Good Bot and Bad Bot, Whether to Block it or Not?

The good bot vs bad bot debate has gained considerable momentum in recent years. So have the conversations around whether to block bad bots or not.

Bots were originally developed to automate mundane and repetitive tasks and enable humans to focus their time on strategic and creative business tasks. Examples of good bots include IM bots, search engine crawlers, shop bots, chatbots, and monitoring bots. Over time, however, bots with malicious intentions also began to flood the internet. Bad bots became synonymous with DDoS attacks, spam attacks, price scraping, content scraping, data harvesting, and transaction fraud. Today, both good and bad bots have become mainstream, and enterprises are striving to tackle them efficiently and effectively.

The challenge of sifting good bots from bad ones has increased manifold this year due to major digital transformation in the wake of the COVID-19 pandemic. Digital transactions are happening at an unprecedented pace, and in 2020 bad bots have become a cybersecurity nightmare for organizations.

Is Blocking the Bots a Good Strategy?

Well, not exactly. 

If you completely block the bots, you might end up losing the benefits of good bots. For instance, blocking search engine crawlers can adversely affect SEO results.

Even if you do manage to block only bad bots, there is still a high possibility that they will attack your systems through an updated version, a new IP address, difficult-to-block networks, or some other form. The best way to block bots from websites, apps, and APIs is to manage them with a holistic approach.

The Right Way to Manage Good and Bad Bots

Here are some effective ways to manage bots and eliminate as many risk factors as possible:

  • Set Up Good Bot Rules

Bots, even if they are good, might not be relevant to your business, website, or location. You can install a robots.txt file on your web server. This file defines the rules that bots need to follow. Unwanted good bots will adhere to these rules and stay away from your website. Because robots.txt is advisory, it only keeps out bots that choose to honor it.

You can also keep an allowlist and a blocklist for bots. An allowlist is a specific list of IP addresses for only those good bots that are allowed on your site. By contrast, a blocklist allows all good bots on your website barring the ones that you have blocked. However, you need to make sure that you update both the allowlist and the blocklist regularly.

  • Monitor Suspicious Activities

Has your website, app, or API slowed down suddenly? Are you witnessing a sudden spike or inconsistency in traffic? Are there failed login attempts? These could be bad bot activities. Keep tabs on any activity that triggers an alarm and take preventive measures to block bad bots immediately.

  • Share Bot Access Points Across All Your Systems

Whenever you find or block a bot access point on your website, be sure to share this information with your apps and APIs. This closes loopholes at all access points and protects your systems from bot attacks.

  • Deploy Signature Detection Tools

Signature-based detection is one of the most common techniques for blocking bots from a website. Every bad bot attack has a distinct pattern, called a signature, that can help you filter out unwanted bots. However, you need to update the repository of bot signatures at regular intervals to keep all potential bot attacks at bay.

  • Throw a JavaScript or CAPTCHA Challenge

A JavaScript challenge is one of the best strategies for telling good bots from bad bots. You can even put CAPTCHA codes across the entire website or on selected webpages. Both JavaScript challenges and CAPTCHA codes ensure that the traffic is generated by real human visitors and not by bots.

  • Throttling

You can even use throttling to keep bots off your website. Throttling puts a limit on the number of times a visitor can hit your website. This method is also called rate limiting.

  • Other Security Rules

You can even use features such as multi-layer password authentication, 2FA via Google Authenticator, or other custom security rules to prevent bot attacks.
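
The allowlist and blocklist, signature, and throttling measures described above can be combined into one per-request decision. The following Python sketch is an added example, not code from this article or from AppTrana; the `BotGate` class, the address ranges, the user-agent signatures, and the limits are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed sample values: documentation address ranges, assumed signatures.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]     # assumed good-bot range
BLOCKLIST = [ipaddress.ip_network("203.0.113.64/26")]  # assumed known-bad range
SIGNATURES = [re.compile(p, re.I) for p in (r"^$", r"python-requests", r"scrapy")]

class BotGate:
    """Per-request decision: allowlist, blocklist, signature, then throttle."""

    def __init__(self, limit=5, window=10.0):
        self.limit = limit            # max requests per client IP per window
        self.window = window          # sliding window length in seconds
        self.hits = defaultdict(deque)

    def decide(self, ip, user_agent, now):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ALLOWLIST):
            return "allow"            # allowlisted good bots skip throttling
        if any(addr in net for net in BLOCKLIST):
            return "block"
        # User-agent strings are easy to forge, so this is only one layer.
        if any(sig.search(user_agent) for sig in SIGNATURES):
            return "block"
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()               # forget hits older than the window
        if len(q) >= self.limit:
            return "throttle"         # e.g. respond with HTTP 429
        q.append(now)
        return "allow"

# Constructed request log: (timestamp in seconds, client IP, User-Agent).
SAMPLE = [
    (0.0, "192.0.2.5", "ExampleCrawler/1.0"),
    (0.1, "203.0.113.70", "Mozilla/5.0"),
    (0.2, "198.51.100.7", "python-requests/2.31"),
    (1.0, "198.51.100.9", "Mozilla/5.0"),
    (2.0, "198.51.100.9", "Mozilla/5.0"),
    (3.0, "198.51.100.9", "Mozilla/5.0"),
    (4.0, "198.51.100.9", "Mozilla/5.0"),
    (11.5, "198.51.100.9", "Mozilla/5.0"),
]

def replay(events, **kw):
    gate = BotGate(**kw)
    return [gate.decide(ip, ua, t) for t, ip, ua in events]
```

With `limit=3` and `window=10.0`, the fourth request from `198.51.100.9` is throttled and the client is allowed again once its oldest hit ages out of the window.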


As you can see, a comprehensive bot management and mitigation solution is more effective than blocking every bot or using a stand-alone solution. It is recommended to use balanced and layered protection solutions such as Indusface’s AppTrana, which secures your website, apps, or APIs while you grow your business.

AppTrana is fully managed, risk-based application protection that helps you distinguish between good bots and bad bots. Most importantly, it can be tailored to your business needs. It continuously monitors and assesses bot risks and manages them in real time.
