Bot Traffic Escalation Redefines WordPress Security as an Infrastructure Imperative.

A recent report by Kinsta has unveiled a significant shift in the nature of automated traffic, indicating that bot activity is no longer a peripheral security concern but a fundamental infrastructure challenge for WordPress site owners. The "AI & Bot Traffic Report," which meticulously analyzed over 10 billion requests across Kinsta’s managed infrastructure, highlights a burgeoning problem where sophisticated crawlers are targeting dynamic endpoints, bypassing cache mechanisms, and creating traffic patterns that mimic broken automation at an unprecedented scale. This evolution necessitates a more integrated and robust approach to bot protection, leading to the introduction of Kinsta’s specialized bot protection tool.
The Escalating Threat: Bot Traffic as an Infrastructure Challenge

For years, bot traffic was largely viewed through the lens of SEO (search engine crawlers) or basic security threats (malicious bots attempting exploits). However, Kinsta’s findings, supported by broader industry trends, reveal a dramatic transformation. Modern bots, including both benign AI crawlers and more nefarious actors, are increasingly adept at interacting with websites in complex ways. They exploit dynamic endpoints, which are resource-intensive to process, get caught in query-string loops that generate endless requests, and skillfully bypass caching layers designed to offload server strain. This behavior directly impacts server performance, inflates hosting costs, skews analytics data, and poses a persistent denial-of-service risk, even if not explicitly malicious.
The report’s analysis of billions of requests underscores that the sheer volume and sophistication of this automated traffic can overwhelm traditional defenses and place immense strain on a website’s underlying infrastructure. Unlike legitimate search engine bots that generally adhere to robots.txt directives and crawl judiciously, many of these new-generation bots, particularly those associated with AI training or aggressive scraping, exhibit "broken automation at scale." This means they often behave erratically, making excessive requests or targeting non-existent URLs, consuming valuable server resources without contributing to legitimate site function. This growing complexity has propelled bot protection from an optional security add-on to an essential component of modern web operations, especially for platforms as widely adopted as WordPress.
Kinsta’s Strategic Response: A WordPress-Centric Solution

Recognizing this critical shift, Kinsta, a prominent managed WordPress hosting provider, has launched its proprietary bot protection solution. This built-in tool is designed to empower WordPress site owners to identify, manage, and mitigate unwanted automated traffic directly from their MyKinsta dashboard. The development of this solution was informed by extensive internal data and customer feedback, particularly from a recent "Bot Traffic Reality Check webinar" where many questions arose regarding the efficacy and integration of Kinsta’s offering with existing solutions like Cloudflare. Laszlo Farkas, Kinsta’s Director of Engineering, and Daniel Pataki, Kinsta’s CTO, provided crucial insights into the architectural decisions and strategic positioning of the new tool.
Differentiating Bot Protection: Kinsta vs. Cloudflare
A common point of confusion for site owners is understanding the relationship between Kinsta’s bot protection and Cloudflare’s various offerings, especially since Kinsta’s hosting stack itself leverages Cloudflare for CDN, WAF, and DDoS mitigation. Kinsta explicitly states that its bot protection operates on the same foundational infrastructure and utilizes Cloudflare’s detection engine. However, as Laszlo Farkas clarifies, "We use the same infrastructure as Cloudflare. We have the same knowledge and same options as Cloudflare, but we have the deep expertise to have a better default sets we can give our customers to handle WordPress traffic." This distinction is critical: Kinsta layers its own WordPress-specific classification rules on top of Cloudflare’s bot scoring. For instance, an AI crawler exhibiting unusually high request volumes might be reclassified by Kinsta as an "excessive-rate AI crawler" and subsequently challenged, even if Cloudflare’s generic list might deem it a verified bot. This tailored approach is possible because Kinsta’s solution is finely tuned for the unique traffic patterns, endpoints, and integrations prevalent in the WordPress ecosystem.

Cloudflare itself offers a tiered approach to bot protection, each with varying levels of control and operational complexity:
-
Cloudflare Bot Fight Mode: This is the simplest option, available on all Cloudflare plans, including the Free tier, as a basic on/off toggle. While easy to activate, its main drawback is a lack of granular control. It applies domain-wide and cannot be bypassed or customized with WAF custom rules or Page Rules, as it does not operate on Cloudflare’s Ruleset Engine. This can be problematic for WordPress sites with legitimate automated traffic (e.g., API clients, monitoring tools, plugin integrations) that might be inadvertently challenged.
-
Cloudflare Super Bot Fight Mode: Available on Pro, Business, and Enterprise plans (without the Bot Management add-on), this tier offers more control. Users can define actions (allow, challenge, block) for broad traffic categories such as "definitely automated," "likely automated," and "verified bots." Crucially, it runs on the Ruleset Engine, allowing for WAF custom rules to create specific exceptions. However, it still lacks per-endpoint targeting and the granular, per-request bot scoring found in Bot Management.

-
Cloudflare Bot Management and Custom Rules: This represents Cloudflare’s most flexible and powerful bot protection solution, offered as an Enterprise add-on. It assigns a 1-99 bot score to every request and enables highly customized actions through WAF custom rules or Workers. Users can leverage various signals like bot score, URI path, country, ASN, IP range, headers, and user agent to craft precise rules. For example, a low-scoring request on a login page could be challenged, while a public blog remains unaffected. This level of control, however, demands significant expertise in understanding traffic patterns, building and testing rules, monitoring results, and continuous tuning.
The Kinsta Advantage: Tailored for WordPress
Kinsta bot protection strategically positions itself between Cloudflare’s basic Bot Fight Mode and the highly complex Bot Management. It offers a managed, WordPress-specific layer of protection that leverages Cloudflare’s underlying detection capabilities while simplifying the operational burden for site owners.

Key features and advantages of Kinsta’s solution include:
- Four Protection Levels: Instead of a simple toggle, Kinsta offers four preset levels (Off, Low, Medium, High) that can be applied per environment. This allows for fine-tuning, such as running a stricter setting on a production site while keeping a staging environment more permissive. Challenges issued by Kinsta’s system are typically non-intrusive (browser-based checks, background validation) and, once cleared, persist for at least 10 days for the same browser and IP.
- Detailed Traffic Classification: MyKinsta Analytics provides comprehensive insights into how every request is classified and handled. Categories include "likely humans," "verified bots," "likely bots," "unclassified traffic," "automated traffic," "malicious traffic," and "excessive-rate AI crawlers." This granular view, coupled with information on whether requests were allowed, challenged, or blocked, helps site owners understand the true nature of their traffic. This is crucial because "automated" does not inherently mean "unwanted"; legitimate tools often generate automated requests.
- Managed Allow List for WordPress Automations: WordPress sites inherently rely on various legitimate automated processes, from REST API requests and scheduled tasks to plugin integrations and e-commerce workflows. Kinsta’s "Allow typical WordPress automations" feature enables a managed allow list of trusted WordPress endpoints and services, preventing stricter bot rules from disrupting essential site functions. Users can also add specific custom exceptions by IP address, path, or user agent. This reduces the need for individual customers to independently identify and whitelist critical integrations.
- Dedicated AI Crawler Control: Kinsta explicitly separates AI crawler management from general bot protection. A specific "Block AI crawlers" toggle allows site owners to entirely block AI crawlers, including verified ones, without affecting legitimate search engine crawlers like Googlebot or Bing. This distinct control acknowledges that AI crawler traffic, while automated, often requires a different management strategy than overtly malicious bots.
- Bulk Controls Across Environments: For agencies and users managing multiple WordPress sites, Kinsta’s platform supports bulk actions. Protection levels, AI crawler blocking, and WordPress automation allowlist settings can be adjusted across multiple environments simultaneously from the WordPress sites list, streamlining management tasks.
- Integrated WordPress Hosting Support: Bot traffic issues are rarely isolated. They can often intertwine with other WordPress stack elements, such as plugin conflicts, misconfigured integrations, or legitimate marketing campaigns. Kinsta’s bot protection is supported by the same team that understands the customer’s entire hosting environment, eliminating the need to correlate data and troubleshoot across multiple vendors. This integrated support model simplifies problem resolution and ensures a holistic approach to site health.
Navigating Dual Protections: When to Use One or Both
A frequently asked question, especially during the "Bot Traffic Reality Check webinar," concerned the advisability of running Kinsta bot protection alongside a self-managed Cloudflare account that also has bot features enabled. While technically possible, Kinsta strongly advises against it. Laszlo Farkas noted, "Technically, they work together, but I generally wouldn’t recommend enabling both… Running both can also introduce unnecessary friction. For example, a visitor could end up seeing multiple managed challenges instead of just one at their first visit." Daniel Pataki reinforced this, stating, "You can use both, but there’s no real reason to. It’s much safer just to use one or the other." The primary downside of dual activation is increased friction and redundant challenges for legitimate visitors, not necessarily a broken setup.

Furthermore, Kinsta recommends against placing any other CDN, reverse proxy, or WAF (like AWS, Microsoft Azure, Sucuri, or Fortinet) in front of a Kinsta site with its bot protection active. When another service handles traffic first, Kinsta loses visibility into the real origin of each request, compromising the accuracy of its bot detection and classification capabilities. If a site owner is currently running a self-managed Cloudflare account with custom bot or WAF rules in front of a Kinsta site, it is highly recommended to consult Kinsta Support to determine the best configuration and avoid potential conflicts or diminished protection.
Monitoring and Insights: Data-Driven Decision Making
When it comes to monitoring bot traffic, both Cloudflare and Kinsta offer distinct advantages. Cloudflare provides extensive flexibility for forensic investigation, allowing users to drill into individual requests with custom filters based on almost any request attribute. This makes it an excellent tool for identifying patterns and investigating specific incidents. However, Cloudflare’s bot analytics are often based on sampled data, which can affect the accuracy of exact traffic numbers.

Kinsta, conversely, reports on 100% of requests hitting the site, providing aggregated hourly and daily statistics directly within MyKinsta. This makes Kinsta the more reliable source for accurate, platform-level traffic counts and trends over time, even if it lacks Cloudflare’s granular, ad-hoc filtering for deep forensic analysis. Therefore, the choice of monitoring tool depends on the specific need: Cloudflare for deep incident investigation and Kinsta for accurate, long-term traffic metrics.
Architectural Nuances: Where Protection Layers Operate
Kinsta bot protection operates at the edge, specifically at Layer 7 (the application layer) of the OSI model, where HTTP requests are evaluated. This is the same layer where many advanced WAF and bot protection systems function. When both a customer’s Cloudflare protection and Kinsta bot protection are active on the same request path, Cloudflare’s processing logic generally executes first, followed by Kinsta’s. This sequential processing further underscores why overlapping the two rarely adds significant value; by the time a request reaches Kinsta’s logic, Cloudflare has already made its own decision regarding its nature.

Strategic Choices for Site Owners: Selecting the Right Defense
The optimal bot protection strategy hinges on the level of control desired and the resources available for ongoing management.
- Managed WordPress Protection (Kinsta): For most WordPress site owners, particularly agencies managing multiple clients, teams without dedicated security personnel, or businesses prioritizing core operations over security minutiae, Kinsta bot protection offers an ideal managed solution. It provides robust, WordPress-specific protection without demanding continuous maintenance of complex rules.
- Full Control (Cloudflare Advanced Tools): Cloudflare’s advanced bot controls (Super Bot Fight Mode with WAF/custom rules, or Bot Management) are suitable for organizations with specific, highly complex traffic patterns, dedicated security teams, and the expertise and time to build, test, monitor, and maintain custom bot management strategies. This approach offers unparalleled precision but comes with a significant ongoing operational cost.
In nearly all scenarios, choosing one primary bot protection layer is recommended to avoid unnecessary friction and redundancy.

The Future of WordPress Security: An Evolving Landscape
The landscape of web traffic is continuously evolving, with automated systems, AI tools, and various crawlers becoming increasingly prevalent. As Daniel Pataki articulated during the webinar, bots are a "double-edged sword," capable of both causing performance, cost, and analytics issues, while also contributing to the web’s utility. The increasing sophistication of bot traffic demands that WordPress teams adopt proactive and adaptive strategies for non-human traffic management. Kinsta bot protection addresses this need by offering a managed, WordPress-aware starting point with flexible protection levels, specific AI crawler controls, and integrated analytics. This ensures that WordPress site owners can effectively navigate the complexities of modern bot traffic, safeguarding their infrastructure and focusing on their core business.
To delve deeper into these insights, interested parties can access the "Bot Traffic Reality Check webinar" recording, review Kinsta’s comprehensive "AI & Bot Traffic Report," or activate Bot Protection directly from their MyKinsta dashboard to gain immediate visibility into the automated traffic affecting their sites.







