traffic. Bad bots are used by cyber-criminals and cyber attackers to automate harmful exploits and attacks, such as denial of service attacks, crypto-coin mining, data mining, information exfiltration, account hijacking, vulnerability scanning, spamming, and other illegal or illicit activities.

Not all bots are bad.  Some of these site visitors are helpful, such as the automated bots from Google and other search engines.  These bots are relatively benign, and provide us with the data that makes Internet search such a powerful research tool.  Other bots are used by marketing and advertising companies to provide price comparison services, serve up personalized ads and to track trends on social networks.  Chat bots provide help, information, and assistance.

There are several methods you can use to monitor your website for bot activity.  Many of these methods are available as part of a website security tool such as WordFence Security.  Here are the details you need to look for:

  • Check your server logs.  Look for connection attempts from geographical locations that do not make sense for your website.  Repetitive connections from foreign IPs and locations can be an indication of malicious bot activity.  Repetitive connections from Mountain View, CA are Google doing their thing.
  • Multiple failed login attempts.  Your website may be under attack from someone using automated password guessing software.  Often your website security product will let you know where these attempts are coming from, and provide solutions such as IP blacklisting and login rate throttling.  Blacklisting rejects future attempts from anyone at that IP address.  Throttling restricts the number of failed attempts to a low number such as six, and then blocks further attempts for a period of time such as 20 minutes or an hour.  These features are adjustable, so if you want to increase your protection, you just need to change the settings.
  • Successful login attempts.  Look at your access log.  If there are successful attempts to log in to your website that originate from a geographic location that is not your own, this is evidence that your site has been successfully breached.  If this happens, changing your password and deleting any unknown user accounts is a first step.  Running a full security scan of your site to find any malicious code additions is next.  You may need to restore your website completely from a recent site backup.  Regular backups should be a part of your website security program.
  • Problems with website speed or website crashing.  If your website is operating more slowly than usual or crashing, this can be the result of bots attempting to connect so frequently that it behaves like a denial-of-service attack.  Or perhaps it is a denial-of-service attack.  If your security service provides a web application firewall, this can prevent or reduce the number of unwanted connections.
  • Copied content.  If your website content is showing up elsewhere, your site may have been spoofed or cloned in order to trick regular visitors into using the fake site.  This is usually part of a sophisticated phishing exploit.  You can use the site Copyscape to check for duplicated content on other web sites.  If your site has been cloned, you may want to warn your regular customers and site visitors about the exploit, and warn them to check the actual URL in their browser address box to verify they are using the real website.
  • Check your website email.  If your website has the capability of sending emails automatically, this email facility may be hijacked in order to send phishing emails or spam that look like they originated from you or your company.  You can tell this has happened if your outbox has messages in it you did not send, or if your inbox is filling up with undeliverable or returned messages, or replies to emails you haven’t sent.  This may also mean that any customer database that is part of your website has been compromised.  With your mailing list and email server, a cyber-criminal can impersonate you, sending malware-riddled emails that will look legitimate to the recipient.  Again, you need to regain control of your website, and notify your customers of the potential dangers.
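
The login checks from the list above can be run by hand against an access log. This is an added example, not code from the article or from WordFence; it assumes the Apache/Nginx combined log format and a default WordPress login at `/wp-login.php` (302 redirect on success, 200 on failure), and uses a hypothetical `KNOWN_ADMIN_IPS` allowlist in place of a geographic lookup. The sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
LOGIN_PATH = "/wp-login.php"        # assumption: default WordPress login URL
MAX_FAILURES = 6                    # thresholds from the article's example
WINDOW = timedelta(minutes=20)
KNOWN_ADMIN_IPS = {"198.51.100.7"}  # assumption: addresses you log in from

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)

def review_logins(lines):
    """Return (ips_to_throttle, unexpected_successful_logins)."""
    failures = defaultdict(list)
    throttle, successes = set(), []
    for line in lines:
        rec = parse(line)
        if not rec or rec[2] != "POST" or rec[3] != LOGIN_PATH:
            continue                           # only login submissions matter
        ip, when, _, _, status = rec
        if status == 302:                      # redirect after a good login
            if ip not in KNOWN_ADMIN_IPS:
                successes.append((ip, when))
        elif status == 200:                    # login form shown again: failure
            # keep only failures inside the sliding window, then add this one
            failures[ip] = [t for t in failures[ip] if when - t <= WINDOW] + [when]
            if len(failures[ip]) >= MAX_FAILURES:
                throttle.add(ip)
    return throttle, successes

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE = [
    f'203.0.113.50 - - [14/Mar/2019:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "python-requests"'
    for s in range(0, 35, 5)
] + [
    '203.0.113.50 - - [14/Mar/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests"',
    '198.51.100.7 - - [14/Mar/2019:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Mar/2019:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(review_logins(SAMPLE))
```

A successful login that follows a burst of failures from the same address, as in the sample, is the pattern to treat as a likely breach rather than a forgotten password.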

Hopefully this article has helped you to understand the dangers that site owners and managers face, and has given you some ideas to protect your website from attack or takeover.  If you are using WordPress for your site design, there are many excellent security plugins that you can work with to harden your website.


Today is Pi Day, where we celebrate the irrational number that helps us find the circumference and area of a circle, and the volume of a sphere.

Today is also Albert Einstein’s birthday.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
