
Key Takeaways
A new report by Imperva confirmed what many web providers have already long suspected: Bots now rule the web.
According to the 2025 Bad Bot Report, bots make up 51% of all internet traffic, and bad bots alone account for 37%.
APIs appear to be their favorite targets, directly threatening the very tools web hosting platforms use to power and personalize their customers’ user experiences.
We broke down the most important findings for web hosting providers and what they can actually do to keep their platforms and customers safe.
Bad Bots Are Coming in Droves
For the sixth year in a row, bad bots are becoming more prominent: In 2023, bad bots accounted for 32% of all internet traffic; by 2024, that share had grown to 37%.
It’s frightening news for web hosts that manage large volumes of traffic.
Customers’ data is directly in the crosshairs, too: Account takeover (ATO) attacks jumped 79% between June and November 2024 compared to the same period in 2023.
…But Not All Bots are Bad
Bots have an expected negative connotation, but Imperva’s research proved that some are worth keeping around.

Good bots play an important role in the internet’s infrastructure: They act as search engine crawlers (like Googlebot and Bingbot), which index web content so users can find relevant pages in their search results.
There are also the good bots that most providers or web builders use on a daily basis, like performance monitors to track uptime or SEO tools that analyze site content for optimization.
Of course, there’s always a margin for error.
Imperva reminds its readers that good bots’ presence alone can inadvertently skew metrics by inflating pageviews, distorting ad campaign data, and making certain content appear more popular than it actually is.
The key is to stay on top of your metrics and know how to distinguish between human traffic, good bots, and bad bots.
A Focus on the U.S. and High-Risk Industries
If you’re a U.S.-based web host serving high-risk industries, it’s time to pay attention.

Because of America’s massive online economy and its heavy concentration of financial and tech giants, the U.S. leads the world in bot activity, accounting for 53% of all global attacks.
Brazil and the UK trail far behind at just 6% each, although Europe isn’t off the hook yet.
In 2024, the UK ranked as the most targeted country in the EMEA region, with 31% of all bot attacks, likely driven by the region’s growing fintech hub.
Industry-wise, the landscape is shifting: For the first time, the travel industry has overtaken retail as the most attacked sector, accounting for 27% of all bad bot activity in 2024.
The financial services sector bore the brunt of account takeover attacks, making up 22% of them, followed by telecom and ISPs (18%) and computing and IT (17%).
APIs Are The Magic Backdoor
APIs have become increasingly susceptible to cyberattacks, accounting for 44% of all bot attacks, which is up 55% from last year.

About one-third of API attacks are linked to data scraping, which is where bots extract sensitive or proprietary information from web hosting clients.
What’s worse is that bots are becoming more sophisticated: They now mask their identity, a technique better known as “spoofing.”
Thanks to AI, even simple bad bots are getting smarter: 46% now use Chrome to blend in with legitimate traffic by faking their browser identity.
APIs also act as an entry point to the entire account, which may explain why 14% of all logins in 2024 were attempts at account takeovers.
With this in mind, providers should prioritize re-securing their endpoints immediately.
AI Is Truly Two Sides of a Coin
Whether for customer-facing tools or for backend efficiency, nearly every web hosting provider now relies on automation. But cybercriminals are turning the same AI technologies into weapons.

Unlike regular bad bots, AI-powered bots use AI/ML to mimic human behavior, such as analyzing data and adapting to patterns, which helps them bypass traditional detection methods.
Tools like ByteSpider Bot and ChatGPT User Bot are increasingly being used in these attacks.
ByteSpider Bot, for example, is a trusted web crawler, but Imperva found it was spoofed in 54% of AI-enabled attacks.
That’s a big problem for web hosts that rely on “whitelisting” (automatically trusting known bots) because it lets disguised bad traffic sneak through.
Interestingly, most AI-driven attacks are carried out by human cyberattackers. That’s not to say that bad bots don’t play a role: In 2024, they made up 16% of all AI-driven attacks.
But if you factor in business logic abuse (where bots mimic legitimate behavior), that number climbs to 41%.
What should this tell web hosts? Traditional security and bot management tools are no longer enough.
What Can Web Hosting Providers Do?
Society has officially hit the point where George Orwell would be rolling in his grave: It’s Man vs. Machine, and tech is taking the upper hand.
But Imperva’s report came packed with recommendations on what companies and providers can do to better secure their platforms and guarantee data security.
You can download the report here, but here’s the summary:
- Identify Common Risks: High-traffic events, like product launches, attract bot traffic. Use real-time bot detection and traffic analysis to distinguish legitimate users from bots.
- Secure Your Apps and APIs: Secure APIs and mobile apps with strong MFA, access controls, and multi-layered bot mitigation strategies.
- Deploy Threat Reduction Tools: Minimize abuse by validating user-agents, limiting access from known proxy sources, and detecting automation tools (Imperva noted Puppeteer, Playwright, and Selenium).
- Understand Your Baseline: Establish baseline traffic patterns so you can spot bot activity by identifying anomalies, such as high bounce rates or sudden traffic spikes.
- Monitor Traffic in Real Time: Set up alerts for failed logins, checkout failures, and unusual API requests to detect attacks as they happen.
- Stay Aware of the Landscape: Stay informed about global data breaches and use good practices, like Zero-Trust and MFA, to protect against credential stuffing and account takeover attacks.
- Use Your Own Bots: Leverage AI/ML-driven tools, user behavior analysis, and continuous monitoring to adapt to evolving bot threats and secure API endpoints.
- Keep Them Guessing: AI-powered bots recognize patterns, so don’t roll out all your defenses at once. Be strategic with your security upgrades so they can’t predict your next move.
It’s as Imperva wrote in its report: “If you don’t control your web traffic, someone else will.”
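The weakness of trusting known bots by user-agent, and the "validating user-agents" recommendation above, shown as an added example that is not from Imperva's report or this article: a forward-confirmed reverse-DNS check for requests that claim to be Googlebot or Bingbot. The DNS tables and IP addresses are constructed sample data, and the function names are illustrative; the domain suffixes are the ones Google and Microsoft publish for verifying their crawlers.

```python
import socket

# Reverse-DNS suffixes Google and Microsoft document for crawler verification.
CRAWLER_DOMAINS = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}

def dns_reverse(ip):
    return socket.gethostbyaddr(ip)[0]          # PTR lookup

def dns_forward(host):
    return socket.gethostbyname_ex(host)[2]     # A-record lookup

def classify(ip, user_agent, reverse=dns_reverse, forward=dns_forward):
    """Return 'verified', 'spoofed' or 'unclaimed' for one request."""
    ua = user_agent.lower()
    claimed = next((n for n in CRAWLER_DOMAINS if n in ua), None)
    if claimed is None:
        return "unclaimed"      # no crawler claim: judge by other signals
    try:
        host = reverse(ip).lower().rstrip(".")
        # Whoever owns the IP block controls its PTR record, so the name
        # must also resolve forward to the same address.
        if host.endswith(CRAWLER_DOMAINS[claimed]) and ip in forward(host):
            return "verified"
    except OSError:
        pass                    # lookup failed: fail closed
    return "spoofed"

def table_lookup(table):
    """Offline stand-in for a resolver, backed by a dict."""
    def lookup(key):
        if key not in table:
            raise OSError("no record")
        return table[key]
    return lookup

# Constructed sample data (documentation IP ranges), not real crawler addresses.
SAMPLE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
              "198.51.100.7": "host7.example.net",
              "203.0.113.5": "fake.googlebot.com"}   # PTR set by the IP's owner
SAMPLE_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
            "host7.example.net": ["198.51.100.7"],
            "fake.googlebot.com": ["203.0.113.99"]}  # forward does not match
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def demo():
    rev, fwd = table_lookup(SAMPLE_PTR), table_lookup(SAMPLE_A)
    return {ip: classify(ip, GOOGLEBOT_UA, rev, fwd) for ip in SAMPLE_PTR}
```

In production, cache the verdict per IP so the two lookups are not repeated on every request.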