2.3.16. Protection from bots


Bot protection does not apply to static files, CNC and addresses with GET parameters.
The language of the bot protection page is configurable by instructions.

Protection against bots allows you to restrict access to the site control panel or registration page for bots engaged in automatic registration and password guessing. This function is useful for sites that do not provide advanced protection against bots.

The mechanism of protection against bots allows you to increase the security of the site, protect the administrative part from automatic password guessing systems, and reduce the load created by bots during attacks on the site. For example, the recommended pages for which it is worth setting such protection: for Joomla! it is recommended to indicate /administrator/, for WordPress /wp-login.php and /xmlrpc.php etc. In the case of WordPress, it is highly recommended NOT to add bot protection for /wp-admin/.

Anti-bot protection settings are managed in the section "HostingMy sites → Bot protection":

  1. In the tab "Settings" click "Protect pages".
  2. Select the appropriate settings for your case, list the pages that need to be protected (page addresses must start with / and point to real files and directories), and press "Save":
    • "Application" — select a pattern that will be used to search for a part of the URL. Important! Protection against bots cannot be installed on the home page of the site.
      Available templates:
      • "URL starts with" — search pattern for the specified part of the URL, in which the search is performed by thebeginning URL.
      • "URL ends with" — search pattern for the specified part of the URL, in which the search is performed by ending URL.
      • "URL contains" — a search pattern for the specified part of the URL, which searches for any match, regardless of placement in the URL itself.
    • "List of pages" — Specify a list of URL parts. It should be specified depending on the selected template in the field "Application"... Each address must start on a new line, while domain pointout not necessary.
    • "Protection method" — select the method used to organize protection on the page. Available methods:
      • "Captcha" — before entering the page, a standard ReCaptcha is displayed, after passing through which the page is displayed.
      • "Check JavaScript" — a way of protection, which invisibly to the user performs the calculation of simple arithmetic problems in the browser using JavaScript. If JavaScript is disabled, an access error will be displayed and a request to enable JavaScript support.
      • "Calculating the amount " — a method of protection, in which a simple math problem is displayed and you need to indicate the correct result to go to the page.
    • "Disable for User-Agent" — list separated by commas User-Agentfor which protection will not work. The field can be left blank.
  3. Wait approximately 10 minutes for the changes to take effect.
  4. Test the protection by opening protected pages in a browser.

In the tab "Reports" a graph for the last month is displayed, where you can see how many successful visits to protected pages were and how many requests were blocked due to the fact that the protection was not passed.

Below the graph is a table with detailed information on each visit to the protected page:

  • "Date" — date and time of visit.
  • "IP" — the visitor's IP address.
  • "URL" — the address of the page to which the reference was made.
  • "Check passed" — a mark about whether the defense was successfully passed or not.