If you’ve ever stared at a traffic spike with zero sales to show for it, you weren’t imagining things. You were probably looking at bots.
The numbers, and why they don’t all agree
Ask “what percent of web traffic is bots?” and you’ll get several different answers — not because anyone’s lying, but because each report measures a different slice of the internet.
Imperva’s 2026 Bad Bot Report puts automated traffic at 53% of all web traffic in 2025, up from 51% the year before. Of that, 40% is “bad” bots — scrapers, fraud tools, attack scripts — while the rest is legitimate automation like search crawlers.
Cloudflare, measuring only HTML page requests (not video, email, or gaming traffic), reported bots crossing 57.5% in mid-2026 — the first time automated requests outnumbered human ones in that specific measurement.
HUMAN Security puts the figure closer to 51–52%, and notes AI-driven bot traffic grew roughly 187% in a single year.
The exact number depends on what’s being counted, but the trend lines all point the same direction: bots aren’t a rounding error anymore. For an average website, something close to half of all visits — and on some networks, more than half — are automated.
Good bots, bad bots, and the new gray zone
Not all of this is a problem. Search engine crawlers, uptime monitors, and accessibility tools have always been part of a healthy web — Imperva puts “good bot” traffic at around 13–14% of the total.
The bigger concern is the 37–40% that’s outright malicious, and a newer middle category that’s harder to label: AI shopping agents and assistants that browse, compare, and even buy on a customer’s behalf. These aren’t trying to harm your store, but they don’t behave like a normal shopper either, and traditional bot detection often can’t tell the difference between an AI agent checking out for a real customer and a scraper stealing your catalog.
Why ecommerce sites take it harder than most
General bot statistics are interesting. For someone running a store, they’re operational. A handful of patterns show up constantly in ecommerce specifically:
Inventory and scalping bots. When a limited drop sells out in eleven seconds and shows up on resale sites an hour later, that’s automation outpacing your real customers at checkout. Beyond the lost goodwill, it can mean inventory sitting in abandoned carts that never converts to revenue.
Card testing (“carding”). Fraudsters run small, rapid transactions through checkout to find out which stolen card numbers still work. You absorb the chargebacks, the processing fees, and potentially a “high-risk” flag from your payment processor that raises your rates going forward.
Price and catalog scraping. Competitors, aggregators, and data resellers hit your product pages systematically to harvest pricing and inventory levels — quietly, and often without tripping your analytics at all.
Ad and click fraud. Bots click paid ads without ever intending to buy, burning through ad budget and polluting the data your ad platform uses to optimize targeting — which can drag down performance for weeks after the fraud itself stops.
Credential stuffing and fake accounts. Automated logins using leaked password lists, and bulk-created fake accounts used to abuse promo codes or loyalty programs.
Distorted analytics. Maybe the quietest cost: when a meaningful share of your “sessions” are non-human, your conversion rate, traffic-source data, and demand signals all get less reliable — which makes every other business decision slightly worse.
The practical takeaway
None of this means you need an enterprise security budget to function. A few priorities, roughly in order of where the money actually leaks:
Protect checkout and login first. This is where carding, credential stuffing, and scalping do real financial damage. Rate limiting, CAPTCHA at the moment of purchase (not on every page), and basic bot-detection rules (Cloudflare’s free tier covers a lot of this) go a long way.
Watch for the mismatch pattern. Traffic up, sales flat; ad clicks up, conversions flat; cart adds spiking with no checkouts. That gap is usually where bots are hiding.
Clean your analytics before you trust them. If you’re making inventory or ad-spend decisions off session data, filter out known bot traffic first — otherwise you’re optimizing for robots.
Don’t over-rotate into friction. Aggressive CAPTCHAs and lockouts stop bots, but they also stop real customers. The goal is filtering automated abuse, not making checkout harder for everyone.
Plan for AI shopping agents, not just AI scrapers. As more purchases get initiated by an assistant on a customer’s behalf, blocking “anything that looks automated” will start blocking sales too. Worth revisiting your bot rules periodically rather than setting them once and forgetting them.
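One way to implement the checkout protection described above, as an added example that is not code from the original article: a sliding-window limiter that challenges a client retrying too quickly and blocks one cycling through many cards, which is the card-testing pattern. The thresholds, the client key and the card_fingerprint token are assumptions, and the sample attempts are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # assumed look-back window
MAX_ATTEMPTS = 5         # assumed cap on payment attempts per client per window
MAX_DISTINCT_CARDS = 3   # assumed cap on different cards per client per window


class CheckoutGuard:
    """Sliding-window limiter for payment attempts, keyed by client (IP, session or device id)."""

    def __init__(self, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS,
                 max_cards=MAX_DISTINCT_CARDS):
        self.window = window
        self.max_attempts = max_attempts
        self.max_cards = max_cards
        self.history = defaultdict(deque)  # client -> deque of (timestamp, card_fingerprint)

    def check(self, client, card_fingerprint, now):
        """Record one attempt and return 'allow', 'challenge' or 'block'.

        card_fingerprint is assumed to be a processor token or hash, never the raw card number.
        """
        events = self.history[client]
        # Drop attempts that have aged out of the window.
        while events and now - events[0][0] >= self.window:
            events.popleft()
        events.append((now, card_fingerprint))
        distinct_cards = len({card for _, card in events})
        if distinct_cards > self.max_cards:
            return "block"      # many different cards from one client: card-testing pattern
        if len(events) > self.max_attempts:
            return "challenge"  # same card retried too fast: show a CAPTCHA, do not lock out
        return "allow"


def replay(attempts, guard=None):
    """Run (timestamp, client, card_fingerprint) tuples through the guard, in order."""
    guard = guard or CheckoutGuard()
    return [(client, guard.check(client, card, ts)) for ts, client, card in attempts]


# Constructed sample data: one shopper retrying a single card, one client cycling cards.
SAMPLE_ATTEMPTS = [
    (0, "shopper-a", "card-1"), (20, "shopper-a", "card-1"),
    (1, "client-b", "card-10"), (2, "client-b", "card-11"), (3, "client-b", "card-12"),
    (4, "client-b", "card-13"), (5, "client-b", "card-14"), (200, "client-b", "card-15"),
]

if __name__ == "__main__":
    for client, decision in replay(SAMPLE_ATTEMPTS):
        print(client, decision)
```

The "challenge" outcome is where a CAPTCHA at the moment of purchase fits: it adds friction only for the client that tripped the limit, not for every shopper.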
Roughly half the web’s traffic — maybe more, depending whose numbers you trust — isn’t a person at all. For most online businesses that’s not an abstract statistic; it shows up directly in ad spend, chargeback fees, server costs, and decisions made off bad data. You can’t eliminate bot traffic entirely, and you probably shouldn’t try — some of it is genuinely useful. But knowing roughly where it’s hiding in your store, and protecting the few pages where it actually costs you money, is the difference between bots being background noise and bots quietly eating your margin.