Staring at those server logs, coffee gone cold. 48 hours of raw requests, no fancy analytics sugarcoating. And bam – 79% of it? Not a single human finger on a mouse.
WordPress probes alone chewed up 34%. XMLRPC attacks at 18%. PHP endpoint pokes, 27%. The rest? General scanning, like digital cockroaches sniffing every crack.
Those IPs Won’t Quit
Look, I’ve seen this circus before – back in the dial-up days when spam bots first crawled out of the woodwork. But here’s the fresh gut-punch: these aren’t opportunistic hackers. They’re relentless, industrial-scale scanners hitting every exposed site, WordPress or not.
Take 185.220.101.45. Dude (or botnet) slammed wp-login.php hundreds of times. Or 45.146.165.12, obsessed with xmlrpc.php for pingback abuse. These IPs? They’re not targeting you specifically. You’re just another port in the storm.
And the patterns? Brutal in their stupidity. /wp-admin/, /config.php, /.env – bots fishing for lazy deploys. Credential stuffing on /login, /admin. High-frequency blasts from 176.65.148.92 screaming botnet.
Roughly 79 percent of requests were not normal user activity.
That’s the raw truth from the logs. No spin. Pulled straight from unfiltered data, March 31 to April 2, 2026 UTC. (Yeah, future-dated logs – beta test vibes, but the lesson’s timeless.)
Is Your Google Analytics Full of Hot Air?
Here’s the thing. You’re patting yourself on the back for 10k monthly visitors? Wake up. Standard tools like GA? They inflate everything with this bot sludge. Engagement metrics? Lies. Bounce rates? Meaningless when half the ‘visits’ are sub-second probes.
Infrastructure groans under phantom load. Servers spinning cycles blocking what ain’t customers. And it’s constant – doesn’t care if your site’s viral or a ghost town.
I’ve covered Valley hype for 20 years. Remember when every startup swore ‘AI-powered personalization’? Same game: buzz to mask the grind. Who profits here? Cloud providers laughing as you scale for fake traffic. WAF vendors (hello, Cloudflare) raking in premiums for ‘bot management.’ You’re the mark.
But.
Why Shared Intel Crushes Solo Defenses
The original dive smartly pivoted to aggregation. Track IPs across sites. Classify patterns – WP probes, XMLRPC, etc. Flag repeats, block smarter.
Evolved into a threat network. One site’s bad actor? Blacklisted everywhere. Confidence scores rise with repeats. No more per-site whack-a-mole.
My twist? This echoes 1990s email spam wars. Back then, solo filters failed; shared blacklists (Spamhaus-style) won. Predict this: without open threat datasets, indie devs drown in noise. Bigcos build moats, small fry burn cash. In five years? Expect commoditized ‘log hygiene’ services – $10/month to nuke 80% junk. Cynical? Nah, just seen the playbook.
Outcomes post-filter? Crystal metrics. Logs readable again. Real users shine through.
That’s the play. Test your own logs. Beta’s open if you’re game.
Who’s Cashing In on Your Bot Nightmare?
Follow the money, always. Automated scanning? It’s a volume game. Bots from bulletproof hosts (those Eastern Euro IPs scream it) probing millions daily. Goal? Snag weak configs, stuff creds, pwn boxes for crypto miners or ransomware.
You? Paying bandwidth bills. Time sunk on alerts. Devs tweaking .htaccess at 2am.
Historical parallel: Early webhost boom. Everyone ignored bots till DDoS blackmails hit. Now? Same cycle, stealthier.
Blocklists help. Fail2ban, CrowdSec – fine starts. But shared data? Game-over for noise.
Short para.
Deep dive: Patterns evolve. Today’s /wp-login.php is tomorrow’s /nuxt/login or whatever JS framework du jour. Bots scrape CMS detectors fast. Static sites? Still hit for /admin.
Credential stuffing? Leaked creds from 20 breaches ago, rotated endlessly.
Mitigate: Cloudflare Workers for JS challenges. Nginx rate-limits. But aggregate intel scales best.
I’ve yelled this at conferences. Crickets from audience – too busy chasing ‘growth hacks.’
Will Bots Ever Stop Hammering Sites?
Nope. Internet’s open bar. Exposed HTTP? Fair game.
Shift left: Zero-trust paths. API gateways only. But for public sites? Expect 70-90% non-human forever.
Prediction: DevTools will bake ‘bot cull’ modes. Vercel/Netlify buttons: ‘Sanitize Logs – $5/mo.’ Mark my words.
🧬 Related Insights
Frequently Asked Questions
What percentage of website traffic is actually bots?
Around 79% in raw logs from this analysis – WordPress probes, XMLRPC, PHP scans dominate.
How do I check my own site for bot traffic?
Pull raw access logs (no analytics). Group by paths like /wp-login.php, /xmlrpc.php. Tally non-human patterns.
Can shared IP blacklists stop this?
Yes – track across sites, classify behaviors, block repeats. Cuts noise dramatically.
