Up to 60% of web traffic is automated. Scrapers, form spammers, and AI crawlers skew your analytics, submit fake leads, and steal your content — yet most tools count them as real users.
How it works
Three steps to full visibility
01
🏷
Register your site — 30 seconds
Open the dashboard, enter your domain, and choose your site type. You get a personalised script tag with your site ID pre-filled — no manual substitution needed.
02
👀
Paste your snippet before </body>
Copy the one-line script tag from the dashboard and paste it into your site. Under 5 KB, loads in the background, works on any website or blog.
03
🔥
See who's real — and fight back
Your dashboard shows a live feed of every visit, scored by bot likelihood. Set rules to block, rate-limit, or redirect bots without touching code again.
Invisible links, hidden endpoints, and pixel images that only automated crawlers follow. One hit = bot, no false positives.
🧠
Session behavior
10-minute session memory per visitor. Detects retry after denial, burst form submissions, and path probing sequences bots leave behind.
🚨
DDoS precursor detection
Classifies threats as probe → pre-DDoS → active abuse by combining endpoint scanning, datacenter ASNs, and cross-IP fingerprint reuse. Alerts you before an attack peaks.
🕵️
Residential proxy detection
Flags traffic routed through known proxy providers (BrightData, Oxylabs, Luminati, Smartproxy…) even when the IP looks residential.
🛡️
Route-aware scoring
Automatically stricter on login, checkout, and admin paths (up to 1.5× score multiplier). Lenient on static assets. No manual config needed.
Response
Automatic enforcement — no manual rules needed
botfighter scores every request 0–100. The enforcement ladder activates automatically based on score and route — no bot rule setup required out of the box.
0–30
Human
Allow through, visit logged
31–69
Suspicious
Soft PoW challenge on forms, auth & admin routes
70–84
Bot
Block when at least one strong signal fires (honeypot, webdriver, headless)
85–100
Confirmed bot
Block unconditionally — honeypot hits always reach this tier
All thresholds and actions are overridable with custom bot rules. Weak signals (no plugins, fast click) can never trigger a block alone.
Add to layouts/partials/footer.html before </body> → rebuild.
☁️
Vercel / Netlify / CF Pages
Works alongside any CDN or edge provider — client-side detection means no server-side dependency.
🌍
See what's attacking the web right now
Live leaderboard of the most common bot names, countries, and attack types — aggregated across all botfighter-protected sites. No personal data, no domain names.
botfighter hosted at api.botfighter.dev: €5/month.
Common questions
Frequently asked questions
Will it slow my site?
No. The script is under 3 KB gzipped and loads asynchronously in the background — it has zero impact on your page load speed or Core Web Vitals score.
Is it GDPR-compliant?
Yes. botfighter does not set cookies and does not store any personal information (no names, emails, or IP addresses). Behavior analysis is done anonymously using hashed session identifiers that expire at the end of each browser session.
Do I need my own Cloudflare account?
No. botfighter runs entirely on our infrastructure — just paste the snippet. No Cloudflare account, no backend setup required.
How much does it cost?
€5/month. We handle all infrastructure — no setup, no server costs on your end.
How does it detect bots without being invasive?
Real human visitors leave natural behavioral traces — small variations in how they move the mouse, how fast they interact, what browser features they have enabled. Automated visitors (robot browsers, scrapers) behave differently. botfighter scores each visit using these behavioral patterns without ever reading personal content.
What happens when a bot is detected?
By default, botfighter records the visit and shows it in your dashboard. You can optionally set rules to automatically block, redirect, or serve a custom response to bots — all configurable from your dashboard without touching code.