Organic Bot Traffic: Why It Exists & How To Defend A Site

By some estimates, nearly 50% of global internet traffic is actually driven by bots.

Most of these are the “good kind”, such as the Google bot that crawls and indexes web pages, or bots from SEO tools like Ahrefs.

These are mostly filtered out of analytics tools and have 0 negative impact on your site. 99.99% of the time, you won’t even notice such bots and don’t have to do anything about them.

That being said, some bot traffic, including organic traffic bots, are the “bad kind”.

Most of the times, organic bot traffic is completely harmless and only ruins your analytics. This type of harmless bot traffic is nearly always an ingenious method of blackhat marketing.

In other situations though, bot traffic can actually be malicious and can cause your site to be taken down, demonetized and even used to hack your account.

If you’re interested in buying bot traffic, this article has a few links in it’s dedicated section. It’s not something we condone, but bot traffic itself is not illegal, it’s how you use it that can be problematic.

That being said, you’re probably here because you’re suffering from a bot attack, so let’s see how harmful (or not) organic bot traffic is.

How bad is bot traffic?

Most bot traffic is harmless marketing

Bot traffic is usually a completely harmless annoyance called ghost spam. The biggest downside you’re likely to suffer from a bot attack is a scrambled Google Analytics that makes it harder to find the correct information you need.

Ghost spam bot traffic doesn’t even load up your website page or use hosting resources. Instead, it bypasses your site entirely by doing HTTP/HTTPS requests that trick Google Analytics into thinking an actual human user visited the site.

In most cases, bot traffic is usually a disguised ad from from marketers trying to sell marketing services to website owners or administrators, since they’re the ones that actually see the bot traffic in Google Analytics.

Basically, website owners see a huge spike in traffic coming from a certain link.

Some then visit the link out of curiosity, which leads them to a site selling SEO services, bot traffic, marketing strategies etc.

Most bot attack episodes last only a few hours and happen once every few months.

The most concerning issue is that a persistent long-term bot traffic problem can devastate the ad revenues of legitimate sites.

As an example, Adsense will often claw back ad revenue from a website by labeling it as coming from “Invalid Traffic”

This Invalid Traffic problem can make it hard for sites to join more premium ad networks that pay better than Adsense.

In the worst case scenario, site owners that can’t get a handle on an organic bot traffic problem will risk being banned from Adsense altogether. And since Adsense is used by every other premium ad network, they’ll have 0 options left to monetize a site through ads.

As an example, this user lost 47% of monthly revenue to invalid traffic.

Bot traffic can be used to hack site owners and admins

In most cases of bot attacks, you can see a report from Google Analytics that tells you where the bot traffic is coming from.

As mentioned previously, most of the times this link will take you to a landing page that advertises various products for website owners.

In more malicious cases though, this link can lead to a malware infested website the moment you look it up in a browser. A phishing attempt, basically.

Interacting with the site or opening any files it downloads can compromise your computer and vital accounts such as emails, logins and more.

It’s easy to see why hackers would use this method of phishing. The people with access to a Google Analytics account usually have access to other, more sensitive information such as databases, payment information or confidential information – which makes them prime targets.

If you really want to open the link, then do so in a controlled sandbox environment on sites such as:

Bot traffic can be a sign of a DDoS attack

DDoS means “distributed denial of service” and involves throwing vast amounts of traffic at a certain website to overwhelm it’s system and take it offline.

Most of the times it’s done out of “fun” or simple spite.

However, DDoS attacks are used in some small, competitive niches where a competitor wants to take down a website and knock it out of the top search results so they can move up and replace them.

If you suspect a DDoS attack, verify your hosting provider’s network stats to get a firmer grip on the situation.

If you’re not a technical person, then contact your organization’s system admin and inform them you have a bot traffic issue.

If you’re a solo blogger, then most quality hosting providers will have a 24/7 support department you can contact and can guide you through this problem.

How do I spot bot traffic?

Most forms of bot traffic are immediately visible in Google Analytics as an unusual traffic spike.

If you dig into analytics, you can find a report pointing out where the traffic comes from.

Other ways to identify bot traffic:

Is bounce rate way higher than average?
Is the organic bot traffic coming from a country you don’t see traffic from?
Are your search rankings and Google Search Console impressions normal?
If the traffic is all coming from a single IP.

Other uses of bot traffic

Ad fraud (+ demonetizing legitimate sites)

Some site owners try to squeeze more money from Adsense or other ad providers by feeding bot traffic to their websites to inflate their ad impressions and even clicks.

This is a big phenomenon too, since the online ad industry loses billions of dollars per year to ad fraud.

Google and other major players in the ad industry are fully aware of this phenomenon, so they are very aggressive in tackling it.

As a result, sites owners that feed organic traffic to their sites to increase ad revenue risk being blacklisted by Adsense and practically every other major ad network such AdThrive, Mediavine etc.

Fake a site’s analytics to increase resale value

Selling websites is a big business, and the more traffic a website has the bigger the price tag it can command.

Some site flippers want to maximize how much money they’re making by inflating their site’s analytics to increase it’s value when putting it up for sale on Flippa or Empire Flippers.

Marketers use fake traffic instead of providing real results

Many unscrupulous marketers (and even ad agencies), will use fake traffic as a way to give clients the impression they’re putting in the work and providing measurable results.

Of course, this usually hits a big snag when that extra traffic doesn’t seem to convert to extra sales, leads or revenue.

When clients point this out, these fraudsters will try to spin tales of “pages unoptimized for conversions” , “pricing issues”. Basically, they’re gaslighting their clients.

Eventually, the clients will figure out the “marketers” sold them snake oil, but by that time they’ll have paid them months or even years for practically no results.

Manipulate product listings algorithms on eCommerce websites

Many eCommerce marketplaces (such as Amazon or eBay) have algorithms in place that can suggest interesting products to users, in the hopes it might increase conversion rate and sales.

Some of these algorithms are pretty simple, and can be manipulated by sellers on these marketplaces by sending fake traffic to their product pages to make them seem popular with site visitors.

If the fake traffic works, the seller’s products get promoted by the algorithm and benefit from increased visibility to human visitors, which often translates to increased sales.

Using bot traffic for Google bombing & SEO manipulation

Google bombing is a practice where users can manipulate the search algorithm push a page into the top results for a particular keyword.

One of the most famous examples of Google bombings occurred in 2007 when users who typed “miserable failure” would see a result of former US President George W. Bush.

Google bombing is usually done with bots that repeatedly click on a target web page in search results, which sends a signal to search engines that the page is highly relevant for the keyword and so it should be moved up the rankings.

Another way to do it is by sending massive amounts of bot traffic to a decoy page, which links to the target page with a desired keyword used as anchor text.

The bot traffic will then click the anchor text link on the decoy page, tricking Google into thinking the target page is relevant for the keyword used in the anchor text.

As a result, Google will then rank the target page for the desired keyword used in the anchor text, even if the page is not relevant for that particular keyword.

How to block organic bot traffic

Filter and block bot traffic in Google Analytics

If the bot attack is only impacting your analytics, then Google has a built in feature which can exclude known bots and spiders from polluting your GA reports.

To activate it, go to Google Analytics -> Settings -> View Settings and activate the “Exclude all hits from known bots and spiders” option.

This feature will block out most (but not all) bot traffic polluting your GA account.

The 2nd option you have is to setup Google Analytics filters to block referral spam traffic coming from a particular domain (such as bot-traffic.xyz).

This is pretty easy to do, but unfortunately you’ll have to do it every time you’re noticing incoming bot traffic.

To setup filters go to Google Analytics -> Settings ->View Settings -> Filters.

From there, click the red “Add Filter” button.

Now adjust the settings so they look just like the image below:

You can change the name of the filter to anything you want, but the Filter pattern “example/.com” should be kept with the “/” as a regular expression to ensure it blocks all traffic from that target domain.

Unfortunately, you cannot manually delete bot traffic already recorded in Google Analytics. However, sometimes Google Analytics will be smart enough to identify artificial bot traffic and will remove it on it’s own. It won’t happen often, but it’s possible.

WordPress plugins

If your site is on WordPress, then you’ll have numerous anti-bot plugins available to choose from.

Use a CAPTCHA

If the bot traffic is heavily targeting a page with a contact form or similar, then you might consider implementing a CAPTCHA system to prevent bot entries.

It’s not a very user friendly method, but in some cases it can help in cutting out a lot of the spam.

Explore your hosting provider’s antibot solutions or find others

There are quite a few platforms available for site owners that can help protect them from bots.

These antibot services are usually part of CDN’s such as Cloudflare, or even come included as part of your hosting plan.

A free server-level antibot solution is 7G Firewall. This one is endorsed by SiteGround, one of the leading hosting providers.

Many other hosting providers such as Bluehost or HostGator come included with some form of bot protection as part of their package. As such, explore your hosting provider’s settings and see what they have to offer as anti-bot protection.

Where to find organic traffic bots

Organic traffic bots aren’t illegal, but they are considered “blackhat”, and as such are not endorsed as legitimate business tools.

As such, it’s hard to find legitimate reviews and opinions on which bots are good and which aren’t, both feature and price wise.

If you do intent to use bots, it’s our recommendation that you explore the following message boards to find an organic traffic bot that’s right for you:

blackhatworld.com: this is the biggest online forum for discussing blackhat marketing strategies, and has a huge section that covers organic traffic bots complete with reviews.
Reddit.com has numerous communities about blogging such as r/seo or r/blogging, and there is often a lot of relevant discussions around bots.

Author
Recent Posts

Paul Bonea