Bots can create unnecessary load on a website, scan pages without bringing any value, send automated requests, test forms or simply consume hosting resources. If your website runs on the LiteSpeed web server, in some cases you can use additional visitor verification through reCAPTCHA without making changes to the website code itself.
What bot protection is used for
Not every bot is harmful. Search engines also use bots to index websites, and they usually should not be blocked. However, there are many unwanted automated requests: scrapers, scanners, questionable SEO bots, form abuse bots, vulnerability scanners and other programs that can create high load on a website.
Such requests may cause several problems:
- increased CPU, memory and database load;
- slower website performance for real visitors;
- unnecessary consumption of hosting resources;
- polluted visitor statistics;
- automated scanning of login pages, search pages or forms;
- increased risk of attacks against a CMS, plugins or admin sections.
In some cases, it is better not to block a visitor immediately, but first to show a reCAPTCHA verification page. If it is a real person, they can pass the check and continue using the website. If it is an automated bot, it will usually fail the verification or stop making further requests.
How LiteSpeed verification works
On hosting powered by the LiteSpeed web server, special rules can be used in the .htaccess file. These rules allow you to define which requests should trigger an additional reCAPTCHA check.
The following rule sets the environment variable used for this:
RewriteRule .* - [E=verifycaptcha]
This rule does not change the page URL and does not perform a redirect. It simply tells LiteSpeed that captcha verification should be applied to the request.
You can also block an unwanted bot directly without showing a captcha:
RewriteRule .* - [E=blockbot:1]
In this case, the request will be blocked without giving the visitor the option to pass reCAPTCHA.
Important: before changing the .htaccess file, it is recommended to create a backup copy. An error in the rules may cause the website to work incorrectly.
When to use reCAPTCHA for bot protection
LiteSpeed reCAPTCHA verification should not be enabled for all visitors without a reason. It is better to use it selectively. For example, when your logs or statistics show that certain bots generate too many requests or create excessive load on the website.
Common use cases include:
- checking specific bots by User-Agent;
- checking visitors from countries that are not part of your target audience;
- protecting login pages, search pages or forms;
- limiting unwanted SEO bots and scrapers;
- temporary protection during periods of increased load or attack.
It is not recommended to enable captcha for all visitors unless there is a real need. This can make the website less convenient and may reduce the number of inquiries, orders or other useful actions on the site.
Example 1. Bot verification by User-Agent
If a particular bot creates high load and does not bring value to the website, it can be sent to reCAPTCHA verification based on its User-Agent.
For example, the following rule enables verification for MJ12bot and AhrefsBot:
<IfModule LiteSpeed>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} MJ12bot [OR]
RewriteCond %{HTTP_USER_AGENT} AhrefsBot
RewriteRule .* - [E=verifycaptcha]
</IfModule>
In this example, if a request comes from a User-Agent containing MJ12bot or AhrefsBot, LiteSpeed will apply reCAPTCHA verification.
This approach is convenient when you need to limit specific bots without affecting ordinary website visitors.
Example 2. Verification of visitors outside Ukraine
If a website is mainly intended for visitors from Ukraine, you can allow Ukrainian visitors to browse the website without additional checks while asking visitors from other countries to pass reCAPTCHA.
<IfModule LiteSpeed>
RewriteEngine On
GeoIPEnable On
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^(UA)$
RewriteRule .* - [E=verifycaptcha]
</IfModule>
In this example, verification is applied to all visitors whose country is not detected as UA. This can be useful for local websites that work primarily with a Ukrainian audience.
At the same time, it is important to remember that some real users may visit the website from abroad, use VPN services or mobile networks with unusual routing. Before using such a rule, you should evaluate whether it may interfere with real customers.
How to add a search engine bot to the whitelist
If you use country-based verification or other broad conditions, it is important not to restrict useful search engine bots. For example, you can add an exception for Googlebot.
<IfModule LiteSpeed>
RewriteEngine On
GeoIPEnable On
# Googlebot's usual User-Agent begins with "Mozilla/5.0", so the match is not anchored with ^
RewriteCond %{HTTP_USER_AGENT} !Googlebot
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^(UA)$
RewriteRule .* - [E=verifycaptcha]
</IfModule>
In this example, verification is not applied to Googlebot, even if the request is not detected as coming from Ukraine.
However, keep in mind that a User-Agent can be spoofed. For critical scenarios, User-Agent alone is not enough. If you need to verify search engine bots accurately, additional checks such as reverse DNS lookup should be used.
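The reverse DNS check mentioned above, as an added example that is not part of the original article: it looks up the PTR name of the client IP, requires it to end in one of the domains Google documents for its crawlers, and confirms that the name resolves back to the same IP. The function names, the injectable resolver parameters and the sample DNS data are assumptions made for this illustration.

```python
import ipaddress
import socket

# Domains Google documents for the reverse DNS names of its crawlers.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com", ".googleusercontent.com")


def system_reverse(ip):
    """PTR lookup through the system resolver; None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(host):
    """A/AAAA lookup through the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()


def is_verified_googlebot(ip, reverse=system_reverse, forward=system_forward):
    """True only if the PTR name is in a Google domain AND resolves back to ip."""
    host = (reverse(ip) or "").rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return False                      # no PTR, or a look-alike name
    client = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(a) == client for a in forward(host))


# Constructed DNS data (documentation IP ranges) so the demo runs offline.
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",    # matching PTR and A
    "198.51.100.7": "crawl-192-0-2-10.googlebot.com",  # PTR set by the IP's owner
    "203.0.113.5": "googlebot.com.scraper.example",    # look-alike hostname
}
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}


def demo():
    """Verdict for each constructed client IP, including one with no PTR."""
    ips = list(PTR) + ["192.0.2.99"]
    return {ip: is_verified_googlebot(ip, PTR.get, lambda h: A.get(h, set()))
            for ip in ips}


if __name__ == "__main__":
    print(demo())
```

Called with only an IP, `is_verified_googlebot` uses the system resolver; each check costs two DNS lookups, so results for IPs taken from the access log are worth caching.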
Example 3. Verification of visitors from selected countries
You can apply reCAPTCHA only to visitors from specific countries. For example, if a large number of automated requests comes from certain regions, verification can be enabled only for those countries.
<IfModule LiteSpeed>
RewriteEngine On
GeoIPEnable On
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CN|US)$
RewriteRule .* - [E=verifycaptcha]
</IfModule>
In this example, reCAPTCHA verification will be applied to visitors detected as coming from China or the United States.
This approach should be used carefully. If your website may be useful to an international audience, you should not restrict entire countries without first analyzing the logs. A better approach is to review traffic patterns and identify where unwanted load is actually coming from.
How to block a bot without reCAPTCHA
If you are sure that a specific bot is unwanted and should not access the website, you can block it directly without showing reCAPTCHA.
<IfModule LiteSpeed>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} BadBot
RewriteRule .* - [E=blockbot:1]
</IfModule>
In this example, requests whose User-Agent contains BadBot will be blocked.
Direct blocking should be used only when you are confident that it will not restrict real users or useful services. In uncertain cases, it is usually better to apply reCAPTCHA first instead of using strict blocking immediately.
Practical recommendations
To make bot protection work correctly and avoid interfering with real visitors, it is worth following several practical rules:
- analyze website logs before adding new rules;
- do not enable captcha for all visitors without a real need;
- add exceptions for important search engines;
- use country-based restrictions carefully;
- check the website in a browser after changing .htaccess;
- keep a backup copy of a working .htaccess file;
- if the website uses a CMS, also keep the CMS, themes and plugins updated;
- do not treat reCAPTCHA as a complete replacement for overall website security.
Bot protection works best when it is applied selectively: to specific bots, suspicious countries, selected pages or periods of increased load.
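One way to follow the advice to analyze logs before adding rules, as an added example that is not part of the original article: a dry run that counts how many logged requests each candidate User-Agent pattern would match and which User-Agents no pattern covers. It also contrasts an anchored and an unanchored Googlebot pattern, since Googlebot's common User-Agent begins with Mozilla/5.0. The combined log format, the sample lines and the use of Python's `re` in place of the server's regex engine are assumptions of this illustration.

```python
import re
from collections import Counter

# Combined log format; only the quoted User-Agent at the end is needed here.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /shop HTTP/1.1" 200 9400 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /blog HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"
203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "GET /contact HTTP/1.1" 200 2100 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
"""


def dry_run(log_text, patterns):
    """Count requests each User-Agent pattern would match, plus what none match.

    Patterns are searched unanchored unless they contain ^ or $, which is how
    a RewriteCond test string is matched.
    """
    compiled = [(p, re.compile(p)) for p in patterns]
    hits = Counter({p: 0 for p in patterns})
    unmatched = Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1          # malformed or differently formatted line
            continue
        ua = m.group("ua")
        matched = [p for p, rx in compiled if rx.search(ua)]
        hits.update(matched)
        if not matched:
            unmatched[ua] += 1
    return dict(hits), unmatched, skipped


if __name__ == "__main__":
    hits, unmatched, skipped = dry_run(
        SAMPLE_LOG, ["MJ12bot", "AhrefsBot", "^Googlebot", "Googlebot"])
    print(hits, skipped)
    for ua, n in unmatched.most_common(5):
        print(n, ua)
```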
Conclusion
LiteSpeed allows flexible control over visitor verification through reCAPTCHA using rules in the .htaccess file. This is a convenient way to reduce unwanted bot traffic without modifying the website code.
With these rules, you can verify specific bots by User-Agent, apply captcha to visitors from selected countries, add exceptions for search engines or completely block unwanted automated requests.
The main rule is to use these tools carefully. Too many checks may disturb real users, while overly strict blocking may accidentally limit useful traffic. The best approach is to analyze logs, identify the sources of unwanted load and apply rules exactly where they are truly needed.