Posted on December 21, 2014

How to stop Spam bots attacking your Google Analytics webstats

By Neale Gilhooley, (updated 17/03/16 with a solution!)

Recently when poring over our own and clients Google Analytics data we have come across some very unwanted results, in the referrals column. At first you think someone is giving your site a huge traffic boost then under closer inspection you realise that your site data (not the website itself) is being spammed. Its called Referrer/Referral spam aka Ghost spam. You only find out when you see some of the referring sites such as:, Google Inc,, GaurdIan (not Guardian!) and various pages that look like forums. These are not sending traffic to your site they are auto bots and leave a trail to fool you into follow. Once you search for them you may hit a spam links page forwarded to some promo site or another, but most likely you will see numerous warning results on Google. Below you can see how 7 out of the top 10 results on our stats are ghost referrals (aka fake/spam).

Google analytics referrals

What enormous lengths to go to too spam people but what they do know if that real people read their analytics report and check on where traffic apparently comes from. And for these spammers it is automated.  They are not visiting your site only sending out a fake ping with a fake or promo URL to give that impression. This not only messes up stats and makes a mockery of the authenticity of results but cuts across so much of your data. It is already quite hard to explain to Clients exactly what a Referral site is, or how a Network is actually the name of a server, then these spammers come along and really digitally defecate across your webstats. Plus worryingly your bounce rate goes through the roof, a bad sign as far as Google is concerned (is this still the case?) as it can indicate a lack of engagement by your visitors due to your content.

What is Google doing to resolve this issue with their data? Good question, as yet we cannot find an answer for Google Analytics however they are more convened about scaring off advertiser dollars so see below for the TAG update, which may help.  For Analytics But here is what Google Webmaster Matt Coutts said “there is no authentication with referrals” in this YouTube video explaining in details how the spam occurs but not how to eradicate it.  So what’s the cure? (Updated section) This guy has solved this issue by showing you how to set up and apply a filter that will removed the referral spammers then apply it to your historic Google Analytics data > Scott Henderson, Search Commander 

You can block their IP addresses via your Google Analytics account but these spamming companies will perpetually mutate their attacks using different domain names and various IP addresses or IP deceivers to continue their practices and warp your webstats.

GA View settingsExcludeFor most Analytics users the easiest way is to block bots from your stats, log in and go to your Admin tab (top right on navigation), select Admin and then you will see three columns,select the right had side termed View Settings, then on the next screen scroll down to check the box for Bot Filtering Exclude all hits from all known bots and spiders, then don’t forget to click the blue Save button at the foot and you are done.

We will update this post as time rolls on, hopefully Google will implement a more permanent solution.

posted by Neale Gilhooley

See Matt Coutts explanation video here > Google Webmasters

If you are capable of adding coding to your site you can one-by-one block the most prolific referring spammer but for most people that is just too much effort, pity Google’s block button does not seem to hit the ones we want. Try this .htaccess Solution
If you are receiving spam within Google Analytics which is caused by spam bots actually visiting your website and triggering the Google Analytics JavaScript, then this solution is for you.

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} otherdomain\.com [NC,OR] RewriteCond %{HTTP_REFERER} anotherdomain\.com
RewriteRule .* – [F]

Simply add this into your .htaccess file and add as many ‘RewriteCond’ lines as required for the bots you would like to block. There are a few pieces of terminology to explain in the above.
RewriteEngine on: This is always at the start of your .htaccess file
# Options +FollowSymlinks: This line is commented out as it often isn’t needed. Depending on how your web server is configured, you may need to uncomment this if you start to receive an error message of ‘500 Internal Server Error’. This means your server isn’t configured with FollowSymLinks in the ” section of the ‘httpd.conf’.
RewriteCond %{HTTP_REFERER}: Each of these lines will run the ‘RewriteRule’ if one of the conditions is met. For example in this case, if the referrer is from one of the spam domains that you want to bloc.
[NC,OR]: These flags at the end of the RewriteCond line should be present on all RewriteCond lines, except the final one. The NC flag stands for Non-Case-sensitive. The OR, stands for… or. So if this condition is met, or, the next condition is met, or the next one, etc.
RewriteRule .* – [F]: This rule will trigger if one of the rewrite conditions has been met. This rule is basically saying that anything that comes in will be shown the Forbidden message so that the page will never be loaded and the Google Analytics JavaScript will never be triggered.

UPDATE: Now Facebook, Google Bing and Yahoo are uniting to fight the bots.  However don’t get too excited as they are doing it along with many others to ensure that faith in the PPC and Banner Adverts is maintained as rather belatedly many global and national advertisers, ad agencies and media agencies are unhappy that so many ads are triggered or seen only by bots. And bots don’t have any spending power but they do cost the advertiser money from their budgets, pure wastage. So that is the reason that they’ve all joined TAG (the Trustworthy Accountability Group – as an “advertising industry initiative to improve the digital ecosystem”, wow that sounds so selfless and noble. Hopefully as a bi-product they can reduce spam, spambots, malware etc.

TAG aims press release:

The Drum article with industry quotes >