Website Security with BotScope
Malicious bots disguise themselves. They spoof Googlebot UAs, scan /wp-admin, /.env, /phpmyadmin/ or flood your login with credentials. BotScope identifies them by behaviour — not by the UA string, which is lying anyway.
🛡️ Three-stage scanner detection
1. Path heuristic: Requests to .env, .cgi, wp-config.php, phpmyadmin, actuator, git/config → flagged as probe paths.
2. Status filter: 4xx on probe paths + POST requests with 4xx → confirmed scanner.
3. IP reputation: An IP that had ONE scanner hit has ALL its further requests flagged as scanner, even when it fetches / or /robots.txt normally in between.
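The three stages above, run over a few access-log lines, as an added example (not BotScope's own code). It assumes combined log format, reads stage 2 as two separate triggers (4xx on a probe path, or any POST answered with 4xx), and uses a hypothetical "probe" verdict for stage 1 hits that are not yet confirmed.

```python
import re

# Stage 1 markers, taken from the probe-path list on this page.
PROBE = re.compile(r"\.env|\.cgi|wp-config\.php|phpmyadmin|actuator|git/config", re.I)
# Fields needed from a combined-format access log line: IP, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Googlebot/2.1"
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Googlebot/2.1"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Googlebot/2.1"
198.51.100.20 - - [01/Jan/2025:10:00:03 +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.55 - - [01/Jan/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 401 90 "-" "curl/8.0"
192.0.2.99 - - [01/Jan/2025:10:00:05 +0000] "GET /.env HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""


def parse(log):
    """Yield (ip, method, path, status) for each parseable line; skip the rest."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ip, method, path, status = m.groups()
            yield ip, method, path, int(status)


def classify(log):
    """Return (scanner_ips, labels); labels holds (ip, path, verdict) in log order."""
    scanners, labels = set(), []
    for ip, method, path, status in parse(log):
        probe = bool(PROBE.search(path))              # stage 1: path heuristic
        is_4xx = 400 <= status < 500
        if is_4xx and (probe or method == "POST"):    # stage 2: status filter
            scanners.add(ip)
        if ip in scanners:                            # stage 3: IP reputation
            verdict = "scanner"
        elif probe:
            verdict = "probe"                         # flagged, not yet confirmed
        else:
            verdict = "clean"
        labels.append((ip, path, verdict))
    return scanners, labels


if __name__ == "__main__":
    for row in classify(SAMPLE_LOG)[1]:
        print(*row)
```

In the sample, the 200 on /.env stays at "probe" because stage 2 only confirms on 4xx; a successful response on such a path is worth reviewing separately.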
🌐 Cross-customer reputation
BotScope maintains a global scanner IP list. An IP that scans customer A is automatically identified as known-malicious for customer B — scanners mostly come from the same botnets.
📊 Real-world use case
Scenario: A Magento shop is hit by 12,000 scan attempts per day on /.git/config.
BotScope finding:
- 247 distinct IPs
- 18 countries
- 96% fake Googlebot UAs
- 3 hosting clusters
Action: Block these 247 IPs in iptables → server load −8%, no more scan traffic.
🚨 What you can permanently detect with BotScope
- 🔓 Brute-force login: High 401 rate on /wp-login.php or /admin/
- 🎭 Credential stuffing: POST bursts with application/x-www-form-urlencoded + rotating IPs
- 💉 SQL injection: Path contains UNION, SELECT, 1=1
- 📁 Path traversal: ../, %2e%2e%2f in URLs
- 🤖 Fake Googlebot: UA = Googlebot, but IP not in official Google ranges → flagged as Google Unofficials