How to protect your Wordpress site from bad user agents

A bad user agent is accepted as any new/old web browser, bot program, webcrawler, downloader, scraper, etc. that seeks out to negatively request your Wordpress/web site. Some do as their names imply, like a download master, which will actually download a whole site or a fat directory, sometimes repeatedly just to cause high bandwidth cpu usage on you site. Other more devastating bombs, injections, hotlinking attacks, can actually cause your whole Wordpress site to break or fail, although most likely your web host will suspend your account and files before hand anyway.

Truth is, if you own and operate a Wordpress site and haven't performed a few stupid awesome tricks, your site could be getting hit by a few nasty bad user agents right now! Personally, I still monitor all my Wordpress site(s) traffic logs just to find new stuff to block out. If you don't block out the purely malicious requests then your Wordpress site will undoubtedly suffer at some point as it grows, common nuances include; terribly slow load times, high server resource usage and loads, possible web hosting account suspension, possible site breakage, and probably the most unfriendly-high hosting bills (depending on your web hosting plan).

Bad user agents can cause crazy size hosting bills, blacklisted ip addresses, site failure, just anything dirty to ruin your investment and potential.

There a number of effective and free methods to block bad user agents from your Wordpress site. Assuming that your Wordpress site is on an Apache Linux web server (if you aren't sure or don't know ask your web hosting provider) you should take advantage of your .htaccess file in your public or www directory.

Create or modify an .htaccess file in your web root, put some hot code like this in it:

RewriteEngine on

RewriteCond %{HTTP_USER_AGENT} ^.*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).*$ [NC]
RewriteRule . - [F,L]

Generally speaking, start on the first line with turning the RewriteEngine on, this literally does as it implies, then you specify the condition which in this case is the user agent. Then specify what type of bad user agent we want to block from loading our Wordpress site altogether, separate each with a vertical pipe |. Finally the RewriteRule which is basically where you want the baddies to go instead loading/seeing your Wordpress site, in this generic case we are showing them a basic error page which will prevent them from loading anything juicy.