How to stop bad traffic to website – reduce visits on Kinsta: bots, AWS, crawlers
Disclosure: This post may contain links to affiliate partners and products, that I have selected manually and would or have bought myself. I will get a commission if you decide to purchase anything after clicking on these links – at no cost to you.
I have tested Kinsta for my authority site nimblecamper.com and realised, that 70% of the visits I had to pay for were bad traffic – bots and bad crawlers. I have since moved away from Kinsta because of this reason (they charge you by visits, not bandwidth primarily, so you have to pay for a higher tier just because of this bad traffic). I am now on Rocket.net and couldn’t be happier – read why here.
But here’s everything I tried to reduce the number of useless/bad visits that Kinsta was counting against my plan.
How to reduce unwanted visits on Kinsta
Note that .htaccess doesn’t work on Kinsta – it’s an NGINX server, so you have to ask Kinsta support to implement most solutions using NGINX syntax. Usually, wherever you find a .htaccess solution, there will be an NGINX version too.
- first things first – visits are not requests
- you can have many requests, but those are not necessarily counted as visits. Some are (legitimate visitors to your website, legitimate bots), and some are blocked. For example, I have blocked my /wp-login.php page with a server-level password, so no one can actually visit it. But all the attempts to visit it are counted as requests. Requests do not count against your plan unless they lead to a visit (i.e. a request is fulfilled).
Ways to block bad traffic to your website
- request Kinsta support to block access from countries that are not important to your website. For most bloggers, this will be most of Asia, Africa, South America, and perhaps some east European countries too.
- request Kinsta support to password protect your /wp-login.php and /wp-admin/
- request Kinsta support to block unwanted crawlers (Kinsta have a list of typical unwanted crawlers, ask to review that and they’ll implement it)
- block all Amazon AWS traffic (or country-specific AWS traffic) – most of it are bots, crawlers and not real users, but these visits eat up a lot of your plan. For me, it was over 30% of daily visits!
- how to block AWS IPs / traffic?
- Wordfence allows you to block all AWS traffic this way:
- how to block AWS IPs / traffic?
- use the Hostname custom pattern blocking rule.
-----> Press the Custom Pattern button on the Firewall >> Blocking page.
-----> In the Hostname option you can use the example wildcard shown:
*amazonaws.com
-----> You then need to enter a block reason and then press the button to create the blocking rule.
- But – there’s a caveat: Wordfence will serve an HTTP response 503 for all manual rules like that (if you manually add IPs to be blocked, using the below hostname rule or if you set “immediately block any non-existing username login attempts”. Unfortunately, Kinsta still counts all 503 as visits. They don’t count 403 as visits. I inquired Wordfence about this and they plan to serve different responses, like 429 for temporary blocking/rate limiting, and 403 for permanent blocks. But until then, you need to work out how to serve 403 instead of 503
- If you are blocking IPs – do it in Kinsta’s IP Deny section, not via Wordfence. That way they won’t count as visits.
- one way of blocking AWS is downloading all their IPs and pulling out the IPs into a list, then pasting them into the Kinsta IP Deny section. More on AWS IPs and how to filter them here.
There might be more things you can try of course, but these were the most obvious recommendations I found and still they didn’t reduce much of the bad traffic – so I decided that Kinsta wasn’t for me and started looking for alternatives – that’s when I found Rocket.net and I couldn’t be happier. Been with them for months now and it’s all I wanted – good services, a super fast website (backend and frontend), and very helpful support. More about this decision in this post: