DataDome

The Web’s Bot Problem Isn’t Getting Better: Insights From the 2025 Global Bot Security Report

Last update: 30 Sep, 2025

DataDome’s mission is to free the web of fraudulent traffic. The Global Bot Security Report is one of the ways we work toward this goal, providing fact-based insights into how effectively websites defend themselves against automated threats worldwide.

For the 2025 edition, we used our Vulnerability Scan to analyze ~17,000 popular websites and measure their resilience against common forms of automation. This year, we also broadened the scope to evaluate how AI crawlers are interacting with our customers’ websites, and the growing challenge this poses for businesses concerned about large-scale scraping and the loss of proprietary content.

The results not only reveal key trends but also expose critical protection gaps, offering a clearer picture of the evolving bot, cyberfraud, and AI-driven threat landscape. Unfortunately, many of this year’s findings reinforce an ongoing concern: the majority of websites are still unable to block even the simplest automated attacks.

This widespread exposure to even very simple bots means businesses are extremely vulnerable to the far more sophisticated, AI-powered bot attacks we’re seeing in 2025. AI agents are rewriting the rules of online engagement and fraud. Traditional defenses, built to spot static automation, are collapsing under this complexity. And it’s not just about stopping fraud. It’s also about maximizing the opportunities hidden in AI traffic while still defending against the threats it presents. Security must now operate at AI speed, with detection that is smart enough to distinguish an AI with bad intent from one with good intent.

Key findings from the 2025 report

In testing nearly 17,000 popular domains with the DataDome Vulnerability Scan, we found that the majority of websites remain vulnerable to bot attacks. In many cases, vulnerability rates have actually worsened since 2024.

Most sites still fail to detect and block simple bots. In 2025, 61.2% of 16,900+ tested websites were unprotected, 36% were partially protected, and only 2.8% were fully protected. This means 3 out of 5 domains remain fully unprotected against simple bot attacks.

Full protection rates have worsened since 2024. Compared to 2024, the percentage of fully protected websites dropped sharply, from 8.4% in 2024 to 2.8% in 2025. However, there has been an increase in domains that scored as partially protected (26.4% in 2024 and now 36% in 2025). Partial protection means that at least one type of bot was detected, but not all of them. 

AI-driven bots now frequently target high-value endpoints. In 2025, 64% of AI bot traffic touched forms, 23% touched login pages, and 5% reached checkout flows, introducing new fraud, compliance, and security risks. The rise of agentic AI and LLMs makes it essential to assess intent, since not all AI traffic is bad. The outdated ‘bot or not’ model no longer applies.

LLM crawlers surged in volume. LLM crawler traffic more than quadrupled between January and August 2025 across DataDome’s customer base. OpenAI’s GPTBot alone made over 1.7 billion requests to DataDome customer websites in August 2025.

Businesses are moving to block AI crawlers. 88.9% of robots.txt files in our dataset explicitly disallow GPTBot, making it the most-referenced AI crawler by far. This points to a broader trend: businesses are increasingly blocking AI traffic amid growing concerns over content theft and data misuse.

High-risk industries remain exposed. In 2025, the weakest sectors were Government, Non-Profit, and Telecoms, showing the lowest levels of bot protection. Meanwhile, Travel & Hospitality, Gambling, and Real Estate led the way with the highest combined rates of full and partial protection.

Bot protection tools from popular vendors are inconsistent. Across widely used vendors, detection rates for our test bots ranged from just 6% to 42%—revealing major gaps in real-world effectiveness, even among providers claiming bot mitigation as a core capability. (DataDome was excluded from this comparison.)

The most-trafficked websites are among the least protected. Only 2% of domains with over 30M monthly visits were fully protected, suggesting that scale alone does not translate to better protection.

Bigger doesn’t mean safer. Even among the largest organizations (10,001+ employees), just 2.2% of their domains were fully protected, with 61% unprotected. 

Some bots are far harder to detect than others. Detection remained weakest for advanced, anti-fingerprinting bots, which were only blocked by ~7% of targets—leaving most organizations highly vulnerable to account takeover, carding, and advanced scraping attacks. Fake Chrome and Curl bots were detected just 21% of the time, while 79% evaded defenses.

Read the full report

The full 2025 Global Bot Security Report is available now, offering a deeper dive into these trends and the strategies you need to adopt to keep pace. Get your complimentary copy today. 

 
