How to get rid of bots

... would be THE tip of the year for any homepage owner or site administrator. Especially a method to completely and auto-magically exclude any type of traffic not driven by human interaction.

Sadly, getting rid of the bots or agents that probes or scans the WWW every hour, minute, second or millisecond is, literally speaking, impossible. It would be like trying to get rid of the evil in the world, a goal or project that necessarily had to start with defining what evil really is. As for the web, well not all auto-traffic is malevolent or destructive, and that too is a challenge... however.... 

If you have a website, take care of or manage and website,  then you probably either have noticed these agents in the form of fake registrations, fake posts (if you play risky and run with open comment sections), or in the form of pages up/down with entries in your logs. 

Every day thousands, maybe tens of thousands, of websites go online. A blog, personal page, company page, the growth is staggering. Every day the equal number of websites, for whatever reason, may have been exposed to security flaws, configuration errors or issues,  opening up loopholes, entries or possibilities for the army of agents or bots to leap into more serious action.

In most cases it ends with the above, tons of annoying, fake  registrations in your user account management, tons of comments posted by a bot. And that's that. But some of the agents may collect data to be used in far more sinister contexts, and reveal other weaknesses about your web configuration, later to be used in hacking or attacks. 

First or basic step - deflection

When you install your web CMS it has standard paths to login-forms and registration forms. When a probe runs on the web it scans all existing domains to look for any of the known paths. Once identified then either trigger a second agent that produces fake registration attempts or comments (these are sometimes pretty sophisticated) or begin to look for any known directory, scan or look for files with wrong security settings.  

Whether you are using, Drupal, Joomla! or Wordpress, or some other content management solution, you should install and configure a module like this one, this one or a plugin like this one. Similar solutions exists for other platforms They allow you to change standard admin paths, quickly and without any coding or any change made to the code. or run them in stealth mode. They also lety you make quick changes.

NB! Before you try the above  I strongly recommend you take a backup of your installation, website file directory as well as database PRIOR to changes. Then make a new backup set after the setup is done. 

Remember to write down your configuration setup, add bookmarks or better, do both. If  you forget what your naming convention is or something else goes wrong, the only way to get admin access to your website might be to go into the database, look for the right table or cell. Before doing this you a) need some experience with MySQL and b) know exactly where to look. 

Worst case scenario losing track of the configuration could mean a complete restore of your site, whether file structure or database (or both). 

Now - why do this, why bother

If you have ever looked at or scrutinized your web logs, you may have discovered lots of requests that obviously have not been generated by any person. Most of the bots operates under the assumption that your website uses standard paths. They look for all and any weaknesses. To remove or change standard paths is your first line of defense, but nothing more.

If you want to raise the standard you should look for spam bot preventive applications and other tools that can detect blacklisted IP addresses and, finally, consider installing an SSL certificate. I've written another blog about this, particularly aimed at Drupal, but similar tools exists for  Joomla! or Wordpress.

Don't be indifferent to security, especially not basic security. One thing is your personal interest or safety, quite another and far worse is neglect that impacts third party, a user or a community. The more people who take care of and focus on some basic operational issues, the less nuisance we have to deal with. If you don't know what to do or have to get basics done, ask for help.

Sometimes paying for needed assistance is the best solution. It saves you time and trouble. And we all know..... hindsight is 20-20.