At SCM360 LAB, we design web defenses that are quiet for genuine visitors and noisy for attackers. This month, we’re pulling back the curtain on the layered controls protecting our public sites and our clients’ portals: the same controls that often return error pages to automated crawlers and scanners while loading normally for humans.
Defense in Depth, Not Single Points of Failure
Our stack blends multiple controls so that if one layer is bypassed, others still hold. In practice, a bot may receive a 500 (a deliberately uninformative “blackhole” error page) or a 503 (“service unavailable”), while a real browser, sending normal headers and behaving like one, receives the page as expected.
Our Core Layers
| Layer | What It Does | Outcome for Bots and Attackers |
|---|---|---|
| WAF / ModSecurity (custom rules) | Blocks known exploit patterns, abnormal headers, and suspicious payloads. | Hard blocks, fake 500s, or rule-triggered denials. |
| Imunify360 + CSF/LFD | Reputation checks, rate limits, and automated bans on abusive IPs. | Temporary or persistent bans; throttled responses. |
| Bot/UA Filtering | Rejects non-browser user agents and headless traffic patterns. | Soft 503 “unavailable” responses or JS challenges. |
| Honeypots (e.g., wp-login.php, xmlrpc.php, a tests directory, etc.) | Decoy endpoints that capture attacker behavior without exposing real auth flows. | Requests are logged and fingerprinted, generating intelligence. |
| Secure Headers | HSTS, Content-Security-Policy, X-Frame-Options, and Referrer-Policy harden browsers. | Clickjacking and script injection become far harder. |
| TLS & Email Auth | Modern TLS only; SPF, DKIM, and DMARC for domain trust. | Stops spoofing and protocol downgrades; improves deliverability. |
| Geo / Path Rules | Country-based and path-based allow/deny decisions. | Recon from hostile regions is curtailed. |
| Observability | Centralized logs, alerts, and correlation across WAF, host, and app. | Rapid triage and evidence-quality telemetry. |
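As an added illustration (not code from SCM360 LAB), the check below audits the Secure Headers row: given the headers a server returned, it reports which of HSTS, Content-Security-Policy, X-Frame-Options (or CSP frame-ancestors) and Referrer-Policy are missing or weakly set. The one-year HSTS threshold, the accepted Referrer-Policy values and the two sample header sets are assumptions for illustration, not captured responses.

```python
"""Audit an HTTP response's security headers.

Added example (not SCM360 LAB's code): reports which hardening headers
are missing or weakly configured. Thresholds and sample responses are
assumptions for illustration.
"""
import re

# Referrer policies that never leak the full URL to a third-party origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}
MIN_HSTS_MAX_AGE = 31536000  # one year; the common baseline for HSTS preload lists


def _csp_directives(policy):
    """Split a CSP string into {directive: [lowercased values]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    frame_ancestors = None
    if csp is None:
        findings.append("CSP missing")
    else:
        d = _csp_directives(csp)
        # script-src falls back to default-src when absent, as browsers do.
        script = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in script:
            findings.append("CSP allows inline scripts")
        if "*" in script:
            findings.append("CSP script-src allows any origin")
        frame_ancestors = d.get("frame-ancestors")

    # Either control blocks clickjacking; frame-ancestors takes precedence in modern browsers.
    xfo = h.get("x-frame-options", "").strip().upper()
    if frame_ancestors is None and xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")

    if h.get("referrer-policy", "").strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or leaks URLs cross-origin")

    return findings


# Constructed sample responses (illustrative, not captured traffic).
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {audit_headers(hdrs) or ['all checks passed']}")
```

Run against a live site by feeding it the headers from your HTTP client of choice; the point is that a header merely being present is not the same as it being effective, so the check reads the values (HSTS lifetime, CSP script sources) rather than just the names.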
What Bots & Scanners See
- Headless or scripted requests often hit WAF rules and get 500 “blackhole” responses.
- Aggressive crawlers get 503 rate-limited or “unavailable” responses.
- Known bad IPs are throttled or banned by Imunify360/CSF.
- Decoy endpoints log and tag activity for later correlation, turning attacks into intelligence.
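The honeypot and bot-filtering rows of the table and the list above describe one pipeline: log the request, fingerprint the client, decide what it sees. The script below is an added example, not SCM360 LAB's tooling, that runs that pipeline offline over constructed combined-format access log lines. It tags each client IP with the signals named above (decoy endpoint hit, non-browser user agent, request burst) and maps the tags to the response described (ban, fake 500, 503 throttle, or serve the page). The decoy paths, library user-agent markers, burst thresholds and sample lines are all assumptions.

```python
"""Triage access logs into the verdicts the layers above describe.

Added example, not SCM360 LAB's tooling. Decoy paths, user-agent
markers, burst thresholds and the sample log lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Decoy endpoints named in the post; nothing real is served at them (assumed paths).
HONEYPOT_PATHS = {"/wp-login.php", "/xmlrpc.php"}
HONEYPOT_PREFIXES = ("/tests/",)
# Clients that announce themselves as HTTP libraries or headless browsers.
LIBRARY_UA_RE = re.compile(r"python-requests|curl/|Go-http-client|libwww-perl|HeadlessChrome", re.I)
BURST_THRESHOLD = 5   # this many requests from one IP ...
BURST_WINDOW_S = 10   # ... inside this many seconds counts as a burst


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_browser_ua(ua):
    """Crude but useful: browsers send a Mozilla/ token and no library marker."""
    return ua.startswith("Mozilla/") and not LIBRARY_UA_RE.search(ua)


def is_honeypot(path):
    """True when the request touched a decoy endpoint (query string ignored)."""
    path = path.split("?", 1)[0]
    return path in HONEYPOT_PATHS or path.startswith(HONEYPOT_PREFIXES)


def verdict_for(tags):
    """Map signals to what the client sees: ban, fake 500, 503 throttle, or the page."""
    if "honeypot" in tags:
        return "ban"            # no legitimate visitor touches a decoy
    if "non-browser-ua" in tags:
        return "500-blackhole"  # scripted client: uninformative server error
    if "burst" in tags:
        return "503-throttle"   # faster than a human: temporarily unavailable
    return "serve"


def triage(lines):
    """Return {ip: {"tags": set, "verdict": str, "hits": int}} for every IP seen."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        tags = set()
        for r in recs:
            if is_honeypot(r["path"]):
                tags.add("honeypot")
            if not is_browser_ua(r["ua"]):
                tags.add("non-browser-ua")
        # Sliding window: any BURST_THRESHOLD consecutive requests within BURST_WINDOW_S.
        for i in range(len(recs) - BURST_THRESHOLD + 1):
            if (recs[i + BURST_THRESHOLD - 1]["ts"] - recs[i]["ts"]).total_seconds() <= BURST_WINDOW_S:
                tags.add("burst")
                break
        report[ip] = {"tags": tags, "verdict": verdict_for(tags), "hits": len(recs)}
    return report


# Constructed sample log (documentation-range IPs; not real traffic).
_FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36"
SAMPLE_LOG = [
    f'203.0.113.10 - - [01/Mar/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "{_CHROME}"',
    f'203.0.113.10 - - [01/Mar/2025:10:00:04 +0000] "GET /about HTTP/1.1" 200 4096 "-" "{_CHROME}"',
    '198.51.100.7 - - [01/Mar/2025:10:01:00 +0000] "GET /xmlrpc.php HTTP/1.1" 503 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [01/Mar/2025:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 503 0 "-" "python-requests/2.31"',
    '192.0.2.44 - - [01/Mar/2025:10:02:00 +0000] "GET /page1 HTTP/1.1" 500 0 "-" "Go-http-client/1.1"',
    '192.0.2.44 - - [01/Mar/2025:10:02:01 +0000] "GET /page2 HTTP/1.1" 500 0 "-" "Go-http-client/1.1"',
] + [
    f'192.0.2.99 - - [01/Mar/2025:10:03:0{i} +0000] "GET /p{i} HTTP/1.1" 200 100 "-" "{_FF}"'
    for i in range(5)
]

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(f"{ip:15} hits={info['hits']} tags={sorted(info['tags'])} -> {info['verdict']}")
```

In production the same tagging happens at request time in the WAF and host rules; replaying it over logs is how you validate those rules and turn honeypot hits into blocklist entries. A real deployment would also allow-list verified search-engine crawlers before applying the non-browser rule, otherwise indexing suffers along with the scanners.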
Proof in Practice
Recent automated crawlers attempting to fetch our pages received 500/503 responses, while normal browsers loaded fine. That’s by design: the same layered defenses we deploy for clients protect SCM360 properties, too.
Why This Matters for Your Business
- Prevents automated recon from mapping your stack.
- Captures attacker fingerprints for blocklists and threat intel.
- Reduces false positives by challenging only risky traffic.
- Supports compliance with control evidence (headers, TLS, logs).
Closing
Security isn’t one product—it’s a disciplined system. By combining WAF, host controls, strict headers, and deception techniques, SCM360 LAB keeps attackers busy, bots confused, and your customers served. Need this standard for your own site? Talk to us today.