Copilot AI commented Nov 29, 2025

Site receives frequent malicious requests probing for WordPress vulnerabilities (/wp-includes/, /wp-admin/, *.php, etc.). Need application-level blocking since Railway doesn't provide network-layer firewall.

Changes

  • Added svelte-kit-bot-block dependency - Lightweight SvelteKit-native solution that blocks requests in server hooks before hitting app logic
  • Updated hooks.server.ts - Chained bot blocking with existing font preloading using sequence

Configuration

const botBlock = createHandler({
  log: true,
  block: true,
  pathnames: [
    ...defaultOptions.pathnames,  // .php, .env, /wp-admin, /wp-content, etc.
    /\/wp-includes/               // Additional pattern for issue examples
  ]
});

Default patterns block:

  • Sensitive files (.env, .git, .ssh)
  • Unused extensions (.php, .asp, .cgi, .aspx)
  • WordPress paths (/wp-config, /wp-admin, /wp-content)
  • 100+ known malicious user-agents

Blocked pathnames return 404, blocked user-agents return 410. Logging enabled for monitoring in Railway.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com//advisories
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Block rogue traffic</issue_title>
<issue_description>Every now and then my website gets hammered with rogue requests:

  • /css/colors/blue/index.php
  • /wp-includes/assets/index.php
  • /1.php
  • /wp-admin/css/colors/midnight/about.php
  • /wp-includes/js/codemirror/index.php

These are just examples. There are many more requests like this.

I am hosting on Railway and would like to avoid using third party firewalls. What are my options to mitigate these types of requests in a way that the rogue bots don't keep trying?

You would need to think about options to mitigate this within the SvelteKit app or possibly with another service hosted on Railway. Can you do some research about the options I have?</issue_description>

Comments on the Issue (you are @copilot in this section)


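The hook-level blocking described in the PR comment above, as an added JavaScript example that is not part of the PR and not svelte-kit-bot-block's own code. The regexes, the `examplescanner` user-agent entry, the check order and the `SITE_ROUTES` list are assumptions; `findFalsePositives` checks the blocklist against the site's own routes before it is deployed.

```javascript
// Assumed patterns modelled on the categories listed in the PR,
// not the library's actual defaults.
const BLOCKED_PATHNAMES = [
  /\.(php|asp|aspx|cgi)$/i,                            // unused extensions, end-anchored
  /\/\.(env|git|ssh)\b/i,                              // sensitive dotfiles and directories
  /(^|\/)wp-(admin|content|includes|config)(\/|\.|$)/i // WordPress path segments
];
const BLOCKED_USER_AGENTS = [/examplescanner/i];       // constructed placeholder entry

// Returns the status to answer with, or null to let the request through.
// 410 for user-agents and 404 for pathnames follow the PR description.
function classifyRequest(pathname, userAgent = '') {
  if (BLOCKED_USER_AGENTS.some((re) => re.test(userAgent))) return 410;
  if (BLOCKED_PATHNAMES.some((re) => re.test(pathname))) return 404;
  return null;
}

// SvelteKit-shaped hook: answers before resolve() so blocked requests never
// reach routing. In hooks.server.ts it would be exported or chained via sequence().
async function handle({ event, resolve }) {
  const userAgent = event.request.headers.get('user-agent') ?? '';
  const status = classifyRequest(event.url.pathname, userAgent);
  if (status !== null) {
    console.warn(`blocked ${status} ${event.url.pathname}`); // visible in deploy logs
    return new Response(null, { status });
  }
  return resolve(event);
}

// Pre-deploy check: which of the site's own routes would the blocklist hit?
function findFalsePositives(routes) {
  return routes.filter((route) => classifyRequest(route) !== null);
}

// Probe paths quoted in the issue.
const PROBES = [
  '/css/colors/blue/index.php',
  '/wp-includes/assets/index.php',
  '/1.php',
  '/wp-admin/css/colors/midnight/about.php',
  '/wp-includes/js/codemirror/index.php'
];
// Constructed legitimate routes that resemble blocked patterns.
const SITE_ROUTES = ['/', '/blog/php-tips', '/blog/wp-admin-hardening',
  '/.well-known/security.txt', '/docs/environment'];

console.log(PROBES.map((p) => [p, classifyRequest(p)]), findFalsePositives(SITE_ROUTES));
```

An unanchored pattern such as `/\/wp-includes/` would also match a route like `/blog/wp-includes-explained`, which is why the check against real routes is worth running whenever the list changes.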

railway-app bot commented Nov 29, 2025

🚅 Deployed to the website-pr-1126 environment in maiertech

| Service | Status | Web | Updated (UTC) |
| website | ❌ Build Failed (View Logs) | Web | Nov 30, 2025 at 7:50 pm |

@railway-app railway-app bot temporarily deployed to website (maiertech / website-pr-1126) November 29, 2025 10:19 Destroyed
Co-authored-by: maiertech <1482402+maiertech@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Implement mitigation for rogue traffic requests" to "Block rogue bot traffic with svelte-kit-bot-block" Nov 29, 2025
Copilot AI requested a review from maiertech November 29, 2025 10:29