How to filter bots and search engines?

[pascal-cm]

A client of mine has a Ghost blog I manage. I added Umami to the stack, so we have analytics outside of Ghost 6's built-in analytics.

We see in Umami analytics many requests from Singapore. Apparently, those are not real users. We must face a search engine or some other sort of crawler or bot. As the blog is drawing in only very few visitors, those bot requests totally skew the numbers. (On a side note, Ghost's analytics reports those visitors, too, but to be from China, not Singapore.)

I searched the web for those IP address from Singapore and found them to be listed in other sources, stating they were causing undesired traffic.

Are there any options within the domain of Umami to filter them out? We could probably identify those by IP range blocks. I do not see any options to add system or site wide filters, though.

Unfortunately, a WAF from Cloudflare or Google Cloud isn't feasible in given case. We should not bloat the stack and cost for such a tiny blog.

P.S.: we would also like to somehow exclude monitoring and ourselves. The latter can be done on desktop; we would like to exclude our mobile phone's browsers as well.

[manimovassagh]

Umami doesn't have built-in bot filtering by IP range or user agent in the dashboard, but there are several things you can do:

1. Use IGNORE_IP to block known bot IPs
In your environment variables, set:

IGNORE_IP=52.76.x.x,52.76.x.y

You can find the IPs from your server access logs (Nginx/Apache/Caddy). Umami doesn't show IPs in the dashboard, but your reverse proxy logs will have them.

To find the offending IPs:

# Nginx example - find top IPs hitting the tracking endpoint
grep "/api/send" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head 20

2. Block at the reverse proxy level
This is the most effective approach. In Nginx for example:

# Block known bot IP ranges
geo $blocked_ip {
    default 0;
    52.76.0.0/16 1;   # adjust to the actual ranges you find
}

server {
    location /api/send {
        if ($blocked_ip) {
            return 403;
        }
        # Also block common bot user agents
        if ($http_user_agent ~* "(bot|crawler|spider|headless|phantom)") {
            return 403;
        }
        proxy_pass http://umami:3000;
    }
}

3. For excluding yourself on mobile
Since you can't install browser extensions on mobile, you have a couple of options:

• Set up a DNS-level block (Pi-hole or NextDNS) on your mobile network that blocks requests to your Umami tracking endpoint
• Use IGNORE_IP with your own IP addresses
• If you use a VPN on your phone, route through a known IP and add that to IGNORE_IP

The bot traffic from Singapore is a very common issue — those are typically SEO crawlers or scraping services. Blocking at the reverse proxy level is the cleanest solution since it prevents the data from ever reaching Umami.