How to Exclude Bot Traffic in Google Analytics 4

Bot traffic can wreak havoc on your Google Analytics data, skewing your metrics and making it hard to see what’s really moving the needle. Seeing huge, unexplained traffic spikes is confusing and untrustworthy. This article will show you exactly how to identify and exclude bot traffic in GA4, so you can finally get a clear picture of how real customers are interacting with your site.

Graphed

Still Building Reports Manually?

Watch how growth teams are getting answers in seconds — not days.

Watch the Demo

What is Bot Traffic and Why Should You Care?

Bot traffic is any activity on your website that doesn't come from a human. Think of it as automated scripts visiting your pages. These bots can range from relatively harmless to genuinely malicious.

There are generally two types of bots:

• Good Bots: These are the bots you want, like search engine crawlers (e.g., Googlebot). They index your content so your pages can appear in search results.
• Bad Bots: These are the troublemakers. They can include content scrapers, spam bots clicking your ad links, or malicious scripts looking for security vulnerabilities.

Bad bot traffic can completely poison your data integrity. Here’s why it’s a problem:

• Inflated Metrics: Bots can artificially inflate your session count, user numbers, and pageviews, making your top-level numbers look impressive but ultimately meaningless.
• Skewed Engagement: Since bots typically land on a page and leave immediately, they often have a 100% bounce rate (or a 0-second engagement time in GA4 terminology). This drags down your site-wide average engagement metrics.
• Misleading Campaign Performance: Imagine launching a new ad campaign and seeing an immediate flood of traffic. You might think it's a huge success, only to realize later that most of those clicks came from bots, with no real conversions to show for it.

In short, if you don't filter out bad bots, you're making decisions based on faulty data. That's a surefire way to waste time, money, and effort.

How to Find GA4's Built-In Bot Filter

The good news is that GA4 comes with a built-in feature designed to automatically filter out traffic from known bots and spiders. This setting uses Google’s own data combined with the IAB/ABC International Spiders & Bots List to identify and exclude common bot signatures. For most accounts, this feature is enabled by default, but it's always a good idea to double-check.

Here’s how to check if it's active:

1. Navigate to the Admin section of your GA4 property (the gear icon in the bottom-left).
2. Under the Property column, click on Data Streams.
3. Select the specific web data stream you want to check.
4. Under the Events section, click on Configure tag settings.
5. On the next screen, click Show all to expand the settings menu.
6. Click on Identify internal traffic. The setting is in here for bot-filtering too.
7. Ensure the checkbox for Exclude traffic from known bots and spiders is checked.

While this is a fantastic first line of defense, it isn't foolproof. More sophisticated or custom bots can still slip through the cracks. That’s why you need to learn how to spot the signs of custom bot traffic yourself.

Graphed

Still Building Reports Manually?

Watch how growth teams are getting answers in seconds — not days.

Watch the Demo

How to Manually Identify Suspicious Traffic in GA4

When the default filter isn’t enough, you need to play detective. Look for strange patterns in your data that don’t align with normal human behavior. Here are the key indicators to watch for.

1. Look for Sudden, Unexplained Traffic Spikes

A sudden, massive increase in traffic that doesn't correspond to a marketing campaign, press mention, or viral social post is a classic sign of a bot attack. This is particularly suspicious if the traffic is primarily from the "Direct" channel.

Go to your Reports > Acquisition > Traffic acquisition report. Change the date range to look at the last 30 or 90 days. Do you see any dramatic spikes that stick out like a sore thumb? Click on that spike to narrow the date range and start drilling down into the referral source, location, and landing pages to see where it came from.

2. Check for Extremely Low Engagement Rates

Real users browse, click, and scroll. Bots rarely do. They hit a page and vanish. This results in an average engagement time of 0 or 1 second and a bounce rate of nearly 100%.

Navigate to your Reports > Engagement > Pages and screens or Landing page report. Look for pages with a huge number of views but an abnormally low average engagement time (e.g., less than 2 seconds). This suggests traffic is hitting the page but not engaging at all, a strong bot indicator.

3. Analyze Geographic, Language, and Device Data

Bots often originate from specific server locations around the world or fail to report language and device information correctly.

Head to the Reports > Demographics > Demographic details report. Switch the primary dimension to Country or City. Do you see a sudden surge of traffic from a country you don't do business in? Similarly, check the Language dimension. A high volume of sessions where the language is listed as "(not set)" or something mismatched like "C" is highly suspicious.

Graphed

Still Building Reports Manually?

Watch how growth teams are getting answers in seconds — not days.

Watch the Demo

4. Investigate Unfamiliar Hostnames

Ghost spam is a type of bot traffic that never actually visits your site. Scammers send fake data directly to Google Analytics servers, making it look like you had a visitor. A common way to spot this is by checking the Hostname dimension. Legitimate traffic will almost always have your website’s domain as the hostname.

Here’s how to check this:

1. Go to the Explore section and create a new, blank exploration.
2. In the Variables column, click the "+" next to Dimensions, search for and import Hostname.
3. Next to Metrics, click the "+" and import Sessions and Engaged sessions.
4. Drag the Hostname dimension into the Rows box and the metrics into the Values box.

Your report will now show all the hostnames sending data to your GA4 property. If you see any that are not your own domain (or a related service you use, like a third-party payment portal), you've likely found ghost spam.

3 Ways to Exclude Custom Bot Traffic in GA4

Once you've identified the patterns of suspicious traffic, you can take steps to remove it from your reports to get a cleaner view of your data.

Method 1: Create a Data Filter for IP Addresses

If you discover that junk traffic is consistently coming from the same IP address or a small range of them, an IP filter is the most direct way to exclude it. Note that finding specific IPs often requires access to your server logs, but this method is highly effective for blocking repeat offenders like an office IP address ruining data or a known spammer.

Here’s how to set it up:

1. Navigate to Admin > Data Settings > Data Filters.
2. Click Create Filter in the top-right corner.
3. Select the Internal Traffic filter type for this example.
4. Give your filter a descriptive name, like "Known Spam Bot IP Block."
5. Set the filter operation to Exclude.
6. Under the filter rules, enter the suspect IP address in the "Value" field. You can use different match types, such as "is one of" for a list or "starts with" for a range.
7. By default, the filter starts in "Testing" mode. Keep it that way for a day or two to ensure it's working as expected. You can check its effectiveness by looking for traffic with the dimension Test data filter name in your reports.
8. Once you've confirmed it works correctly, go back to the filter settings and change its state from "Testing" to Active.

Method 2: Use Segments to Analyze Bot-Free Data

This is probably the most practical and flexible method for marketers who want to clean up their reports without permanently altering their underlying data. Instead of blocking the data from being collected, you can create a detailed segment that excludes sessions with bot-like characteristics. This allows you to apply it to any of your past or future reports in the Explore section.

Let’s build a segment that excludes traffic from a suspicious hostname and a spammy geographic location:

1. Go to the Explore section and open any of your existing reports or create a new one.
2. In the Variables column next to Segments, click the + icon.
3. Choose to create a Session segment.
4. Give your segment a clear name, like "Exclude Known Bot Activity."
5. On the next screen, change the dropdown from "Include sessions when" to Exclude sessions when.
6. Now, build your conditions based on your previous detective work.
7. Save and apply your segment.

You can now see your report with all the data that matches these bot criteria removed, giving you a much more accurate view. You can add as many conditions as needed to this segment to make it as robust as possible.

Graphed

Still Building Reports Manually?

Watch how growth teams are getting answers in seconds — not days.

Watch the Demo

Method 3: Manage Unwanted Referrals

If you notice a lot of junk traffic coming from a specific spammy domain in your referral reports, you can add them to GA4’s "unwanted referrals" list. It is important to know that this feature doesn't block the traffic. Instead, it tells GA4 to treat traffic from that domain as "Direct" rather than creating a new session from a "Referral." This can help prevent spam from distorting your channel reports but it’s less useful than data and IP filtering. But combined with other methods from above, it can really help to clean all of your analytics reports.

Here's where to find the setting:

1. Go to Admin > Data Streams and click on your Web stream.
2. Click Configure tag settings.
3. Click Show all, then click List unwanted referrals.
4. Add the spammy domain (e.g., spam-website.com) under the Match Type condition and click Save.

Final Thoughts

Protecting the integrity of your analytics data is an ongoing process. While Google Analytics 4 provides a helpful automatic filter, sophisticated spam and bots can often bypass it. By learning to recognize the tell-tale signs of bot traffic - unexpected spikes, weird geographic sources, and nonsensical hostnames - you can clean up your reporting using IP exclusions and custom segments for a true view of performance once again.

This level of analysis can still feel a bit manual, especially when you're busy running campaigns. That's where we wanted Graphed to make life easier. Instead of spending hours digging through reports and building segments, you can connect your GA4 and other marketing accounts and simply ask questions in plain English. For example, asking "Show me my campaign ROI from last month, but exclude traffic from these suspicious countries" allows our AI analyst to filter out the noise and build a real-time report for you in seconds. With Graphed, you spend less time wrestling with data and more time acting on clear insights.