If you are on VPS, or you have Nginx (Apache works too, but Nginx is easier ) front of Discourse banning bots is quite much easier. IU of Discourse is… not so easy to use, because out there is plenty of bots. Robots.txt is close to useless because quite few is following it, not even Google.
The issue is not knockers trying to reach your Discourse. Everything else those are looking for is.
- Hundreds script kiddies are testing if you have WordPress and knocking holes, mostly old ones, but still
- SEO-scrapers and other spiders are trying to analyze your content, mostly because they want to money with it
- plus of course search engines
Those don’t do any real harm, as breaking in, but serving them costs pure money.
The problem is that your server must answer to all of them. Quite soon majority of the load is coming from bots, not real users. It is totally normal situation when you have around 50 - 500 bots per one actual user.
And you will pay all of this.
I don’t have global audience because my sites, including Discourse, are pure finnish. So I have one powerful tool too, but it can be used only on VPS: geo-blocking.
I’m so sorry our friends from Russia, China, India, Pakistan, Iran, Iraq and Viet Nam, but when I stopped your countries, my bot-load sank about 90 %.
Fighting against bots is never ending struggle. And tools of Discourse, when a forum is not private, are very limited. But sure, better than nothing.
Do not understand me wrong. I’m not wanting that an app should do something that is job of server. I’m just meaning that you can’t rely on Discourse.