Are Malicious Bots Visiting Your Website?

Bots are alive, well, and busy on the Internet, making up nearly half of Internet traffic. Bad bots are used by cyber-criminals and cyber attackers to automate harmful exploits and attacks, such as denial of service attacks, crypto-coin mining, data mining, information exfilitration, account hijacking, vulnerability scanning, spamming, and other illegal or illicit activities.

Not all bots are bad.  Some of these site visitors are helpful, such as the automated bots from Google and other search engines.  These bots are relatively benign, and provide us with the data that makes Internet search such a powerful research tool.  Other bots are used by marketing and advertising companies to provide price comparison services, serve up personalized ads and to track trends on social networks.  Chat bots provide help, information, and assistance.

There are several methods you can use to monitor your website for bot activity.  Many of these methods are available as part of a website security tool such as WordFence Security.  Here are the details you need to look for:

  • Check your server logs.  Look for connection attempts from geographical locations that do not make sense for your website.  Repetitive connections from foreign IPs and locations can be an indication of malicious bot activity.  Repetitive connections from Mountain View CA is Google doing their thing.
  • Multiple failed login attempts.  Your website may be under attack from someone using automated password guessing software.  Often your website security product will let you know where these attempts are coming from, and provide solutions such as IP black listing, and login rate throttling.  Blacklisting rejects future attempts from anyone at that IP address.  Throttling restricts the number of failed attempts to a low number such as six, and then blocks further attempts for a period of time such as 20 minutes or an hour.  These features are adjustable, so if you want to increase your protection, you just need to change the settings.
  • Successful login attempts.  Look at your access log.  If there are successful attempts to log in to your website that originate from a geographic location that is not your own, this is evidence that your site has been successfully breached.  If this happens, changing your password, and deleting any unknown user accounts is a first step.  Running a full security scan of your site to find any malicious code additions is next.  You made need to restore your website completely from a recent site backup.  Regular backups should be a part of your website security program.
  • Problems with website speed or website crashing.   If your website is operating more slowly than usual or crashing, this can be the results of bots attempting to connect so frequently that it behaves like a denial-of-service attack.  Of perhaps it is a denial-of-service attack.  If your security service provides a web application firewall, this can prevent or reduce the number of unwanted connections.
  • Copied content.  If your website content is showing up elsewhere, your site may have been spoofed or cloned in order to trick regular visitors into using the fake site.  This is usually part of a sophisticated phishing exploit.  You can use the site Copyscape to check for duplicated content on other web sites.  If your site has been cloned, you may want to warn your regular customers and site visitors about the exploit, and warn them to check the actual URL in their browser address box to verify they are using the real website..
  • Check your website email.  If your website has the capability of sending emails automatically, this email facility may be hijacked in order to send phishing emails or spam that look like they originated from you or your company.   You can tell this has happened if your outbox has messages in it you did not send, or if your inbox is filling up with undeliverable or returned messages, or replies to emails you haven’t sent.  This may also mean that any customer database that is part of your website has been compromised.  With your mailing list and email server, a cyber-criminal can impersonate you, sending malware riddled emails that will look legitimate to the recipient.  Again, you need to regain control of your website, and notify your customers of the potential dangers.

Hopefully this article has helped you to understand the dangers that site owners and managers face, and gave you some ideas to protect your website for attack or takeover.  If you are using WordPress for your site design, there are many excellent security plugins that you can work with to harden your website.

More information:

Today is Pi Day, where we celebrate the irrational number that helps us find the circumference and area of a circle, and the volume of a sphere.

Today is also Albert Einstein’s birthday.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.