Unexpected tracking requests from unusual locations or unnatural patterns in your analytics data may indicate spam or bot activity. These unwanted requests can increase your hits count and distort your reports, making it difficult to rely on your data.

The Tracking Spam Prevention feature in Matomo helps filter out spam and bot traffic for more accurate and reliable data. This is a premium feature included in our Cloud-hosted plan, and it is available to purchase on the Matomo Marketplace for Matomo On-Premise.

With configurable settings, you can block tracking requests from cloud providers, headless browsers, and server-side libraries, set limits on actions per visit, and exclude/include traffic from specific countries.

This guide explains how to configure the Tracking Spam Prevention settings to reduce the impact of spam and bot activity.

Configure Tracking Spam Prevention Settings

Spam filters are not enabled by default because some websites and systems, such as intranets, need to collect all interactions and automatic filtering could prevent legitimate tracking.

Enabling spam prevention settings requires careful consideration to ensure that valid tracking requests are not unintentionally blocked, especially for server-side tracking, internal use cases, or websites with atypical traffic patterns.

  1. In Matomo, navigate to Settings (cog icon) > System > General settings.
  2. Use the Tracking Spam Prevention link to locate the settings section.
  3. Configure as needed for your tracking setup and click Save to apply the changes.

Block tracking requests from the cloud

This setting applies to all tracked websites in your Matomo instance. When enabled, it blocks tracking requests from cloud providers such as AWS, Azure, Digital Ocean, Google Cloud, and Oracle Cloud by detecting their IP ranges. Some providers, like Alibaba Cloud, may also be identified using a geolocation database (e.g., DB-IP City DB).

It is generally safe to enable this option if you are tracking visitors using the JavaScript tracker, as human visitors typically do not generate tracking requests from cloud environments unless they use a VPN that routes traffic through cloud servers.

  • Enable if you want to filter out bot and spam traffic from cloud services, as real visitors typically do not generate tracking requests from these environments.
  • Do not enable if you use server-side tracking (e.g., Matomo PHP, Java, or Python SDKs) or send tracking requests from a cloud server. In this case, you can whitelist specific IP addresses to prevent legitimate requests from being blocked.

Block headless browsers

Enable to block tracking requests from headless browsers (browsers without a user interface), typically used for automation. Since regular visitors do not use headless browsers, this option helps filter out additional bot and spam traffic. While most headless browsers can be detected, those with customised user agents may bypass detection.

  • Enable if your website receives high volumes of bot traffic, you notice automated scraping or testing tools generating tracking requests, and you only want to track real visitors using standard web browsers.
  • Do not enable if you rely on server-side tracking, use custom tracking implementations, or your website is primarily accessed via apps, IoT devices, or non-traditional browser environments.

Block tracking requests from server-side libraries

This setting blocks tracking requests from server-side libraries such as cURL, HTTP, Guzzle, and Postman, which are commonly used for automated scripts, spam, or malicious activity. It is safe to enable if you are only using the JavaScript Tracker, as tracking requests from real visitors would not originate from these libraries.

  • Enable if you want to block automated scripts and spam traffic that use server-side libraries to send tracking requests.
  • Do not enable if you track data using a server-side SDK, such as the Matomo PHP, Java, Python, Android, or iOS SDKs, track interactions from IoT devices, or rely on other server-side tracking methods, as it will block legitimate tracking requests.
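Before enabling the headless-browser or server-side-library filters, it helps to see which of your current tracking requests carry such user agents, so legitimate senders can be identified first. The following is an added example, not Matomo code: the user-agent markers are assumptions for illustration and are not Matomo's detection rules, and the access-log lines are constructed.

```python
import re
from collections import Counter

# Assumed user-agent markers, for illustration only; Matomo's own detection
# rules may differ.
MARKERS = {
    "headless_browser": ("HeadlessChrome", "PhantomJS"),
    "server_side_library": ("curl/", "GuzzleHttp", "PostmanRuntime"),
}
# Only requests to the tracking endpoint are of interest.
TRACK_RE = re.compile(r"/(?:matomo|piwik)\.php(?:\?|$)")
# Combined log format: ip, identity, user, [time], "request", status, size,
# "referrer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines (documentation IP ranges, sample user agents).
SAMPLE_LOG = """
192.0.2.10 - - [10/Mar/2025:10:00:01 +0000] "GET /matomo.php?idsite=1&rec=1 HTTP/1.1" 204 0 "https://example.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0.0.0 Safari/537.36"
198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "POST /matomo.php HTTP/1.1" 204 0 "-" "GuzzleHttp/7"
198.51.100.7 - - [10/Mar/2025:10:00:09 +0000] "POST /matomo.php HTTP/1.1" 204 0 "-" "GuzzleHttp/7"
203.0.113.5 - - [10/Mar/2025:10:01:00 +0000] "GET /matomo.php?idsite=1&rec=1 HTTP/1.1" 204 0 "-" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/122.0.0.0 Safari/537.36"
203.0.113.9 - - [10/Mar/2025:10:02:00 +0000] "GET /matomo.php?idsite=1&rec=1 HTTP/1.1" 204 0 "-" "curl/8.5.0"
192.0.2.10 - - [10/Mar/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.5.0"
"""

def audit(log_text):
    """Count tracking requests per (category, source IP, user agent)."""
    hits = Counter()
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m or not TRACK_RE.search(m["path"]):
            continue  # unparseable line or not a tracking request
        ua = m["ua"].lower()
        for category, needles in MARKERS.items():
            if any(n.lower() in ua for n in needles):
                hits[(category, m["ip"], m["ua"])] += 1
    return hits

if __name__ == "__main__":
    for (category, ip, ua), n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{category:20} {ip:15} {n:3}  {ua}")
```

Any source in the output that belongs to your own server-side tracking is a candidate for whitelisting before the filter is switched on.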

Max actions to record per visit

This setting allows you to define the maximum number of actions a visit can record before Matomo stops tracking further actions and temporarily blocks the IP address for up to 24 hours. The default setting is 0, which records all actions without restriction. The average number of actions per visit varies based on website type and user behaviour:

  • Standard websites (blogs, corporate sites, small e-commerce): 10–50 actions per visit
  • Content-heavy sites (news, educational, large e-commerce): 50–150 actions per visit
  • Web applications (SaaS, dashboards, interactive tools): 150–300 actions per visit

Most websites see fewer than 300 actions per visit. If visits are exceeding this range, it may indicate bots, automated scripts, or spam activity, especially if the same IP consistently triggers excessive actions.

  • Enable if you want to limit excessive actions per visit and reduce bot and spam traffic. To receive notifications when an IP is blocked for exceeding the action limit, enter the Notification email address.
  • Do not enable if you track highly interactive applications where users naturally generate many actions per visit, such as real-time dashboards, productivity tools, or complex web apps.
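To choose a limit, compare candidate values against recent visit data and check how many visits each would cut off and whether the same IP exceeds it repeatedly. The following is an added example, not Matomo code: the visit records are constructed, and it assumes a visit counts as over the limit when its action count exceeds the configured value.

```python
from collections import defaultdict

# Constructed sample: (visitor IP, actions recorded in one visit), such as
# could be taken from a Visits Log export. IPs are documentation ranges.
SAMPLE_VISITS = [
    ("192.0.2.10", 12), ("192.0.2.11", 35), ("192.0.2.12", 8),
    ("192.0.2.13", 140), ("192.0.2.14", 22), ("192.0.2.15", 61),
    ("198.51.100.7", 950), ("198.51.100.7", 1200), ("198.51.100.7", 870),
    ("203.0.113.5", 310), ("192.0.2.16", 47), ("192.0.2.17", 18),
]

def evaluate_limit(visits, limit):
    """Summarise what a 'max actions per visit' limit would affect."""
    over = defaultdict(list)  # ip -> action counts of visits above the limit
    for ip, actions in visits:
        # Assumption: a visit is affected when it exceeds the limit.
        if actions > limit:
            over[ip].append(actions)
    capped = sum(len(counts) for counts in over.values())
    return {
        "limit": limit,
        "visits_capped": capped,
        "share_capped": round(capped / len(visits), 3),
        # Same IP over the limit more than once: the consistent pattern
        # that points to bots or scripts.
        "repeat_ips": sorted(ip for ip, c in over.items() if len(c) > 1),
        # Over the limit only once: review before treating as automated.
        "single_ips": sorted(ip for ip, c in over.items() if len(c) == 1),
    }

if __name__ == "__main__":
    for candidate in (50, 150, 300):
        print(evaluate_limit(SAMPLE_VISITS, candidate))
```

A limit that caps a large share of visits, or mostly one-off IPs, is likely too low for the site's normal usage.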

Exclude Countries

This setting blocks tracking requests from specific countries, allowing you to filter out traffic from locations that are not relevant to your website. You can add multiple countries to limit tracking to allowed regions.

  • Enable if you want to block visits from specific countries to reduce bot traffic, spam, or irrelevant visits that do not align with your target audience.
  • Do not enable if your website serves a global audience or if blocking certain countries could unintentionally exclude legitimate visitors.

Only track visitors from specific countries

This setting excludes all other countries, allowing tracking only from the selected locations. It works as a stricter version of the Exclude Countries setting and only tracks visits from specified regions.

For example, if your website targets an American audience, you may only want to track visitors from the USA. If you prefer a broader audience but want to filter out unlikely traffic, use the setting Exclude Countries.

  • Enable if you want to only track visitors from specific countries and exclude all other regions to reduce spam and improve data relevance.
  • Do not enable if your website has a global audience or if restricting tracking to specific countries could exclude legitimate visitors.

Test the Tracking Spam Prevention Settings

To test your spam filters, send test tracking requests from a cloud server, headless browser, or server-side script (according to your configuration) to confirm they are blocked. You should monitor the Visits in real-time report and Visits Log after enabling filters to ensure expected traffic is still being recorded.

For additional ways to filter unwanted traffic, refer to the Traffic Exclusions guides.