When Bots Attack

Reports show that over half of web traffic is actually created by automated programs. Over half of this bot traffic is estimated to be malicious. Spammers, hackers,  and brute force login attempts are commonplace and there are many ways to combat against them.

This method is less intrusive and is fairly effective way of protecting forms like logins and contact forms. It takes advantage of a bots lack of eyes to add an additional field to a contact form that is not visible to visitors, but that a bot would see and fill in.  Then on the server side script check to see if the field which should be empty was filled with any data essentially catching the bot red-handed.

Oversimplified Example:

<!DOCTYPE html>

<form action="formsubmissionpage.php" method="post">
Name: <input type='text' name='name' />
<input style='position:absolute;left:-5000px;' type='text' name='hp' />
Email: <input type='text' email='email' />
Message: <textarea name='msg'></textarea>
<input type='submit' />


and the server side…


      //mail sending script stuff
      //you fell for it haha silly bot 

This method is a widely used and very effective, but a lot more intrusive to the user.

Essentially they ask you to complete a task that a bot would have a hard time completing.  One important thing to remember is that not all captchas were created equal.  Some captchas are much easier for someone to create a bot that can get past it depending on where the captcha validation is and how machine readable the task is.  Right now one of the standards for this is Google’s reCAPTCHA pictured above.  Which implements difficult images with graphs and in addition keeps track of attempts from the IP address so it knows how hard to be on you for your next attempt.

Implementation Example Client-side:

    <title>reCAPTCHA demo: Simple page</title>
     <script src="https://www.google.com/recaptcha/api.js" async defer></script>
    <form action="?" method="POST">
      <div class="g-recaptcha" data-sitekey="your_site_key"></div>
      <input type="submit" value="Submit">

And Server Side:

  $privatekey = "your_private_key";
  $resp = recaptcha_check_answer ($privatekey,

  if (!$resp->is_valid) {
    // What happens when the CAPTCHA was entered incorrectly
    die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." .
         "(reCAPTCHA said: " . $resp->error . ")");
  } else {
    // Your code here to handle a successful verification

You will need to add a copy of recaptchalib.php OR
you can write your own that submits a post request to https://www.google.com/recaptcha/api/siteverify with parameters secret, response, and remoteip.  Then parse ‘success’ out of the returned JSON object and find out if the value is true or false.

Rate Limit
Limiting how many times a visitor can do a certain action is a great way to prevent spam and potential brute force attempts, however it does let a bot try at least a few times before locking it out or blocking it entirely.  This method typically involves logging a visitors IP when a task is completed such as submitting a form like sending mail, registering, or logging into the site.  When a person tries this action it may, in addition to the IP, also log the time of the visit and the number of visits in a certain time frame, this way it can determine if a person has exceeded that limit and act accordingly.  This method works best when accompanies by one of the other methods.

There are two types of firewalls that I know of,  application firewalls that check the request when it meets the application and checks the request to see if it looks shady and DNS firewalls that check the traffic the same way before it gets to the server.
Most servers will come prepackaged with application level security like ModSecurity, and applications like WordPress can have plugins like Wordfence that will also check the traffic and block offending IPs. One common DNS firewall is Securi.
If you have the option: