2.3.16. Protection from bots

Important points:

  • The protection does not apply to static files, CNC and addresses with GET parameters.
  • Protection cannot be installed on the main page of the site.

Bot protection allows you to increase site security, protect the registration page from automatic registrations, protect the site admin panel from automatic password guessing systems, and reduce the load created by bots during attacks on the site. Examples of pages for which it is worth setting such protection: for Joomla! — /administrator/, for WordPress - /wp-login.php and /xmlrpc.php, etc. In the case of WordPress, strongly Not recommended enable bot protection for /wp-admin/.

Anti-bot protection settings are managed in the section "HostingMy sites → Bot protection":

The language of the Bot Protection page can be changed in site settings.
  1. Click "Protect pages" in the tab "Settings".
  2. Select the appropriate settings for your case, list the pages that need to be protected (page addresses must start with / and point to real files and directories), and press "Save":
    • "Application" — select the part of the URL in which the specified pages will be searched:
      • "URL starts with" — at the beginning of the URL.
      • "URL ends with" — at the end of the URL.
      • "URL contains" — in any part of the URL.
    • "List of pages" — Specify the pages that will be searched for in the selected part of the URL. Every page a new line, specify the domain not necessary.
    • "Protection method" — select the protection method that will be triggered when the page is opened by a site visitor:
      • "Captcha" — the visitor is shown a standard ReCaptcha, the page opens after passing it.
      • "Check JavaScript" — imperceptibly for the visitor in his browser, a simple arithmetic problem is calculated using JavaScript, the page opens in case of successful calculation. If JavaScript is disabled, the visitor will see an access error and a request to enable JavaScript.
      • "Calculating the amount " — a simple mathematical problem is displayed to the visitor, the page opens after solving it.
    • "Disable for User-Agent" — list the User—Agent, separated by commas, for which will not act protection. The field can be left blank.
  3. Wait approximately 10 minutes for the changes to take effect.
  4. Test the protection by opening protected pages in a browser.

In the tab "Reports" a graph for the last month is displayed, where you can see how many successful visits to protected pages were and how many requests were blocked due to the fact that the protection was not passed.

Below the graph is a table with detailed information on each visit to the protected page:

  • "Date" — date and time of visit.
  • "IP" — the visitor's IP address.
  • "URL" — the address of the page to which the reference was made.
  • "Check passed" — a mark about whether the defense was successfully passed or not.