Designing a site to not be affected by bots is fixing the problem. Blocking things that are bot-like, poorly, with no technical understanding, is a kludge, not a fix.

That is not always possible, may not be affordable, or may degrade the overall user experience.

> That is not always possible

It is definitely always possible.

> may not be affordable

You hired the wrong person / people, then.

> may degrade the overall user experience

Which is exactly what Cloudflare does, although most people would make a distinction between degrading an experience and outright causing something to not work at all.

I would ask that the companies that build WAFs please stop, honestly.

I don't think you understood the parent.

> Designing a site to not be affected by bots is fixing the problem.

Bots footprint is minimal and shouldn't affect your site performance.

Bots have negative impacts beyond potential performance impact:

- scraping & content theft

- spam & fake engagement

- DDoS attacks

- Ad fraud

> Blocking things that are bot-like, poorly, with no technical understanding, is a kludge, not a fix.

a kludge might be better than none. And it's an easy kludge (for the site owner - a checkbox in cloudflare).

The fault lies with cloudflare implementing a lazy bot detector.

And blocking users can make the user experience worse.

Maybe, but it has to be a really sharp ratio.

Except the Cloudflare firewall is just so goddamn dumb. It considers all of Asia a "bot", anybody who uses Linux or has a tracker blocker. I've had this complaint from several regular people who don't even have an adblocker.

I just put my content behind a paywall. If the bots want to pay $50/mo I guess I don't mind. No cloudflare!