How can I protect my WordPress website from bots?
Protecting your WordPress website from bots is essential to maintain security, performance, and user experience. Even if Settings > General > “Anyone can register” is disabled, bots will still target common WordPress endpoints like /wp-login.php, /xmlrpc.php, /wp-json/, and form handlers to brute force logins, spam forms, scrape content, and probe for weaknesses.
What bots typically target in WordPress (common endpoints)
- /wp-login.php and /wp-admin/ (brute force / credential stuffing)
- /xmlrpc.php (brute force, including many login attempts packed into one request via system.multicall, plus pingback abuse)
- /wp-comments-post.php (comment spam blasts)
- /wp-admin/admin-ajax.php (endpoint probing and high-volume requests; used by themes/plugins too)
- /wp-cron.php (resource abuse via repeated triggering)
- /wp-json/ and /?author=1 (REST/author enumeration and probing)
Why bots can still spam your site even when “Anyone can register” is disabled
Disabling “Anyone can register” prevents legitimate user self-registration through WordPress’s standard registration flow. Bots typically aren’t relying on that setting. Instead, they attempt to:
- Brute force logins via /wp-login.php or /xmlrpc.php (credential stuffing / password guessing)
- Spam forms (contact forms, lead forms, quote requests, newsletter signups), including forms created by your theme or plugins
- Spam comments by posting directly to /wp-comments-post.php
- Probe endpoints like /wp-json/ and /wp-admin/admin-ajax.php to find anything they can exploit
None of these paths go through the registration setting, so turning it off changes nothing for them. That’s why the most effective protection is a combination of bot verification on your forms (reCAPTCHA) and server-level protections that block or rate-limit the most targeted endpoints before WordPress runs.
Below are practical methods to reduce bot traffic and prevent spam, with a mix of WordPress-side steps and server-level protections. Items labeled Advanced are best handled by your hosting provider if you’re not comfortable editing server configs.
Troubleshooting: Identify what bots are hitting (using access logs)
This helps you choose the right fix quickly (block, rate limit, or add extra authentication).
Step 1) Find your access logs
- Cloudways: check your application/server logs in the Cloudways console (or ask support to review request patterns).
- cPanel hosts: look for “Raw Access” / “Access Logs” in cPanel.
- Other hosts: ask support for the last 24–72 hours of access logs or a summary of top requested paths and top IPs.
Step 2) Filter for the common targets
Search your logs for these paths (or ask your host to do it):
- wp-login.php
- xmlrpc.php
- wp-comments-post.php
- admin-ajax.php
- wp-cron.php
- /wp-json/
- ?author=
Step 3) Interpret what you see
- Lots of POST requests to /wp-login.php: brute force attempts. A failed login returns 200 (the form is re-rendered with an error message) and a successful login returns 302 to /wp-admin/, so a burst of 200s from one IP is password guessing, and a 302 from that same IP means a guess worked and that account’s password must be reset immediately. Best fixes: Basic Auth (Advanced), rate limiting (Advanced), fail2ban/firewall bans (Advanced).
- Repeated POST requests to /xmlrpc.php: XML-RPC abuse. Best fix: disable/block XML-RPC (Advanced).
- High volume to /wp-comments-post.php: comment spam. Best fixes: disable comments and block the endpoint (Advanced) if unused, or add CAPTCHA to comment forms.
- Spikes to /wp-admin/admin-ajax.php: endpoint probing or load attempts (sometimes legitimate front-end features, because themes and plugins call this endpoint for logged-out visitors too). Best fix: rate limit carefully (Advanced) and use a CDN/WAF.
- Lots of requests to /wp-cron.php: resource abuse. Best fix: server-side cron configuration (set DISABLE_WP_CRON and run a real system cron job instead; Advanced) and/or rate limiting.
- Requests to /?author=1 (or /?author=2, 3, …) or /wp-json/wp/v2/users: user enumeration attempts. WordPress answers /?author=N with a redirect to /author/<username>/, and the REST endpoint lists every user who has published a post, so both reveal login names without any authentication. Best fix: block author enumeration patterns (Advanced).
Step 4) Confirm with a “top offenders” list
If your host can provide it, ask for:
- Top requested URLs over the last 24–72 hours
- Top IP addresses hitting those URLs
- Any rate-limit/WAF events already triggered
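Steps 2 to 4 above, done with standard shell tools instead of by hand. This is an added example and not part of the original article; it assumes the default “combined” access-log format used by both Apache and Nginx (client IP in field 1, method in field 6, request path in field 7, HTTP status in field 9). The log lines below are constructed for an offline run; point LOG at your real access log to triage your own traffic.

```shell
#!/bin/sh
# Added example: triage a combined-format access log for the WordPress
# endpoints bots target most. Assumes the default combined log format.

# Constructed sample log lines so the script runs offline. Replace with e.g.
# LOG=/var/log/nginx/access.log on a real server.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
203.0.113.10 - - [10/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.55 - - [10/May/2024:10:02:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.4.0"
192.0.2.55 - - [10/May/2024:10:02:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "curl/8.4.0"
192.0.2.99 - - [10/May/2024:10:03:00 +0000] "GET / HTTP/1.1" 200 23010 "-" "Mozilla/5.0"
192.0.2.99 - - [10/May/2024:10:03:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 95 "https://example.com/" "Mozilla/5.0"
EOF

# Reduce each line to: ip method path status. The query string is dropped,
# except that "/?author=" is kept because the query IS the probe.
normalize() {   # usage: normalize LOG
  awk '{ path = $7; sub(/\?.*/, "", path)
         if ($7 ~ /^\/\?author=/) path = "/?author="
         method = $6; sub(/^"/, "", method)
         print $1, method, path, $9 }' "$1"
}

# Step 2/3: hits per targeted endpoint, busiest first.
count_targets() {   # usage: count_targets LOG
  normalize "$1" | awk '$3 ~ /^\/(wp-login\.php|xmlrpc\.php|wp-comments-post\.php|wp-admin\/admin-ajax\.php|wp-cron\.php|wp-json\/|\?author=)/ { hits[$3]++ }
                        END { for (k in hits) print hits[k], k }' | sort -rn
}

# Step 4: top IPs for one endpoint (the "top offenders" list).
top_ips_for() {   # usage: top_ips_for LOG /wp-login.php
  normalize "$1" | awk -v p="$2" '$3 == p { ips[$1]++ } END { for (ip in ips) print ips[ip], ip }' | sort -rn | head -n 10
}

# A failed wp-login.php POST returns 200 (form re-rendered with an error);
# a successful one returns 302 to /wp-admin/. So 200s are guesses and a 302
# from a guessing IP is a guess that worked.
failed_logins() {   # usage: failed_logins LOG  -> number of failed POSTs
  normalize "$1" | awk '$2 == "POST" && $3 == "/wp-login.php" && $4 == 200 { n++ } END { print n + 0 }'
}
successful_login_ips() {   # usage: successful_login_ips LOG -> one IP per line
  normalize "$1" | awk '$2 == "POST" && $3 == "/wp-login.php" && $4 == 302 { print $1 }' | sort -u
}

count_targets "$LOG"
echo "--- top IPs on /wp-login.php"; top_ips_for "$LOG" /wp-login.php
echo "failed logins: $(failed_logins "$LOG")"
echo "IPs with a successful login: $(successful_login_ips "$LOG" | tr '\n' ' ')"
```

Run it against rotated logs too (zcat the .gz files into a temp file first), since bot campaigns often span several days. If the site is behind Cloudflare or another proxy, field 1 is the proxy’s address unless your host has restored the real visitor IP on the server; the IP counts are meaningless until that is done.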
1) Google reCAPTCHA
Google reCAPTCHA helps distinguish between human users and bots, preventing automated abuse of forms on your website.
Steps to Implement Google reCAPTCHA:
- Sign Up for Google reCAPTCHA:
- Visit the Google reCAPTCHA website and sign up using your Google account
- Register your website to get the reCAPTCHA API keys
- Configure Google reCAPTCHA:
- If you are using Real Estate 7 theme default built-in forms, refer to this article
- If you are using our IDX, refer to this article
- If you are using Contact Form 7, refer to this article
- If you are using Elementor Pro to build forms, refer to this article
2) WordFence
WordFence is a free comprehensive security plugin with a robust firewall and malware scanner to protect your website.
Steps to Implement WordFence:
- Install WordFence:
- From your WordPress dashboard, go to Plugins > Add New
- Search for “WordFence Security”
- Install and activate the plugin
- Configure WordFence:
- Upon activation, follow the setup wizard for initial configuration
- Navigate to WordFence > Firewall
- Enable the firewall and set it to “Extended Protection”
- Under Firewall > All Firewall Options > Rate Limiting, set request thresholds so that crawlers or humans exceeding them are throttled or blocked; this stops bots from overloading your site, but note that the plugin only acts once a request has already reached PHP, so it complements rather than replaces the server-level rules below
- Go to WordFence > Tools > Live Traffic to monitor and block suspicious IP addresses
- Enable Login Security:
- Navigate to WordFence > Login Security
- Enable two-factor authentication and set up reCAPTCHA for login forms to prevent brute-force attacks
For detailed guidance on optimizing WordFence settings, refer to this article.
3) Cloudways Server-Level Bot Firewalls
Cloudways (our recommended hosting provider) provides automatic server-level protection against bots, adding another layer of security to your website without requiring manual configuration.
Steps to Benefit from Cloudways Bot Protection:
- Sign Up for Cloudways:
- Visit Cloudways and sign up for an account. Use our referral code CONTEMPO20 for 20% off your first two months.
- Deploy Your Server:
- Choose Digital Ocean and set up your server on Cloudways
- Automatic Bot Protection:
- Cloudways’ bot protection is automatically enabled, providing out-of-the-box protection against malicious bots and ensuring your site’s security
4) Use a CDN with Bot Protection
Content Delivery Networks (CDNs) like Cloudflare offer bot protection features that can help filter out malicious traffic before it reaches your server.
Steps to Use a CDN with Bot Protection:
- Sign Up for a CDN Service:
- Visit the Cloudflare website and sign up for an account
- Add your website to Cloudflare
- Configure DNS Settings:
- Change your domain’s nameservers to the ones Cloudflare assigns, and keep your site’s A/CNAME records proxied (orange cloud); records set to “DNS only” bypass Cloudflare entirely
- Enable Bot Protection:
- In the Cloudflare dashboard go to Security > Bots (older dashboards called this area Firewall) and turn on Bot Fight Mode
- Add WAF and rate-limiting rules to suit your needs, for example a rate limit on /wp-login.php and a block on /xmlrpc.php, so those requests are dropped at the edge before they reach your server
- Ask your host to restore the real visitor IP on the server (Cloudflare sends it in the CF-Connecting-IP header); otherwise the server-level rate limits and fail2ban bans described later see only Cloudflare’s addresses and would throttle all of your visitors at once
Integrate Cloudflare with Cloudways:
We recommend using Cloudways as your hosting provider because they offer an easy integration with Cloudflare, enhancing both security and performance. Once you open an account, open a live chat with Cloudways support and they can assist in setting up Cloudflare for you, or refer to this guide for detailed steps.
By choosing Cloudways, you benefit from both robust hosting and a straightforward Cloudflare integration process.
5) Regularly Update WordPress and Plugins
Keeping your WordPress core, Real Estate 7 theme, and plugins updated can prevent bots from exploiting known vulnerabilities.
Steps to Regularly Update:
- Enable Automatic Updates:
- From your WordPress dashboard, go to Dashboard > Updates and enable automatic updates for WordPress core (major and minor releases)
- Go to Plugins > Installed Plugins and click “Enable auto-updates” for each plugin; for themes, open Appearance > Themes, click the theme, and enable auto-updates there
- Monitor for Updates:
- Regularly check your WordPress dashboard for update notifications
- Manually update any plugins or themes that require it
6) Advanced: Block the most targeted WordPress endpoints at the server
This is one of the most effective ways to reduce bot traffic because it blocks requests before WordPress/PHP runs. If you’re not sure how to implement these rules, your hosting provider’s support team can apply them for you.
A) Advanced: Disable XML-RPC (reduces brute force and pingback abuse)
Most sites do not need XML-RPC. Disabling it prevents a very common attack vector.
- Target file: /xmlrpc.php
- When to avoid disabling: if you rely on Jetpack features, the WordPress mobile app, or older integrations that require XML-RPC. In that case ask your host to allow only the IP ranges those services publish instead of blocking the file outright.
Apache (.htaccess) example:
<Files "xmlrpc.php">
Require all denied
</Files>
Nginx example:
location = /xmlrpc.php { deny all; }
B) Advanced: Add Basic Auth in front of wp-login.php
This adds a second login prompt at the server level and stops most bot traffic immediately.
- Target file: /wp-login.php
- Optional: protect /wp-admin/ too (useful for high-attack sites), but exclude /wp-admin/admin-ajax.php from the prompt, because themes and plugins call it from the public front end and a 401 there breaks those features for every visitor
Best handled by hosting support (they can add Basic Auth rules safely for your server type).
C) Advanced: Rate-limit login and spam endpoints
Rate limiting protects performance and reduces brute force attempts without blocking real visitors.
- Common targets:
  - /wp-login.php (brute force / credential stuffing)
  - /wp-comments-post.php (comment spam blasts)
  - /wp-admin/admin-ajax.php (often targeted; be cautious because themes/plugins may rely on it)
  - /wp-cron.php (sometimes hammered for resource exhaustion)
Best handled by hosting support (Nginx limit_req, Apache modules, or a WAF). If the site sits behind Cloudflare or another proxy, the server must first be configured to restore the real client IP, otherwise every visitor shares the proxy’s address and one limit throttles them all.
D) Advanced: Fail2ban / firewall bans for repeat offenders
Fail2ban (or similar tools) can automatically ban IP addresses that repeatedly fail login attempts.
- Most useful when you see: high volumes of failed requests to /wp-login.php or /xmlrpc.php
- Best handled by hosting support (requires server access, and the same real-client-IP caveat as rate limiting applies behind a proxy)
7) Advanced: Prevent username discovery (reduces brute-force success)
Many bots try to discover valid usernames before attempting passwords.
- Common probes:
  - /?author=1 (author enumeration; WordPress redirects to /author/<username>/)
  - /wp-json/wp/v2/users (REST API user discovery; lists users who have published posts, no login required)
Best handled by hosting support (return 403 for requests whose query string contains author=, and restrict the /wp-json/wp/v2/users endpoint to logged-in users where appropriate). Note that hiding usernames makes guessing harder but is not a substitute for strong passwords and rate limiting, since usernames also leak through author archive URLs and post bylines.
8) Advanced: If you do not use public comments, block wp-comments-post.php
If comments are not used on your website, blocking the comment-post endpoint can reduce spam and unnecessary traffic.
- Target file: /wp-comments-post.php
Nginx example:
location = /wp-comments-post.php { deny all; }
Apache: Your host can block this endpoint via rules without affecting normal page browsing.
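Once your host has applied the rules from sections 6 to 8, it is worth confirming from outside that they really took effect. The script below is an added example, not part of the original article; SITE is an assumed placeholder for your own site, and the expected status codes follow from the rules themselves: a server-level deny answers 403, Basic Auth answers 401, a rate limit answers 503 (the Nginx limit_req default) or 429, and a 405 on xmlrpc.php or wp-comments-post.php means WordPress itself answered the GET (“POST requests only”), so the request was not stopped at the server.

```shell
#!/bin/sh
# Added example: outside-in check of the server-level WordPress protections.
# Assumption: SITE is your own site and you are allowed to test it.
SITE="${1:-https://example.com}"

# Status code only; redirects are not followed, so a 301/302 is reported as such.
status_of() {   # usage: status_of PATH
  curl -s -o /dev/null -m 10 -w '%{http_code}' "$SITE$1"
}

# Nginx limit_req answers 503 by default; WAFs and CDNs usually answer 429.
is_throttled() { case "$1" in 429|503) return 0 ;; *) return 1 ;; esac; }

# Turn one (path, status) pair into a verdict. Returns 0 when the protection
# is in place, 1 when the request still reached WordPress or was unexpected.
judge() {   # usage: judge PATH STATUS
  case "$1:$2" in
    /xmlrpc.php:403|/xmlrpc.php:404|/xmlrpc.php:401)
      echo "OK   $1 -> $2 (blocked before WordPress)"; return 0 ;;
    /xmlrpc.php:405)
      echo "WARN $1 -> $2 (WordPress answered 'POST only': XML-RPC is still reachable)"; return 1 ;;
    /wp-login.php:401)
      echo "OK   $1 -> $2 (Basic Auth prompt in front of the login form)"; return 0 ;;
    /wp-comments-post.php:403|/wp-comments-post.php:404)
      echo "OK   $1 -> $2 (comment endpoint blocked)"; return 0 ;;
    /wp-comments-post.php:405)
      echo "WARN $1 -> $2 (WordPress answered, so the endpoint is not blocked at the server)"; return 1 ;;
    "/?author=1:403")
      echo "OK   $1 -> $2 (author enumeration blocked)"; return 0 ;;
    "/?author=1:301"|"/?author=1:302")
      echo "WARN $1 -> $2 (redirects to /author/<name>/, which reveals the username)"; return 1 ;;
    /wp-json/wp/v2/users:401|/wp-json/wp/v2/users:403)
      echo "OK   $1 -> $2 (user listing restricted)"; return 0 ;;
    /wp-json/wp/v2/users:200)
      echo "WARN $1 -> $2 (user list is public)"; return 1 ;;
    *)
      echo "WARN $1 -> $2 (not protected, or an unexpected response)"; return 1 ;;
  esac
}

# Fire N quick requests at PATH and count the throttled answers; with a
# working rate limit the count should rise above zero before N is reached.
throttled_count() {   # usage: throttled_count PATH N
  n=0; i=0
  while [ "$i" -lt "$2" ]; do
    if is_throttled "$(status_of "$1")"; then n=$((n + 1)); fi
    i=$((i + 1))
  done
  echo "$n"
}

main() {
  fail=0
  for p in /xmlrpc.php /wp-login.php /wp-comments-post.php "/?author=1" /wp-json/wp/v2/users; do
    judge "$p" "$(status_of "$p")" || fail=1
  done
  echo "throttled $(throttled_count /wp-login.php 20) of 20 rapid requests to /wp-login.php"
  return "$fail"
}

# Only touch the network when a site URL is given on the command line.
if [ -n "$1" ]; then main; fi
```

Run it as `sh check-wp.sh https://your-site.example`. If every path comes back 403 at once, that is more likely Cloudflare’s bot protection challenging curl than your origin rules; confirm against the host’s logs in that case. The 20-request burst is deliberately small so that it proves the limit exists without locking you out for long.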
9) Additional “no-plugin” WordPress hardening (quick wins)
- Disable the built-in theme/plugin editor: add this to wp-config.php: define('DISALLOW_FILE_EDIT', true);
- Use strong admin usernames and passwords (avoid “admin” as a username)
- Remove unused admin accounts and limit admin users to only the people who truly need it
- Maintain correct file permissions (your host can confirm best-practice values for your environment)
Summary: Recommended approach
- Most effective (and simple): Disable /xmlrpc.php + add server-level rate limiting on /wp-login.php
- Best for high-attack sites: Add Basic Auth to /wp-login.php + rate limiting + optional fail2ban/firewall bans
- If spam is coming through forms: reCAPTCHA + CDN bot protection + consider blocking /wp-comments-post.php if comments are unused
If you’re unsure which approach is right for your site, ask your hosting provider’s support team to implement the Advanced items above. These server-level protections typically provide the biggest reduction in bot traffic because they stop requests before WordPress runs.