Bot detection
Your server shouldn't waste a single cycle on bots.
Behavioral scoring across 20+ independent signals. Proof-of-work challenges for suspicious traffic. Automatic bans that propagate across all servers in 30 seconds. Running before your application even loads.
14 days free. No credit card. No commitment.
Score 0-100
Threat scoring
JS challenge
Proof-of-work
Auto-ban
Cross-server
Sound familiar?
Signs bot traffic is wasting your server resources
If any of these sound like your site, automated traffic is likely consuming a significant share of your server capacity.
Unexplained CPU spikes
CPU usage that doesn't correlate with real visitor growth. Bots hammering PHP endpoints consume the same resources as real users.
Slow page loads with few visitors
Pages take seconds to load even with light traffic. Your server resources are being consumed by something other than real visitors.
Excessive login attempts
Hundreds of POST requests to wp-login.php or xmlrpc.php in your access logs. Credential stuffing bots target these endpoints relentlessly.
404 errors for paths that don't exist
Requests for /solr/admin, /.env, or /wp-config.php.bak. These are vulnerability scanners probing your server.
High bandwidth, low engagement
Analytics show 10,000 daily visitors but your server logs show 50,000 requests. The gap is automated traffic.
Database exhaustion during off-peak
Connection pool exhaustion at 3 AM when nobody should be visiting. Bots don't sleep.
Your dashboard
See exactly where your traffic goes
The aggregate traffic panel on your dashboard breaks down total requests, traffic quality, bandwidth, and unique visitors at a glance.
Requests
Overall traffic
Traffic quality
389k bots filtered
Bandwidth
Visitors
Traffic quality score
The percentage of requests from legitimate visitors. A site receiving 847k requests but only 458k from real users has 54% traffic quality. The rest was bots, scrapers, and scanners that got filtered.
Bandwidth you actually save
Blocked bots don't consume bandwidth, CPU, or database connections. Those 389k filtered requests would have consumed roughly 11 GB of bandwidth and thousands of PHP executions.
Real-time monitoring
Watch your traffic as it happens
The live traffic panel streams real-time data for any subdomain. See exactly who's hitting your site, how fast it responds, and where the traffic comes from.
Requests/sec
Unique IPs
Avg response
Bandwidth
Requests over time (5 min)
Status codes
Top IPs
Top paths
Real-time streaming
Watch requests flow in as they happen. Spot unusual spikes, suspicious patterns, and bot attacks the second they start.
Per-subdomain view
Switch between subdomains to isolate traffic patterns. See which sites are getting hit and how they respond.
IP geolocation
Click any IP for full geolocation details. See country distribution and identify suspicious traffic sources at a glance.
How it works
Multi-layered detection and response
Two detection layers, 20+ scoring signals, and automated enforcement. Bot traffic is stopped before it reaches your application.
Threat scoring (0-100)
Every IP gets a score computed from 20+ independent signals including rate patterns, scanner behavior, cookie handling, challenge outcomes, and more. No single signal can trigger enforcement alone. Scores update every 10 minutes.
Edge detection
A second detection layer runs inline with every request, in microseconds, before PHP loads. Evaluates request rate, headers, TLS fingerprint, and path patterns. Catches attacks the scoring engine hasn't seen yet.
Proof-of-work challenge
Not a CAPTCHA. No traffic lights, no checkboxes. A computational puzzle runs silently in the browser in about 2 seconds. Bots that can't execute JavaScript never reach your site.
Honeypot traps
Paths like /.env and /.git/config that no legitimate visitor would request. One hit on a critical trap triggers an instant challenge. No score accumulation needed.
Progressive response
Proportional to the threat. Suspicious IPs get rate-limited. Malicious ones face proof-of-work challenges. The worst offenders are automatically banned with a flat 403.
Cross-server intelligence
When an IP is banned on one server, the ban propagates to every server in the fleet within 30 seconds. Attackers can't escape by targeting a different site.
Adaptive scoring
The scoring engine learns from real outcomes. Solved challenges likely mean a real browser. Unsolved challenges likely mean a bot. Adjustments are capped at 20 points in either direction. Rules always have the final word.
Dashboard and whitelisting
Monitor threats, view full signal breakdowns for any IP, review score history. Whitelist specific IPs or /24 subnets to bypass enforcement on your domains.
Not just blocking
Why scoring beats blocklists
Static blocklists go stale within hours. Behavioral scoring watches what every IP actually does and responds in real time.
Real-time behavioral analysis
IPs are scored based on what they actually do, not static lists that are outdated the moment they're published. We use blocklists as one signal among many, never as the sole reason to block.
Proportional response
Rate limiting for mild threats, proof-of-work challenges for confirmed bots, full bans for the worst offenders. The response matches the threat.
Cross-server propagation
An attacker banned on one server is banned everywhere within 30 seconds. Threat intelligence is shared across the entire fleet in real-time.
Scoring signals
No single signal can ban an IP. Multiple signals must fire together. IPs above 80 are automatically banned. Scores decay when malicious activity stops.
The escalation path
How the layers reinforce each other
The system tightens automatically. It doesn't loosen until the traffic proves it should.
New IP arrives
The system has never seen it. It passes edge checks and is randomly selected for a challenge to build behavioral data.
Challenge served
If the visitor is human, their browser solves it in 2 seconds and they continue normally. A cookie is set to bypass future challenges.
Bot fails challenge
The failed challenge is recorded. On the next scoring cycle, the IP picks up points for having an unsolved challenge.
Score climbs to suspicious
The IP enters the watched tier. Now every subsequent request gets challenged. Not randomly, every time.
More failures, higher score
More failed challenges, more signals, stricter enforcement. The score climbs further with each cycle.
Banned across all servers
The IP crosses into the blocked tier. Flat 403, propagated to every server in the fleet within 30 seconds.
WordPress protection
Built for the attacks WordPress sites actually face
Most of the websites we host run WordPress. We see every common attack pattern daily and built specific defenses for each one.
wp-login brute force protection
Credential stuffing bots generate hundreds of POST requests per hour from rotating IPs. The scoring engine detects repeated login failures, and combined with rate detection, attacking IPs are challenged or banned within a few scoring cycles.
xmlrpc.php abuse blocking
XML-RPC allows multiple login attempts in a single request, making it a favorite for brute force and DDoS amplification. Rate detection catches the volume patterns, and behavioral scoring flags the repetitive POST-only traffic.
Plugin vulnerability scanning
Automated tools cycle through known CVEs for popular plugins, probing paths like /wp-content/plugins/revslider/. These hit honeypot traps and scanner detection, generating scoring signals that compound quickly.
Logged-in admins are always exempt
Legitimate WordPress admin sessions bypass rate limiting and edge detection entirely. We identify logged-in users by their WordPress authentication cookies, so admins are never affected.
Different layer, different signals
This is origin-level protection
This is not a replacement for Cloudflare, Sucuri, or any CDN. Those services filter traffic before it reaches your server. We run on the server itself, catching what gets through, or serving as the first line of defense if you don't use a CDN at all.
With a CDN
We catch bot traffic that passes through CDN filters using signals only visible at the origin.
Without a CDN
Every request hits your origin directly. Our system is the first and last line of defense.
Score decay
Scores aren't permanent. IPs that stop suspicious activity see scores decay within 24-72 hours.
Honest limitations
What we don't catch
No bot detection system catches everything. We're not going to claim otherwise.
Sophisticated headless browsers
Stealth-configured Puppeteer instances that solve challenges, rotate IPs, and mimic human patterns. These exist but are rare and expensive to operate at scale.
Low-and-slow bots
One or two requests per hour with perfect browser signatures. If a bot looks and behaves exactly like a human, there's no signal to detect.
Zero-day attack patterns
Patterns the rules haven't been written for yet. Adaptive scoring helps catch new patterns, but it takes time to learn them.
We stop the 90-95% of bot traffic that wastes measurable server resources: the scanners, the brute forcers, the scrapers, and the credential stuffers. That's the traffic that slows down your sites and costs real money.
Pricing
Simple, transparent pricing
Every plan includes managed WordPress, SSH access, daily backups, and enterprise-grade security. Start with a 14-day free trial.
Startup
Great for growing businesses
$94.99 billed annually
- 1 website
- 10 GB storage
- ~10,000 visits/month
- 5 MySQL databases
- 250,000 inodes
- 5 FTP users
What's included:
SSL & Domain
- Free SSL certificate
- Temporary subdomain
WordPress
- 1-click WordPress
- Managed WordPress
- Free WordPress migration
Advanced
For professional websites
$179.99 billed annually
- 5 websites
- 20 GB storage
- ~110,000 visits/month
- 10 MySQL databases
- 500,000 inodes
- 10 FTP users
Everything in Startup, plus:
Performance
- Memcached
Pro
Maximum performance and features
$274.99 billed annually
- 10 websites
- 40 GB storage
- ~200,000 visits/month
- 20 MySQL databases
- 750,000 inodes
- 20 FTP users
Protection included
Active from day one
Bot detection is built into the platform and included in every plan. No plugins to install, no rules to configure. It's already running.
Questions
Frequently asked questions
Bot detection is one layer of our security architecture. We also run SELinux in enforcing mode, container isolation, real-time malware detection, and a web application firewall.
See the full security architecture