Kinsta on June 9 launched Bot Protection, a new feature built into its MyKinsta dashboard that gives WordPress site owners direct control over automated traffic - including AI crawlers - across all hosting environments. The feature ships at no additional cost and requires no support ticket to configure.

The timing is notable. Bots now account for 57.4% of all web traffic to HTML content, with humans at 42.6%, according to Cloudflare Radar data covering the seven-day window ending June 5, 2026. For WordPress operators running WooCommerce stores or content-heavy sites, the practical consequences have become difficult to ignore.

The scale problem Kinsta is responding to

Bot traffic has grown sharply over the past year. According to Kinsta's own infrastructure data, bots hit add-to-cart URLs on sites hosted on its platform 7.67 million times within a single 24-hour period. One crawler alone triggered 550 million requests across 30 days. These numbers are not exceptional outliers. They reflect a structural shift in how the web is accessed.

The problem is not limited to malicious actors. AI crawlers from OpenAI, Anthropic, Meta, Google, and ByteDance have expanded aggressively. AI crawler activity grew 300% in the last year, according to Kinsta. Separate analysis from Cloudflare's 2025 year-in-review found that AI bots accounted for 4.2% of all HTML requests across its network, while non-AI automated systems accounted for 47.9%. Human users generated just 43.5%.

For WordPress specifically, the damage is concentrated in places caching cannot reach. Dynamic endpoints - cart pages, filtered product listings, checkout flows - must process each incoming request because no cached version can serve them. Every bot request to those URLs consumes real server compute, regardless of whether the requester is a malicious scraper, a legitimate search engine, or a training crawler that will never convert. According to Kinsta, this results in analytics that no longer reflect reality, making it difficult to trust the data behind spending and growth decisions.

Research from Cloudflare and ETH Zurich published in April 2026 documented why caching infrastructure was not designed for this kind of traffic. AI crawlers tend to access rarely visited or loosely related content in sequential, complete site scans rather than concentrating on popular pages. More than 90% of pages processed by Common Crawl in any given month are unique by content - running directly against standard caching assumptions.

What the feature does

Bot Protection operates at the environment level within MyKinsta and offers four preset protection configurations, each applied independently per environment: Block Malicious TrafficBlock AutomationsChallenge Bots, and Challenge Everyone. Site owners can run different settings across staging, development, and production environments without affecting one another.

The feature includes a managed allow list that automatically covers common WordPress paths, WooCommerce routes, and trusted traffic sources. Custom exceptions are configurable by IP address, user agent, or request path. Verified search engine bots - including Google - are always permitted through regardless of the protection level selected. CAPTCHA challenges are powered by Cloudflare bot scores.

A dedicated Block AI Crawlers toggle allows sites to opt out of AI indexing entirely. This is a single-switch control that applies across all identified AI crawler types at once. Site owners do not need to individually configure rules for GPTBot, ClaudeBot, Bytespider, or other crawlers - the toggle handles all of them through Kinsta's managed ruleset, which is updated by Kinsta rather than requiring manual maintenance by the site owner. The decision to include this as an explicit toggle reflects a real tension in the market: research published in early 2026 found that publishers who blocked AI crawlers via robots.txt experienced a 23.1% total traffic decline without a corresponding reduction in AI citations, suggesting the consequences of AI blocking extend beyond simply turning off crawler access.

There is also an emergency mode: Challenge Everyone keeps a site live for human visitors during an active attack while challenging all other traffic automatically. This mode is designed for situations where bot volume is severe enough to threaten availability - a scenario that has grown more plausible as bot attacks on checkout flows have grown in frequency and sophistication.

Finally, a bot traffic analytics tab breaks down traffic by category - verified bots, AI crawlers, automated traffic, and likely humans - providing a live view of what is hitting the site and what is being blocked.

"Most bot management advice boils down to 'block everything' or 'leave it alone'. Neither works at scale," said Daniel Pataki, CTO at Kinsta. "Block too aggressively and you hurt your search visibility. Do nothing, and bots are consuming server resources on endpoints that will never convert. We built Bot Protection so site owners can make that call themselves at the environment level, without needing an engineer to do it. We handle the safe traffic automatically, so your plugins and automations keep working no matter what protection level you're running."

The self-serve design decision

The feature requires no support ticket and no engineer. That design choice addresses a specific complaint. "Customers are telling us that their analytics look fine, but their server costs keep climbing," said Roger Williams, community manager at Kinsta. "Bot traffic was driving it, and they had no good way to act without calling support or paying for another tool. Bot Protection puts that control directly in MyKinsta."

Several competing managed hosting providers charge separately for bot management. Kinsta includes Bot Protection on every plan at no additional cost. The company did not publish specific pricing comparisons.

Why this matters for marketers and advertisers

The connection to marketing is not incidental. Bot traffic hitting add-to-cart and checkout URLs at volume contaminates attribution data, inflates session counts, and triggers abandoned cart email sequences for contacts that were never real. When analytics data is corrupted at the infrastructure level, the decisions built on top of it - campaign budgets, bid strategies, creative tests - lose their empirical foundation.

The advertising industry has struggled with this problem for years at the impression level, but the same dynamic now applies at the server level for sites carrying WooCommerce or other dynamic commerce layers. If a bot hits an add-to-cart URL, it may trigger a retargeting pixel. If it triggers a checkout session, it may pollute conversion data fed into automated bidding systems. The downstream effects flow directly into paid media performance.

Microsoft Clarity added Bot Activity tracking in January 2026, exposing which AI systems crawl websites and how automated traffic affects infrastructure performance. Cloudflare launched AI Audit tools in September 2024, giving publishers analytics on AI bot activity with one-click blocking. Those tools operate at the CDN layer. Kinsta's approach operates at the managed hosting layer - closer to WordPress itself - which matters for dynamic WordPress endpoints that CDN caching cannot cover.

A separate and unresolved question is whether AI crawlers generate any commercial value for the sites they visit. Research by Botify covering approximately 200 retail and e-commerce websites found that for every single visit OpenAI's systems deliver to a retail site, those systems perform 198 crawls. Google generates one visit per six crawls. The crawl-to-visit ratio for AI platforms means server resources are consumed at a rate that is not proportional to any traffic or revenue return.

Context on Kinsta

Kinsta describes itself as a premium managed hosting provider for WordPress. According to the company, it supports more than 230,000 customers across 128 countries and brought on over 65,000 new sites in 2025. It holds a top G2 score and the number one ranking in G2's 2026 Best Software Awards for the Best Web Hosting Software Products category, jumping from eighth place out of 1,461 products in the category.

The company offers 24/7 support in ten languages, serving businesses ranging from small sites to Fortune 500 enterprises. Bot Protection is available immediately to all customers on all plans.

What the industry is watching

The broader bot problem is not a WordPress-specific issue, but WordPress's architecture makes it acutely vulnerable. The combination of plugin-heavy installations, uncacheable WooCommerce endpoints, and the sheer scale of WordPress's market share - which makes it an efficient target for automated scanning - has concentrated the pressure.

PPC Land has tracked the AI crawler build-up closely, documenting how GPTBot grew its share of AI crawling traffic from 4.7% in July 2024 to 11.7% in July 2025 according to Cloudflare data, and how training-related crawling reached nearly 80% of all AI bot activity in September 2025. The infrastructure responses from hosting providers, CDN operators, and analytics platforms are multiplying. Kinsta's Bot Protection feature is one more point of control in a growing set of tools.

What remains unresolved is the question of selective access. A site that blocks all AI crawlers may lose search visibility and, according to existing research, total traffic. A site that blocks nothing accepts the server cost. The four-tier model Kinsta has built is an attempt to create a middle ground - one where operators can tune protection to their own risk tolerance without needing a security specialist on staff.

Timeline

Summary

Who: Kinsta, a managed WordPress hosting provider with more than 230,000 customers across 128 countries.

What: Kinsta launched Bot Protection, a self-serve feature built into the MyKinsta dashboard. It includes four preset protection levels (Block Malicious Traffic, Block Automations, Challenge Bots, Challenge Everyone), a managed allow list covering WordPress and WooCommerce paths, a Block AI Crawlers toggle, an emergency lockdown mode, and a bot traffic analytics tab. The feature is included on all plans at no additional cost.

When: The feature was announced and launched on June 9, 2026.

Where: Bot Protection is available directly within the MyKinsta dashboard, configurable per hosting environment. It is available to all Kinsta customers globally.

Why: Bot traffic now accounts for more than half of all web traffic, with AI crawler activity growing 300% in the past year according to Kinsta data. Dynamic WordPress endpoints like cart pages and filtered product listings cannot be cached, meaning every bot request consumes server resources and corrupts analytics. Kinsta's infrastructure data found bots hitting add-to-cart URLs 7.67 million times in a single 24-hour period, and one crawler triggered 550 million requests in 30 days.