I found https://plugins.matomo.org/BotTracker but it seems to rely on the honesty of the bot farm to disclose itself as a bot via the user agent. Sadly, many don’t do this, and try to pass as a regular visitor. So a visit from such a disguised bot will be counted as a regular visit.
I instead added the Tracking Spam Prevention plugin, maybe that can take care of blocking disguised bots from getting counted?
… and enabled these filters:
x Block tracking requests from the cloud
Blocks tracking requests originating from cloud providers like AWS, Azure, Digital Ocean, Google Cloud and Oracle by fetching a list of their IP ranges. It should be safe to turn on if you are only tracking using the JavaScript tracker, as their tracking requests do not orginate from clouds, unless they use a VPN that routes data through cloud providers. The setting applies to all your sites.
x Block headless browsers
These are browsers without a user interface, mostly used for automation. It should be safe to turn this on if you only have regular websites or apps. It can block additional bots and spam requests that otherwise would not be detected.
x Block tracking requests from server-side libraries
Use this if only using JavaScript Tracker, as other traffic will be attacks or spam anyway. It blocks tracking requests from cURL, HTTP, Guzzle, and Postman.
Note: Do not use it if track data using a server-side SDK like the Matomo PHP tracking SDK, Java SDK, Python SDK, Android or iOS SDK, or other server-side programming languages.