2.4.1.16. Bot Protection
Important points:
- Protection does not apply to static files, human-readable (SEF) URLs and addresses with GET parameters.
- Protection cannot be set up for the main page of the site.
- If the check is not passed, the visitor receives a 429 response.
- The language of the Bot Protection page can be changed in site settings.
Bot protection allows you to increase site security, protect the registration page from automated registrations, protect the site admin panel from automated password guessing, and reduce the load created by bots during attacks on the site. Examples of pages worth protecting this way: for Joomla!, /administrator/; for WordPress, /wp-login.php and /xmlrpc.php; and so on. For WordPress, enabling bot protection for /wp-admin/ is strongly not recommended.
Anti-bot protection settings are managed in the section «Hosting → My sites → Bot protection»:
Setting up protection
- In the «Settings» tab, click «Protect pages».
- Fill out the form and click «Save»:
  - «Application» — the part of the URL in which the specified pages are searched for:
    - «URL starts with» — at the beginning of the URL.
    - «URL ends with» — at the end of the URL.
    - «URL contains» — in any part of the URL.
  - «List of pages» — the pages that are searched for in the selected part of the URL:
    - One page per line.
    - Specifying the domain is not necessary.
    - Page URLs must start with / and point to real files and directories.
  - «Protection method» — the check that is triggered when a site visitor opens the page:
    - «Calculating the amount» — a simple math problem is shown to the visitor; the page opens once it is solved correctly.
    - «Captcha» — the visitor is shown a standard reCAPTCHA; the page opens after passing it.
    - «Check JavaScript» — a simple arithmetic problem is computed with JavaScript in the visitor's browser, unnoticed by the visitor; the page opens if the calculation succeeds. Note: if JavaScript is disabled, the visitor will see an access error and a request to enable JavaScript.
  - «Disable for User-Agent» — a comma-separated list of User-Agent values to which protection will not apply. The field can be left blank.
- Wait approximately 10 minutes for the changes to take effect.
- Test the protection by opening protected pages in a browser.
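The following is an added example, not the hosting provider's code: a small model of the rules above that predicts which requests will be challenged, so that coverage can be checked before the settings are saved. The static-extension list, substring matching of User-Agent entries, matching against the URL path, and all names and sample values are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the page does not list which extensions count as static files.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff2")

MATCHERS = {  # the three «Application» modes
    "starts_with": lambda path, page: path.startswith(page),
    "ends_with": lambda path, page: path.endswith(page),
    "contains": lambda path, page: page in path,
}

def is_challenged(url, user_agent, rule):
    """Return (challenged, reason) for one request against one rule."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        return False, "address has GET parameters"
    if path == "/":
        return False, "main page cannot be protected"
    if path.lower().endswith(STATIC_EXT):
        return False, "static file"
    # «Disable for User-Agent» is comma-separated and may be blank.
    # Assumption: an entry matches as a case-insensitive substring.
    for entry in rule["disable_for_user_agent"].split(","):
        if entry.strip() and entry.strip().lower() in user_agent.lower():
            return False, "User-Agent is exempt"
    for page in rule["pages"]:
        if MATCHERS[rule["application"]](path, page):
            return True, "matches " + page
    return False, "no listed page matches"

# Constructed sample rule and requests (not taken from the page).
RULE = {
    "application": "starts_with",
    "pages": ["/wp-login.php", "/xmlrpc.php", "/administrator/"],
    "disable_for_user_agent": "UptimeMonitor, InternalHealthCheck",
}
SAMPLE_REQUESTS = [
    ("https://example.com/wp-login.php", "Mozilla/5.0"),
    ("https://example.com/wp-login.php?action=register", "Mozilla/5.0"),
    ("https://example.com/administrator/templates/style.css", "Mozilla/5.0"),
    ("https://example.com/xmlrpc.php", "UptimeMonitor/1.0"),
    ("https://example.com/", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for url, ua in SAMPLE_REQUESTS:
        print(url, ua, is_challenged(url, ua, RULE))
```

Any address the model reports as unchallenged needs a separate control, for example rate limiting in the application itself.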
Statistics
The «Reports» tab shows a graph for the last month with the number of successful visits to protected pages and the number of requests blocked because the check was not passed.
Below the graph is a table with detailed information on each visit to the protected page:
- «Date» — date and time of visit.
- «IP» — the visitor's IP address.
- «URL» — the address of the page to which the request was made, and the User-Agent of the visitor.
- «Check passed» — a mark indicating whether the check was passed.