
I definitely agree bots are underserved. I have a few things I do to keep them entertained: ssh bots are tar-pitted to keep them connected but busy; my hope is that I occupy at least one thread, if not the whole process.

For wp-login bots I serve them a nice chunk of random (generated by a fuzzer) HTML in the hopes that 1. it wastes a bit of their bandwidth/memory and 2. it crashes their parser.

In reality I guess bots nowadays are sturdy enough not to get stuck or crash, but who knows, it feels good to do something :-)

Tarpit instructions https://nyman.re/super-simple-ssh-tarpit/

Wp-login page https://twitter.com/gnyman/status/1181652421841436672?s=20

And I remembered another nice trick which someone else came up with, zip bomb the bots :-)

https://blog.haschek.at/2017/how-to-defend-your-website-with...



Although I think bots should be free to access the same content as humans do, I have a suggestion for your fuzzer anti-bot-spray:

It won't work on the more sturdy samples, but maybe try a GZIP bomb on https streams: https://www.infosecmatter.com/metasploit-module-library/?mm=...


Could there be legal repercussions for doing this?


It's your server and someone is accessing it. It's up to you what you serve them.

If you want to be clear, you can put the gzip bomb behind a link that says "do not click, gzip bomb". The bot won't know the difference.


Pre "guy views html source gets home raided for haxx0ring" I'd have said "you silly!"

Now... I'd say "there shouldn't be, it's your server, people can choose to access it or not, but if the right kind of fool comes along, there's no knowing where the stupid ends."


There are some very cool ways of doing these tarpits. This for example: https://nullprogram.com/blog/2019/03/22/
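For readers who want to see what the SSH tarpits linked in this thread (the nyman.re script above and nullprogram's endlessh here) actually do on the wire, here is an added example in the same spirit. It is not either author's code. RFC 4253 section 4.2 lets a server send any number of CRLF-terminated lines before its "SSH-2.0-..." identification string, as long as none of them begins with "SSH-"; a spec-following client keeps waiting for the real version line, so sending one junk line every few seconds holds the connection open at almost no cost. The listen port, the delay and the assumption that the real sshd sits on another port behind a firewall redirect are all my choices, not anything from the linked posts.

```python
"""Endlessh-style SSH tarpit using asyncio (added example, not the
nyman.re script or nullprogram's endlessh).

Assumption: the real sshd listens elsewhere and a firewall rule
redirects tcp/22 to LISTEN_PORT, so only unsolicited scanners end up here.
"""
import asyncio
import random
import time

LISTEN_PORT = 2222   # assumed port; point tcp/22 here with a firewall redirect
LINE_DELAY = 10.0    # seconds between junk lines; the client's timeout decides how long it stays
MAX_BODY = 24        # junk bytes per line (RFC 4253 caps lines at 255 chars incl. CRLF)


def banner_line(rng=random):
    """Return one junk pre-version line: printable ASCII, CRLF-terminated,
    and never starting with 'SSH-' so the client keeps waiting."""
    n = rng.randint(3, MAX_BODY)
    body = "".join(chr(rng.randint(33, 126)) for _ in range(n))
    if body.startswith("SSH-"):
        body = "x" + body[1:]
    return body + "\r\n"


async def tarpit(reader, writer, delay=LINE_DELAY, max_lines=None):
    """Hold one connection: emit junk lines slowly until the peer gives up
    (or until max_lines, which exists for testing). Returns lines sent."""
    peer = writer.get_extra_info("peername")
    started = time.monotonic()
    sent = 0
    try:
        while max_lines is None or sent < max_lines:
            writer.write(banner_line().encode("ascii"))
            await writer.drain()
            sent += 1
            await asyncio.sleep(delay)
    except OSError:
        pass  # peer hung up; that is the normal end of a tarpit session
    finally:
        writer.close()
        held = time.monotonic() - started
        print(f"{peer}: held {held:.0f}s, sent {sent} lines")
    return sent


async def _roundtrip(n, delay):
    """Self-check: start a tarpit on an ephemeral port, connect to it as a
    client and return the first n lines it sends."""
    server = await asyncio.start_server(
        lambda r, w: tarpit(r, w, delay=delay, max_lines=n), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    lines = []
    for _ in range(n):
        lines.append(await reader.readline())
    writer.close()
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return lines


def demo_roundtrip(n=3, delay=0.01):
    """Run the self-check synchronously; returns the raw lines a client sees."""
    return asyncio.run(_roundtrip(n, delay))


async def main():
    server = await asyncio.start_server(tarpit, "0.0.0.0", LISTEN_PORT)
    print(f"tarpit listening on {LISTEN_PORT}, {LINE_DELAY}s between lines")
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Each held connection costs the server one coroutine and a few hundred bytes of state, while the scanner's thread or socket sits blocked on a read; raising `LINE_DELAY` above a typical client's read timeout is what ends up releasing them, so tune it by watching the "held" figures in the log.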


I blocked almost all wp-login bots just using bot fight mode in Cloudflare a few months ago, along with some CF page rules to run an interstitial. It seems to be losing effectiveness over time though, and since I do have wp-login, I wonder how I can implement something like your idea.

Maybe rename the legit login and put this in its place, but that would cause issues for redirects from the legit login link...


Change your login path to something like /custom-admin. Then create a page rule to captcha any attempt to access /wp-login. What traffic other than bots is going to go to the old login page? You can change the login link to go to the new page.


or better yet /custom-admin-07a4b58e-3880-11ec-904e-ba0baece2ff4


There are some popular WP plugins that take care of changing the wp-login path.


Every time I read about ssh tarpits I wish I had a reason to set up one in my VPS. Alas it's much easier to use the VPS provider's network access rules to block all incoming traffic to tcp/22 that isn't from my IP.


> "And I remembered another nice trick which someone else came up with, zip bomb the bots :-)"

Just curious, is it legal to host a zip bomb on your website? I would think it would be classified under some kind of cyber crime....


Legality aside, your web hosting provider may consider it as malicious software / cyberattack activity that breaks their TOS.


Why would that be? It's not even executable code: someone would need to 1. actively request it, 2. actively save it somewhere, 3. actively try to extract it.


If the zip bomb explicitly targets bots it becomes not only a zip bomb, but a mitigation tailor-made to prevent abuse of your platform. Phrase it as the latter and it is probably okay.


It’s a bad idea.



