I noticed a massive increase in unwanted bot traffic to my login page. I tested blocking IP's, denying specific bots access and also denying all except bots on a whitelist, but all have drawbacks. A captcha is not the solution because bots still use bandwidth. I am now testing a delay:
sleep(2);
Added before the rest of the PHP code.
Is this a good way to limit bot bandwidth usage? Any problems with this solution that I have not thought of?
Adding sleep() is a good way to ensure you have a possible DDoS attack. Sleep will still keep the thread busy, only your CPU will be freed. This means that your available connection pool will be used up quicker than it should. Such bandwidth or DDoS prevention should be done on the server level not in PHP application.