How do I stop bot traffic and spam in GA4?
The Short Answer
While GA4 automatically filters known bots out of the box, 'Ghost Spam' sent straight to the Measurement Protocol can still inflate your numbers. You must secure your API secrets and filter out traffic with zero engagement time.
The Context
In Universal Analytics, managing bot traffic was a nightmare that required manually maintaining complex regex exclusion lists. Google attempted to fix this in GA4 by making bot filtering mandatory and invisible—you cannot even turn it off. GA4 automatically runs traffic against the IAB's list of known spiders and bots.
So, why are you still seeing spikes of 5,000 visitors from Ashburn, Virginia, with 0 seconds of engagement time?
The 3 Most Common Root Causes
1. "Ghost" Spam via Measurement Protocol
Sophisticated spammers don't actually visit your website. They simply guess your 'G-XXXX' Measurement ID and send fake HTTP requests directly to Google's servers. GA4 records this as a visit, even though nobody ever loaded your page.
2. Scrapers Evading the IAB List
If a competitor is scraping your e-commerce prices using a custom Python script or a headless browser array that rotates IP addresses perfectly, GA4 cannot distinguish it from human traffic because it isn't on a known blacklist.
3. Unsecured API Secrets
If you are passing server-side events and accidentally leak your Measurement Protocol 'API Secret' in your public client-side JavaScript, malicious actors can hijack it to inject fake conversions into your dashboard.
How to fix it:
1. Create an Engagement Audience: Instead of looking at raw 'Users', create a custom segment in your reports for 'Engaged Users' (users who stayed on site > 10 seconds or fired a conversion). This immediately purges the dashboard of 99% of bot traffic.
2. Filter by Hostname: True 'Ghost Spam' doesn't know what your actual website URL is, so it sends the payload with a random hostname. Go to Explorations, apply a breakdown by 'Hostname', and permanently exclude any data where the hostname does not perfectly match your domain.
3. Rotate your API Secrets: Go to GA4 Admin > Data Streams > Measurement Protocol API secrets. Delete any exposed secrets and generate new ones. Do not place these new secrets in client-side code.
4. Audit your Security: Run a scan through the GA4 Auditor. We look for exposed Measurement Protocol secrets resting in your raw client-side window objects.
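The engagement and hostname checks from steps 1 and 2, applied to exported GA4 event rows, as an added example that is not part of the original page or any Google tool. The field names follow the shape of a flattened GA4 BigQuery export, but the rows, the hostnames and the conversion event names are constructed assumptions.

```python
# Applies the page's two filters to constructed GA4-style event rows:
#   - a session whose hostname is not your real site is "ghost" spam
#   - a session with > 10 s of engagement or a conversion event is "engaged"
#   - everything else is "unengaged" (zero-engagement bots, scrapers)
from collections import defaultdict

EXPECTED_HOSTNAMES = {"www.example.com", "example.com"}  # assumed real site
CONVERSION_EVENTS = {"purchase", "generate_lead"}          # assumed conversions
ENGAGED_THRESHOLD_MS = 10_000                              # the page's > 10 s rule

# Constructed sample rows (user_pseudo_id, ga_session_id, event_name, hostname, engagement_time_msec).
SAMPLE_EVENTS = [
    # genuine visitor: 12 s of engagement on the real hostname
    {"user_pseudo_id": "u1", "ga_session_id": 1, "event_name": "page_view",
     "hostname": "www.example.com", "engagement_time_msec": 0},
    {"user_pseudo_id": "u1", "ga_session_id": 1, "event_name": "user_engagement",
     "hostname": "www.example.com", "engagement_time_msec": 12000},
    # genuine visitor who converted quickly (3 s, but fired a conversion)
    {"user_pseudo_id": "u2", "ga_session_id": 2, "event_name": "purchase",
     "hostname": "example.com", "engagement_time_msec": 3000},
    # ghost spam: random hostname, zero engagement, page never loaded
    {"user_pseudo_id": "g1", "ga_session_id": 3, "event_name": "page_view",
     "hostname": "free-seo-tool.example", "engagement_time_msec": 0},
    # scraper-style traffic: correct hostname but zero engagement all session
    {"user_pseudo_id": "s1", "ga_session_id": 4, "event_name": "page_view",
     "hostname": "www.example.com", "engagement_time_msec": 0},
    {"user_pseudo_id": "s1", "ga_session_id": 4, "event_name": "page_view",
     "hostname": "www.example.com", "engagement_time_msec": 0},
]


def classify_sessions(events, expected_hostnames=EXPECTED_HOSTNAMES,
                      conversions=CONVERSION_EVENTS):
    """Group rows by (user, session) and label each session ghost/engaged/unengaged."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["user_pseudo_id"], ev["ga_session_id"])].append(ev)
    labels = {}
    for key, evs in sessions.items():
        hostnames = {ev["hostname"] for ev in evs}
        if not hostnames <= expected_hostnames:   # any foreign hostname => ghost spam
            labels[key] = "ghost"
            continue
        total_ms = sum(ev["engagement_time_msec"] for ev in evs)
        converted = any(ev["event_name"] in conversions for ev in evs)
        labels[key] = "engaged" if total_ms > ENGAGED_THRESHOLD_MS or converted else "unengaged"
    return labels


def summarize(events):
    """Session counts per label: what an 'Engaged Users' view keeps versus drops."""
    counts = {"engaged": 0, "unengaged": 0, "ghost": 0}
    for label in classify_sessions(events).values():
        counts[label] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```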
Want to check this automatically?
Instead of clicking through settings yourself, let our engine audit your GA4 Property for this exact issue (and 30 others) in 60 seconds.
Scan your setup with our Google Analytics 4 Audit Tool