FAQ: Answers to your top bot questions

In this help document, we will answer your frequently asked questions about bot traffic.

Q. Are all bots bad?

A: Bad bots get the most attention, like click bots and Distributed Denial of Service (DDoS) bots. However, not all bots are bad. Some are legitimate bots that are harmless and even beneficial. This can include

• Search engine crawlers, such as Google or Bing
• Online store speed, such as Shopify’s use of a Google Developer bot that runs a daily speed test on your Shopify store
• Marketing bots, such as SEMrush or AhrefsBot
• Voice engine bots, such as Alexa or Apple

Click here to learn more about bots.

Q. I found bots on my website. What should I do? 

A: We advise contacting your developer, technical team or a third party to determine if the bot is malicious or not and how to respond accordingly. Lucky Orange can only recommend ways to spot bots and block them from within Lucky Orange. We cannot offer recommendations to businesses should you experience a bot attack, and we recommend seeking additional assistance if needed. 

Q. Does blocking a bot in Lucky Orange block the bot on my website?

A: Blocking a bot within Lucky Orange only blocks our system from tracking the bot. This keeps your plan’s allotted sessions dedicated to track your visitors. Blocked bots will still have access to your website unless you work with a developer or third party tool to block bots from your website.

Q. How do you know if it’s a bot?

A: Bots have a very specific pattern of behavior when visiting a website. This includes:

• Abnormally high traffic from a specific source - this may be subtle, such as from a “good” bot or overwhelming, such as from a “bad” bot. A good bot, such as Shopify’s efforts to evaluate site speed, may only have 1-3 visits a day. A bad bot, such as a click bot, will show a massive and alarming number of visitors. These visits will usually be direct, though this isn’t always the case. You can see this from the Sources dashcard in your Dashboard. If looking for direct traffic, if will show the source as something like, “yourwebsite.com”
• Short duration - add the duration column to your Visitors’ Table to see visitors with a duration under 5 seconds with typically only one page visited. Here’s more information on using duration.
• Same location, browser and device - you can see this from the Visitor’s Table. According to Security Magazine, Mobile Safari is the top browser of choice. 
• Different device type displayed in the session player - as you watch a Session Recording of the bot, you’ll see that the visitor details will show a desktop whereas the Session Recording displays a mobile device. This is an example of User Agent (UA) spoofing. 
• Engagement, if there is any, won’t appear real - if you compare it with a recording of a known visitor, you’ll see vastly different behavior. If there is any engagement, it will be very rigid and direct to a CTA or link. 

Q: Do you have any examples of how Lucky Orange users spotted bot traffic?

A: For good bot traffic: Our latest example came from a user this year. This user had been suspended by Google for misrepresentation. After installing Lucky Orange, the user was able to see a Googlebot review the website and clicking on specific elements in the website’s footer. Using this information, the user was able to make appropriate changes, which meant adding their business address and contact page, which the bot confirmed to end their suspension. 

For bad bot traffic: Another user reviewed their Lucky Orange Visitors’ Table and noticed an alarming number of sessions associated with a group of IP addresses from the same location. A check of a suspected bot live on the site showed no engagement and nothing to indicate it was a real visitor. As more suspected bots poured in, the user was able to take the Session Recordings to alert the company’s technical team to put immediate security measures in place to block the suspicious traffic. Though the attempted Distributed Denial of Service (DDoS) attack slowed the website for a short time, it failed to crash the website and cost the company valuable sales in the process. Read more here.