In the last year we have observed a rapid increase in the number of bots targeting Magento 2 website with spam bots been the most frequent.

Spam bots target forms that sends emails. Magento 2 spam bots mostly create fake user accounts and fake newsletter subscribers . The aim of spam bots is generally to get your website to send mail on the behalf of an hacker/Spammer , Search your website for vulnerabilities , gain access to your website data/resources and collect your email address. Spam bots can harm your website reputation , slow down your website thus  creating a poor user experience for legitimate customers . Bots can also have a negative effect on your SEO.

There is no foolproof ways to keep bot of your website as hackers develop new methods everyday . Below are some steps to eliminate  almost all bots,  if you have implemented the steps below and you still continue to have issue send us a message so we can do a custom audit on your website.

Create a WAF for your magento2 server

Commercial website firewall can be expensive if you are not willing or able to invest in a commercial WAF have your devops implement a a opensource web application firewall like modsecurity . If you need a graphical interface for modsecurty install waf-fle in the early days of implementing your firewall constantly monitor your access and error logs to ensure that your rules are blocking IP Addresses with suspicious behavior .

Do security Scans at least one a Month

There are several companies offering monitoring services for your websites at commercial prices. Magereport provides a free service to give you quick insights on the security of your magento store . Scanmyserver provides a free service service that can help you to identify vulnerabilities on your website . Its important that your Magento website have all the latest patches and your magento extesions are up to date.

Additional form validation

Have your web developer do additional validation on all your forms both on the server and the client side . for example the first name field should only allow letters to be entered there should be no links in this field . you can also limit the number of characters allowed in a field based on your local .


All forms that can trigger a email should include Recapacha . Recapacha is not necessary for your check out forms as this may decrease conversion. Bots that made it pass your firewall will be prevented from filing out forms once recapacha is installed . Take a look a your recapacha admin at least once a month to get insights on the amount of failed attempts .