how to protect files and thank you page from google & hacker?

Good advice. I'd go one stage further and have the download page in a directory on the second site rather than on the default directory. You might also make sure the robots.txt file on the second domain tells robots not to crawl this directory. I found a site that will generate a robots.txt file for you here: Robots.txt Generator.

You should also add the following meta tags between the <head> and </head> area of your download page:

<meta name="robots" content="nofollow,noarchive,noindex">
<meta name="revisit" content="never">

That should stop your page being indexed by search engines, and download links to your product being followed.

How are you identifying the spiders?

Many of the bad bots I have seen spoof the user agent to look like a human.

I don't see the point of serving a blank page to a 'good' bot as it will obey robots.txt and keep out of your download area anyway (assuming you have disallowed that directory). You should never get so far as having to serve a page to them. The flipside is that the same entry in robots.txt is effectively an advertisement for the bad bots and scrapers - and in my experience these are far from easy to detect.

After manually trawling logs for some months I am convinced that a fair proportion of 'visitors' are actually various kinds of bots attempting to reverse engineer the sites - especially the ones that rank.

The more advanced bots can also accept cookies and interpret JavaScript which makes managing them or even distinguishing them from real people quite a challenge.

There are ways, but IMO it's far from easy, unless perhaps I am missing a trick (am I?).

Next time you tweet a URL take a look at your raw logs - most of that is bots.

While 100% detection rate is most likely impossible, at some point I am going to flick the switch and tell them all to fsck off. Sure there will be some false positives but if someone is blanking their referrer, spoofing their user agent and going through a proxy while rejecting cookies and not running script then perhaps they don't fit my customer profile anyway.

For anyone using G.Analytics or other JS based tracking don't forget that most of the nasties (that I have seen anyway) are still unable or unwilling to execute JavaScript and therefore don't leave a trace, while your site could be literally crawling with scrapers and bots. If you rank for anything it's even more likely due to the plethora of SEO reverse engineering software (I won't name any names).

A bot is never going to join your list, buy from you or add a meaningful comment to your blog. They just burn your bandwidth, rip your content or try to reverse engineer your hard work. Aside from the legit search engine crawlers, AFAIAC they can all p*ss off.

Now the short answer - for downloads try DLGuard - it's very nice.

Cheers,
Phil

ejunkie is pretty good. Cheap and the solution that I would recommend. As far as denying using robots.txt; not a good idea. I believe that ejunkie also puts the customers name on the file so you can track it if someone starts sharing your stuff out.

Sorry...clickbank doesn't do squat for protecting your thank you or download page

Today I noticed that Google has placed my entire book in preview that should only be viewed if purchased.
I wouldn't have found this except I discovered my sidebar with optin autoresponder form was missing along with advertising. I went to google search to see about clicking on the "cached" as that should solve that problem but discovered the book was there free to download. I went back to admin part of site & I checked the thank you page for download and it is set like it is supposed to be. DL guard is another purchase that is weeding out the money starved weaklings like me. Is there a free alternative plugin recommended?