BotBlocker’s core free functionality uses Accept-Language header analysis as a lightweight, fast, and reliable way to weed out automated bots. This check runs automatically – no extra settings or geo-language mapping required.
Most browsers send a standard Accept-Language header (like en-US, ru, de-DE). Bots and scripts often skip this step or fill the header with garbage. BotBlocker blocks requests if:
*, an empty string, or looks random (e.g. xxx-XX, ,,, junk data)This method stops a huge share of spam and scraping bots before they reach WordPress.
When a person opens a website in Chrome, Firefox, Safari, or Edge, the browser automatically adds the Accept-Language header to every HTTP request. This header tells the server which language the visitor prefers. A typical value looks like en-US,en;q=0.9 or de-DE,de;q=0.8,en;q=0.5. The browser builds this value based on the operating system language settings and the browser’s own language preferences. Real users never have to do anything manually – it just works.
Bots and automated scripts are built differently. Many of them are written in Python, Go, or similar languages using basic HTTP libraries. These libraries do not add the Accept-Language header by default unless the developer explicitly codes it in. Most bot authors don’t bother. That is exactly the gap BotBlocker uses to filter them out before they cause any damage to your site.
When BotBlocker detects a request with a missing or invalid Accept-Language header, it returns a block response immediately. The request never reaches WordPress, its database, or any installed plugins. This keeps your server load low and your site fast, even during active bot attacks. The block happens at the earliest possible point in the request lifecycle, which is one of the main reasons this approach is so efficient.
Just activate BotBlocker. No need to tweak language maps or add custom rules. The filter runs by default, protecting your site automatically.
The Accept-Language check is one layer in BotBlocker’s overall protection system. It works together with User-Agent analysis, IP reputation checks, and request rate limiting. Each layer catches different types of threats. Some sophisticated bots do fake a valid Accept-Language header, which is why BotBlocker does not rely on this check alone. But for the large volume of low-effort bots and scrapers that flood WordPress sites every day, this single check eliminates a significant portion of unwanted traffic without touching legitimate visitors.
According to data from Cloudflare, bots account for a large share of all internet traffic, and many of them make no attempt to mimic real browser behavior. The Accept-Language header check directly targets this category of traffic.
Because the check runs before WordPress loads, it does not add overhead to your PHP execution, database queries, or plugin processing. The logic is simple: read the header, validate the format, block or pass. This takes microseconds. You will not see any difference in page load time, and your hosting resources stay protected. This is especially valuable for shared hosting plans where server resources are limited and bot traffic can push you over usage limits.
Can it block real visitors?
Almost never. All modern browsers set Accept-Language by default. Only some rare CLI tools or misconfigured scrapers are affected.
Does this slow down the site?
No, the check is extremely fast and adds zero noticeable delay.
Is this check enough on its own?
It is highly effective against simple bots. For advanced threats, BotBlocker combines it with additional checks. You can read more about the HTTP Accept-Language header standard in the MDN Web Docs and in the official RFC 9110 specification.