Kinsta, a managed WordPress hosting provider, yesterday published a report analyzing more than 10 billion HTTP requests across its hosting infrastructure, finding that AI crawlers sent 3.75 million requests to a single WordPress shopping cart page in a 24-hour period - and that across all tracked bots, the total for add-to-cart URLs reached 7.67 million hits within the same window. The findings reframe the AI bot discussion from a content attribution problem into a measurable infrastructure and e-commerce performance problem.

The headline numbers

The report, published on June 18, 2026 and available at kinsta.com/ai-bot-traffic, draws on Kinsta's own infrastructure logs rather than third-party estimates. That distinction matters. Most industry datasets measure bot traffic at the network edge, where the numbers reflect request volume but not what those requests actually cost in compute terms. Kinsta's data sits closer to the WordPress execution layer, where the costs become concrete.

Three figures stand out from the analysis. A single bot sent 3.75 million requests to WordPress shopping cart URLs in one day. Across all crawlers observed on the platform, that total rose to 7.67 million add-to-cart hits within 24 hours. A separate misbehaving crawler generated 550 million requests in a single calendar month before infrastructure rules caught and stopped it. According to Kinsta, the 3.75 million figure - attributed to a ClaudeBot-identified crawler in the data visualised in the report - translates to roughly one request every 23 milliseconds, sustained continuously around the clock, with each request treated as a new, uncached transaction by the server.

The scale puts these numbers in a different category from routine background crawling. They describe a system under stress that may not be visible at all to the site's owner.

Why cart pages are the worst target

Not all web pages are equal from a server cost perspective, and that gap is central to why this report matters. Static pages - blog posts, product descriptions, most marketing content - can be served from cache. The server returns a pre-built version of the page, the compute cost per request stays low, and even high crawl volumes remain manageable.

WooCommerce endpoints break that model. Pages like /cart/checkout, and URLs containing ?add-to-cart= parameters cannot be served from cache in any conventional sense. According to Kinsta, every request to these paths triggers a distinct sequence of work on the server. A PHP thread is reserved for the full duration of the request. The dynamic page issues fresh database queries on every load. Cart and checkout pages also create or validate user sessions, adding overhead that applies regardless of whether the requesting entity ever completes a purchase. For a bot that will never convert, those session costs are pure waste.

The significance compounds when considering that PHP workers are a finite resource. Under sustained bot load, available threads deplete. Legitimate shoppers waiting to check out encounter queued requests and slower page loads - or failed transactions entirely. The problem is silent from a conventional analytics perspective. Standard web analytics tools filter bot traffic out of dashboards. The impact on checkout performance may register only as a vague uptick in abandoned carts or an unexplained increase in page load times. There is no obvious explanation in the data that points to a bot stuck in a loop.

How the loops start

According to Kinsta, most AI crawlers are not attacking in any deliberate sense. They are following links. Modern e-commerce sites, particularly those running WooCommerce, generate large numbers of URLs that appear distinct to a crawler but represent the same underlying page to a human visitor. A product page with a color filter applied becomes a different URL from the same page without it. Add a size parameter and the URL changes again. Introduce a sort order, a pagination offset, a stock filter - each generates another unique string that a bot following links records as a new destination it has not yet visited.

The Kinsta report illustrates this with a concrete example from its infrastructure logs. What a human recognises as a single product page becomes a sequence of six or more distinct URLs as query string parameters accumulate - /product, then /product?color=red, then /product?color=red&size=M, and so on. The bot follows the first link, which generates a variation, which the bot follows, which generates another. It has no mechanism to detect that it is traveling in circles. Some of these loops ran undetected for multiple days before infrastructure-level rules identified and stopped them.

The observer from Cloudflare with a long background in data insights, David Belson, is quoted in the Kinsta report framing the source of the problem. According to the report, Belson noted that "there's the person who didn't know what the hell they were doing yesterday, but vibe coded a bot today and let it loose - they're not even bothering to check robots.txt." The comment underscores that a significant fraction of problematic bot behavior is not coordinated or malicious; it is careless automation scaled to a size that creates real damage. Belson is also quoted in the report on the general principle: "You can't just spray and pray... you've got to act like a responsible end user. You can't be hammering a website with requests."

The scale of the broader shift

The Kinsta findings arrive against a backdrop of rapidly escalating bot traffic across the web. According to Cloudflare Radar data referenced throughout industry coverage, bots now account for 57.4% of all HTML web traffic, with human visitors at 42.6% - a crossing of the majority threshold that happened faster than most observers had projected.

The Kinsta report cites the Akamai Digital Fraud and Abuse Report 2025, which documented a 300% increase in AI bot traffic over one year. It also references TollBit's State of the Bots Q4 2025 report, which tracked the share of web visits attributable to AI bots moving from roughly 1 in 200 at the start of 2025 to 1 in 31 by year-end. That is a dramatic shift in a short period.

AI crawlers consumed 4.2% of all HTML requests across Cloudflare's network in 2025, with the figure ranging between 2.4% in early April 2025 and 6.4% in late June - nearly a threefold swing within a single year. GPTBot from OpenAI grew 305% between May 2024 and May 2025. According to the Kinsta report, 80% of AI crawling activity is purely for model training, generating no referral traffic back to the sites that incur the infrastructure costs.

The breakdown of which crawlers generated the most add-to-cart hits on Kinsta's platform is notable. The Kinsta report's infrastructure data attributes the largest share to ClaudeBot, at 3.75 million requests, followed by BLEXBot at 1.84 million, GPTBot at 0.98 million, Googlebot at 0.71 million, and AhrefsBot at 0.39 million.

The presence of Googlebot in that list is worth specific attention. Cloudflare and ETH Zurich researchers documented in April 2026 that even well-behaved crawlers can get caught in the same URL variation traps. The Kinsta report makes the same point directly: even Googlebot - the crawler that site owners absolutely cannot afford to block - got trapped in the identical pattern on some of the sites in its dataset. Blocking Googlebot to reduce server load would eliminate search visibility, which is why Kinsta's framework recommends path-specific restrictions for that crawler rather than blanket exclusion.

The SEO dimension

There is a separate cost that the report identifies beyond immediate server performance. Crawl budget is a finite resource. Search engines allocate a certain number of requests to a given site within a given period. When bots - including the search engine's own crawler - burn that budget on near-infinite variations of the same dynamic URL, they spend less of it discovering and indexing pages that actually matter for rankings.

Google has explicitly identified faceted navigation and parameter-heavy URLs as sources of crawl inefficiency. Each variation looks new, so crawlers keep requesting them, consuming the available crawl budget and reducing the attention available for genuinely distinct content. According to Kinsta's analysis, bot behavior directly affects both infrastructure costs and content discoverability, and the interaction between these two effects is what makes the problem hard to characterize and harder to remedy.

The crawl-to-visit ratio data that Botify published in March 2026 adds another dimension. For every single visit that OpenAI's systems deliver to a retail website, those systems perform 198 crawls. Google generates one visit per six crawls. The disparity illustrates that AI crawlers consume server resources at a rate entirely disproportionate to the commercial value - if any - they return to the sites they visit. For e-commerce operators, that ratio is not merely a philosophical concern; it is a line-item cost in CPU usage, database queries, memory allocation, and bandwidth.

The decision framework Kinsta proposes

Rather than advocating for blanket bot blocking, the Kinsta report introduces a framework organized around what type of site is being operated and what outcome the operator is trying to protect. The report argues that the right approach depends on the specific site, its traffic patterns, and its priorities - and that no single policy applies everywhere.

Daniel Pataki, CTO of Kinsta, is quoted in the report on the foundational infrastructure point: "From an infrastructure perspective, there's no such thing as 'just bot traffic.' Every request is real work. At scale, inefficient crawling stops being a traffic problem and becomes a resource problem."

For a WooCommerce store specifically, the report recommends blocking all crawlers from /shop?add-to-cart= and /checkoutpaths via robots.txt. For AI training crawlers - GPTBot, ClaudeBot, Amazonbot - the report recommends a WAF-level challenge at those endpoints, on the basis that cart and checkout pages offer no meaningful training data and carry high server costs per request. Unverified bots with no identifiable purpose should be blocked from store endpoints entirely. Internal automation tools - order sync services, stock management systems, uptime monitors - should be explicitly whitelisted by IP range to ensure they continue functioning.

The report also flags a specific technical risk in WooCommerce configurations: session tokens and quantity suffixes in URL parameters generate loop-prone variants. Auditing WooCommerce permalink settings to reduce parameter sprawl is listed as a direct mitigation step.

The broader tension the framework addresses is one that Cristian Lopez, Managing Editor at HostingAdvice, articulates in the report: "The misconception is thinking bot traffic is a simple 'block or allow' problem. In reality, it's about policy, visibility, and economic control."

Agentic traffic is next

The report closes by looking beyond current crawling patterns to what is already beginning to appear in infrastructure logs. Agentic traffic - automated tools built to take actions on websites, not merely read them - is a distinct category from content crawlers. Where a training crawler reads a product page and leaves, an agent may add items to a cart, initiate checkout flows, query inventory systems, or interact with AJAX-powered interfaces.

According to Kinsta, Google has already announced a dedicated user-agent to log when its AI agents interact with websites. The responsible platforms identify themselves, respect crawl delays, and avoid hammering endpoints that serve no purpose. Others will not.

HUMAN Security data published in April 2026 found that automation was growing eight times faster than human traffic, and that most analytics platforms were designed for a human-centric internet and offer no structured view into how AI crawlers, search agents, or agentic commerce flows interact with a site. The Kinsta report's observation that add-to-cart endpoints are already the most-hammered targets takes on a specific significance in this context: those are exactly the endpoints that agentic commerce systems would need to access to complete purchases.

The Shopify myshopify.com architecture issue documented in April 2026 showed that even comprehensive defensive configurations could be rendered ineffective when bots bypassed the primary domain and sent requests directly to a platform subdomain. For WooCommerce operators, the parallel risk is bots - whether training crawlers stuck in loops or agentic systems acting intentionally - hitting endpoints that the hosting layer is not configured to protect.

What the data means for marketing and advertising teams

The Kinsta report has specific relevance for marketing professionals managing paid campaigns and conversion measurement. Checkout page performance is a direct input into paid search and paid social conversion rates. If a WooCommerce checkout page is running slow because PHP workers are exhausted by bot loops, the advertiser's cost-per-acquisition figures are being distorted by infrastructure conditions that have nothing to do with campaign quality. A campaign that appears to have a poor conversion rate may, in part, be running against a checkout flow degraded by 3.75 million bot requests per day.

Similarly, session-level data from checkout pages contributes to audience building and remarketing lists in most advertising platforms. Bot-generated sessions that look like abandoned checkout visits could pollute those lists, driving remarketing spend toward non-human traffic that will never convert regardless of ad spend or creative quality.

Microsoft Clarity's Bot Activity dashboard, launched on January 21, 2026, surfaces which AI systems are crawling a site and in what volumes - giving operators a measurement layer before any enforcement decision. But measurement alone does not reduce PHP worker exhaustion. The Kinsta data shows that by the time a pattern has generated 550 million requests in a month, having a dashboard to observe it is not sufficient. The infrastructure response has to happen earlier.

Kinsta launched its own Bot Protection feature on June 9, 2026, as PPC Land reported, building the controls directly into its MyKinsta dashboard at no additional cost. The feature includes four preset protection levels, a Block AI Crawlers toggle, and path-specific rules for cart and checkout endpoints. That timing - nine days before this report's public release - suggests the feature and the underlying data were developed in parallel as part of a coordinated effort to both quantify the problem and offer a remediation path.

Timeline

Summary

Who: Kinsta, a managed WordPress hosting company with more than 230,000 customers across 128 countries, which analyzed its own infrastructure logs to quantify AI bot behavior on WordPress sites.

What: A research report documenting that AI crawlers sent 3.75 million requests to a single WooCommerce add-to-cart page in 24 hours; that total add-to-cart bot hits across the platform reached 7.67 million in the same window; and that one misbehaving bot generated 550 million requests in 30 days before a rule stopped it. The report argues the core problem is not the volume of bot traffic but the specific endpoints being hit - cart, checkout, and search pages that bypass server-side caching and require PHP execution and database queries on every single request.

When: The report was published on June 17, 2026.

Where: The findings are drawn from Kinsta's managed WordPress hosting infrastructure and apply specifically to WordPress sites running WooCommerce or other plugin-heavy e-commerce configurations.

Why: AI crawlers are increasingly trapped in query-string parameter loops on e-commerce sites, generating millions of requests to uncacheable endpoints that exhaust PHP workers, slow checkout flows for real customers, and consume crawl budget that search engines would otherwise spend on content that matters for rankings. The problem is largely invisible in standard analytics dashboards, which filter bot traffic out of session data, and it has direct downstream effects on advertising conversion measurement and remarketing audience quality.