My site was the subject of a bot swarm
Here's how I blocked the bots
Here's how I blocked the bots
On the following Sunday, I took a look at the website traffic.
950 requests in 24 hours.
Not bad, I thought — until I saw the breakdown:
I only do business in the UK.
So… what exactly was going on in Seychelles?
Within 10 minutes, I’d made a few changes:
→Blocked Seychelles by country in Cloudflare WAF
→ Blocked the specific IP address
→ Turned on Bot Fight Mode
→ Set a rate limiting rule: “Block if more than 30 requests to the same page in 10 seconds”
Result?
The bots were stopped dead.
My analytics became readable again.
And UK visitors — the ones I actually serve — could browse normally.
If you’re running a small business website, especially one that targets a specific country or region, it’s easy to overlook where your traffic is coming from.
But if 70% of your traffic is from a bot farm in Seychelles, that’s a problem.
You can’t trust your traffic numbers. Bounce rate, time on site, and conversion data become meaningless when most of it comes from junk bots.
Even if you’re on free hosting or a CDN, bot traffic uses up bandwidth, server time, and could even trip usage limits.
Some bots are harmless. Others are scanning for vulnerabilities, scraping your content, or attempting brute-force logins.
Search engines track site engagement. If 80% of your “traffic” bounces immediately, that sends bad signals to Google.
You won’t know which pages are actually performing or how real visitors behave if bots dominate your traffic.
I wasn’t expecting this kind of traffic so soon — especially not from outside the UK. But this experience taught me a few things:
The first step is for us to have a chat