An number of my book blogging friends have been getting weird, inflated stats on our blogs over the last few months. I’ve had the odd one, but then it got sustained on my book blog (stats pictured above) and, as I pay for that one, I was able to engage with a “Happiness Engineer” (probably a real person using AI-generated or standard text).
I was worried my content was being stolen or bots were trying to do something, perhaps a Denial of Service attack. WordPress claim this is down to re-indexing. Anyway, I asked if it was OK to share our conversation and they said it was. So here goes:
YouTue, Feb 17, 11:56 AM
My pro account (librofulltime.wordpress.com) is experiencing higher than normal traffic and I believe it’s being scraped by bots. Mainly North America. This has happened to my free account, too. What is WordPress doing to stop this, as I’m concerned about denial of service attacks and my content being stolen?
WordPress.comTue, Feb 17, 11:58 AM
Hello! You are now connected to a Happiness Engineer. I’m here to help. Please wait a moment while I review your conversation and check your account.
YouTue, Feb 17, 12:00 PM
Thanks!
WordPress.comTue, Feb 17, 12:02 PM
Thank you for sharing your concerns about the increased traffic and potential bot scraping on your Pro account, librofulltime.wordpress.com, as well as your free account. It’s important to keep your site secure and your content protected.
WordPress.com proactively employs multiple systems to detect and mitigate malicious traffic, including bots and potential denial of service attacks. Some of these measures include:
– Automated traffic filtering and rate limiting to prevent abuse
– Use of security monitoring and firewalls at the server level
– Blocking IP addresses identified as sources of suspicious activity
– Ongoing updates to security policies and tools to adapt to new threats
For your specific situation, here are a few steps you can take to further enhance protection:
1. Enable two-factor authentication on your account to secure login access.
2. Review and restrict user roles and permissions if you have multiple contributors.
3. Use plugins or built-in WordPress.com tools that help monitor suspicious activity and block unwanted bots.
YouTue, Feb 17, 12:03 PM
Thank you. I already do 1 and I am the only contributor. What tools can I access from wordpress.com that will help monitor and block unwanted bots, please?
WordPress.comTue, Feb 17, 12:07 PM
Thank you for letting me know that two-factor authentication is enabled and that you are the sole contributor to your site. That definitely helps with securing access.
Regarding tools available on WordPress.com to monitor and block unwanted bots, here are some options you can explore:
– Site Stats and Traffic Insights: Your WordPress.com dashboard includes traffic analytics that can help you identify unusual spikes or traffic from suspicious sources. These insights can be a first clue to bot activity.
– Jetpack Security Features: Since WordPress.com includes Jetpack features, you benefit from Jetpack’s security modules, such as brute force attack protection and downtime monitoring. These help protect your site from malicious bot traffic and attacks.
YouTue, Feb 17, 12:08 PM
I already look at my traffic analytics as that’s how I know I have a spike and the country it’s coming from. How do I initiate Jetpack’s security modules, please?
WordPress.comTue, Feb 17, 12:10 PM
It’s great that you are already monitoring your traffic analytics closely—it’s a key step in spotting unusual activity.
Regarding Jetpack’s security features on WordPress.com, the good news is that many of these protections, such as brute force attack protection and downtime monitoring, are automatically active for all WordPress.com sites, including your Pro plan. There is no need for a separate setup or activation; these modules work in the background to help safeguard your site from malicious activity.
WordPress.comTue, Feb 17, 12:10 PM
It’s great that you are already monitoring your traffic analytics closely—it’s a key step in spotting unusual activity.
Regarding Jetpack’s security features on WordPress.com, the good news is that many of these protections, such as brute force attack protection and downtime monitoring, are automatically active for all WordPress.com sites, including your Pro plan. There is no need for a separate setup or activation; these modules work in the background to help safeguard your site from malicious activity.
YouTue, Feb 17, 12:12 PM
So is there nothing else I can do to protect my site? My stats are rendered useless now, which is a shame.
YouTue, Feb 17, 12:14 PM
and I’m worried my site is in danger or my content being stolen.
WordPress.comTue, Feb 17, 12:18 PM
As I mentioned previously, WordPress.com has built-in protections in place to handle high traffic and automated bot activity. Our platform is protected by network-level firewalls, rate limiting, and DDoS mitigation systems that automatically detect and block abusive or malicious traffic, including scraping attempts and denial-of-service attacks.
Because these protections operate at the infrastructure level, most bot traffic is filtered before it ever reaches your site, and it won’t affect your site’s availability or performance.
Regarding content scraping, WordPress.com actively monitors abusive behavior and blocks known bad actors. While it’s not possible to prevent all automated access on the open web, our systems are designed to significantly reduce harmful scraping and protect your content.
If you’re seeing unusual traffic patterns in your stats or have specific IP ranges or examples you’re worried about, feel free to share them and we can take a closer look.
YouTue, Feb 17, 12:19 PM
That’s what I started off by telling you! I have had unusual patterns on my paid account librofulltime.wordpress.com
YouTue, Feb 17, 12:20 PM
I usually get about 450 hits per day maximum. From 12 Feb I’ve had over 2,700 per day, 15,000 on 14 Feb.
YouTue, Feb 17, 12:21 PM
I have also had a spike of 19,400 on my libroediting.com free site on 13 Feb.
YouTue, Feb 17, 12:21 PM
That usually gets similar numbers. I was getting a lot of Chinese hits from it a month or so ago but these are US.
WordPress.comTue, Feb 17, 12:24 PM
Thank you for sharing this. As the next step, I recommend checking Referrers in Your Stats: Look at the referral sources in your WordPress.com stats dashboard to see if any unusual external sites or bots are sending traffic.
YouTue, Feb 17, 12:25 PM
Yes, I keep an eye on that – it’s majority Search Engines but for example on 14 Feb there were only 265 from there, one each from other sources.
YouTue, Feb 17, 12:25 PM
Referrers
Views
Search Engines 265
WordPress.com Reader 8
perplexity.ai 1
zurefy.com 1
gemini.google.com 1
Facebook 1
bookjotter.com 1
YouTue, Feb 17, 12:26 PM
or would one of the ones with 1 then spread out across the site from there? I know bookjotter and gemini but not the others. Is it gemini mining the site for its LLM?
WordPress.comTue, Feb 17, 12:30 PM
Great question — what you’re seeing there is normal and not an indication of a coordinated scrape or attack.
When stats show a referrer with “1 view”, that usually means a single page request, not a crawler spreading across the entire site. If a bot or scraper were systematically crawling your content, you’d see hundreds or thousands of hits, often without meaningful referrer data, or a sudden spike across many pages.
Regarding the specific sources:
- Search Engines (265) → standard indexing activity (Google, Bing, etc.).
- gemini.google.com (1) → this is typically a preview or fetch request associated with Google services. It does not indicate full-site mining or training activity.
- perplexity.ai (1) → usually a user-generated lookup or preview, not bulk crawling.
- zurefy.com / bookjotter.com (1) → likely a single referral click or automated preview; these are not behaving like aggressive scrapers based on the data shown.
WordPress.com already blocks known abusive crawlers and large-scale scraping at the network level. If Gemini, Perplexity, or similar services were crawling your site at scale, it would appear as significantly higher, sustained traffic, which isn’t happening here.
So in short:
- No evidence of an LLM scraping your site
- No indication of a denial-of-service risk
- No spreading crawl from those single referrers
YouTue, Feb 17, 12:35 PM
OK, thank you. So why have I got so many hits on that day? It’s not organic, I know that, I’ve had these two sites for years and years and I’ve had organic growth on librofulltime slowly.
YouTue, Feb 17, 12:35 PM
And the days around it.
YouTue, Feb 17, 12:36 PM
This is the top ones from that day – most of those posts are ones that are not particularly popular normally.
The Iris Murdoch Society Conference 2024 137
State of the TBR – October 2023 106
A rare DNF half-way through! 92
I’ve not disappeared! 87
Book review – Candice Carty-Williams – “Queenie” plus Book Confessions #amreading #bookconfessions 84
State of the TBR – April 2022 82
Book review – Anne Tyler – “The Accidental Tourist” #AnneTyler2021 79
Book review – Barbara Kingsolver – “Demon Copperhead” 78
Book review – Gertrude Bell – “The Desert and the Sown” 78
YouTue, Feb 17, 12:37 PM
to be clear, and to quote you, this is what I’m getting: “you’d see hundreds or thousands of hits, often without meaningful referrer data, or a sudden spike across many pages.”
YouTue, Feb 17, 12:38 PM
e.g. the top one Iris Murdoch Society Conference I got a few hundred hits the days after I published it, then 6 or 7 per month until this day.
YouTue, Feb 17, 12:39 PM
A Rare DNF half-way through typically gets 1 or 0 hits per month, now 253 this month.
YouTue, Feb 17, 12:40 PM
Nothing in the referrals to back up or explain these high hits. Feb 14 I have 1.31 views per user on average, if that helps.
WordPress.comTue, Feb 17, 12:41 PM
Thanks — that helps clarify it. This pattern fits search engine re-indexing, not scraping or an attack. Older posts that normally get very low traffic can briefly spike when search engines re-evaluate them, which is why you’re seeing activity on posts that are usually quiet.
The key indicators here are:
- Traffic attributed to Search Engines, with no suspicious referrers
- Views spread across many different posts, not one URL being hammered
- A short-term spike rather than sustained growth
- An average of ~1.3 views per visitor, which is typical of crawler behaviour (humans usually view more pages)
If this were scraping or LLM harvesting, you’d see persistent, repetitive hits, higher volumes per page, or missing referrer data. Based on what we’re seeing, this is benign indexing activity, and nothing harmful is happening.
YouTue, Feb 17, 12:42 PM
OK, thank you, that is reassuring.
WordPress.comTue, Feb 17, 12:44 PM
You’re very welcome — I’m glad I could help reassure you 
YouTue, Feb 17, 12:46 PM
If it’s OK, I will copy this and share on my blog as I have a few friends who have had similar issues recently.
WordPress.comTue, Feb 17, 12:47 PM
Thank you for asking! You’re absolutely welcome to share the information from our conversation on your blog. It’s great to hear you want to help others who might be experiencing similar issues.
If you or your friends have any further questions or need assistance with anything else on WordPress.com, please don’t hesitate to reach out. It’s always a pleasure to support your site and your community!
Well, I’m not sure I am convinced or reassured. I should have told them that 99% of the hits are coming from desktops rather than tablets or phones, though not sure what that would have done. I’m sharing this to spare someone else the long task of having this conversation, and also wondering if anyone else has had this conversation and the same or different results!
LibroEditing proofreading, editing, transcription, localisation 