Bot Protection
Protect your site from malicious bots, scrapers, and automated attacks.
Enabling bot protection
- Go to your site's Access tab
- Under Bot Protection, toggle it on
- Click Save
How it works
When bot protection is enabled, WebStadia challenges suspicious visitors with a lightweight JavaScript check:
- A visitor requests your site
- WebStadia checks their user-agent and cookies
- If the visitor is suspicious (known bot user-agent, no previous verification), they receive a JavaScript challenge page
- Real browsers execute the JavaScript and get a verification cookie automatically — this happens in under a second
- Bots that can't execute JavaScript are blocked
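The flow above, written out as a decision function. This is an added example, not WebStadia's code: the cookie name, the HMAC-signed cookie format, the `/api/` prefix, the substring matching on the User-Agent and the bot markers are all assumptions made for illustration, and the allowlist and the API exclusion come from the sections further down this page.

```python
import hashlib
import hmac

# Everything here is assumed for illustration; none of it is WebStadia's implementation.
SECRET = b"constructed-demo-key"        # constructed signing key
COOKIE_NAME = "bot_verified"            # hypothetical cookie name
API_PREFIX = "/api/"                    # hypothetical way of recognising API endpoints
ALLOWLIST = ("googlebot", "bingbot", "slurp", "duckduckbot", "baiduspider",
             "yandex", "twitterbot", "facebook", "linkedin", "whatsapp",
             "telegram", "discord", "uptimerobot", "pingdom")
BOT_MARKERS = ("curl", "python-requests", "scrapy", "wget")  # constructed examples


def issue_cookie(session_id: str) -> str:
    """Value set once the JavaScript challenge has run (assumed HMAC design)."""
    mac = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def cookie_is_valid(value: str) -> bool:
    """Accept only cookies whose signature matches; empty or edited values fail."""
    session_id, _, mac = value.rpartition(".")
    if not session_id:
        return False
    expected = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def decide(path: str, user_agent: str, cookies: dict) -> tuple:
    """Return (action, reason) for one request to a site with bot protection on."""
    ua = user_agent.lower()
    if path.startswith(API_PREFIX):
        return ("allow", "api endpoint, not covered")
    if any(name in ua for name in ALLOWLIST):
        return ("allow", "allowlisted bot")
    if cookie_is_valid(cookies.get(COOKIE_NAME, "")):
        return ("allow", "previously verified")
    # A client that cannot run the challenge never gets the cookie,
    # so every HTML request it makes ends up here.
    if not ua or any(marker in ua for marker in BOT_MARKERS):
        return ("challenge", "known bot user-agent")
    return ("challenge", "no previous verification")
```
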
Allowlisted bots
The following legitimate bots are always allowed through, even with bot protection enabled:
- Search engines — Googlebot, Bingbot, Yahoo Slurp, DuckDuckBot, Baiduspider, Yandex
- Social media — Twitterbot, Facebook, LinkedIn, WhatsApp, Telegram, Discord
- Monitoring — UptimeRobot, Pingdom
This ensures your SEO and social media previews are not affected.
What gets blocked
- Content scrapers
- Spam bots
- Vulnerability scanners
- DDoS bot traffic
- Generic HTTP libraries without JavaScript support
Notes
- Bot protection uses a lightweight JavaScript challenge, not a CAPTCHA — real users won't notice it
- The verification cookie lasts for the browser session
- Bot protection does not affect API endpoints, only your site's HTML pages