The Maze: AI crawlers have found the cart. Kinsta, the managed WordPress host with more than 230,000 customers across 128 countries, analyzed over 10 billion HTTP requests and found bot loops hammering WooCommerce-style shopping paths. One ClaudeBot-identified crawler sent 3.75 million requests to a single add-to-cart endpoint in 24 hours. Across crawlers, add-to-cart hits reached 7.67 million in the same window.
The issue is endpoint quality, not just bot volume. A crawler reading a cached product page is one cost profile. A crawler hitting cart, checkout, and search routes is another. Those pages often bypass server-side cache and trigger PHP execution, database queries, session creation, and plugin logic on every request. In plain English: the bot is not reading the shop window. It is leaning on the cash register.
WooCommerce URL sprawl turns curiosity into loops. Kinsta's report describes AI crawlers getting trapped in query-string patterns, including one rule that filtered 550 million requests in 30 days. A product page can become many URLs as color, size, sort, pagination, stock filters, session tokens, and quantity parameters accumulate. Google has long warned that faceted navigation can create crawl traps when parameter combinations multiply pages without adding useful content.
The damage can hide from the dashboards operators trust. Standard analytics tools often remove bot traffic from session reporting, so the incident may show up only as slower checkout, higher abandonment, or worse paid-media conversion. That is where this becomes a marketing problem. If PHP workers are tied up by bot loops, a paid-search campaign may look inefficient because the checkout flow is degraded, not because the media is bad. Remarketing audiences can also get dirtier when abandoned-cart signals include non-human sessions.
Blanket blocking is too blunt. Kinsta's framework is closer to traffic economics: let useful crawlers reach useful content, challenge or block AI training crawlers on expensive endpoints, block unidentified bots from store paths, and whitelist trusted internal tools by IP range. That matters because even Googlebot can get caught in the same parameter traps, while blocking Googlebot outright would be SEO self-harm. Bot policy now has to be path-specific, not ideological.
Why it matters: AI shopping is usually sold as demand generation. This is the infrastructure bill hiding underneath it. For WordPress merchants, agent traffic can consume PHP workers, crawl budget, and measurement quality before it creates a single order. The next agent-commerce fight will not only be over who owns the customer. It will be over who gets to spend the merchant's server capacity.
Sources: PPC Land | Kinsta | Kinsta Bot Protection | Google Search Central
