You’re checking your Google Analytics and notice something alarming: direct traffic has spiked, and your bounce rate is climbing with it. Before you panic or start installing plugins, take a breath. The answer is almost always hiding in your data — you just need to know where to look.
If you’re using GA4, it automatically filters out many known bots. So in most cases, an inflated bounce rate tied to direct traffic is more about how engagement tracking is configured or what’s slipping through the cracks than it is about your website being broken. Let’s walk through how to diagnose the problem.
Start With Your GA4 Configuration
Before diving into the data, make sure your GA4 setup isn’t part of the problem. There are a few common configuration issues that can inflate direct traffic or skew your bounce rate.
Internal Traffic Filters
Your own visits can show up as direct traffic if you haven’t excluded them. To check this:
- Go to Admin → Data Streams → Configure tag settings → Define internal traffic
- Make sure your office, home, and VPN IP addresses are listed
- Then go to Admin → Data Settings → Data Filters and confirm the filter is set to Active, not just Testing
Referral Exclusions
When users pass through payment gateways, SSO providers, or other redirect-heavy services and return to your site, GA4 can re-classify them as new direct sessions. These often bounce because the user already completed their action. Check this under Admin → Data Streams → Configure tag settings → List unwanted referrals and add any services that are part of your normal user flow.
Engaged Session Settings
GA4 defines a “bounce” differently than Universal Analytics did. A bounced session in GA4 is one that wasn’t “engaged,” meaning it didn’t last at least 10 seconds, didn’t include 2 or more page views, and didn’t trigger a conversion event. If your site is content-heavy but users tend to read quickly and leave, that 10-second threshold might be too aggressive. You can adjust it under Admin → Data Streams → Configure tag settings → Adjust session timeout.
Missing UTM Parameters
This one is easy to overlook. If you’re running email campaigns, posting on social media, or running ads without proper UTM parameters on your links, that traffic gets dumped into the direct bucket. It might have engagement patterns that differ significantly from your direct traffic, pulling your overall numbers in unexpected directions.
Dig Into the Data With Explore Reports
Once you’ve confirmed your configuration is solid, it’s time to investigate the traffic itself. GA4’s Explore reports let you slice the data in ways that standard reports can’t, and they’re essential for spotting bot traffic.
Setting Up Your Exploration
- Go to Explore in the left sidebar and create a new blank exploration
- Add Session default channel group and Landing page + query string as dimensions
- Add Sessions, Engaged sessions, Bounce rate, and Engagement rate as metrics
- In the Tab Settings, add a filter: Session default channel group exactly matches Direct
A quick but important note: make sure you’re using Session default channel group, not just “Default channel group.” The version without “Session” is event-scoped and will return far fewer results, sometimes dramatically so. In one case, using the wrong dimension showed only 10 sessions, even though the actual number was over 142,000.
What to Look For: Landing Pages
With your exploration filtered to direct traffic, set Landing page as your row dimension and sort by sessions in descending order. You’re looking for:
- URLs you don’t recognize or that don’t exist on your site, which can indicate spam or ghost hits
- A single page absorbing a disproportionate share of all direct sessions
- Pages with near-100% bounce rates and almost zero engaged sessions
What to Look For: Devices and Screen Resolution
Add Device category and Screen resolution as row dimensions alongside your landing page. Sort by sessions and look for:
- Screen resolutions like 1024×768, 800×600, or (not set) appearing with unusually high session counts
- A single resolution driving the vast majority of your direct traffic
- Any resolution with a 100% or near-100% bounce rate and zero engaged sessions
The resolution 1024×768 is the default viewport size for headless browsers and automation tools like Selenium, and it’s rarely used by real humans today. If you see tens of thousands of sessions from this resolution, you’re almost certainly looking at bot traffic.
What to Look For: Engagement Patterns
Check the overall engagement rate for your direct traffic. Real human traffic, even from disinterested visitors, doesn’t produce a perfect 100% bounce rate across tens of thousands of sessions. You’d always expect at least some percentage to engage. If your engagement rate is below 1–2% and your session counts are high, that’s a strong signal of automated traffic.
A Real-World Example
Here’s what this looks like in practice. A recent investigation into a site’s GA4 data revealed the following over a 90-day period:
- Over 140,000 total direct sessions with fewer than 800 engaged sessions, a 99%+ bounce rate
- The vast majority of those sessions came from a single screen resolution: 1024×768 on desktop
- Every single one of those sessions had a 100% bounce rate with zero engaged sessions
- Over 95% of all direct traffic was concentrated in this one resolution
- All of it was hitting the homepage exclusively
This pattern is a textbook indicator of automated bot traffic:
- 1024×768 is the default viewport size for headless browsers and automation tools
- Real human traffic doesn’t produce a perfect 100% bounce rate
- All traffic landing exclusively on the homepage via direct is the most common behavior for bots that simply load a URL without navigating the site
- A single resolution accounting for 95%+ of all direct traffic is not a natural distribution
When the 1024×768 resolution was filtered out of the data, the results shifted dramatically:
- Engagement rate jumped from under 1% to over 10%
- Bounce rate dropped from over 99% to under 90%
- Total bounce rate across all channels fell by nearly 17 percentage points
What to Do About It
If your investigation points to bot traffic, here’s the recommended path forward:
Short Term: Clean Up Your Reports
In GA4, you can create filters or custom audiences that exclude the offending screen resolution so your reports reflect real user behavior. This doesn’t stop the bots, but it gives you clean data to work with while you address the root cause.
Medium Term: Check Your Server Logs
Contact your hosting provider and ask them to check for high-volume requests from specific IP ranges or user agents that hit your homepage. The server logs will show you exactly which IPs are responsible, and you can cross-reference those against known cloud hosting providers and bot networks. From there, you can block the offending traffic while allowing legitimate bots, such as search engine crawlers, through.
Long Term: Implement Bot Mitigation
If you’re behind a CDN like Cloudflare, you can tighten your firewall rules or enable bot management features to challenge suspicious traffic before it ever reaches your site. This prevents the traffic from being recorded in GA4 in the first place, which is the cleanest solution.
The Bigger Picture
A sudden spike in direct traffic with a high bounce rate isn’t always a sign that something is wrong with your website or your analytics setup. Sometimes it’s just bots. The key is knowing how to investigate systematically: start with your configuration, dig into the data with the right dimensions and filters, and follow the evidence.
Once you’ve cleaned up the bot traffic, you’ll have a much clearer picture of how your real visitors are behaving. And from there, you can make informed decisions about what actually needs to be optimized.