From mid-to-late-February 2024, my website and many of the websites I manage experienced a high traffic spike in Google Analytics from Poland (actually Russia). I did some research to find the offending attacker.

Here is a video I shared on YouTube to take you through these steps in live time:

How to Find the Traffic Acquisition Referral Domain in Google Analytics 4

In Google Analytics, go to Reports > Acquisition > Traffic Acquisition

Add a column for First user source / medium to see the referral path/domain.

Now we can see the Referral domain: news [dot] grets [dot] store (DO NOT go to the website – It’s spam and may harm your computer).
There may be other referral domains in the list that are also spam. Feel free to research those and block them respectively.

What is news [dot] grets [dot] store?

According to my research, this is a malicious spam site based in Poland. It registers in GA4 tags, resulting in an inflated count of ‘referral traffic’ from Poland. This kind of ghost traffic is void of site interaction or visitor engagement and skews the referral traffic metrics and other critical analytics, leading to a misleading representation of site performance and visitor behavior.

How to Find the IP Address(es) of the Offending Website/Domain

Go to who.is and search for the offending domain: who.is/whois/grets.store

Now we can see a list of IP addresses and the registrar location in Moscow (below but not pictured in screenshot).

How to Block the IP addresses in .htaccess

A note of caution: banning the wrong IP addresses can harm your website searchability. You should do more research on the topic to learn about the consequences of blocking IP addresses.

Another note of caution: Proof any code you edit or paste into .htaccess. If there’s an error, it may take down your site.

To deny one IP address

Use this code as an example:

1
2
3
Order Allow,Deny

Deny from 77.222.50.244

Allow from all

To deny Multiple IP addresses

Leave a blank space with each IP for separation.
For example:

1
2
3
Order Allow,Deny 

Deny from 77.222.50.244 89.111.160.68 77.222.51.244 89.111.167.100 77.222.50.244 89.111.160.68

Allow from all

Now, when a user tries to visit your site from a blocked IP address, they will see a 403 Forbidden page.

How to Block the IP addresses in WordPress

A couple of plugins you may consider using, (1) in particular for its great security is Wordfence. There are various Firewalls, Malware, and Blocking capabilities. To block an entire country, you will need to upgrade to premium.

Another plugin option you could try is iQ Block Country. I’m currently testing out this one. It’s a bit more complex because you need to sign up for an account to get the Maxmind database. There is a free database, which they recommend updating periodically, or you can subscribe to get regular updates automatically.

How to Block the Referral Traffic in Google Analytics 4

You will want to add a filter to block the domain(s) from altering your Google Analytics 4 data:

Go to your Admin in Google Analytics and locate Data Streams.
Then click on the affected stream property.

Scroll down and click Configure Tag Settings.
In settings, click Show more.
Then click List Unwanted Referrals.

Click into the Domain field, add the offending domain, & click Save

Additional steps on filtering the traffic for your data streams & segments can be found on this website:
https://solutionsdigitalconsulting.com/blog/how-to-fix-referral-traffic-spike-from-news-grets-store-in-ga4/