Why My WordPress Blog Got Fake Traffic and How to Stop It

The author explains how malicious sites abused WordPress's built‑in search and duplicated Baidu analytics code to inflate page views, then details practical steps to disable the search feature and configure Baidu's filter rules to eliminate the bogus traffic.

Senior Brother's Insights

Problem Overview

After migrating a personal blog from a custom Java system to WordPress, the author observed a sudden increase in page views (PV) reported by Baidu Analytics. The spike was caused by two distinct sources of fake traffic:

Search‑keyword flooding: External actors repeatedly invoked WordPress’s built‑in site‑wide search with unrelated keywords. Baidu counted each search request as a visit, inflating PV numbers.

Analytics code reuse: Other websites copied the Baidu Analytics tracking script embedded on the blog. Visits to those third‑party sites were mistakenly attributed to the author’s domain.

Technical Root Causes

WordPress enables a <form role="search"> widget by default. When the search endpoint (/?s=keyword) is hit, Baidu registers a page view even if the result page contains no content. Malicious actors can automate thousands of such requests, causing a massive, artificial PV surge.

The Baidu tracking script (hm.js) is a simple JavaScript snippet that can be copied verbatim. If the same hm.js code (including the site’s unique ID) is placed on another domain, Baidu aggregates the traffic under the original ID, leading to cross‑site contamination.

Mitigation Steps

1. Disable WordPress Site Search

Open the active theme’s functions.php file.

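Add the following hooks to remove the search form from the front‑end and prevent the ?s= query from being processed:

add_filter('get_search_form', '__return_empty_string'); // render no search form
add_action('widgets_init', function () { unregister_widget('WP_Widget_Search'); }); // optional: deregister search widget
// Answer front-end ?s= requests with a 404 instead of running the search
add_action('parse_query', function ($q) { if (!is_admin() && $q->is_main_query() && $q->is_search) { $q->set('s', ''); $q->set_404(); status_header(404); } });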

Alternatively, install a lightweight plugin that disables the search endpoint (e.g., “Disable Search” plugin) and deactivate any search widgets in the sidebar.

After disabling the search feature, the artificial PV spike disappeared and traffic metrics returned to normal levels.

2. Filter Out Unauthorized Baidu Traffic

Use Baidu Analytics’ whitelist (filter rule) to restrict statistics to trusted domains:

Log in to the Baidu Analytics console.

Navigate to Management → Statistics Rule Settings → Filter Rule Settings.

Select the Whitelist tab.

Set the whitelist status to Enabled.

Add the domain(s) that should be counted (e.g., yourblog.com) and save the configuration.

Only visits originating from the listed domains will be recorded, effectively excluding traffic generated on other sites that have copied the tracking script.

Additional Considerations

Periodically review the “Filter Rule Settings” page to ensure no unintended domains are included.

If the blog requires a search feature, consider implementing a third‑party search service (e.g., Algolia) that does not trigger Baidu page‑view counting.

Monitor Baidu Analytics reports for abnormal keyword patterns; a sudden influx of unrelated terms often indicates automated abuse.
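
The same check can be run against the web server's own access log, which records every ?s= request whether or not the tracking script fired. The following is an added example, not code from the original article: it assumes logs in Combined Log Format, and the function names, window and thresholds are hypothetical values to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [time] "METHOD target HTTP/x" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

def search_hits(lines):
    """Yield (ip, timestamp, keyword) for every request carrying ?s=."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        ip, ts, target, _status = m.groups()
        terms = parse_qs(urlsplit(target).query, keep_blank_values=True).get("s")
        if terms is not None:
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), terms[0].strip().lower()

def flag_search_flooders(lines, window=timedelta(minutes=5), min_hits=5, min_distinct=4):
    """Return {ip: (hits, distinct_keywords)} for clients whose searches
    inside one sliding window reach both thresholds (assumed defaults)."""
    by_ip = defaultdict(list)
    for ip, ts, kw in search_hits(lines):
        by_ip[ip].append((ts, kw))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop searches that fell out of the window
            span = hits[start:end + 1]
            distinct = len({kw for _, kw in span})
            if len(span) >= min_hits and distinct >= min_distinct:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(span), distinct))
    return flagged

# Constructed sample log lines (documentation IP ranges, made-up keywords).
SAMPLE = [
    f'203.0.113.7 - - [12/Mar/2024:10:00:{i:02d} +0800] "GET /?s=promo+term{i} HTTP/1.1" 200 5120 "-" "bot"'
    for i in range(6)
] + [
    '198.51.100.9 - - [12/Mar/2024:10:01:00 +0800] "GET /?s=spring+boot HTTP/1.1" 200 7300 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:10:02:10 +0800] "GET /2024/03/post/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, (hits, distinct) in flag_search_flooders(SAMPLE).items():
        print(f"{ip}: {hits} searches, {distinct} distinct keywords within 5 minutes")
```

Requiring many distinct keywords as well as many hits keeps a reader who repeats or paginates one query from being flagged.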

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Senior Brother's Insights

A public account focused on workplace, career growth, team management, and self-improvement. The author is the writer of books including 'SpringBoot Technology Insider' and 'Drools 8 Rule Engine: Core Technology and Practice'.
