Not all bot traffic is created equal. Googlebot crawls your site to index it. Bingbot does the same. These are good bots: let them in. Bad bots scrape your content, probe for vulnerabilities, attempt credential stuffing attacks on your login page, generate fake form submissions, and consume server resources without contributing anything of value. On a busy site, bad bot traffic can account for 20% to 40% of total server requests.
Blocking bad bots reduces server load, improves security, and keeps your analytics data clean. Here is how to do it effectively on a WordPress site.
Good Bots vs Bad Bots: How to Tell the Difference
| Bot type | Examples | What to do |
| --- | --- | --- |
| Search engine crawlers | Googlebot, Bingbot, DuckDuckBot | Allow |
| Legitimate monitoring | UptimeRobot, GTmetrix | Allow |
| AI training crawlers | GPTBot, CCBot, ClaudeBot | Allow or block (your choice) |
| Content scrapers | Generic scrapers, data harvesters | Block |
| Vulnerability scanners | Automated exploit tools | Block |
| Comment and form spammers | Spambot networks | Block |
| Credential stuffers | Login brute-force bots | Block |
Method 1: Use robots.txt to Disallow Known Bad Bots
Your robots.txt file tells crawlers which parts of your site they can access. Well-behaved bots respect it. Bad bots mostly ignore it — but listing known bad bot user agents in robots.txt still reduces some scraper traffic because not all scrapers are sophisticated enough to ignore it.
Add disallow rules for known bad bot user agents to your robots.txt. There are maintained lists of bad bot user agents available online (the Dark Visitors project and the Bad Bot Blocker list are commonly referenced). Adding these to robots.txt is a low-effort first layer.
To edit robots.txt on WP Engine, use the Yoast SEO plugin’s robots.txt editor or edit the file directly via SFTP or SSH. Do not add disallow rules for legitimate crawlers like Googlebot or Bingbot.
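Before uploading an edited robots.txt, it is worth confirming that the new rules block what you intended and nothing else. The following is an added example, not part of the original article: it builds a robots.txt from a block list and checks it with Python's standard `urllib.robotparser`. `ExampleScraperBot` is a placeholder name, the block list is constructed for illustration, and `example.com` stands in for your site.

```python
from urllib.robotparser import RobotFileParser

# Constructed policy: ExampleScraperBot is a placeholder, GPTBot and CCBot are
# the "your choice" crawlers from the table above.
BLOCKED = ["ExampleScraperBot", "GPTBot", "CCBot"]
MUST_ALLOW = ["Googlebot", "Bingbot", "DuckDuckBot"]


def build_robots_txt(blocked):
    """One 'Disallow: /' group per blocked bot, then an allow-all default."""
    groups = [f"User-agent: {name}\nDisallow: /\n" for name in blocked]
    groups.append("User-agent: *\nDisallow:\n")  # empty Disallow = allow all
    return "\n".join(groups)


def audit_robots_txt(robots_txt, blocked, must_allow,
                     url="https://example.com/"):
    """Return a list of problems; an empty list means the file is safe to ship."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    problems = []
    for name in blocked:
        if parser.can_fetch(name, url):
            problems.append(f"{name} is not disallowed")
    for name in must_allow:
        if not parser.can_fetch(name, url):
            problems.append(f"{name} is blocked")
    return problems


if __name__ == "__main__":
    good = build_robots_txt(BLOCKED)
    print(good)
    print("problems:", audit_robots_txt(good, BLOCKED, MUST_ALLOW))

    # A blanket rule is the classic mistake: it also shuts out search engines.
    too_broad = "User-agent: *\nDisallow: /\n"
    print("problems:", audit_robots_txt(too_broad, [], MUST_ALLOW))
```

The check only tells you how a compliant parser reads the file; bots that ignore robots.txt are unaffected by it either way.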
Method 2: Block at the Firewall Level
Blocking bad bots in robots.txt relies on the bot respecting the file. Blocking at the firewall level stops the request before it reaches WordPress at all, saving server resources regardless of whether the bot would have respected robots.txt.
WP Engine’s managed firewall blocks known malicious traffic at the network level automatically as part of the platform. This is one of the core security benefits of managed hosting: you do not need to configure firewall rules manually because WP Engine maintains and updates the rules across the platform.
For sites on standard hosting, Cloudflare’s free plan provides bot management at the edge, blocking common bad bots before they reach your origin server. The Cloudflare Bot Fight Mode setting specifically targets malicious automated traffic. For a broader view of WordPress security infrastructure, see WordPress Security in 2026.
Method 3: Protect the WordPress Login Page
The WordPress login page at /wp-login.php is the most targeted URL on any WordPress site. Credential stuffing bots try thousands of username and password combinations automatically, generating server load and representing a genuine security risk.
Three effective login protection measures: add rate limiting to /wp-login.php to block IPs that exceed a defined number of failed login attempts per minute, enable two-factor authentication for all admin users, and consider changing the login URL from the default /wp-login.php to a custom path using a plugin like WPS Hide Login.
WP Engine blocks brute-force login attacks at the infrastructure level, but the above measures add additional layers that are worthwhile on any host. See WordPress Two-Factor Authentication for the setup details.
Method 4: Use a Security Plugin for Application-Level Blocking
Plugins like Wordfence, iThemes Security, and Sucuri Security can identify and block bad bot traffic at the WordPress application level. They maintain threat intelligence feeds and can block known malicious IP addresses, user agents, and request patterns automatically.
On WP Engine, Wordfence is permitted but its firewall mode should be set to Learning Mode initially to avoid conflicts with WP Engine’s own firewall. Some security plugins are blocked on WP Engine because they conflict with platform-level security — check WP Engine’s current plugin restrictions documentation before installing.
Frequently Asked Questions
How do I know if bad bots are affecting my site?
Check your server access logs or analytics for traffic spikes that do not correspond to real user activity, unusually high bounce rates, requests to non-existent URLs (common bot probing behaviour), and high traffic to /wp-login.php. Google Analytics 4 and Cloudflare analytics show bot traffic separately from human traffic, which gives you a cleaner picture.
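The two log signals named above, heavy traffic to /wp-login.php and requests to non-existent URLs, can be pulled out of an access log with a short script. This is an added example, not part of the original article: it assumes the combined log format, and the thresholds, IP addresses and paths in the sample are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: client IP, timestamp, request line, status code.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def find_suspects(lines, login_per_min=5, not_found_total=4):
    """Return {ip: [reasons]} for IPs over either (hypothetical) threshold."""
    logins = defaultdict(Counter)  # ip -> minute -> POSTs to /wp-login.php
    misses = Counter()             # ip -> number of 404 responses
    for line in lines:
        m = LINE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        # The access log does not record whether a login failed, so POST
        # volume to the login URL is used as the signal.
        if m["method"] == "POST" and path == "/wp-login.php":
            logins[m["ip"]][ts.replace(second=0)] += 1
        if m["status"] == "404":
            misses[m["ip"]] += 1
    report = defaultdict(list)
    for ip, per_minute in logins.items():
        peak = max(per_minute.values())
        if peak > login_per_min:
            report[ip].append(f"login_burst:{peak}/min")
    for ip, count in misses.items():
        if count > not_found_total:
            report[ip].append(f"not_found:{count}")
    return dict(report)


def _line(ip, clock, method, path, status):
    return (f'{ip} - - [12/Mar/2026:{clock} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')


# Constructed sample log (documentation-range IPs, made-up paths).
SAMPLE = (
    [_line("203.0.113.7", f"10:15:{s:02d}", "POST", "/wp-login.php", 200)
     for s in range(0, 40, 5)]
    + [_line("198.51.100.9", "10:16:02", "GET", f"/no-such-page-{i}", 404)
       for i in range(5)]
    + [_line("192.0.2.10", "10:15:30", "POST", "/wp-login.php", 302),
       _line("192.0.2.10", "10:15:31", "GET", "/wp-admin/", 200)]
)

if __name__ == "__main__":
    print(find_suspects(SAMPLE))
```

Tune both thresholds against a normal day of your own traffic before acting on the output, since shared office or mobile-carrier IPs can legitimately produce several logins per minute.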
Will blocking bots affect my Google rankings?
Blocking bad bots will not affect Google rankings as long as you do not block legitimate search engine crawlers. Googlebot, Bingbot, and other search crawlers should always be allowed. Blocking them in robots.txt or via firewall rules would prevent Google from indexing your content.
Does WP Engine block bad bots automatically?
Yes. WP Engine’s managed firewall blocks known malicious traffic at the network level as part of the platform. This includes credential stuffing attempts on wp-login.php, known exploit scanners, and other malicious automated traffic. You can add additional layers via robots.txt and security plugins, but the platform-level protection covers the most common threats automatically.





