Stopping and Directing Web Spiders

The Real Cost of Uncontrolled Crawling

When visitors arrive at a website, many of them are not human. They are bots - automated programs that read pages, follow links, and sometimes store data for later use. For most site owners, a handful of well-behaved crawlers - those that index content for Google, Bing, or other search engines - are a welcome presence. They help your pages appear in search results, bring organic traffic, and improve your site’s visibility. But the web is a mixed bag. Not every crawler serves a useful purpose, and a handful of malicious or poorly designed bots can eat away at your bandwidth and server resources.

Consider a typical web server that handles 1,000 page requests per hour. If a rogue crawler requests every page on your site 20 times an hour, that adds 20,000 requests in addition to legitimate traffic. In the cloud, this can translate to extra bandwidth costs, or in shared hosting, to a denial‑of‑service situation where real users experience slowdowns. The worst offenders are offline browsers like Teleport Pro or WebStripper, which aim to download an entire site to let users navigate it without an internet connection. While some users might have legitimate offline needs, many use these tools to copy content, replicate your layout, or even steal proprietary data.

Beyond the obvious bandwidth drain, malicious crawlers can create security headaches. They often search for common vulnerabilities, submit spam through search forms, or probe for hidden admin panels. Even if your site is secure, the sheer volume of requests can make intrusion detection systems flag legitimate traffic as suspicious, causing false positives that waste time and resources.

It’s easy to ignore the impact of these crawlers if your site receives only modest traffic. But as your audience grows, the cumulative effect can become significant. A sudden spike in server load, a surge in error logs, or unexpected bandwidth charges should prompt you to investigate the origin of the traffic. Checking your server logs for repeating user‑agent strings - such as “WebZip/4.0”, “Teleport/3.5”, or generic “Wget/1.15” - is the first step. Once identified, you can decide how aggressively to block them and what level of protection your site requires.

In the next section, we’ll cover a lightweight technique that is easy to implement and works best for keeping search engine spiders out of private sections of your site. It’s a good starting point before moving on to the more comprehensive robots.txt file.

The First Line of Defense: Meta Tags

Meta tags sit inside the <head> element of an HTML page. They give browsers and bots small hints about how the page should be treated. The most relevant meta tag for crawler control is <meta name="robots" content="…">. By using specific values - such as index, noindex, follow, or nofollow - you can instruct compliant bots whether to index the page and whether to follow links found on it.

For example, the following snippet tells a well‑behaved crawler that it may display the page in search results but should not follow any of the links from that page:

Conversely, if you want a page to stay out of search engines entirely, but still allow users to see it, you can use:

Many popular search engines - Google, Bing, Yahoo - respect these tags. However, a large number of offline browsers ignore them because their primary goal is to mirror the site’s structure, not to comply with webmaster guidelines. That means meta tags are a best‑effort approach: they can keep search engines from crawling sensitive sections, but they won’t stop a determined bot from downloading your pages.

Because meta tags apply to a single page, they’re most useful for protecting content that you only want to hide from search engines. For instance, if you have a private member area, a testing page, or a draft article that’s not ready for public view, adding noindex, nofollow keeps it out of the search index while still allowing visitors with the correct URL to access it. If the page is part of the public site but you want to discourage search engines from crawling it - perhaps to reduce duplicate content or to keep it out of search results during a redesign - noindex, nofollow is the right tool.

To apply this tag site‑wide, you can add it to a common header file that every page includes. That way, every new page inherits the same crawling instructions without needing manual updates. Remember to keep the meta tag between the opening <head> and closing </head> tags to ensure it’s read by the browser and crawlers alike.

While meta tags can reduce the crawl budget on specific pages, they’re not a substitute for a well‑structured robots.txt file. The next section will show how to use robots.txt to control access across the entire site, and how it works alongside meta tags.

The Power of Robots.txt

Unlike the page‑specific meta tags, the robots.txt file provides a single, server‑level rule set that tells crawlers which directories or files they can or cannot access. It lives in the root directory of your domain - so for example, https://www.example.com/robots.txt - and is automatically read by any crawler that respects the Robots Exclusion Protocol.

A typical robots.txt file starts with a User-agent directive followed by one or more Disallow or Allow lines. Here’s a minimal example that blocks a known malicious bot called “Teleport Pro” and all other bots from accessing the /cgi-bin/ directory:

The asterisk (*) stands for “any bot.” By default, a disallow of / prevents that bot from seeing any page on your site. If you want to allow a search engine bot but disallow a spam crawler, you can write separate blocks for each user‑agent.

When creating the file, keep these rules in mind:

• Always include at least one User-agent line. An empty file can cause some search engines to assume you want to block everything.
• Leave a blank line between blocks. Some crawlers parse the file line by line, so a missing line can merge directives incorrectly.
• Use the exact spelling and capitalization of the user‑agent as it appears in your logs. WebZip/4.0 is different from webzip/4.0
• Place the file in the web server’s document root, not in a subfolder. For shared hosts, this may mean uploading via FTP to the folder that contains index.html
• Don’t rely on robots.txt to enforce security. It’s a courtesy file; any well‑intentioned bot can ignore it.

  Because robots.txt is public, malicious actors can read it and then simply switch user‑agents to bypass your restrictions. That’s why you should combine it with other safeguards - firewall rules, rate limiting, and meta tags - especially for highly valuable or sensitive content.

  For a real‑world example, you can view the robots.txt used by ThinkHost at http://www.thinkhost.com/robots.txt. It blocks a handful of aggressive bots while allowing major search engine crawlers to index the site. While it’s not a complete policy, it demonstrates how to start protecting a website from bandwidth theft and duplicate content issues.

  In the next section we’ll explore how to combine meta tags and robots.txt for the best coverage, ensuring that both search engines and offline browsers behave as you intend.

  Combining Meta Tags and Robots.txt for Optimal Coverage

  Relying on a single method to control crawler behavior rarely yields comprehensive protection. Meta tags operate on a page‑by‑page basis, while robots.txt governs access at the folder or site level. Together, they cover both the granular and global aspects of crawling.

  First, create a robots.txt file that blocks known aggressive bots and disallows sensitive directories. For instance, you might disallow /private/ for all bots, while still allowing Googlebot to index the rest of the site. A typical snippet might look like this:

  User-agent: *
Disallow: /private/
Disallow: /tmp/
Disallow: /cgi-bin/

User-agent: Googlebot
Disallow:

  Here, every crawler is prevented from crawling the three specified directories, but Googlebot receives no restrictions, letting it index your public pages normally. Once the robots.txt file is in place, add meta tags to the HTML pages that you want to keep out of search engines but still accessible to users. For example, a staging page might have:

  Because meta tags override robots.txt for pages that the crawler can still reach, you get a layered approach: the crawler is blocked from sensitive folders, but if it does reach a staging page by following an external link, it won’t index it.

  When you want to prevent a page from being indexed and stop crawlers from following any links on that page, use the combined directive noindex, nofollow. In contrast, if you want a page to be indexed but discourage link following - for instance, a page that contains a list of internal URLs that you don’t want crawled - you can use index, nofollow

  It’s also possible to use robots.txt to specify crawl delays. Search engines like Google respect the Crawl-delay directive, giving you a way to throttle the frequency of requests from a particular bot. A line like Crawl-delay: 10 tells Googlebot to wait 10 seconds between requests. Combine this with a Disallow rule for heavy sections, and you can reduce the load on a shared host significantly.

  When implementing these techniques, always test your configuration. Google Search Console’s robots testing tool lets you check how Googlebot will interpret a given page or URL. Likewise, the Bing Webmaster Tools provides a similar testing environment for Microsoft’s crawler.

  By layering meta tags, robots.txt, and, where possible, HTTP authentication on highly sensitive directories, you create a robust defense that deters both casual bandwidth hogs and more sophisticated web strippers.

  Detecting Malicious Bots and Fine‑Tuning Restrictions

  Even the most carefully crafted robots.txt file can be bypassed if a bot changes its user‑agent string or if a new crawler emerges. Therefore, continuous monitoring of server logs is essential. Look for repeated requests that follow a predictable pattern - e.g., a single IP address requesting thousands of pages per minute. A typical log entry might read:

  192.168.1.42 - - [12/May/2026:10:22:31 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Teleport Pro 1.0"

  In this example, the bot is identified as “Teleport Pro 1.0.” Once you identify the offending user‑agent, add a rule to your robots.txt that disallows it. If you can’t find the user‑agent in logs, but you notice a sudden spike in traffic from a particular IP range, consider adding a firewall rule to block that range.

  Many hosting providers expose a simple “IP block” feature in their control panel. For a more granular approach, you can create an .htaccess rule that denies access to specific agents:

  RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Teleport Pro [NC]
RewriteRule .* - [F,L]

  The NC flag makes the comparison case‑insensitive. The F flag returns a 403 Forbidden status, while L stops processing further rules. This method blocks the bot at the HTTP level, preventing it from ever reaching your application code.

  When blocking agents, remember that many malicious bots fake well‑known user‑agents to masquerade as search engines. Thus, blocking the user‑agent alone may not be enough. Pair it with IP filtering or rate limiting to reduce the risk of bypass. Tools like UptimeRobot to monitor server uptime and bandwidth usage. If a particular bot is driving bandwidth spikes, update your restrictions accordingly. By combining polite directives with vigilant monitoring, you maintain a healthy relationship with search engines while safeguarding your server resources.