AWAFAWAF
OPEN SOURCE

Protect websites from bots

AWAF evaluates visitors with technical and behavioral checks, asks for a captcha only when needed, and keeps legitimate traffic moving.

AWAF interface preview

Quick start

Connect a PHP site with one line and configure config.ini.

Flexible rules

IP, URL, User-Agent, Referer, and ASN lists with BLOCK/CAPTCHA modes.

Proxy and CDN ready

Cloudflare, nginx proxy, and load balancer support with real visitor IP handling.

up to 10x less wasted load

Fewer bots means lower hosting load

The chart shows a real case: before protection, the site was hitting the 100cp hosting limit, so the host slowed it down. After AWAF was connected, the load stayed around 30-50% of the maximum.

After protection was enabled, the hosting load stabilized.
After protection was enabled, the hosting load stabilized.
The chart shows a case where the network link is not flooded, but bots and scanners still create unnecessary server load.
The chart shows a case where the network link is not flooded, but bots and scanners still create unnecessary server load.
when the line is not the problem

Not every overload is a DDoS attack

A slow site is not always under a massive network attack. Often it is being drained by bots and scanners that keep opening pages. AWAF helps filter that waste before you pay for heavy DDoS filtering and lets the site breathe again.

real feedback

AWAF saved a large forum from a botnet

I want to thank you for an excellent solution: AWAF saved my fairly large forum. For the last few months, a botnet had been scanning the forum uncontrollably: 40,000 different IPs could arrive in 15 minutes, and no rate limits worked. Manually blocking subnets and countries only helped temporarily.

Michael Kuzminforum owner

Michael also noted that cache can grow quickly under this traffic, so safe regular cleanup should be documented.

Case screenshots: up to 500k unique visits per day and load from botnet scanning.Case screenshots: up to 500k unique visits per day and load from botnet scanning.
Case screenshots: up to 500k unique visits per day and load from botnet scanning.
real feedback

AWAF filtered bots and improved user behavior

A project with webmaster tools quickly started attracting bot traffic. The site is monetized with ads, and ad networks do not like that kind of traffic, so we needed to close the site off from bots. After installing AWAF, Google CAPTCHA was removed from the forms: legitimate users got a smoother experience, while bots stopped getting through. The logs show that AWAF filters out almost all bots, and the chart confirms it. Bounce rate dropped, time on site and page depth increased, and Metrika now shows bot traffic at about 1% instead of previous peaks up to 50%.

Max Fomichwebmaster tools project

The first chart shows the share of visits with bots, and the second shows the lower bounce rate after protection was enabled.

The share of visits with bots in Metrika dropped almost to zero after AWAF was enabled.
The share of visits with bots in Metrika dropped almost to zero after AWAF was enabled.
Bounce rate decreased after bot traffic was filtered.
Bounce rate decreased after bot traffic was filtered.

Documentation for rollout

The help section guides users from first launch to filters, integration, and troubleshooting.

Source code and project updates: github.com/githubniko/antibot. Development news and discussion: t.me/antibotwaf.