While some bots are useful, like search engine crawlers that help discover your content, others can quickly inflate your traffic stats, skew analytics, and even cause unnecessary hosting overages.
In this guide, we’ll show you how to use Cloudflare’s free security tools like Bot Fight Mode, JavaScript and Managed Challenges, and other Cloudflare settings to help you reduce unwanted bot traffic, protect your WordPress site, and ensure your hosting resources are reserved for real visitors.
Set up Cloudflare for bot protection
You don’t need a premium account or complex setup to stop unwanted bot traffic with Cloudflare. The Cloudflare free plan offers several powerful features that can make a big difference.
Let us show you how to get started.
Connect your site to Cloudflare
If you host your WordPress site with Kinsta, you already benefit from powerful Cloudflare integration, including enterprise-grade performance and a global CDN. However, to access advanced security tools you will need to link your own Cloudflare account.
Fortunately, this process is quick and easy. We provide a detailed, step-by-step tutorial that walks you through the entire process, from adding your domain to configuring DNS records and name servers. Follow this guide to connect your site:
👉 How to install and configure Cloudflare on your WordPress site
Once your domain is connected and active on Cloudflare, you’re ready to enable features that will help protect your site from unwanted bot and scraper traffic, without impacting real visitors.
Enable bot battle mode
Once your site is connected to Cloudflare, one of the fastest and most effective ways to start filtering unwanted automated traffic is to enable Bot fighting mode.
This free Cloudflare feature helps detect and limit known bots that can crawl, scrape, or overload your website, even when they try to disguise themselves as human visitors.
Follow these steps to enable bot battle mode:
- In the left menu go to Security > Institutions.
- Under the Filter by section, choose Bot traffic.
- Find Bot fighting mode and enable it.
Once activated, you can monitor the results in your MyKinsta analytics as visits start to drop as Cloudflare filters more non-human requests before they ever reach your site.
If you’re on a paid Cloudflare subscription, you have access to Super Bot fighting modean improved version of the Bot fighting mode with more flexibility. It builds on the same technology but lets you choose how to handle different types of traffic, allowing JavaScript detections to catch headless browsers, stealthy scrapers, and other malicious traffic.
For example, instead of blocking all crawlers, you can configure the tool to block only “absolutely automated traffic” and allow “verified bots” such as search engine crawlers:
Set up JavaScript and managed challenges
Even with Bot fighting mode active, some automated crawlers or AI tools can still slip through, especially those that imitate normal browsing behavior.
From Cloudflare safety rules you can apply additional protection in the form of challenges, which verify that visitors are human before granting access.
You can apply JS Challenges sitewide, but for most WordPress sites they are best used on targeted paths, such as:
/wp-login.php(WordPress login page)/xmlrpc.php(common bot target)/wp-admin/(management part)
To add a JavaScript or managed challenge rule:
- Navigate to Security > Security rules.
- Click Create rule > Custom rules.
- Enter one Rule name (For example, JS challenge for wp login).
- Below When incoming requests matchconfigure:
- Field: URI path
- Operator: contains
- Value:
/wp-login.php
You can add more conditions if necessary by clicking Edit expressionand then you can add an expression like below:
(http.host in {"example.com" "www.example.com"} and
starts_with(http.request.uri.path, "/wp-admin") and
not cf.client.bot and
not http.request.uri.path contains "/wp-admin/admin-ajax.php")The above example focuses on the /wp-admin area, skips verified bots and excludes the AJAX endpoint used by WordPress plugins.
Below Then take actionchoose one of the following:
- JavaScript Challenge – performs a browser test for each visitor.
- Managed challenge – lets Cloudflare’s AI decide when to challenge, based on behavior and risk level.
Finally, click Apply to activate the rule. If you want to test it first, choose Save as draft.
Keep an eye on the results
Once you’ve enabled Bot Fight Mode or set up your own Cloudflare rules, it’s important to confirm that your changes are working and that the automated traffic that increased your visits is being filtered effectively.
Both Cloudflare and MyKinsta offer analytics tools to help you measure impact. Here’s how to use them together.
View Cloudflare’s security analytics
In your Cloudflare dashboard, go to Security > Analyses > Bone analysis.
This view provides a clear overview of how much of your overall site traffic is generated by humans versus bots.
Cloudflare assigns a bot score to each incoming request based on patterns, machine learning, and behavioral signals. These scores are grouped into traffic types, such as:
- Automated – They are clearly non-human bots.
- Probably automated – Suspicious, bot-like requests (e.g. headless browsers or AI scrapers).
- Probably human – Normal visitors using real browsers.
- Verified bot – Legitimate bots (such as Googlebot or PayPal).
The Bone analysis graph shows these categories in real time. You can use the filters (by country, IP address, browser or operating system) to identify where most automated traffic comes from.
Check MyKinsta analytics
Then open your MyKinsta dashboard > Analyses > Visits report.
Because Kinsta measures visits based on unique IP addresses seen every day (and not JavaScript tracking like Google Analytics), it provides an accurate view of all traffic reaching your site, including bots that slip through other filters.
After Cloudflare starts blocking automated requests, you should notice a drop in overall visits (as bots stop reaching your origin).
If you still see spikes, check your Top requests And Top client IPs reports to identify URLs or IPs that are requested repeatedly. These are likely candidates for new Cloudflare challenges or country blocks.
Summary
Managing unwanted bot traffic has become part of running a modern website. Cloudflare’s free tools let you quickly filter out automated crawlers and scrapers before they impact performance or inflate hosting usage.
For Kinsta customers, linking these Cloudflare protections to your hosting configuration helps your analytics accurately reflect real visitors and maintain consistent resource usage. If you want even more predictability, Kinsta’s new bandwidth-based plans offer an alternative to visit-based pricing.
Together, Cloudflare and Kinsta give you the visibility and control to focus on your content and users, instead of chasing bots.
Kinsta
Joel is a frontend developer and works at Kinsta as a technical editor. He is a passionate educator with a love for open source and has written more than 300 technical articles, mainly around JavaScript and its frameworks.
#protect #WordPress #site #unwanted #bot #traffic #Cloudflare