Bottle is a bot-throttling plugin for WordPress. It consists of a set of tools that reduce server load when a website receives excessive bot requests.
It works by performing a series of checks on each HTTP request that reaches WordPress and throttling the offending session or IP address when a threshold is exceeded. The checks include:
- Too many sessions per IP. Bottle issues a JWT session cookie to every request that does not already present one. Bots that ignore cookies therefore start a new session on every request, so an IP address that creates too many new sessions within the measurement window is treated as a bot and throttled.
- Too many requests per session. Bottle tracks a request rate for each session and throttles sessions that exceed it.
- Too many requests per IP. Bottle also tracks a request rate per IP address. This catches abusive clients that do not process cookies and therefore never accumulate requests in a single session.
- Overall request rate. Bottle can throttle a specific section of a website that is being abused (for instance, the course catalog), regardless of which IPs or sessions the requests come from. This is useful when a large website is being scraped by a bot network with rotating IPs, where no single IP or session exceeds its own limit.
- Excessive 404s. Bots scanning a website, or misconfigured clients, can generate large numbers of 404s, each of which costs WordPress a full request cycle to produce. Bottle can either throttle all 404 requests, or block 404s for static files only (e.g. images).
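The checks above, as an added illustration in Python (this is not Bottle's code, which is a PHP plugin): fixed-window counters keyed by IP, session and static-file 404s, run over a constructed request log. The thresholds, IP addresses, session ids and paths are made up for the example, and the `status` column stands in for the response WordPress would have produced; the simulation needs it only to feed the 404 counter, since a throttled request never reaches WordPress.

```python
import itertools
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    """Thresholds per measurement window. Values are illustrative, not Bottle's defaults."""
    window: int = 60               # seconds in one measurement window
    sessions_per_ip: int = 3       # new sessions a single IP may open per window
    requests_per_session: int = 5
    requests_per_ip: int = 8
    static_404s_per_ip: int = 2    # static-file 404s an IP may cause before being blocked


STATIC_SUFFIXES = (".png", ".jpg", ".gif", ".css", ".js", ".ico")


class Throttler:
    def __init__(self, limits=None):
        self.limits = limits or Limits()
        self.counts = defaultdict(int)      # (rule, key, window index) -> hits
        self.known_sessions = set()         # (ip, session) pairs already counted as "new"
        self._minted = itertools.count(1)   # stands in for issuing a fresh JWT session cookie

    def _window(self, ts):
        return ts // self.limits.window

    def _bump(self, rule, key, ts):
        """Increment a counter for the current window and return the new value.
        Counters from earlier windows are never consulted again, which is how a
        throttle expires at the end of its window."""
        k = (rule, key, self._window(ts))
        self.counts[k] += 1
        return self.counts[k]

    def handle(self, ts, ip, session, path, status):
        """Return the name of the rule that throttles this request, or None to let it through."""
        lim = self.limits
        if session is None:
            # No session cookie presented: mint one for this request. A bot that
            # ignores cookies therefore opens a new session on every request.
            session = f"minted-{next(self._minted)}"
        if (ip, session) not in self.known_sessions:
            self.known_sessions.add((ip, session))
            if self._bump("sessions_per_ip", ip, ts) > lim.sessions_per_ip:
                return "sessions_per_ip"
        if self._bump("requests_per_session", session, ts) > lim.requests_per_session:
            return "requests_per_session"
        if self._bump("requests_per_ip", ip, ts) > lim.requests_per_ip:
            return "requests_per_ip"
        if path.lower().endswith(STATIC_SUFFIXES) and status == 404:
            # Static-file 404s only: block once the IP has used up its budget,
            # otherwise count this one and let WordPress answer it.
            if self.counts[("static_404", ip, self._window(ts))] >= lim.static_404s_per_ip:
                return "static_404"
            self._bump("static_404", ip, ts)
        return None


# Constructed sample traffic: (timestamp, client IP, session cookie or None, path, status)
SAMPLE_REQUESTS = [
    # 10.0.0.1 ignores cookies, so every request starts a new session
    (0, "10.0.0.1", None, "/courses/page/1/", 200),
    (1, "10.0.0.1", None, "/courses/page/2/", 200),
    (2, "10.0.0.1", None, "/courses/page/3/", 200),
    (3, "10.0.0.1", None, "/courses/page/4/", 200),
    (4, "10.0.0.1", None, "/courses/page/5/", 200),
    # 10.0.0.2 keeps its cookie but hammers the site from one session
    *[(10 + i, "10.0.0.2", "sess-b", "/courses/", 200) for i in range(7)],
    # 10.0.0.3 probes for images that do not exist
    (20, "10.0.0.3", "sess-c", "/wp-content/uploads/a.jpg", 404),
    (21, "10.0.0.3", "sess-c", "/wp-content/uploads/b.jpg", 404),
    (22, "10.0.0.3", "sess-c", "/wp-content/uploads/c.jpg", 404),
    # 10.0.0.4 is an ordinary visitor
    (30, "10.0.0.4", "sess-d", "/about/", 200),
    # 10.0.0.5 rotates three sessions to stay under the per-session limit
    *[(40 + i, "10.0.0.5", f"sess-e{i % 3}", "/courses/", 200) for i in range(9)],
    # 10.0.0.1 again in the next window: its throttle has expired
    (70, "10.0.0.1", None, "/courses/page/6/", 200),
]


def run(requests, limits=None):
    """Feed requests through one Throttler and return the decision for each."""
    t = Throttler(limits)
    return [t.handle(*req) for req in requests]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS)):
        print(f"t={req[0]:>3} {req[1]:<9} {req[3]:<28} -> {decision or 'allowed'}")
```

Each client in the sample trips a different rule: the cookie-less scraper is caught by the sessions-per-IP check on its fourth request, the single-session client by the per-session rate, the session-rotating client only by the per-IP rate, and the image prober by the static-404 budget, while the ordinary visitor and the scraper's request in the next window pass.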
When a client is throttled, Bottle either rejects the request outright with an HTTP 429 (Too Many Requests) response or serves a JavaScript-based cryptographic puzzle. A legitimate browser computes the puzzle's solution automatically and submits it to the server for verification; no user input is required. Once the solution is verified, Bottle lets that client back into the site. Note that solving the puzzle proves only that the client executes JavaScript and is willing to spend the CPU time, not that it is human: at the moment some bots, but not all, will solve these puzzles.
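The puzzle round-trip described above, as an added Python illustration of a proof-of-work challenge. This is not Bottle's own puzzle (which runs as JavaScript in the browser and is verified by the PHP plugin), and the page does not describe its construction, so the SHA-256 leading-zero-bits scheme, the HMAC-signed challenge, the field names, the difficulty values and the session ids here are this example's assumptions. Both sides are simulated in one file: the server issues a signed, session-bound, expiring challenge; the client brute-forces a counter; the server checks signature, expiry, work and single use.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Per-deployment secret used to sign challenges, so the server stores nothing
# until a solution comes back. Generated at start-up here for the example.
SERVER_SECRET = os.urandom(32)

# Nonces already redeemed: a solved challenge must not be replayable.
REDEEMED = set()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest (the difficulty measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(session_id, difficulty_bits=14, ttl=120, now=None):
    """Server side: build a challenge bound to the throttled session and sign it.

    Returns (payload, tag); both go to the client, which must send both back.
    """
    now = int(time.time()) if now is None else now
    body = {
        "nonce": base64.urlsafe_b64encode(os.urandom(16)).decode(),
        "session": session_id,      # binds the puzzle to one client
        "bits": difficulty_bits,    # leading zero bits required
        "exp": now + ttl,           # solutions are accepted only until then
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload, tag


def work(payload, counter):
    """The hash both sides compute over the challenge and a candidate counter."""
    return hashlib.sha256(f"{payload}:{counter}".encode()).digest()


def solve(payload, max_iters=1 << 24):
    """Client side (in Bottle this is JavaScript in the browser): try counters
    until the hash has enough leading zero bits. No user input is involved."""
    bits = json.loads(payload)["bits"]
    for counter in range(max_iters):
        if leading_zero_bits(work(payload, counter)) >= bits:
            return counter
    raise RuntimeError("no solution within max_iters")


def verify(payload, tag, counter, now=None):
    """Server side: accept a solution only if the challenge is genuine,
    unexpired, sufficiently worked and not previously redeemed."""
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"       # tampered payload, e.g. lowered difficulty
    body = json.loads(payload)
    now = int(time.time()) if now is None else now
    if now > body["exp"]:
        return False, "expired"
    if leading_zero_bits(work(payload, counter)) < body["bits"]:
        return False, "insufficient work"
    if body["nonce"] in REDEEMED:
        return False, "replayed"
    REDEEMED.add(body["nonce"])
    return True, "ok"


if __name__ == "__main__":
    payload, tag = issue_challenge("sess-42")
    counter = solve(payload)
    print("solved with counter", counter, "->", verify(payload, tag, counter))
    print("second submission ->", verify(payload, tag, counter))
```

Two design points matter in practice. Signing the challenge lets a throttled client be handed a puzzle without the server keeping state for it, and the signature check comes first so a client cannot lower `bits` in the payload it returns. Binding the nonce to the session and refusing redeemed nonces stops one solved puzzle from being shared across a bot network or replayed. Nothing here distinguishes a human from a headless browser that runs the script and pays the CPU cost, which is why the puzzle reduces load rather than guaranteeing a human visitor.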
When a throttle condition is reached, Bottle stops WordPress processing before the rest of the request pipeline runs, which substantially reduces server load under attack. Throttles expire automatically at the end of their respective measurement windows.
Bottle is not a firewall: it does not inspect request content and will not block or sanitize malicious attacks. However, since such attacks are typically performed in large volume, Bottle can be effective at slowing them and reducing server load, keeping the website operational for legitimate users.
Overall, Bottle is a set of tools designed to reduce server load with minimal disruption to real users.