Most WordPress hosting companies track the number of visits to a website and set their pricing plans based on that number. Here is a common scenario: the website has been running for years on one hosting plan, and then you receive an email saying that your visits are up and the website is exceeding its traffic limits.
Basically, you will need to upgrade the plan and pay extra, and occasionally that can be a significant increase. That is OK if your traffic really increased, but what if the visits are generated by bots?
This text is for you.
Most hosting companies will not check whether the increase is real or generated by bots, so you will need to do some detective work.
Here is the list of things you can check:
- Check your Google Analytics. That is a good place to start, as GA filters bots and it will give you some perspective compared with the hosting numbers.
- Reach out to the hosting company and ask them for access to the server logs. You can then check the logs to see if any of the IPs show up multiple times.
- Clarify with the hosting company what methodology they use to count visits.
These are a good place to start, and once you have all the info, it will tell you whether the traffic reported by the hosting company is valid or not.
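One way to do the server-log check from the list above, as an added example that is not part of the original article: it counts requests per IP and flags addresses that repeatedly hit the XML-RPC and login endpoints. It assumes the host provides access logs in the Apache/Nginx combined format; the sample lines, the `summarize` helper and the `min_hits` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: Apache/Nginx "combined" access log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3} ')
# Endpoints bots commonly hammer on WordPress: the XML-RPC API and the login page.
SENSITIVE = ("/xmlrpc.php", "/wp-login.php")

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:00:06 +0000] "GET /blog/?page=2 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:00:07 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 900 "-" "Mozilla/5.0"
this is not a log line
""".splitlines()

def summarize(lines, min_hits=3):
    """Return (suspects, skipped): IPs with at least min_hits requests to the
    sensitive endpoints (most active first) and the count of unparseable lines."""
    total, sensitive, skipped = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # keep going; report how much was unreadable
            continue
        ip = m.group("ip")
        path = m.group("path").split("?", 1)[0]   # ignore the query string
        total[ip] += 1
        if path.startswith(SENSITIVE):
            sensitive[ip] += 1
    suspects = [
        {"ip": ip, "requests": total[ip], "sensitive": n,
         "share": round(n / total[ip], 2)}        # fraction of this IP's traffic
        for ip, n in sensitive.most_common() if n >= min_hits
    ]
    return suspects, skipped

if __name__ == "__main__":
    found, bad = summarize(SAMPLE)
    for row in found:
        print(row)
    print("unparseable lines:", bad)
```

An IP whose requests go almost entirely to these two endpoints is a candidate for the blocking steps described in the next part of the article; a visitor who loads pages and opens the login form once is not.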
The traffic is generated by bots, and now what?
Well, there are several actions you need to take.
- Disable XML-RPC. It is a WordPress API that can be used for brute-force attacks (you can disable it with a plugin). Before doing this, please check whether you have any services using this API.
- Install a security plugin and block the IPs that you are seeing in the records.
- Block these IPs in Cloudflare as well, if you are using it.
- Reach out to the hosting company and ask them if they have a way of blocking traffic.
- Block clients that make more than 3 bad login attempts.
- Change the URL of your admin page, as bots might be targeting your admin page.
We had a case where none of the actions above was stopping the bots, until we changed the URL of the admin page. Traffic was lowered from 45.000 to 29.000 monthly visits, and that gave us a key argument for reverting to the old hosting plan.