SemrushBot Explained: User Agents, Crawl Control, and Blocking
SemrushBot is not one universal crawler switch. Semrush uses several documented user agents for backlinks, audits, content tools, and experiments. Identify the exact agent in server logs, connect it to a business purpose, then apply the least disruptive control and verify the result without accidentally restricting real search crawlers.

What is SemrushBot, and should you block it?
SemrushBot is the documented crawler Semrush uses to collect backlink and web-graph data, but “Semrush traffic” also includes several purpose-specific agents. Do not reflexively block them all. First name the exact bot, decide whether its function helps your team, and apply the narrowest control that solves the load, privacy, or reporting problem.
The practical verdict is simple: allow useful collection when server cost is trivial, throttle a legitimate bot causing load, and block an exact agent when its purpose provides no value. The official Semrush crawler documentation is the canonical purpose map. A rule for SemrushBot does not automatically govern every other Semrush user agent.
Which Semrush user agent is requesting your pages?
Semrush publishes distinct user agents because its products perform different jobs. Match the complete agent token in your logs and robots rules rather than assuming every name beginning with “Semrush” behaves identically. The table below summarizes the documented purposes; confirm current wording on the Semrush bot reference before setting policy.
| User agent | Documented purpose or control context |
|---|---|
SemrushBot | Backlink and web-graph collection |
SiteAuditBot | Configured Site Audit crawls |
SemrushBot-BA | Backlink Audit |
SemrushBot-SI | On Page SEO Checker |
SemrushBot-SWA | SEO Writing Assistant |
SplitSignalBot | SplitSignal testing |
SemrushBot-OCOB | Content outline builder |
SemrushBot-FT | Free tools |
RyteBot | Ryte-related crawling |
SemrushBot-ESI | SEO Intelligence features |

How can you identify Semrush traffic with evidence?
Identify a Semrush bot from the exact user-agent string, then correlate timestamps, requested paths, response codes, request frequency, and any known audit schedule. A name alone is a claim supplied by the requester, not proof of identity. Never report that a crawl occurred unless your own CDN, load-balancer, or origin logs contain matching requests.
For a 10–15 minute window, group requests by exact agent; record host, timestamp, path, status, bytes, latency, and cache result; then compare timing with configured Semrush projects. Repeat the check for each subdomain.
Semrush advises using robots controls instead of IP blocking because it does not publish crawler addresses as stable consecutive ranges. The official crawler page is therefore more reliable for control syntax than an invented allowlist. Reverse DNS can contribute evidence, but it is not guaranteed Semrush authentication.
When should you allow, throttle, or block it?
Allow a named crawler when its product output is useful and resource impact is low. Throttle it when the purpose is legitimate but request rate strains infrastructure. Block only the exact unnecessary agent or sensitive path. This least-disruptive policy preserves audits and research while avoiding accidental damage to unrelated search and AI discovery systems.
- Allow: expected projects and low-cost public crawling.
- Throttle: a useful agent producing measured origin strain.
- Block: an exact unneeded agent or irrelevant public route.
Robots rules affect crawl access, not identity or authorization. RFC 9309 defines user-agent groups and allow/disallow matching, while also establishing the protocol’s crawl-control role. Measure before and after: request volume, error rate, origin latency, and whether a legitimate Semrush project still completes.
How do robots.txt rules, responses, and propagation control Semrush?
Create a separate group for the exact documented user agent you intend to control, keep ordinary public content available, and publish the file at the root of every affected subdomain. Semrush states that each subdomain needs its own reachable /robots.txt; a rule on www does not control shop, docs, or another host.
Block only a costly route for the backlink crawler:
User-agent: SemrushBot
Disallow: /internal-search/Block a specific audit crawler while leaving other agents untouched:
User-agent: SiteAuditBot
Disallow: /Throttle the backlink crawler without naming Googlebot or AI search bots:
User-agent: SemrushBot
Crawl-delay: 5
Disallow: /cart/Semrush documents wildcard support and says backlink SemrushBot honors Crawl-delay up to 10 seconds. Its crawler guidance also says a 4xx robots response means missing with no restrictions, 5xx stops crawling, and 3xx redirects are followed. Apply these details only as documented, then test the exact agent and host.
Rule changes may take up to an hour or roughly 100 requests to propagate for the backlink crawler. Fetch every host’s final 200 response, inspect its body, wait through one propagation window, then compare logs. Do not use 5xx as a permanent blocking policy.

Why can SiteAuditBot appear to be Google or OpenAI Search?
A Semrush Site Audit owner can configure crawler user-agent emulation, including Semrush, Google, or OpenAI Search options. That setting changes the presented audit identity; it does not turn SiteAuditBot into the real Google or OpenAI crawler. Diagnose it by correlating logs with the audit project, selected settings, timing, paths, and rate.
The Site Audit configuration guide documents user-agent choices and configurable crawl speeds, including a one-URL-per-two-seconds option where available. Treat that as project configuration evidence, not proof that any similarly named request came from Google or OpenAI.
Google and OpenAI publish separate controls. OpenAI’s official bot documentation distinguishes OAI-SearchBot from GPTBot. Allowing or blocking a Semrush agent does not directly change either role, and it does not change Google crawling. Keep those policies in separate, explicit groups.
How do you verify the fix without weakening security or SEO?
Verify a crawler-control change in 15 minutes by checking the published file, generating no destructive traffic, and comparing fresh logs with the baseline. Robots is public advice, not a security barrier. Keep sensitive routes behind authentication, use POST plus authorization for state changes, and never place secrets or private parameters in crawlable GET URLs.
Use this focused plan:
- Minutes 0–3: fetch
/robots.txton every affected subdomain; record final URL, status, and rule. - Minutes 3–6: validate exact group spelling and confirm no
Googlebot,OAI-SearchBot, or normal content rule changed. - Minutes 6–10: inspect logs for agent, path, rate, status, and cache behavior.
- Minutes 10–15: compare the baseline, note propagation limits, and test the intended Semrush project.
Robots blocking is not reliable deindexing: Google explains that a blocked URL can still appear when other pages link to it in its robots.txt introduction. Use appropriate indexing controls on accessible pages and authentication for private data.
StoreCited can flag public crawler and AI-readiness controls visible at scan time. It does not live-monitor every bot request, prove the source of a request, force an AI citation, or replace access logs, WAF evidence, and authenticated security controls.
Get the answer for your specific store