“Is this a bot?” is the most expensive question in online business. Answer it wrong in one direction and you pay for fake traffic; answer it wrong in the other and you block real customers. The good news: you don't need to guess. There are concrete signals — and, just as important, a right way to combine them.

The one rule that matters

No single signal proves a bot. The right question is never “is this suspicious?” but “can I actually prove this is automated?” Real people trip individual checks all the time — a privacy VPN, an old phone, a corporate network. Block on one weak signal and you'll block humans. The signals below are strong together, not alone.

The signals that actually work

Notice the split: signals 1–4 you can get from the IP and request alone. Signals 5–9 need the live visit — the browser, the handshake, the behavior. That's why a bare IP lookup can flag the obvious cases, but only a live check catches the sophisticated ones.

The false positives that cost you customers

The most common way to get bot detection wrong is to punish real humans for looking unusual. Watch for these traps:

Start with the IP — free

See proxy, VPN, hosting, country and a 0–100 bot-risk score for any address in one second.

Open the IP Checker

Doing it automatically

Running these checks by hand doesn't scale — the point is to apply them to every visitor, instantly, without blocking real people. The PureGuard WordPress plugin does exactly that: it combines all nine signals live, blocks confirmed bots before your page loads, and is deliberately tuned to never hard-block a real visitor on a single weak signal.