How to protect your WordPress site from unwanted bot traffic with Cloudflare
The web is busier than ever, with not just human visitors, but an increasing wave of automated bots, crawlers, and AI tools constantly scanning websites for content and data.
While some bots are helpful, such as search engine crawlers that aid in discovering your content, others can quickly inflate your traffic metrics, skew analytics, and even trigger unnecessary hosting overages.
In this guide, we show how to use Cloudflare’s free security tools, like Bot fight mode, JavaScript and managed challenges, and other Cloudflare settings, to reduce unwanted bot traffic, protect your WordPress site, and ensure your hosting resources are reserved for real visitors.
Setting up Cloudflare for bot protection
You don’t need a premium account or complex configuration to stop unwanted bot traffic with Cloudflare. The free Cloudflare plan offers several powerful features that can make a big difference.
Let’s walk through how to get started.
Connect your site to Cloudflare
If you’re hosting your WordPress site with Kinsta, you’re already benefiting from a powerful Cloudflare integration, including enterprise-grade performance and a global CDN. However, to access advanced security tools, you need to connect your own Cloudflare account.
Fortunately, this process is quick and straightforward. We offer a detailed, step-by-step tutorial that guides you through the entire process, from adding your domain to configuring DNS records and nameservers. Follow this guide to get your site connected:
How to install and configure Cloudflare on your WordPress site
Once your domain is connected and active on Cloudflare, you’ll be ready to enable features that help protect your site from unwanted bot and scraper traffic, without impacting real visitors.
Enable bot fight mode
Once your site is connected to Cloudflare, one of the quickest and most effective ways to start filtering out unwanted automated traffic is by enabling Bot fight mode.
This free Cloudflare feature helps detect and mitigate known bots that may crawl, scrape, or overload your website, even when they try to disguise themselves as human visitors.
To turn on bot fight mode, follow these steps:
- From the left-hand menu, go to Security > Settings.
- Under the Filter by section, choose Bot traffic.
- Find Bot fight mode and toggle it on.

After activation, you can monitor the results in your MyKinsta analytics: visit counts should begin to drop as Cloudflare filters more non-human requests before they ever reach your site.
If you’re using a paid Cloudflare plan, you have access to Super Bot fight mode, an enhanced version of Bot fight mode with more flexibility. It builds on the same technology but lets you choose how to handle different traffic types, enabling JavaScript detections to catch headless browsers, stealthy scrapers, and other malicious traffic.
For example, instead of blocking all crawlers, you can configure the tool to block only “definitely automated traffic” and allow “verified bots” like search engine crawlers.

Set up JavaScript and managed challenges
Even with Bot fight mode active, some automated crawlers or AI tools can still slip through, especially those that imitate normal browsing behavior.
Cloudflare’s security rules allow you to apply additional protection in the form of challenges, which verify that visitors are human before granting access.
You can apply JS Challenges site-wide, but for most WordPress sites, they’re best used on targeted paths such as:
- /wp-login.php (WordPress login page)
- /xmlrpc.php (common bot target)
- /wp-admin/ (admin area)
To add a JavaScript or Managed Challenge rule:
- Navigate to Security > Security Rules.
- Click Create rule > Custom rules.
- Enter a Rule name (for example, JS Challenge for wp-login).
- Under When incoming requests match, configure:
  - Field: URI Path
  - Operator: contains
  - Value: /wp-login.php

You can add more conditions as needed by clicking Edit expression and entering an expression like the one below:
(http.host in {"example.com" "www.example.com"} and
starts_with(http.request.uri.path, "/wp-admin") and
not cf.client.bot and
not http.request.uri.path contains "/wp-admin/admin-ajax.php")
The example above targets the /wp-admin area, skips verified bots, and excludes the AJAX endpoint used by WordPress plugins.
Under Then take action, choose one of the following:
- JavaScript Challenge – runs a browser test for every visitor.
- Managed Challenge – lets Cloudflare’s AI decide when to challenge, based on behavior and risk level.
Finally, click Deploy to activate the rule. If you want to test it first, choose Save as Draft.
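To check which requests the two conditions above would match before deploying, here is a small Python model of them, added as an illustration and not part of the original guide or of Cloudflare's tooling. The `Request` class, the `verified_bot` flag (standing in for `cf.client.bot`) and the sample requests are constructed for this example.

```python
from dataclasses import dataclass

HOSTS = {"example.com", "www.example.com"}


@dataclass
class Request:
    host: str
    path: str                   # URI path only, no query string
    verified_bot: bool = False  # stands in for cf.client.bot


def login_rule(req: Request) -> bool:
    """Builder rule from the steps above: URI Path contains /wp-login.php."""
    return "/wp-login.php" in req.path


def admin_rule(req: Request) -> bool:
    """Python equivalent of the edited expression for /wp-admin."""
    return (
        req.host in HOSTS
        and req.path.startswith("/wp-admin")
        and not req.verified_bot
        and "/wp-admin/admin-ajax.php" not in req.path
    )


def matched_rule(req: Request) -> str:
    """Return the name of the first rule that matches, or 'none'."""
    if login_rule(req):
        return "login"
    if admin_rule(req):
        return "admin"
    return "none"


# Constructed sample requests covering the cases the expression distinguishes.
SAMPLES = [
    Request("example.com", "/wp-admin/index.php"),
    Request("example.com", "/wp-admin/admin-ajax.php"),
    Request("example.com", "/wp-admin/", verified_bot=True),
    Request("shop.example.com", "/wp-admin/"),
    Request("www.example.com", "/wp-login.php"),
    Request("example.com", "/wp-admin-old/readme.html"),
    Request("example.com", "/blog/hello-world/"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.host}{r.path} bot={r.verified_bot} -> {matched_rule(r)}")
```

In this model the `/wp-admin-old/` request matches because the condition is a prefix test, and `shop.example.com` is not covered until it is added to the host list.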
Monitor the results
Once you’ve enabled Bot fight mode or set up your own Cloudflare rules, it’s important to confirm that your changes are working and that the automated traffic that inflated your visits is being filtered effectively.
Both Cloudflare and MyKinsta offer analytics tools that enable you to measure the impact. Here’s how to use them together.
Check Cloudflare’s security analytics
In your Cloudflare dashboard, go to Security > Analytics > Bot Analysis.

This view provides a clear breakdown of how much of your total site traffic is generated by humans versus bots.
Cloudflare assigns a bot score to every incoming request based on patterns, machine learning, and behavioral signals. These scores are grouped into traffic types such as:
- Automated – Clearly non-human bots.
- Likely automated – Suspicious, bot-like requests (for example, headless browsers or AI scrapers).
- Likely human – Normal visitors using real browsers.
- Verified bot – Legitimate bots (like Googlebot or PayPal).
The Bot Analysis graph displays these categories in real-time. You can use the filters (by country, IP address, browser, or operating system) to identify where most of the automated traffic originates.

Check MyKinsta analytics
Next, open your MyKinsta dashboard > Analytics > Visits report.

Because Kinsta measures visits based on unique IP addresses seen each day (and not JavaScript tracking like Google Analytics), it provides an accurate view of all traffic hitting your site, including bots that slip through other filters.
After Cloudflare starts blocking automated requests, you should notice a drop in total visits (since bots no longer reach your origin).
If you still see spikes, review your Top Requests and Top Client IPs reports to identify any URLs or IPs that are repeatedly requested. These are likely candidates for new Cloudflare challenges or country blocks.
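One way to do the same review from raw access logs, as an added example (not Kinsta's or Cloudflare's own tooling): the script counts visits as unique IPs per day, as described above, and lists client IPs that repeatedly request the paths this guide puts behind challenges. It assumes combined-format access log lines; the sample lines, the IPs (documentation ranges) and the threshold of 3 are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, combined log format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:10:00:04 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4120 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2025:10:05:11 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 18230 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2025:10:06:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.50 - - [13/May/2025:08:30:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 18230 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2025:09:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
truncated or malformed line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" \d{3} ')
SENSITIVE = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/")  # paths from this guide


def parse(log):
    """Yield (ip, day, path) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["day"], m["target"].split("?", 1)[0]


def summarize(log, threshold=3):
    visits = defaultdict(set)                  # day -> unique client IPs
    top_paths, top_ips, hits = Counter(), Counter(), Counter()
    for ip, day, path in parse(log):
        visits[day].add(ip)
        top_paths[path] += 1
        top_ips[ip] += 1
        if path.startswith(SENSITIVE):         # requests to challenged paths
            hits[ip] += 1
    return {
        "visits_per_day": {d: len(ips) for d, ips in visits.items()},
        "top_paths": top_paths.most_common(3),
        "top_ips": top_ips.most_common(3),
        # IPs at or above the (assumed) threshold: candidates for a challenge rule
        "challenge_candidates": sorted(ip for ip, n in hits.items() if n >= threshold),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```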

Summary
Managing unwanted bot traffic has become part of running a modern website. With Cloudflare’s free tools, you can quickly filter out automated crawlers and scrapers before they impact performance or inflate hosting usage.
For Kinsta customers, pairing these Cloudflare protections with your hosting setup helps your analytics accurately reflect real visitors and maintains consistent resource use. If you’d like even more predictability, Kinsta’s new bandwidth-based plans offer an alternative to visit-based pricing.
Together, Cloudflare and Kinsta provide you with the visibility and control to focus on your content and users, rather than chasing down bots.
The post How to protect your WordPress site from unwanted bot traffic with Cloudflare appeared first on Kinsta®.
