Stop Bad Bots blocks legitimate visitors

Bill, thanks for the quick reply. The Block Engine was set to Conservative. The visitor log was empty. I guess it was cleared when we deactivated the plugin. Now I see mostly “Blocked Fake Browser” as reason. I will check the log when it happens again.

I wonder how you can detect “faked browsers”? I suppose these are unknown user agents?

Yes, we are using Conservative mode and we are running 6.66. So far no new complaints after restarting the plugin. If it happens again, I will take a closer look at the user agent, browser, etc. and post here again.

Thanks a lot for the help! Great plugin!

I think I found the issue now. The log entry is “Blank user agent” and it happened when a Javascript script on our page tried to open a PHP script on our site.

I also see that you block many RSS readers. This is an example FeedDemon/4.5 (http://www.feeddemon.com/; Microsoft Windows). Is is it possible to whitelist certain URLs (like /feed/)?

I read your FAQ about feeds, but didn’t find any relevant information there. Or do you really suggest that I go through the bot table and whitelist all known RSS readers myself? I see many popular RSS readers in the Visits Log. These are all legitimate readers that are blocked by your plugin. A RSS reader is essentially just a web browser.

And your plugin certainly did block legitimate readers because their browsers executed some of our JavaScript scripts. Only after I disabled the empty user agent setting, did this stop.

It is expected and wanted that Open Source software is modified. Your Visits Log does not contain all the information I need. For instance, I need to know if a user was logged in or not because different scripts are then executed. I also need to know which visits were not blocked for troubleshooting. Is seems you log this information in the corresponding database table but not in the Visits Log displayed in the frontend.

I will probably modify your plugin to make sure RSS readers are not blocked when they access the feed. We also block at the IP level because if you only block at the HTTP level as Stop Bad Bots does, you can’t really avert DDOS attacks or save resources because all the PHP code is executed even if you deny access. So not much is gained that way except that you make a few bot owners a little unhappy.

You even block blog publishing software like Ulysses with the “Conservative” setting on. How can a blog editing software coming from a private IP that accesses a single page possibly be a bot? With a conservative configuration I expected that you only block user agents where you are sure that they are bots, but it seems more like you block anything that you can’t identify. This approach is doomed to fail. Many have tried (including Google) to distinguish bots from humans automatically and have failed. That’s why you see captchas everywhere.

Your plugin would be much more useful if you only block known bots or those that identify themselves as bots. This way, site owners could save resources by blocking known bots that are useless for them without risking to block legitimate readers. Those other “bad” bots with fake user agents can’t be stopped anyway.

The minimum you could do to only block unknown bots bots that access hundreds of pages within a few minutes.