You've meticulously built your web application on Vercel, optimized it for performance, and launched it to the world. But when you check your analytics, you're shocked to see a flood of traffic from bots and crawlers that are absolutely devouring your resources. Even worse, you've started receiving warnings from Vercel about approaching usage limits on your Hobby plan, despite having only 350 monthly active human users.
These AI bots and crawlers aren't just passively browsing—they're "HORRIBLY HUNGRY" as many developers have discovered, consuming bandwidth and computing resources at an alarming rate. The result? Skewed analytics, degraded performance, and the looming threat of unexpected costs.
The Growing Bot Traffic Problem
Bot traffic now accounts for approximately 66% of global internet activity, with about 40% of that traffic being potentially harmful according to Barracuda Networks. This isn't just a minor nuisance—it's a significant challenge facing developers and businesses of all sizes.
For Vercel users, especially those on the Hobby plan, this presents a particular dilemma. As one frustrated developer noted: "AI bots and crawlers started sucking hard on my app... I started to receive warnings from Vercel about usage." What makes this situation even more frustrating is that many built-in protection mechanisms simply aren't effective enough.
Understanding the Bot Landscape
Before diving into solutions, it's important to understand what we're dealing with:
Types of Bot Traffic
Beneficial Bots: Search engine crawlers (Google, Bing), monitoring services, and social media bots that help index and promote your content.
Harmful Bots:
Scraper Bots: Steal your content and data
Click Bots: Generate fake clicks and engagement
Vulnerability Scanners: Probe for security weaknesses (like WordPress vulnerabilities on non-WordPress sites)
DDoS Attackers: Overwhelm your server with traffic
The challenge is that while you can deter "nice" bots with a properly configured robots.txt file, the malicious ones simply ignore these instructions. As one developer put it: "you can block the 'nice' bots with robots.txt, but evil ones won't care (like Alibaba)."
The Hidden Costs of Bot Traffic
Bot traffic isn't just an annoyance—it has real financial and performance implications:
Increased Resource Consumption: Bots can rapidly consume your bandwidth and computing resources, especially problematic on limited plans like Vercel Hobby.
Distorted Analytics: With upwards of 50,000 bot sessions per month reported by some users, your analytics become essentially meaningless. This makes it difficult to make informed decisions about your application.
Higher Operational Costs: As one developer discovered, "with Vercel's firewall, if you set a custom rule to deny based on user agent, you'll still be charged for that." This means even your attempts to block bots can end up costing you.
Degraded User Experience: When bots consume your resources, legitimate users may experience slower load times and reduced application performance.
Combining Vercel and Cloudflare for Effective Bot Management
There's a simple but powerful solution to regain control over your application: combining Vercel's firewall capabilities with Cloudflare's robust security features. Here's how to implement this strategy:
Step 1: Set Up Cloudflare as Your First Line of Defense
Cloudflare acts as a protective shield in front of your Vercel deployment:
Sign up for Cloudflare and add your domain
Enable Cloudflare's Bot Management features:
Bot Fight Mode (available on Free plan)
Super Bot Fight Mode (available on Pro plan, ~$20/month)
Configure Firewall Rules to challenge suspicious traffic:
(http.user_agent contains "bot" or http.user_agent contains "crawler") and not cf.client.bot
Set this rule to issue a challenge or block outright. This stops many malicious bots while allowing legitimate crawlers through.
Implement Country Blocking if you're seeing traffic from regions you don't serve:
ip.geoip.country in {"CN" "RU" "IR"} and not cf.client.bot
This example blocks traffic from China, Russia, and Iran while allowing legitimate search engine bots from these regions.
Step 2: Configure Vercel Firewall as Your Second Defense Layer
Vercel's Web Application Firewall (WAF) provides an additional layer of protection:
Set Up Custom Rules in Vercel's firewall to target specific bot patterns:
Navigate to your Vercel dashboard → Project Settings → Security → Firewall and create rules like:
user_agent matches "(?i)(alibaba|semrush|ahrefsbot)"
Implement Rate Limiting (requires Pro plan):
Limit requests per IP to prevent automated scraping
Set thresholds based on your legitimate user patterns
Use JA4 Fingerprinting to identify and block sophisticated bots that spoof their user agents
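A local dry run of the two user-agent rules above (the Cloudflare expression from Step 1 and the Vercel pattern from Step 2) over constructed requests. This is an added example, not Cloudflare's or Vercel's rule engine; `verifiedBot` is an assumed stand-in for `cf.client.bot`, and every sample user agent is constructed. It shows that Cloudflare's `contains` is case-sensitive and that a scraper sending a browser user agent passes both rules, which is why rate limiting and JA4 fingerprinting are listed alongside them.

```javascript
// Added example: emulates the page's two user-agent rules locally.
// Not Cloudflare's or Vercel's engine; sample requests are constructed.

// Step 1 rule. Cloudflare's `contains` is case-sensitive, so
// String.prototype.includes models it directly.
function cloudflareRule(req) {
  const ua = req.userAgent;
  return (ua.includes("bot") || ua.includes("crawler")) && !req.verifiedBot;
}

// Step 2 rule: case-insensitive pattern on the user agent.
const VERCEL_PATTERN = /(alibaba|semrush|ahrefsbot)/i;
function vercelRule(req) {
  return VERCEL_PATTERN.test(req.userAgent);
}

// Name the first layer that would act on the request, or "pass".
function evaluate(req) {
  if (cloudflareRule(req)) return "cloudflare";
  if (vercelRule(req)) return "vercel";
  return "pass";
}

const GOOGLEBOT_UA =
  "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)";

// verifiedBot stands in for cf.client.bot (assumption for this example).
const SAMPLES = [
  { name: "verified-googlebot", verifiedBot: true, userAgent: GOOGLEBOT_UA },
  { name: "spoofed-googlebot", verifiedBot: false, userAgent: GOOGLEBOT_UA },
  { name: "ahrefs-no-url", verifiedBot: false, userAgent: "AhrefsBot/7.0" },
  { name: "capital-b-only", verifiedBot: false, userAgent: "ExampleBot/1.0" },
  { name: "browser-ua-scraper", verifiedBot: false,
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36" },
];

function dryRun(samples) {
  return Object.fromEntries(samples.map((s) => [s.name, evaluate(s)]));
}

console.log(dryRun(SAMPLES));
```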
Step 3: Optimize Your robots.txt File
While not effective against malicious bots, a properly configured robots.txt file will help manage legitimate crawler traffic:
User-agent: *
Disallow: /api/
Disallow: /admin/
Disallow: /private/
Allow: /
# Slow down crawling
Crawl-delay: 10
# Specific instructions for aggressive but legitimate bots
User-agent: AhrefsBot
Crawl-delay: 30
User-agent: SemrushBot
Crawl-delay: 30
Step 4: Create a Bot Traffic Tarpit
An advanced technique is creating a "tarpit" to slow down aggressive bots:
Create a honeypot page (e.g., /resources/download.html) that's invisible to users but accessible to bots
On Vercel Edge Functions or Cloudflare Workers, implement code that detects bot signatures and then:
Serves deliberately slow responses
Returns massive, meaningless HTML documents
Creates redirect chains
This wastes bot resources while they're trying to crawl your site, making your application less attractive to automated scrapers.
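One way to build the slow-response variant of the tarpit, written in the fetch-handler shape that edge runtimes use. This is an added example, not code from the original article; the honeypot path is the article's own, while `BOT_SIGNATURE`, the delay, the chunk cap and the `origin` callback are assumptions. It sends tiny chunks with long pauses and a hard cap, so the tarpit costs the client time without running up your own bandwidth.

```javascript
// Added example: honeypot tarpit in the fetch-handler shape used by edge runtimes.
// HONEYPOT_PATH is the page's example path; the other constants are assumptions.
const HONEYPOT_PATH = "/resources/download.html";
const BOT_SIGNATURE = /(alibaba|semrush|ahrefsbot)/i; // pattern from Step 2
const CHUNK_DELAY_MS = 2000; // wait before each chunk
const MAX_CHUNKS = 15;       // hard cap: the tarpit must not drain your own quota

// Pure decision function so the policy can be unit-tested without a runtime.
function classify(pathname, userAgent) {
  if (pathname === HONEYPOT_PATH) return "tarpit";          // hidden link followed
  if (BOT_SIGNATURE.test(userAgent || "")) return "tarpit"; // known crawler signature
  return "pass";
}

// Tiny chunks with long waits: costs the client time, costs you few bytes.
function tarpitPlan() {
  return Array.from({ length: MAX_CHUNKS }, (_, i) => ({
    delayMs: CHUNK_DELAY_MS,
    body: `<!-- ${i} -->\n`,
  }));
}

// Stream the plan; pull() runs only when the consumer wants more data.
function tarpitResponse() {
  const plan = tarpitPlan();
  const encoder = new TextEncoder();
  let i = 0;
  const stream = new ReadableStream({
    async pull(controller) {
      if (i >= plan.length) return controller.close();
      await new Promise((resolve) => setTimeout(resolve, plan[i].delayMs));
      controller.enqueue(encoder.encode(plan[i++].body));
    },
  });
  return new Response(stream, {
    headers: { "content-type": "text/html", "cache-control": "no-store" },
  });
}

// `origin` is a stand-in for forwarding to the real site (assumption).
async function handle(request, origin = () => new Response("ok")) {
  const { pathname } = new URL(request.url);
  const action = classify(pathname, request.headers.get("user-agent"));
  return action === "tarpit" ? tarpitResponse() : origin(request);
}
```

List the honeypot path under Disallow in robots.txt so that crawlers which honor the file never enter the tarpit.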
Monitoring and Refining Your Bot Management Strategy
Even after implementing these protections, regular monitoring is essential:
Use Cloudflare Analytics to identify traffic patterns and bot activity
Monitor Vercel Usage Metrics to ensure you're staying within your plan limits
Filter Bot Traffic in Google Analytics using custom segments:
Regularly Review and Update Your Rules as bot patterns evolve
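For the monitoring steps above and for the rate-limiting advice in Step 2 to set thresholds from legitimate user patterns, the following added example (not from the original article) derives a per-IP limit from access-log records and lists the clients that exceed it. The record fields `ip` and `ts`, the list of known-human IPs (for instance, addresses of logged-in sessions) and the safety margin of 2 are assumptions; the log data is constructed.

```javascript
// Added example: per-IP request rates from access-log records (constructed data).
// Field names (ip, ts, ua) are assumptions; map them from your own log export.

// Peak number of requests in any fixed 60-second window, per IP.
function peakPerMinute(records) {
  const counts = new Map(); // "ip|minute" -> request count
  for (const r of records) {
    const key = `${r.ip}|${Math.floor(r.ts / 60)}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const peaks = new Map();
  for (const [key, n] of counts) {
    const ip = key.split("|")[0];
    peaks.set(ip, Math.max(peaks.get(ip) || 0, n));
  }
  return peaks;
}

// Threshold = highest peak among known-human clients, times a safety margin.
function suggestThreshold(peaks, humanIps, margin = 2) {
  const humanPeak = Math.max(0, ...humanIps.map((ip) => peaks.get(ip) || 0));
  return Math.ceil(humanPeak * margin);
}

// IPs whose peak rate exceeds the threshold, sorted for stable output.
function offenders(peaks, threshold) {
  return [...peaks].filter(([, n]) => n > threshold).map(([ip]) => ip).sort();
}

// Constructed records: ts is seconds from an arbitrary start; IPs are from
// the documentation ranges. The last client sends a browser user agent.
function sampleRecords() {
  const recs = [];
  for (let s = 0; s < 60; s += 10) recs.push({ ip: "192.0.2.10", ts: s, ua: "browser" });
  for (let s = 0; s < 120; s += 30) recs.push({ ip: "192.0.2.11", ts: s, ua: "browser" });
  for (let s = 0; s < 60; s += 1) recs.push({ ip: "198.51.100.7", ts: s, ua: "browser" });
  return recs;
}

const peaks = peakPerMinute(sampleRecords());
const threshold = suggestThreshold(peaks, ["192.0.2.10", "192.0.2.11"]);
console.log({ threshold, offenders: offenders(peaks, threshold) });
```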
Cost-Benefit Analysis: Hobby vs. Pro Plans
For many developers, the question becomes: is it worth upgrading from Vercel's Hobby plan to Pro?
Hobby Plan Challenges:
Limited resources that bots can quickly consume
Basic firewall functionality without rate limiting
No persistent actions (formerly available but discontinued)
Pro Plan Benefits ($20/month):
Rate limiting capabilities
Higher resource limits
Better protection against unexpected overage charges
Similarly, Cloudflare's Pro plan ($20/month) offers significantly enhanced bot protection compared to the free tier.
For a site with moderate traffic and bot issues, the combined cost of approximately $40/month for Vercel Pro and Cloudflare Pro is often justified by:
Reduced resource consumption
Better analytics data
Improved user experience
Protection against unexpected overage charges
When to Consider Self-Hosting
If bot traffic becomes unmanageable despite these measures, some developers opt to move from Vercel to self-hosted solutions:
"Self Host instead of Vercel for full control," suggested one developer dealing with aggressive bot traffic.
Using a VPS with Nginx allows for more granular control over traffic using custom configurations:
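# Example Nginx configuration to block bad bots (goes inside a server block)
if ($http_user_agent ~* (AhrefsBot|SemrushBot|MJ12bot|YandexBot)) {
    return 403;
}
# Rate limiting: define the shared zone in the http block (1 request/second per client IP)
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# The zone only takes effect where limit_req references it, inside a server or location block
limit_req zone=one;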
However, this approach requires more technical expertise and ongoing maintenance.
Conclusion
Bot traffic management is increasingly becoming an essential skill for developers deploying applications on platforms like Vercel. By combining Cloudflare's protective capabilities with Vercel's firewall settings, you can effectively shield your applications from resource-draining bot activities while preserving performance for legitimate users.
Remember that bot management is not a set-it-and-forget-it solution—it requires ongoing monitoring and adjustment as bot techniques evolve. Start with the strategies outlined in this article, measure their effectiveness, and refine your approach based on your specific traffic patterns and application needs.
Whether you choose to remain on the Hobby plan with enhanced protections or upgrade to Pro for additional capabilities, taking proactive steps to manage bot traffic will result in better application performance, more accurate analytics, and ultimately a better experience for your human users.