Bits n Bobs | Blog

Fake Web Traffic Is Taking 36% Of Your Business


If we add up all of the computers that have been programmed to visit sites without any human involvement, it would amount to about 36% of all internet traffic.

That’s 36% that you will never see any profit from, despite any investments you make, which is a hefty chunk.

Reid Tatoris at MediaPost has stated that only 15% of impressions ever have the possibility to be seen by a real person, which means that if you spend £10,000 on your ad budget, only £1,500 has the chance to actually be seen by a real human.

How Can My Web Traffic Be Fake?

But what does this mean, exactly, and how does it affect my eCommerce business?

There are four main types of fake web traffic:

  1. Bot Traffic – this is where automated bots, or ‘spiders’ operate like real users. they are used to raise the traffic levels of a scam website, generate artificial web content and collect email addresses for phishing scams. Captcha forms are often used to prevent spam bots but these can also turn away real users.
  2. Ad Insertion – There are a number of ways ads can be used by spammers:
    1. Spam bots will insert links into your content without your permission, gaining traffic when a user clicks through to them. Additionally, clicking on these ads will often leave Trojan viruses on your computer to gather your personal data.
    2. Ads will get hidden underneath other ads in an attempt to trick ad networks into serving higher-paying ads on their site
    3. Ads are compressed into tiny 1×1 pixels which then are accidentally clicked by the user and it takes them to a fraudulent website
  3. Re-targeting Bots – Here the bots go to the homepage of a website to get retargeted with ads. The bot then visits a fake website to generate fraudulent ad clicks. These bots have become so adept at mimicking real human behaviour that marketers may end up spending more to target these ‘customers’ when in fact they are targeting bots.
  4. CMS Hacking – 2014 was notorious for this as big names such as WordPress and Drupal were hacked, leading to back-doors being created, customer information being stolen and Trojan programmes left behind. Once a hacker gets into your CMS, they can do a lot of damage, some of which you might not even notice until it is too late.

There are also fraudsters who set up fake websites with the intention of hosting adverts. These fakers use spam bots to increase traffic to the website and so entice advertisers to buy advertising spaces.

The scam is that the advertisers have no idea that the ‘traffic’ the website appears to be drawing in is robotic and not the real potential customers they were hoping to target.

How To Spot Fake Traffic

If your website has suddenly received a high flow of traffic and you think it could be fake, head over to your Analytics.

Things to look out for include:

      • A lot of traffic directed at just one page – you can also check IPs and see if the same domain is responsible for the majority of the traffic
      • High levels of traffic from one area of the world where you don’t have any clients/business presence in. This doesn’t just apply to countries – check cities and language as well and look for patterns or sudden spikes
      • The majority of users using the same browser – although there is a slim chance this could happen, it is doubtful that 99.9% of your users are all using Chrome for example. Natural traffic will look more diverse.
      • Check with other websites for common spam sites (Moz has listed a few in this article). Often spammers will change their website once enough people become wise to it, so check with trusted sources whenever possible to keep on top of the latest spam IPs
      • If your traffic is showing high bounce rates but very low times spent on pages, this is often an indicator of fake web traffic

Keep in mind that all of the points laid out above are simply indicators of fake web traffic and you may need to examine two or more of them to be sure.

How To Reduce Fake Traffic

There are a number of things you can do to reduce or block fake web traffic, before and after it has hit your website.

Keeping on top of activities like this will definitely help to reduce the overall impact it has.

Excluding specific domains from Analytics Referral traffic

You can exclude certain website domains so that any traffic from those sites is automatically removed. Google Analytics has a really simple system in place which is pretty effective.

Head to your Admin section and then find your Tracking Info in the Property column:


Once you have clicked Tracking Info, select ‘Referral Exclusions List’ from the drop down menu:


Once you are in here, you can add Domain that will be excluded from now on:


Although this solution might seem like a winner at first, it does have some loopholes.

      • You can block domains in a straightforward fashion, but to block sub-domains, you’ll need to use a ‘wildcard’. For example, if you were getting spam traffic from, you’d need to type in * into the Domain section. A wildcard will block all domains and subdomains but you should just be able to enter a single subdomain such as “”. That’s still a domain in its own right, even though it’s a subdomain of
      • Secondly, if the fraudster leaves their current host, someone else can get hold of the old IP. So if you block that particular IP, it could be passed on to someone else, and they might be a real potential customer. Plus, the original spammer can just set up a new IP and start all over again.
      • Thirdly, if the spammer is using a phishing technique, the domain they are using could be perfectly legitimate and therefore if you block it, you’re potentially blocking future customers as well.
      • And finally, if the spammer uses a VPN and/or Proxy, they can change their IP address at the click of a button.


You can go deeper and block users from accessing any pages on your website via .htaccess.

Assuming you are using an Apache server, you can use a code, like the one below, to block a domain from getting anywhere near your web traffic.

As an example, here is a code used to block visitors referred from

RewriteEngine on
RewriteCond %{HTTP_REFERER} semalt\.com [NC]
RewriteCond %{HTTP_REFERER} semalt\.semalt\.com [NC]
RewriteRule .* - [F]

RewriteCond %{HTTP_REFERER} rankings-analytics\.com [NC]
RewriteCond %{HTTP_REFERER} rankings-analytics\.rankings-analytics\.com [NC]
RewriteRule .* - [F]


There is a WordPress plugin called Wp-Ban which allows you to block spam based on IP, IP range, host name, user agent and referrer URL.

Although this is not useful for most eCommerce sites, this is a handy and quick plugin for any WordPress website.

You can also get WordPress plugins that respond to what appear to be fake web traffic if you’re seeing a lot of activity from a single IP address. The plugin acts like a firewall and, when it sees something it views as malicious, can automatically block access for a certain period of time.


The truth is, there’s no simple answer to this problem. If there was, everyone would be employing it by now and fake web traffic would be non-existent.

If people don’t know about fake traffic. of course, they’re ignorant of the need to answer a problem they’re not aware of. It’s like keeping Windows updated; Windows updates have been available for years but it’s only recently that people have cottoned on to the fact that they need to implement it.

What you can do is continuously monitor your traffic, remove issues as and when you find them and be vigilant at all times.

The harder we make it for spammers to operate online, the better our eCommerce future starts to look.