Blog

Why is my traffic suddenly coming from Singapore? — Diagnostics and solutions for bot spam and ghost traffic

10.2.2026
Does your analytics data look weird? Thousands of hits from Singapore, China or the USA to sites that don't even exist? They're not alone. We explain the phenomenon of “vulnerability scanning” and how to prevent these bots from ruining your data.
Source: bchic.de

The mysterious increase: When the curve points upwards but sales remain the same

Every website owner knows the feeling: One look at the analytics dashboard and the figures go through the roof. But on closer inspection, disillusionment ensues. Visitors stay 0 seconds, the bounce rate is 100%, and the location is almost exclusive singapore (or Ashburn, USA).

It gets even more curious when you look at the URLs you have called up. Instead of going to the homepage or in the shop, these “visitors” end up on paths such as:

  • /wp-admin
  • /bak.zip
  • /config.php
  • /shell
  • /ads.txt
  • or random URLs that have never existed before

What's happening here isn't a genuine interest in your content. Your site will scanned.

Why Singapore (And why it's not personal)

It is a common misconception that these attacks target yours are directed at the company. In 99% of cases, these are automated scripts that scan the entire Internet for vulnerabilities.

Why Singapore of all places? That is due to the infrastructure. Singapore (as well as in certain regions of the USA) has huge data centers from large cloud providers. Criminal actors rent cheap server capacities there or hijack poorly protected IoT devices to set up huge bot networks.

These bots fire millions of requests (“requests”) at random websites in the hope of finding an outdated WordPress installation or an open configuration file. Since websites today often run on modern platforms (such as Webflow, Shopify or headless systems), these requests come to nothing — but they leave traces.

The technical problem: When the fault is not recognized as an error

The main problem with these bot waves is often not security (modern hosts block most of them), but the data quality And that SEO.

When a bot calls up a URL such as yourpage.de/give-it-not-123, your server must correctly answer: “There is nothing here.” In technical language, this is the HTTP status code 404 (Not Found).

Unfortunately, many web servers are misconfigured:

  1. Soft 404: Although the page shows “Page not found”, it technically sends the bot a “Everything's okay” (status 200).
  2. Redirects: The wrong URL is automatically redirected to the homepage (status 301).

Why is that dangerous?
If bots (including Googlebot) constantly come across incorrect URLs and find seemingly “valid” pages there, the index of your website will inflate with garbage. Search engines waste their time crawling error pages instead of ranking your real content. It also massively falsifies your analytics data.

The solution: What you can do

You can't turn off the Internet, but you can lock your front door. Here are three strategies against bot spam.

1. Use the firewall (WAF)

The most effective protection happens before the bot actually reaches your website. Services such as Cloudflare offer a so-called “web application firewall”.
Since most local companies don't expect real customers in Singapore, you can create a simple rule there:

  • If visitors come from “Singapore” -> Carry out a “Managed Challenge.”
    Real people solve the captcha in one second. Bots fail and don't even get into your statistics.

2. Enforce correct 404 error pages

Talk to your IT or agency. It is essential that non-existent pages have a hard 404 status code return and not Redirect to the start page
It's the only way bots (and Google) learn: “There's nothing to fetch here, stop scanning that URL.”

3. Clean up analytics

Good analytics tools make it possible to filter out bot traffic. If you can't use server-side blocking (like point 1), you should set up filters in your dashboard:

  • Exclude traffic where the session duration is 0 seconds and the user agent points to a bot.
  • Pay attention to the “referrer.” Real visitors often come via Google or social media. Bots often have no referrer (direct traffic).

Traffic from Singapore and strange URL calls are unfortunately “background noise” on the Internet today. They are usually not dangerous, but annoying for marketing and analysis. However, with the right server configuration and an upstream firewall such as Cloudflare, the problem can be resolved in just a few minutes — so that your data reflects real success again.

Ready to discover the next growth opportunities?

Start 30-Day Free Trial