The short version: the cheapest and most effective way to cut WordPress hosting bandwidth usage is to block the bots that don't matter — backlink checkers, AI training crawlers, and aggressive scrapers. Combine that with a firewall plugin (Wordfence or Solid Security) and a CDN or Cloudflare layer, and a small WordPress site can sit comfortably inside even a tight bandwidth budget.

Most WordPress sites waste a surprising fraction of their hosting bandwidth on traffic that has no value. Ahrefs, Semrush, Majestic, and dozens of smaller backlink-intelligence crawlers hit every site they can find, constantly. AI training bots from OpenAI, Anthropic, Google, and the unknown scrapers behind the wave of LLM startups have added a new layer of load. Together they can account for 30–70% of requests to a small PBN site.

Here is what actually helps.

1. Block the bots that do not buy from you

Backlink checkers do not convert into customers, but they absolutely consume bandwidth. For PBN sites specifically, blocking them also has the secondary benefit of making your link profile invisible to competitors who use Ahrefs or Semrush to reverse-engineer networks.

The easiest way: our free Link Silencer WordPress plugin blocks known backlink-checker user agents and IP ranges with one click, and it is updated as new crawlers appear. Drop-in, no configuration.

For non-WordPress sites or more granular control, a block list in .htaccess works too. We cover that in our backlink checker blocking guide.

2. Block AI training crawlers

GPTBot, ClaudeBot, PerplexityBot, and a growing catalogue of AI training crawlers hit sites aggressively. Blocking them in robots.txt only stops the well-behaved ones, so you also want a real block at the web-server level. Link Silencer covers the major AI crawlers alongside the backlink checkers. Cloudflare also offers a one-click “Block AI Scrapers” toggle in the dashboard, which is the fastest path if your site already runs behind Cloudflare.

3. Use a firewall plugin

A security plugin blocks bad login attempts, XSS attempts, and known vulnerability scans before they reach your database. Three are worth considering in 2026:

• Wordfence: still the most popular, still free, and still solid. The firewall runs inside WordPress so it is one step behind a true WAF, but the detection rules are frequently updated and the free tier is generous.
• Solid Security (formerly iThemes Security): strong brute-force protection, 2FA, file-change detection. Paid-only since the SolidWP rebrand, starting around $99/year.
• Sucuri: less a plugin and more a cloud WAF that sits in front of your site. Starts around $199/year. Cleaner separation between security and site, but the pricing makes it hard to justify at PBN scale.

4. Limit login attempts

Every WordPress site gets brute-forced. Limiting failed login attempts knocks most of those attacks out before they consume meaningful resources. If you run Wordfence or Solid Security, this is already handled; if you run a lighter setup, Limit Login Attempts Reloaded is the go-to free plugin. Configure a lockout after 3–5 failed attempts and forward login alerts to an email you actually read.

5. Hide the WordPress admin URL

Changing /wp-admin/ and /wp-login.php to something non-obvious does not increase real security — a determined attacker finds it anyway — but it cuts 90%+ of dumb automated login attempts at the pattern-matching layer. Both Wordfence and Solid Security can do this; for a standalone solution, WPS Hide Login is 20 KB of code that does exactly one thing well.

6. Put Cloudflare in front

For the bandwidth and attack-mitigation problem at once, a free Cloudflare account cuts both. Cloudflare caches static resources (so your origin server serves them fewer times), rate-limits obvious bots, and absorbs low-level DDoS attempts before they hit you. For PBN sites, use Cloudflare per-site as a free individual-account integration — do not put your whole PBN on a single Cloudflare enterprise account, since that creates an ownership footprint.

7. Serve images as WebP or AVIF

Unoptimised images are the single largest bandwidth consumer on most sites. See our image compression guide; even a lossless conversion to WebP typically cuts image bandwidth 30–50%.

8. Enable caching

A caching plugin serves static HTML snapshots instead of running PHP on every request. The CPU savings matter more than the bandwidth in most cases, but they compound — a cached site responds faster to legitimate visitors and is less likely to be overwhelmed by a traffic spike. LiteSpeed Cache is free and is especially effective on hosts that run LiteSpeed servers (like most of the providers we use at Bulk Buy Hosting). For hosts on Apache/nginx, WP Super Cache or W3 Total Cache are fine free alternatives.

Frequently asked

How much bandwidth will blocking backlink bots actually save?

On a typical low-traffic PBN site, usually 30–70% of total bandwidth. The exact figure depends on the domain's backlink profile — the more inbound links the site has, the more bot traffic it attracts.

Will blocking backlink checkers affect my SEO?

No. Google, Bing, and other search engine crawlers are not backlink-checker bots. They use separate user agents and IP ranges that every blocklist preserves. The blocked services are Ahrefs, Semrush, Majestic, SerpStat, cognitiveSEO, and similar third-party tools.

Should I block AI training crawlers?

For PBN sites, yes — they consume bandwidth for zero return. For a main site with content you want widely cited, the answer depends on whether you want your content in AI training sets (potentially increasing citation) or out of them (controlling unauthorised use).

Does Bulk Buy Hosting pre-install any of this?

No, because customer networks are intentionally configured differently. We recommend starting with Link Silencer on every PBN site (free, one click) and adding a firewall plugin on sites that take comments or have forms.