More traffic and overseas visitors than I would expect

My monthly analytics report shows that my site gets a lot of visitors from overseas and quite a high amount of data transfer. My website is just for a single location garage so I wouldn’t even expect any interest in it from 50 miles away never mind around the globe. Are the reports accurate and is this just down to bots or is it something I need to address?

1 Like

I’m pretty sure it’s bots. And not the helpful kind.

You may consider a firewall rule to Challenge any Non-YourCountry visitors, but allow known (helpful) bots:

1 Like

Thank you. I have added this firewall rule - does this look ok?

Almost. Take a closer look at mine.

1 Like

Thanks for responding, I have since edited the settings and uploaded a new screenshot. Am i still missing something.

It looks like I have the rule working and it has already seen a bit of activity.

clicking on the events I am seeing quite a few related to the Jetpack wordpress plug in, a microsoft bing bot and a couple of cloud server hosts, is the rule doing what it’s supposed to?

The Bing Bot may be fake, as real ones are allowed through as a Known bot. The JetPack one needs a closer look to see if it’s something you want to allow. In which case, you’ll have to add some sort of “NOT” exception to your rule.

I apologise for my lack of knowledge but what does the js challenge do?
Some of the firewall attempts have used the following paths:
/xmlrpc.php
/.git/HEAD
/404javascript.js
/404testpage4525d2fdc
/wp-login.php
/wp-content/plugins/angwp (don’t recognise this as one of my plug ins)
/wp-admin/includes/class-wp-filesystem-import.php

should I be concerned given or are these just speculative attempts

JS Challenge tests for an actual browser visiting the site. As you’re a local shop, there might be someone out of the country who is genuinely curious, so JS Challenge will still easily let them visit the site. But bots most likely won’t get through:

But that traffic is typically the bad stuff I see blocked. xmlrpc is a bot attempting direct logins to the back end, plus probing for known vulnerabilities and unintended data disclosures.

Yes I can see many of the blocked ones are for xmlrpc.

There is a lot of data transfer on my monthly analytic report report and google searching the ASN / ip addresses of those blocked attempts has some results that makes me feel uneasy.

How would I check what data is being transferred?

What I did notice while going through each of the reporting tabs of my cloudfare dashboard, is that “traffic served over TLS” appears (to me) to be a very high number over 24 hours for v1.2 at 17.5k as my website does not have any form of ecommerce which google appears to be suggesting is what TLS 1.2 is for.

That’s just website traffic. Some of it requested by bots, and some by humans. Your server logs would show more about what’s actually getting through, but I generally don’t worry about it, other than the annoyance of bot traffic.

TLS is for HTTPS connections. It’s a Good Thing.

I have a site I host on my web server that would have nationwide hits/clients, but it’s not one that would have many visitors. Yet, I get thousands of hits per day, some from overseas and also in the US. I’ve been told by Cloudflare support that it’s normal and just bots, but it’s WAY more than other sites are getting. The reason I moved it to Cloudflare was because it was so much traffic that it was killing the performance of my web server. Maybe it attracted attention somehow and other sites don’t. I’ve had to leave it in “I’m being attacked mode” for a few years now since it’s constantly being hit. I’ve limited the countries that can connect to it. I suppose I can try the rule you proposed sdayman and block traffic NOT in the US rather than blocking every other country.

If anyone has any feedback, it would be appreciated. I can out up some numbers if you want to see how many hits I get per day, per month, etc.

I’m waiting to see how the changes I made to the firewall rules have affected my analytics report at the end of the month. I do however still seem to be getting many more visitors from overseas than i would expect going by the 24 hour report.
My firewall rule has had 527 attempts in the last 24 hours but my bandwidth does appear to be well down if I multiply the last 24 hours by 31 days against the previous months report I received by email.

I am restricted by what reports I can run in order to compare the firewall rule with no option on the free plan to select custom dates etc.so I will have to wait for the next report to come through