I created a new .com website, and it became an instant hit. After a week, Cloudflare sent me a greeting for surpassing the first 1,000 page views. In fact, the website had already received over 4,000 page views. In less than a month, the site had already garnered over 30,000 page views. Except none of these views were actual people.
The URL was not intended to have any content or visitors – I simply bought the domain via Cloudflare for local use in my home lab, and the SSL certificate, which was a separate story.
I deployed a single 1.26KB blank HTML file. The site had no content, no CSS, no JavaScript – nothing to attract legitimate visitors, just one text line: “Why are you here?”
After a few days, I got this email:
It gets even crazier. The stats for the last 30 days say that the website attracted 21,620 visits from around 1,400 unique “visitors” and has even more pageviews – 30,560 – meaning that these “visitors” come back and download the “rich” content several times a day.
A third of this traffic comes from Hong Kong, and another third from the United States, with the remainder coming from other countries.
Despite its microscopic size, the site consumed 63.43 megabytes of bandwidth.
This seemed scary. Imagine the website was a bit larger, like 1 megabyte, which is not that extravagant. The website’s traffic would already be at 30GB, exceeding the bandwidth limit provided by many of the cheapest hosting plans.
The innocuous-looking “Why are you here?” page could become even harmful to my wallet if I hosted a simple short video clip, potentially inflating cloud charges without my even noticing.
All new website owners should be aware of this potential risk – you’re starting with huge traffic, without getting anything in return.
Bots everywhere
Over the past 12 months, bot requests comprised 30% of total internet traffic, according to the Cloudflare Radar data.
The US is the worst “offender,” with 39.4% of bot traffic share, followed by Germany (6.4%) and Singapore (4.2%).
Tech experts confirm that a high volume of automated traffic hitting newly registered domains is becoming the new norm. Bots flow to new domains almost immediately upon creation.
“Bots do not need to guess your domain name. When you register a site and create a security certificate, that record usually goes onto a public list. Scanners monitor these lists constantly. Ideally, do not launch a site without a firewall or bot protection service in place,” Ben Foster, CEO at The SEO Works, told Cybernews.
However, even accounting for bots, a thousand visits every day seemed high to the expert. Sometimes higher traffic can be inherited if the domain had a previous history. But mine didn’t.
Terrence Ngu, Founder and CEO at Hashmeta, explains that bots monitor public Domain Name Service (DNS) records and SSL certificate logs, scan entire IP ranges, and probe links from other sites and platforms. Small, unknown sites are typically discovered by general scanners within hours or days.
“It’s very common – especially for new corporate or informational sites – to see a sudden spike of automated traffic when you first go live,” Ngu said.
“In many cases, that surge is a one-off or short burst, then it settles into a steady background level.”
Larger top-level domains (TLDs), such as .com, are often targeted more aggressively, but over time, all TLDs will eventually be swept. Bots tend to get more aggressive in probing popular startups, crypto or SaaS-related sites, or those trending on social media.
“We watch traffic patterns across tens of thousands of newly registered names, and even empty sites tend to attract a surprising amount of automated traffic almost immediately. The moment a domain starts resolving, it enters the wider ecosystem of scanners, crawlers, and monitoring systems,” confirms Joe Alagna, Chief Strategy Officer at it.com Domains.
What are these unwanted visitors looking for?
The army of bots visiting websites comprises a mix of different types of scanners, each looking for distinct things.
“You’re seeing a mix of benign crawlers, search indexing bots, scrapers, and more aggressive scanners hunting for misconfigurations,” said Ebenezer Allen, CEO at Westlink Academy, a workforce tech training provider.
“Broadly, they’re hunting for three things: a weakness to exploit, data to copy, or a feature they can abuse: logins, forms, one-time passwords, messaging, etc.”
Legitimate bots include search engine crawlers, uptime monitors, and, increasingly, AI bots that collect data, as well as other commercial bots such as price scrapers or similar applications.
Most traffic comes from Amazon, Google, Microsoft, and other big tech crawlers, according to Cloudflare Radar.
“A lot of what you're seeing comes from security and threat-intelligence scanners cataloging new domains, looking for open directories, default admin interfaces, misconfigured CMS setups, or anything that hints at a vulnerability,” Alagna adds.
A third category consists of malicious bots seeking spam and abuse opportunities, attempting to create accounts, submit forms, target administrative panels, or even snatch the domain when it expires.
“It’s normal – but unnerving,” Allen concludes.
Owners pay for bandwidth, but there are more risks
Exceeding hosting provider limits is one of the very real risks that new website owners face, tech pros warn.
“When new owners experience sudden traffic, it can result in actual expense to them because an example site containing a 50MB ‘hero’ video or 200MB onboarding animation can exceed its 10GB per month hosting allowance in less than two days if it receives the same amount of high-volume aggressive crawling,” cautions Billie Argent, Co-Founder and UX Director, at Passionates Agency.
This can cause direct financial harm if users are not careful with pay-as-you-go cloud service plans and other APIs.
“We've seen people accidentally burn through their hosting quotas because bots kept requesting a single big file,” Alagna said.
The experts also warn about false analytics – automated traffic artificially inflates figures, making them unreliable. Is it a viral hit or merely a target for a botnet?
Ngu mentioned even more immediate dangers. If a bot identifies actual vulnerabilities or misconfigurations, attackers can exploit these to leak data, abuse accounts, API keys, or sensitive documents. Persistent probing nearly guarantees that inadvertent mistakes will be picked up by scanners.
“One pattern we see more often now is bot abuse of OTP flows. The site sends OTPs via SMS or WhatsApp for login or signup. Bots hammer the OTP endpoint. The business gets hit with a huge, unexpected bill for SMS/WhatsApp OTP messages, with no real users behind it,” Ngu said.
How to protect your website?
If you only plan to host a blank or small HTML page, bot traffic is just an interesting data point. However, before deploying an actual website, it is essential to plan defense measures in advance.
Security experts recommend protecting a website using Cloudflare or another CDN with a Web Application Firewall (WAF) from day one, enabling bot filtering, rate limiting, and IP reputation checks.
“New site owners need baseline protection. At minimum, I recommend enabling bot filtering (e.g., Cloudflare’s Super Bot Fight Mode), limiting access to admin paths, and monitoring traffic closely during the first 60–90 days,” said Allen from Westlink Academy.
Curious what others think about this story? Contribute your thoughts to the debate below.
All important admin panels, dashboards, and other internal tools should be protected using strong authentication and access controls, and never left publicly accessible.
“Keep heavy assets behind caching or restricted URLs so that they are not hammered by opportunistic bots,” Alagna said. “Make sure your analytics is configured to separate humans from automated systems. Otherwise, you are going to misinterpret what is happening on your site.“
According to Ngu, additional security measures involve changing default login URLs so they’re not accessible via standard /wp-admin or /login endpoints, and adding friction, such as CAPTCHA checks, to all key forms. Analyze logs for strange spikes or potential abuse patterns.
Ernestas Naprys is a senior journalist at Cybernews. Ernestas has been untangling the complexities of cybersecurity at Cybernews since 2023. With over 10 years of journalism experience, he specializes in reporting on data breaches, leaks, vulnerabilities, hacking, privacy and information security. Naprys has covered significant stories on phone background activity, dangerous app permissions, and malicious Chrome extensions. Prior to joining Cybernews, he reported on technology, economy, finance, business, and investing for leading Lithuanian media outlets. Naprys was recognized as Journalist of the Year in Lithuania for his professionalism in analyzing EU investments. He holds a Bachelor's degree in Business Information Management from Vilnius University. When not investigating the latest cybersecurity threats, Naprys can be found tinkering with electronics, wielding his soldering iron, or playing various musical instruments.
Unlock exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked