A single line in robots.txt can make or break your SEO. One misplaced asterisk blocks your entire site from search engines. One forgotten directive exposes staging content to the world. Major brands like BBC and HBO have made exactly this mistake.
And in 2025, the stakes have grown. AI crawlers now account for a significant portion of bot traffic. Some of them respect robots.txt. Some of them do not.
This guide covers the technical mechanics of robots.txt, the mistakes that cost real sites real traffic, and the AI crawler landscape that most guides have not caught up with yet.
What Robots.txt Actually Does
Robots.txt is a crawl directive, not a security mechanism. This distinction trips up more site owners than any syntax error.
When Googlebot encounters your site, it first requests /robots.txt at your domain root. The file tells crawlers which URL paths they can and cannot request. Compliant crawlers respect these directives. But compliance is voluntary. Malicious bots ignore robots.txt entirely.
Here is what robots.txt can do: prevent well-behaved search engine crawlers from accessing specific URLs, reduce server load from aggressive crawling, and keep certain content out of search engine caches.
Here is what robots.txt cannot do: prevent pages from being indexed (they can be indexed without crawling if linked externally), hide sensitive content from bad actors, protect private information, or remove already-indexed pages from search results.
Wait. Pages can be indexed without being crawled?
Yes. A page blocked by robots.txt can still appear in Google’s index. Google sees external links pointing to the URL, knows the page exists, but cannot crawl it to understand the content. The result is an indexed URL with no snippet, no title beyond what Google infers from anchor text, and no useful information for searchers. This is often worse than either full access or true deindexing.
Think of robots.txt as a “Please Do Not Enter” sign on your door. Polite visitors respect it. Burglars ignore it completely. And it does nothing to prevent someone from knowing your house exists.
If you want to prevent indexing, use meta robots noindex tags or X-Robots-Tag HTTP headers. If you want to remove already-indexed content, use Search Console’s URL Removal tool or return 404/410 status codes. Robots.txt is for managing crawl behavior, not indexing behavior.
Basic Directive Syntax
Robots.txt uses a straightforward syntax, but precision matters. A single character can change everything.
| Directive | Function | Example | Notes |
|---|---|---|---|
| User-agent | Specifies which crawler rules apply to | User-agent: Googlebot | Use * for all crawlers |
| Disallow | Blocks access to specified path | Disallow: /private/ | Empty value allows everything |
| Allow | Permits access despite broader Disallow | Allow: /private/public.html | Widely supported but not in original protocol |
| Sitemap | Declares sitemap location | Sitemap: https://example.com/sitemap.xml | Can appear anywhere in file |
| Crawl-delay | Requests seconds between requests | Crawl-delay: 10 | Googlebot ignores this entirely |
User-agent specifies which crawlers the following rules apply to. Each rule block starts with a user-agent line:
User-agent: Googlebot
Disallow: /private/The asterisk serves as a wildcard for all crawlers:
User-agent: *
Disallow: /admin/Disallow blocks access to specified paths. The path matching starts from the beginning of the URL path:
Disallow: /searchThis blocks /search, /search/, /search-results, /searching, and anything else beginning with /search.
Allow explicitly permits access to paths that might otherwise be blocked by a broader Disallow rule. Google, Bing, and most major search engines respect Allow directives, though the original robots exclusion protocol did not include them.
Sitemap declares the location of your XML sitemap. This line can appear anywhere in the file and is not associated with any specific user-agent block. Multiple declarations work fine:
Sitemap: https://example.com/sitemap-posts.xml
Sitemap: https://example.com/sitemap-products.xmlCrawl-delay requests that crawlers wait a specified number of seconds between requests. Critical caveat: Googlebot ignores Crawl-delay entirely. To manage Google’s crawl rate, use Search Console’s crawl rate settings. Bing and some other crawlers do respect this directive.
Path Matching and Wildcards
Understanding how path matching works prevents most syntax errors.
Paths match from the beginning of the URL path portion. The directive Disallow: /folder matches /folder, /folder/, /folder/page.html, and /folder-name. It does not match /other/folder or /my-folder.
The asterisk matches any sequence of characters:
Disallow: /*.pdfThis blocks any URL containing .pdf, like /documents/report.pdf or /files/2024/annual.pdf.
The dollar sign marks the end of a URL pattern:
Disallow: /*.pdf$This blocks URLs that end with .pdf but not /documents/pdf-guide/ (which contains .pdf but does not end with it).
Combining wildcards creates powerful patterns:
Disallow: /products/*?sort=*This blocks product pages with sort parameters while allowing the base product pages.
Case sensitivity applies to path matching. /Page and /page are different paths. Most servers treat URLs as case-sensitive, though some do not. Test your specific configuration before assuming.
Directive Priority Rules
When multiple rules could apply to a URL, specificity determines which rule wins. More specific rules override less specific ones. Think of it like legal contracts: specific terms override general terms.
Consider this configuration:
User-agent: *
Disallow: /private/
Allow: /private/press-releases/For the URL /private/press-releases/2024-announcement.html, the Allow rule wins because it is more specific (longer match) than the Disallow rule.
If rules have equal specificity, Allow takes precedence in most implementations, including Google’s. However, relying on this tie-breaker suggests your rules need clearer structure.
When multiple user-agent blocks exist, crawlers use the most specific block that applies to them:
User-agent: Googlebot
Disallow: /
User-agent: *
Disallow: /admin/Googlebot uses only the first block (blocking everything). All other crawlers use only the second block (blocking just /admin/). Rules do not combine across blocks. This catches people off guard regularly.
Seven Mistakes That Break Real Sites
These errors appear repeatedly in site audits. Each has cost real sites real traffic.
Mistake 1: Blocking everything accidentally.
User-agent: *
Disallow: /This blocks all crawlers from all pages. Sometimes this happens intentionally during development but gets forgotten at launch. Sometimes it is a typo (meant to write Disallow: with no path, which blocks nothing). BBC and HBO have both made this mistake publicly.
Symptom: Entire site disappears from search results within weeks.
Fix: Remove or modify the Disallow line. Monitor Search Console for crawl recovery.
Mistake 2: Blocking CSS and JavaScript.
Older SEO advice recommended blocking resource files. Modern SEO requires the opposite. If Google cannot access your CSS and JavaScript, it cannot render your pages properly.
# Wrong
Disallow: /wp-content/themes/
Disallow: /js/
Disallow: /css/Symptom: Pages appear indexed but render poorly in Google’s cache. Mobile usability errors appear in Search Console.
Fix: Remove directives blocking render-critical resources. Use URL Inspection to verify proper rendering.
Mistake 3: Blocking query parameters too broadly.
# Dangerous
Disallow: /*?This blocks all URLs with any query parameter, including legitimate pagination, tracking parameters in external links, and canonical URLs using parameters.
Symptom: Significant portions of site become uncrawlable.
Fix: Block specific parameter patterns instead. Handle parameters with canonical tags.
Mistake 4: Forgetting trailing slashes.
Disallow: /private # Blocks /private, /private/, /private-other, /privately
Disallow: /private/ # Blocks /private/ and subpaths, but NOT /private itselfSymptom: Either more or fewer URLs blocked than intended.
Fix: Use Search Console’s robots.txt tester to verify exact behavior.
Mistake 5: Conflicting directives over time.
Complex sites accumulate rules. Eventually, rules contradict each other in non-obvious ways. One team adds a block, another adds an allow, nobody tracks the interactions.
Fix: Audit periodically. Remove outdated rules. Document why each rule exists.
Mistake 6: Not testing before deploying.
Robots.txt changes take effect immediately. Googlebot checks the file frequently.
Fix: Always test in Search Console before pushing to production.
Mistake 7: Assuming robots.txt prevents indexing.
It does not. External links to a blocked page mean Google knows it exists. The page can appear in search results with no useful information.
Fix: Use noindex for pages that should never appear in search results.
The 2025 AI Crawler Landscape
This is where robots.txt gets interesting in 2025.
AI crawler traffic has exploded. According to Cloudflare data, training-related crawling now accounts for nearly 80% of all AI bot activity. GPTBot’s market share surged from 5% to 30% between May 2024 and May 2025. Meta-ExternalAgent emerged as a new major player at 19%. Former leader Bytespider plummeted from 42% to 7%.
Over 560,000 websites now include AI bot directives in their robots.txt files. As of August 2024, 35.7% of the top 1,000 websites blocked GPTBot specifically.
Here is what you need to know about the major players:
OpenAI operates three different bots:
- GPTBot collects training data. Most frequently blocked AI crawler.
- OAI-SearchBot indexes content for ChatGPT search features.
- ChatGPT-User activates when humans request content through the interface.
Important: As of late 2024, ChatGPT-User does not respect robots.txt for user-initiated requests. This is a significant policy change. If a user asks ChatGPT to fetch your page, it will attempt to do so regardless of your robots.txt.
Other major AI crawlers:
- ClaudeBot and anthropic-ai (Anthropic)
- Google-Extended (Google’s AI training token)
- Meta-ExternalAgent (Meta)
- PerplexityBot (Perplexity)
- CCBot (Common Crawl, training data source for many LLMs)
- Applebot-Extended (Apple’s AI training)
A strategic option: block training crawlers while allowing search crawlers.
# Allow AI Search Crawlers
User-agent: OAI-SearchBot
Allow: /
User-agent: PerplexityBot
Allow: /
# Block Training Crawlers
User-agent: GPTBot
Disallow: /
User-agent: ClaudeBot
Disallow: /
User-agent: anthropic-ai
Disallow: /
User-agent: Google-Extended
Disallow: /
User-agent: CCBot
Disallow: /
User-agent: Meta-ExternalAgent
Disallow: /This approach lets you maintain visibility in AI-powered search results while protecting content from being absorbed into training datasets.
A few caveats. Blocking GPTBot will not remove content already in training data. New crawlers emerge regularly. Some crawlers do not respect robots.txt at all. For stronger enforcement, consider server-level blocking through Cloudflare, nginx rules, or firewalls.
Is blocking AI crawlers the right move for your site? That depends on your content strategy. Publishers with valuable original content increasingly see blocking as reasonable protection. Sites seeking maximum visibility might allow everything. There is no universal answer.
Robots.txt vs Meta Robots vs X-Robots-Tag
Three tools control crawler behavior. Each serves different purposes.
Robots.txt manages crawl access at the path level. Use it for broad sections of your site, for managing crawl budget, and for blocking resource files. It cannot control indexing.
Meta robots tags (in HTML head) control indexing at the page level. Common directives include noindex, nofollow, and noarchive. Use meta robots when you need page-specific control and when the page needs to be crawled to receive the directive.
X-Robots-Tag (HTTP header) provides the same directives as meta robots but works for any file type, including PDFs, images, and other non-HTML resources.
The relationship matters: if robots.txt blocks a page, Google cannot see meta robots directives on that page. This creates a problematic state where Google knows the page exists from external links but cannot receive your noindex instruction.
Decision framework:
- Want to save crawl budget on low-value pages? Use robots.txt.
- Want to prevent a page from appearing in search results? Use noindex via meta tag or X-Robots-Tag.
- Want to prevent both crawling AND indexing? Allow crawling, use noindex, wait for deindexing, then optionally add robots.txt.
This sequence matters because reversing it prevents the noindex directive from being seen.
Real-World Configurations
E-commerce site balancing crawl efficiency with comprehensive product indexing:
User-agent: *
# Block checkout and account pages
Disallow: /cart/
Disallow: /checkout/
Disallow: /account/
# Block filter combinations creating duplicates
Disallow: /*?color=*&size=*&
Disallow: /*?sort=
# Block internal search
Disallow: /search
# Block AI training
User-agent: GPTBot
Disallow: /
User-agent: ClaudeBot
Disallow: /
Sitemap: https://example.com/sitemap-index.xmlContent publisher protecting content from AI training while maintaining search visibility:
User-agent: *
Allow: /
Disallow: /admin/
Disallow: /users/
Disallow: /search/
# Block AI Training
User-agent: GPTBot
Disallow: /
User-agent: ClaudeBot
Disallow: /
User-agent: anthropic-ai
Disallow: /
User-agent: Google-Extended
Disallow: /
User-agent: CCBot
Disallow: /
# Allow AI Search
User-agent: OAI-SearchBot
Allow: /
Sitemap: https://example.com/sitemap.xmlSaaS application protecting authenticated areas:
User-agent: *
Disallow: /app/
Disallow: /dashboard/
Disallow: /api/
Disallow: /login
Disallow: /signup
Allow: /
Allow: /blog/
Allow: /features/
Allow: /pricing/
Sitemap: https://example.com/sitemap.xmlLocal business site in Nashville, TN with service areas:
User-agent: *
# Block internal tools
Disallow: /admin/
Disallow: /booking-system/
# Block duplicate location pages
Disallow: /*?location=
# Allow service and location pages
Allow: /services/
Allow: /nashville/
Allow: /areas-we-serve/
Sitemap: https://example.com/sitemap.xmlEach configuration reflects specific site architecture and business goals. Copy-pasting a template without understanding your own needs leads to problems.
Testing and Validation
Never push robots.txt changes to production untested.
Search Console’s robots.txt Tester validates syntax and tests specific URLs against your rules. Enter any URL to see whether it is allowed or blocked and which rule applies.
Limitations: The tester shows Googlebot’s interpretation only. Other crawlers may behave differently. The tester also shows current state, not future behavior if Google updates its parser.
Third-party tools like Screaming Frog, Sitebulb, and Ahrefs test multiple URLs simultaneously and simulate different user agents.
Version control your robots.txt. When something breaks, you need to know exactly what changed and when.
The file remains deceptively simple. Thirty years after the protocol was created, the basic syntax has not changed. But in 2025, with search engines and AI systems competing for access to your content, getting it right means understanding not just the syntax, but the entire ecosystem of crawlers now knocking on your door.
Sources
- Google Search Central: Robots.txt Introduction – https://developers.google.com/search/docs/crawling-indexing/robots/intro
- Google Search Central: Robots.txt Specifications – https://developers.google.com/search/docs/crawling-indexing/robots/robots_txt
- RFC 9309: Robots Exclusion Protocol – https://www.rfc-editor.org/rfc/rfc9309.html
- Cloudflare Blog: From Googlebot to GPTBot (July 2025) – https://blog.cloudflare.com/from-googlebot-to-gptbot-whos-crawling-your-site-in-2025/
- Paul Calvano: AI Bots and Robots.txt Analysis – https://paulcalvano.com/2025-08-21-ai-bots-and-robots-txt/
- OpenAI: GPTBot Documentation – https://platform.openai.com/docs/bots
- Playwire: How to Block AI Bots with robots.txt – https://www.playwire.com/blog/how-to-block-ai-bots-with-robotstxt-the-complete-publishers-guide