Real-time
website
bot protection

BotHunt analyzes dozens of behavioral and technical signals in real time: mouse movements, keystroke timing, scroll patterns, form-filling speed and sequence, canvas and WebGL browser fingerprints, TLS handshake fingerprint (JA3/JA4), ASN and IP reputation, device characteristics. Decisions are made through a composite heuristic risk assessment — no single signal is used in isolation. The check runs in 4–12 milliseconds and is fully invisible for legitimate visitors: no CAPTCHA, no delays, no changes to the user experience. A base rule set works out of the box, while extended scenarios are available through the community rule marketplace or your own custom configurations tailored to each site.

No. In DNS mode, traffic flows through the BotHunt edge — filtering happens before the request ever reaches your server, so the protection adds zero load to your site. In agent mode, the signal script is injected on the fly by the agent itself, weighs under 5 KB, loads asynchronously and never blocks rendering — there are no third-party CDN requests. Average decision time is around 12 milliseconds and the check is invisible to the user. If our servers become unreachable, both the agent and the edge run in fail-open mode: your site keeps responding to visitors as usual, just without the extra request check — meaning an outage on our side will never cause downtime on your project.

Yes, there is an official BotHunt plugin for WordPress — one-click install directly from the WP-admin plugin directory, no theme-file edits required. After activation and entering the API key, protection starts immediately with pre-configured rules for typical threats: comment spam, brute force on /wp-login.php, WooCommerce product scraping. Tilda, Bitrix, Shopify, OpenCart, MODX, and any custom-built site are also supported — they connect via DNS, with no code or template changes required. All rules and analytics live in a unified dashboard regardless of CMS, and the WordPress plugin auto-updates. Full integration takes under 5 minutes.

The response is fully configurable to fit your use case. By default, the bot receives a 403 Forbidden or 429 Too Many Requests status. Alternative actions include: redirect to a custom block page, interactive CAPTCHA challenge (for borderline cases), or silent logging without blocking — a monitoring mode for calibrating new rules on real traffic. Every attempt is stored and accessible in the dashboard with filters by IP, ASN, country, bot type, and target URL. Different reactions can be configured per site section — for example, hard blocking on /api/* endpoints and a lightweight challenge for public pages.

Detection accuracy is 99.9%, with a false-positive rate below 0.1%. The system decides based on a combination of 40+ signals rather than a single indicator, so users on VPNs, Tor, corporate proxies, or mobile networks behind CG-NAT pass the check correctly. If a request has a borderline risk score, a lightweight challenge is shown instead of a hard block — no distorted-text CAPTCHA. In the dashboard you can instantly whitelist any IP, subnet, ASN, or country. A log-only mode is also available for the first few days after onboarding — so you can verify system behavior on your real traffic without any risk to customers.

Pricing starts at $9/month for protection of 1 site with unlimited traffic and request volume. Studios and agencies get bulk pricing: 5 sites for $29/mo ($6/site), 20 sites for $79/mo ($4/site), or 100 sites for $149/mo ($1.49/site). Every plan includes the full feature set: behavioral detection, custom rules, community rule marketplace, real-time analytics, and email support. The first 14 days are free on any plan — no credit card required — so you can evaluate protection quality on your own real traffic. Payment by bank card or invoice for legal entities via ЮKassa.