How to Block Spam Bots from Your Analytics and Website

Anyone with a website and a comments section knows the feeling of excitement followed by dread when seeing spam comments. If you have set up your Google Analytics or other analytics tool to include page comments tracking, you will be able to track the number and rate at which users comment on your website. If you see your comment numbers skyrocket, you get excited. You may think, “Did a page go viral?” However, upon further inspection, either of the referral URLs in your Google Analytics traffic report or of the website itself, you may realize that those comments are actually just spam for a new wonder drug that sheds 20 pounds in two weeks.

These spam bots not only affect your website analytics like conversion rate and bounce rate, but because of their high volume, they slow down the load time of your website and therefore increase bounce rates for your real, legitimate traffic. In addition, they sometimes have more sinister motives: they visit your website looking for vulnerabilities to hack. Once they find a vulnerability like an unprotected SQL query, the spam bot will launch an injection attack to enter your website’s databases and steal customers’ personal information.

How Do You Completely Identify Traffic From Spam Bots?

If you take a look at your Google Analytics traffic report’s referral URLs, you will see the Source / Medium of your visitors. As you can see below in the red boxes, spam bots’ Bounce Rate is usually around 100%, Pages / Session averages around 1, and the average session duration is extremely low. These characteristics are very typical of spam bots because they do not stay on your website long enough to be a human interested in it. Instead, they are scanning for vulnerabilities, overwhelming your website with high traffic (as seen with / referral and /referral), or leaving spam behind (like those wonder drug spam comments).

After Knowing Who the Spam Bots Are, How to Filter and Block Them in Reporting

To block spam bots from your reporting, you need to use Google Analytics. First, log into Google Analytics and go to your Admin page on your menu bar. Then click on +Add Filter to create a custom filter like the one below. As you can see for this example, we created a filter called “Spam bots.”

[Screenshot: Google Analytics, with instructions on how to filter traffic]
When creating a filter, remember to add *. before the domain name.

Once you have saved and applied the filter, all future traffic from will be removed from your reports.

How to Stop Malicious Spam Bots From Entering Your Website

You have two options to stop these spam bots from ever entering your site in the future.

1. You Can Manually Blacklist the Spam Bots’ Domains

You would do this by editing the server configuration rules in your .htaccess, web.config or nginx.conf files to block the spam bots’ domains. You can find the Ultimate Referral Blacklist here. The disadvantages of this method are that it is difficult to configure your server rules if you do not have any personal experience with them, and that the process itself is extremely tedious, as you need to add the 8,000 domains to the list.
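The manual approach above, sketched for nginx as an added example (not code from the original article or from any blacklist project): the script turns a domain list into a `map` block and rejects any line that is not a plain hostname, so a downloaded list cannot inject configuration. The sample domains are constructed placeholders, and the names `normalize`, `nginx_referer_map` and `$bad_referer` are assumptions of this example.

```python
import re

# Constructed sample input: placeholder domains, not taken from any real blacklist.
SAMPLE_BLACKLIST = """
# one entry per line; comments and blank lines are ignored
spam-referrer.example
http://WWW.Bad-Seo.example/landing?x=1
bad-seo.example
not a domain!!
"""

# Hostname syntax: dot-separated labels made of letters, digits and hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile("^" + _LABEL + r"(?:\." + _LABEL + ")+$")


def normalize(entry):
    """Reduce one blacklist line to a bare lowercase hostname, or None if unusable."""
    host = entry.split("#", 1)[0].strip().lower()        # drop trailing comment
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)    # drop scheme
    host = re.split(r"[/:?]", host, maxsplit=1)[0]       # drop port, path, query
    host = re.sub(r"^www\.", "", host).rstrip(".")
    # Anything that is not a plain hostname is refused instead of being
    # written into the server configuration.
    return host if _HOSTNAME.match(host) else None


def nginx_referer_map(lines):
    """Build an nginx map that sets $bad_referer to 1 for listed domains and subdomains."""
    hosts = sorted({h for h in map(normalize, lines) if h})   # dedupe, stable order
    out = ["map $http_referer $bad_referer {", "    default 0;"]
    for h in hosts:
        # Validated hosts contain only [a-z0-9.-]; the dot is the only regex metacharacter.
        pattern = h.replace(".", r"\.")
        # Match the domain itself or any subdomain, anchored at the host boundary.
        out.append(f'    "~*^https?://([^/]+\\.)?{pattern}(/|:|$)" 1;')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(nginx_referer_map(SAMPLE_BLACKLIST.splitlines()))
```

Include the generated map in the `http` context and add `if ($bad_referer) { return 403; }` to the server block. The Referer header is supplied by the client, so this stops only requests that actually send a listed referrer.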

2. Use Cloudbric to Block the Spam Bots’ Domains For You

Cloudbric, the only highly advanced and full-service WAF service in the market, can help you add your own custom rules to your WAF. Cloudbric identifies and filters out all malicious traffic, but if you have identified a spam bot in your analytics tool, Cloudbric will block it once you have identified it.

This means that instead of manually configuring your server rules, you can just contact us and we will block those domains for you. All you need to do is provide us with the domains you want to block, and we will do the rest to keep your website free from malicious spam bots and bad referrals.

Gain control of your website and stop spam bots from muddying your website’s analytics reports and threatening the security of your website. Using your analytics tool, identify malicious spam bots and use those learnings to block those domains from ever entering your website again.