Managing Bot Attacks and Building a VPS Fortress

Managing Bot Attacks

Managing Bot Attacks and Building a VPS Fortress

Managing bot attacks can feel, at first, like you’re under siege from an invisible army – new IPs, strange user agents, and CPU spikes that always seem to hit at the worst possible moment. For a long time, I assumed that “serious” bots would rotate through fresh IP addresses every day, and that the only realistic response was constant firefighting.

What I actually discovered was very different. By tightening up our VPS configuration, using tools like CSF and IPSET intelligently, taming our own cron jobs, and setting sensible rate limits, we turned a noisy, unstable environment into a calm, predictable VPS fortress. The bots didn’t disappear – they just stopped being able to hurt us.

In this article, I’ll walk through how we approached managing bot attacks on a busy WordPress and WooCommerce stack, what really made the difference, and why the server now starts each day quietly instead of on fire. If you’re running your own VPS and you’re tired of unexplained load spikes and swap usage, this practical, experience-based guide is for you.

Managing Bot Attacks Starts with Understanding the Real Problem

Before you can start effectively managing bot attacks, you have to understand what’s really happening on your VPS. When I first started digging into our own situation, it felt as though the server was being hammered by a constantly shifting swarm of “super bots” – always new IPs, always something different. The reality was much more mundane, and far easier to control.

Once I began looking at load, memory, swap and the top IPs hitting each site, a pattern emerged. A small number of data centre ranges were sending a lot of junk traffic, a few legitimate crawlers like Google and Bing were doing their normal work, and the rest of the load was coming from our own stack: WordPress, WooCommerce, scheduled tasks, image jobs and imports. In other words, the VPS wasn’t just being attacked – it was also quietly attacking itself through badly timed or unnecessary jobs.

That shift in perspective was crucial. Instead of assuming we were helpless against a clever, ever-changing opponent, we treated it as a practical engineering problem: reduce pointless internal load, identify noisy external sources, and only then bring in firewall tools and rate limiting. Managing bot attacks became less about panic and more about steady, systematic tuning of the VPS.

Tame Your Own Stack Before Blaming the Bots

One of the biggest surprises, when I began seriously managing bot attacks, was discovering how much of the pressure on the VPS was self-inflicted. It wasn’t just “them out there” – it was “us in here” as well. Multiple WooCommerce sites, image optimisation jobs, product imports, backups and WordPress cron tasks were all quietly lining up for resources at the same time. When a wave of junk traffic arrived on top of that, the server didn’t stand a chance.

The first real win came from getting brutal about timing and necessity. I moved away from relying on default WordPress cron and set up proper system cron jobs at sensible intervals, staggered across sites. Heavy jobs like product imports and bulk image compression were scheduled for quieter periods instead of all trying to run whenever a visitor happened to land on a page. Some tasks were simply disabled because they added noise without delivering any real business value.

Once those changes were in place, the difference was remarkable. CPU load stopped spiking at random, swap stopped creeping up so quickly, and the baseline became predictable. Only then could I see which incoming IPs were genuinely abusive, and which ones were just landing on a VPS that was already overloaded. Managing bot attacks became much easier once my own stack was no longer contributing to the chaos.

Use CSF and IPSET to Block Where It Hurts

Once the internal load was under control, the next step in managing bot attacks was to stop wasting PHP and WordPress resources on traffic that never should have reached them in the first place. That meant moving the fight down the stack: away from plugins and .htaccess rules, and into proper VPS security tools like CSF and IPSET. Instead of arguing with every bad request at application level, we started dropping whole groups of repeat offenders at the firewall.

In practice, that meant watching the Apache SSL logs for patterns. The same data centre ranges kept turning up with anonymous user agents, strange paths or clearly automated behaviour. Rather than play whack-a-mole with individual IPs, we began blocking at the subnet level – whole /24 ranges that were doing nothing useful for any of our sites. CSF and IPSET made that easy: once a range was identified as hostile or noisy, it was added to a deny list and instantly stopped consuming connections and CPU.

At the same time, we made sure not to shoot ourselves in the foot. Good crawlers such as Google, Bing and Meta were whitelisted so that our firewall configuration didn’t undermine SEO or visibility. The result was a VPS fortress where junk bots simply never reached Apache or PHP at all, while legitimate traffic flowed normally. Managing bot attacks became less about firefighting and more about curating who was even allowed to knock on the door.

Rate Limiting: Managing Bot Attacks Without Breaking Real Visitors

Firewall blocks are powerful, but they are only part of managing bot attacks effectively. The next layer of defence was rate limiting: putting hard limits on how many connections a single IP could open, and how quickly those connections could arrive. This is where CSF’s CONNLIMIT and PORTFLOOD settings came into their own, especially on ports 80 and 443.

Instead of trying to spot every bad bot by user agent or URL pattern, we defined what “sane” behaviour looks like and enforced it. A normal human visitor or search engine crawler does not need to open dozens of concurrent connections or hammer the site with a burst of requests in a few seconds. When an IP tried to do that, the rate limits kicked in and simply refused to entertain the excess traffic. The pleasant surprise was that this reduced server noise dramatically without upsetting real users.

Combined with our other changes, this meant the VPS no longer cared whether a bot changed IP occasionally. As long as each IP was forced to behave within sensible limits, managing bot attacks stopped being a frantic race to keep up. Instead, we defined fair rules for everyone and let the firewall enforce them automatically.

Daily Checks: Managing Bot Attacks with Calm, Not Panic

The last crucial piece in managing bot attacks was building a simple, repeatable way to see what was happening on the VPS each day. Instead of logging in only when something was on fire, I started running a short daily script over morning coffee: CPU load, memory and swap usage, disk space, top processes, and the most active IP addresses in the Apache SSL logs. It takes a minute or two, but it completely changes the way you feel about your server.

Very quickly, a pattern emerged. Load averages sat well below the number of CPU cores, memory usage was stable, and swap hovered at a steady level instead of climbing relentlessly. The IP list showed a mixture of familiar ranges: search engines, cloud providers and the occasional noisy address. When something unusual did appear, it stood out immediately – and could be blocked or rate limited long before it became a serious issue.

That routine turned “mystery outages” into predictable, manageable behaviour. Instead of worrying about hidden attacks, I could see at a glance when things were normal and when they were not. Managing bot attacks stopped feeling like guesswork and became part of a straightforward daily health check for the VPS fortress.

What We Learned About Bots – And Why the Fortress Holds

After all of this work on managing bot attacks, the biggest surprise was how ordinary most of the threat really is. The bots did not endlessly reinvent themselves or arrive from brand new providers every day. Instead, the same data centre ranges and low-effort scripts kept turning up, knocking on the same doors in slightly different ways. Once we tightened the VPS, cleaned up our own jobs, and enforced sane limits at the firewall, those bots became far less frightening.

The lesson is simple: you do not need a perfect security system to run a stable VPS hosting WordPress and WooCommerce. You need a reasonably lean stack, disciplined cron and task scheduling, proper firewall tools like CSF and IPSET, fair rate limiting, and a short daily check that tells you what the server is really doing. Put together, these pieces create a VPS fortress where bad bots are managed, not feared, and where your real visitors and search engines can get on with their business in peace.

If you are running your own server and feel as if you are constantly on the back foot, managing bot attacks may be less about buying another plugin and more about taking control of the VPS itself. A few well-chosen changes can turn daily firefighting into a quiet, predictable routine – and that, in the long run, is what real security feels like.

A Final Word on Managed VPS Myths

One last precaution is worth stating plainly: we run all of this on a managed VPS, and it is still entirely up to us to deal with managing bot attacks and performance. The provider keeps the hardware and base platform running, but they do not tune your firewall, stagger your cron jobs, analyse your logs or decide which IP ranges should be blocked. The common Internet wisdom that “no technical skills are required to run a managed VPS” is, in my experience, complete nonsense.

If you are not prepared to look under the hood even a little – to run basic checks, review logs and make informed changes – then you are usually better off on good quality shared hosting, where that responsibility truly sits with someone else. A VPS gives you power and flexibility, but it also hands you the keys to security and stability. Treat it as a fortress that you actively manage, not a magic box that someone else will protect for you.

CONTACT SYDNEY BUSINESS WEB NOW!

get started online NOW with your ONLINE BUSINESS ENGINEERING

Call Us
Email us

Further Reading

Cloudflare: Managing Bots


About the author 

Rowley Keith MBA BSc (Hons)

Professional Engineer, Web Guru, former Para, miner and Merchant Navy Officer. MBA and BSc (Hons). Proud Australian. Founder of Sydney Business Web, Thornton NSW.

You may also like