Book Sale! Save 20% on all books w/ code: WP2024
Web Dev + WordPress + Security

Redirect Stupid Bots to Existing Resources

In case you hadn’t noticed, I’m on another one of my posting sprees. Going through the past year’s worth of half-written drafts and collected code snippets, and sharing anything that might be useful or interesting. Here is a bit of .htaccess that brings together several redirection techniques into a singular plug-&-play code snippet.

Help stupid bots reach their destination

Most websites are swarming with bot activity. Good bots find useful resources and are on their way. Stupid bots are too stupid to follow links and instead make requests for resources that don’t even exist. As in 404 “Not Found” errors draining server resources 24/7. For common, easily found URLs. For example:

  • Bots requesting login.php on a WordPress site
  • Bots requesting favicons.png and similar files
  • Bots requesting robots.txt in weird locations
  • Bots requesting xmlrpc.php in weird locations

Observing the crawl behavior of such bots, it’s clear they’re not actually looking for the login page, site favicon, robots.txt, and so forth. Instead they’re looking for irregularities and inconsistencies, in order to exploit for nefarious purposes. Or maybe they actually are trying to find the site’s robots file, but are just too stupid (read: badly programmed) to find it.

Fortunately, such suspect behavior is easy to remedy with a touch of .htaccess. To give you an idea, here is a code snippet that helps misguided bots reach their apparently intended destinations.

<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_URI} !/wp/wp-login.php [NC]
	RewriteCond %{REQUEST_URI} (wp-login|login)\.php [NC]
	RewriteRule .* [R=301,L]
	RewriteCond %{REQUEST_URI} !^/favicon.ico$ [NC]
	RewriteCond %{REQUEST_URI} !/images/favicons.png$ [NC]
	RewriteCond %{REQUEST_URI} /favicon(s)?\.?(png|gif|ico|jpg)?$ [NC]
	RewriteRule .* [R=301,L]
	RewriteCond %{REQUEST_URI} /robots\.txt$ [NC]
	RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
	RewriteRule .* [R=301,L]
	RewriteCond %{REQUEST_URI} !/wp/xmlrpc.php$ [NC]
	RewriteCond %{REQUEST_URI} xmlrpc.php$ [NC]
	RewriteRule .* [R=301,L]

This code snippet may be added to your site’s public/root .htaccess file (or add via server config). Remember to replace each instance of with your actual site URL. Or you can simply remove to just use relative URLs, like /robots.txt and /wp/xmlrpc.php for example.

Once in place, the above code will redirect requests for non-existent resources to the actual file. Note that some of these rules are intended for WordPress sites, so remove the LOGIN and XMLRPC for sites not running WordPress.

Note: The examples above assume WordPress is installed in its own directory, /wp. So for WordPress sites not installed in their own directory, but rather installed in the site’s public root directory, simply remove all instances of /wp.

Regardless of the site, the main goal of the above code sample is to give you an idea of how to better manage traffic. With a few well-crafted Apache/.htaccess rules, you can help wayward bots find what they’re looking for, which in turn improves traffic quality and helps minimize exposure to any irregularities.

Related Posts

I’ve written tons of articles related to this topic. To read more, you can browse the archives and/or visit some of these choice posts:

Jeff Starr
About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.
Digging Into WordPress: Take your WordPress skills to the next level.

One response to “Redirect Stupid Bots to Existing Resources”

  1. Here is a better way, redirects random/misdirected (404) requests for wp-login.php, and also login.php, /wp-admin/, /admin/, /wp-login/, and /login/. Redirects such requests to the actual login page.

    <IfModule mod_rewrite.c>
    	RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
    	RewriteCond %{REQUEST_URI} !^/wp-login.php [NC]
    	RewriteCond %{REQUEST_URI} (wp-login|login)\.php [NC,OR]
    	RewriteCond %{REQUEST_URI} /(wp-admin|admin|wp-login|login)/?$ [NC]
    	RewriteRule .* /wp-login.php [R=301,L]
Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Digging Into WordPress: Take your WordPress skills to the next level.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
BF Sale! Save 40% on all Pro WordPress plugins and books w/ code FRIDAY23
Sincerely trying to engage more on social media. I love the people not the platforms.
All free and pro WordPress plugins updated and ready for WP version 6.4!
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.