Battling Bots: How We’re Keeping LJTalks Safe Without Blocking Legit Members
Oct. 21, 2024, 7:05 p.m.
In the World of Web Development, There’s One Thing We All Dread—Bots.
As I’ve been building and refining my website, I’ve been doing my best to make sure it’s a great space for legitimate users to interact, subscribe, and join my community. But over the past few days, I’ve faced an unexpected (but interesting!) challenge: keeping bots at bay.
How Did the Bots Get In?
It all started when I noticed some suspicious registrations. While I was doing my regular tests, I began seeing odd accounts—users who signed up but had names that looked more like random characters than actual people. No email verification, no logins, and yet they kept coming!
This is a common problem across the web: bots make up around 42.3% of internet traffic, with malicious bots accounting for 27.7%, according to Imperva's 2022 Bad Bot Report (figures for 2021 traffic). Bots registering for your site aren't just annoying; they're potentially harmful, consuming server resources, filling your user table with junk accounts, or paving the way for spammy content. So I knew I needed to take action, but how do you fight back against the bots without pushing away legitimate users?
Step 1: Honeypots and reCAPTCHA
The first step I took was adding honeypots to both the contact form and the registration form. A honeypot is an extra text field that is moved off-screen with CSS (not an `<input type="hidden">`, which most bots leave untouched) so a real user never sees it and never fills it in, while a bot that auto-fills every field it finds does. If the hidden field comes back with a value, I catch it and silently deny the registration. The one caveat is to keep browsers and assistive tech away from the field too (autocomplete off, excluded from tab order, hidden from screen readers), otherwise autofill can make a real person look like a bot.
Next up was reCAPTCHA. I experimented with versions that weren’t too intrusive for users but still effective at blocking bot submissions. With this combination in place, things started improving. Now, the honeypot system catches over 90% of bots attempting to register, while legitimate users aren’t even aware that extra measures are in place.
Step 2: Rate Limiting
Once the honeypots and reCAPTCHA were up and running, I introduced rate limiting to the user registration form. Rate limiting restricts how many requests any user or IP address can make within a short window. If a bot hits the signup form with multiple requests per second (or even per minute), it gets blocked automatically. Two details matter here: if the site sits behind a reverse proxy, the limiter has to read the client address from the header the proxy sets rather than the raw connection address (and must not trust that header when it could have been supplied by the client), and the limit has to be generous enough that people sharing one address, such as an office or mobile network, are not caught.
This was a major step forward. By blocking suspicious activity early on, we cut down bot-generated spam by nearly 80%.
Step 3: Tracking Sources and IPs
One of the more interesting steps I've taken is tracking where users are coming from. For every registration attempt, I now capture the referrer URL (where the user came from) and the IP address, together with the outcome of the other checks. If a new user is legitimate, great! If not, I can look at the source and see whether there's a pattern to where these bots are coming from. The referrer is a hint rather than proof, since a bot can omit or forge it, which is why it is recorded alongside the IP and the verdict rather than used on its own.
This simple tracking gave me more visibility into what's happening behind the scenes. Bots arriving from suspicious referrers and IP addresses are now quickly identified and blocked, further improving the site's security.
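The three steps above (honeypot, rate limit, referrer/IP tracking) as one working registration check, written in plain Python so it can run without a web framework. This is an added example and not the LJTalks code; the field names, limits, secret and the form-timing token are assumptions. The timing token is an extra signal beyond what the post describes: the server signs a timestamp into the form when it is rendered, and a submission that comes back faster than a human could type is treated as a bot. Honeypot and timing rejections return a verdict but the caller should still show the normal success page, so the bot learns nothing.

```python
import hashlib
import hmac
import time
from collections import Counter, defaultdict, deque

# Hypothetical names and values for this example, not the site's own settings.
SECRET = b"rotate-me-and-keep-out-of-git"
HONEYPOT_FIELD = "website"    # rendered off-screen; autocomplete="off", tabindex="-1", aria-hidden
MIN_FILL_SECONDS = 3          # a person needs at least a few seconds to fill a sign-up form
RATE_LIMIT = 5                # sign-up attempts allowed per IP ...
RATE_WINDOW = 600             # ... within this many seconds (sliding window)


def issue_form_token(now=None):
    """Embed this in the form as a hidden field when the page is rendered.
    The HMAC stops a bot from back-dating the timestamp to look slow."""
    ts = str(int(now if now is not None else time.time()))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def token_age(token, now):
    """Age of a valid token in seconds, or None if it is missing or forged."""
    try:
        ts, sig = token.split(".", 1)
        expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        return now - int(ts)
    except (AttributeError, ValueError):
        return None


class RegistrationGuard:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._attempts = defaultdict(deque)   # ip -> timestamps of recent attempts
        self.log = []                         # one record per attempt, for the Step 3 analysis

    @staticmethod
    def client_ip(headers, remote_addr, behind_trusted_proxy=False):
        """Trust X-Forwarded-For only when your own reverse proxy sets it;
        otherwise a bot can put anything in that header and dodge the per-IP limit."""
        if behind_trusted_proxy and headers.get("X-Forwarded-For"):
            return headers["X-Forwarded-For"].split(",")[0].strip()
        return remote_addr

    def _rate_limited(self, ip, now):
        recent = self._attempts[ip]
        while recent and now - recent[0] > RATE_WINDOW:
            recent.popleft()                  # drop attempts outside the window
        if len(recent) >= RATE_LIMIT:
            return True
        recent.append(now)
        return False

    def check(self, form, headers, remote_addr, behind_trusted_proxy=False):
        """Return 'allow' or the reason for rejection. Cheap checks run first."""
        now = self._clock()
        ip = self.client_ip(headers, remote_addr, behind_trusted_proxy)
        referrer = headers.get("Referer", "")  # the HTTP header really is spelled this way
        if self._rate_limited(ip, now):
            verdict = "rate_limited"
        elif form.get(HONEYPOT_FIELD):
            verdict = "honeypot"
        else:
            age = token_age(form.get("form_token"), now)
            verdict = "allow" if age is not None and age >= MIN_FILL_SECONDS else "too_fast"
        self.log.append({"ip": ip, "referrer": referrer, "verdict": verdict, "at": now})
        return verdict

    def rejected_by(self, field):
        """Count rejections per 'ip' or 'referrer' to surface the patterns Step 3 looks for."""
        return Counter(rec[field] for rec in self.log if rec["verdict"] != "allow")


if __name__ == "__main__":
    # Constructed sample traffic: one human sign-up, then a scripted burst.
    clock = [1_700_000_000.0]
    guard = RegistrationGuard(clock=lambda: clock[0])
    token = issue_form_token(clock[0])
    clock[0] += 12  # a person takes a few seconds to type
    print(guard.check({"form_token": token, "email": "a@example.org", HONEYPOT_FIELD: ""},
                      {"Referer": "https://social.example/post/1"}, "203.0.113.5"))
    for _ in range(8):
        clock[0] += 0.2
        bot_form = {"form_token": issue_form_token(clock[0]), HONEYPOT_FIELD: "http://spam.example"}
        print(guard.check(bot_form, {"Referer": ""}, "198.51.100.9"))
    print(guard.rejected_by("ip"))
```

The in-memory deque is enough for a single-process site; with several workers the attempt counts belong in something shared such as the database or a cache, or the limit silently becomes "per worker".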
The Balance: Keeping Legit Users Happy
Of course, all these defences have to come with a balance. I don’t want to annoy legitimate users with endless captchas or have them blocked because of rate-limiting. So, I’ve made sure to fine-tune everything to be as user-friendly as possible.
The rate-limiting is set high enough that regular users shouldn’t ever feel it, but bots trying to hit the site hard get caught. Similarly, honeypots work behind the scenes, so real users won’t even know they exist.
Lessons Learned
At first, dealing with bots was annoying—just another distraction from getting the fun parts of the site up and running. But as I dove deeper, it became a really interesting challenge! It’s not just about stopping bad actors but about finding the right balance between security and usability.
Here are a few takeaways:
Always track user activity: Knowing where sign-ups are coming from (referrer and IP) gives you visibility into who might be legitimate and who’s a potential bot.
Layer your defences: Combining reCAPTCHA, honeypots, and rate-limiting gives you multiple lines of protection.
Keep user experience in mind: Your real users should never feel like they’re jumping through hoops to sign up. Everything needs to work seamlessly for them, while still keeping the bots out.
And that’s the story of how I’m keeping LJTalks safe while welcoming legit members. If you’re building your own project and finding yourself in a similar spot—don’t worry. There are plenty of tools to fight back against bots, and once you understand the tricks, it can even be kind of fun!
Tracking: Why It’s About Security, Not Spying
Let’s talk about tracking. It’s a word that tends to raise eyebrows, and I completely get it. In today’s world, privacy concerns are everywhere. Many of us are suspicious when we hear that websites are “tracking” something about us, and that’s completely understandable. But I want to be clear about what we’re doing and why we’re doing it.
For LJTalks, tracking user activity—like capturing the referrer URL and IP address when someone registers—has one main goal: security. It’s all about making sure that the people joining the community are real, legitimate users, not bots or bad actors trying to mess with the site.
Why Do We Track Referrers and IPs?
When someone signs up, I capture:
Referrer URL: This tells me where the person came from, whether it's a social media post, a Google search, or another website. It can be empty or faked, so it is only a clue, but if I see users arriving from odd or untrustworthy sources it points me at where to look.
IP Address: This is another useful piece of information. Bots tend to arrive from hosting or proxy address ranges rather than ordinary home connections, and a burst of attempts from one address is a signal in itself, so recording IPs helps me catch them before they can cause trouble.
That’s it. I’m not interested in where you go after you leave the site or anything invasive like that. I only track what’s necessary to keep the site safe and make sure that real people—people like you—are protected.
What Does This Mean for Legitimate Users?
For legitimate users, this tracking actually improves your experience. By keeping bots and spam out, I can focus on creating a community that’s safe, welcoming, and free from the annoyances that often plague other sites. It helps keep things running smoothly, ensuring the website remains responsive and functional for everyone who wants to join and interact.
It’s a balancing act, though. I’m committed to doing the bare minimum necessary to ensure the site’s security and to protect your privacy. I don’t want to track more than I need to—just enough to keep the bad actors away and the good ones engaged.
Why You Shouldn't Worry
When people think of “tracking,” they often picture invasive surveillance or companies selling their data to advertisers. But that's not the kind of tracking I’m talking about here. My focus is solely on protecting your experience and making the site better for everyone.
Here’s what I’m not doing:
I’m not selling your data.
I’m not tracking your browsing habits outside of LJTalks.
I’m not storing unnecessary personal details about you.
Instead, I’m using this information to identify unusual behaviour—like bots registering in bulk—and prevent those patterns from disrupting the experience for legitimate users.
Transparency and Your Trust
At the end of the day, I want you to know that your trust is my priority. I’m being upfront about what I’m doing because I believe that’s the right thing to do. If you ever have concerns or questions about how I handle security and privacy, I’m always open to discussing it. My tracking efforts are entirely in service of creating a better, safer community for real people, and nothing more.
Facing Similar Issues?
Are you dealing with bots too? Subscribe to LJTalks for more tips and insights on securing your website and creating a safe online community!