
Block Spam by Denying Access to No-Referrer Requests

What we have here is an excellent method for preventing a great deal of blog spam. With a few strategic lines placed in your .htaccess file, you can stop spambots from dropping spam bombs by denying comment submissions whose HTTP Referer header does not point back to your own domain.

Block comment spam

Here is the script to add to your site’s root .htaccess file:

# block comment spam by denying access to no-referrer requests
RewriteEngine On
# only act on POST submissions to the comment-processing script
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ...whose Referer does not contain your domain (edit example.com)
RewriteCond %{HTTP_REFERER} !(.*)example\.com(.*) [OR]
# ...or whose User-Agent is empty (or the literal "-")
RewriteCond %{HTTP_USER_AGENT} ^-?$
# send matching requests elsewhere (edit the target URL)
RewriteRule .* http://the-site-where-you-want-to-send-spammers.com/ [R=301,L]

Note that you need to edit the following lines according to your specific setup:

wp-comments-post\.php
This is the default comment-processing script for WordPress users. If you are not running WordPress, you will need to determine the corresponding file and enter its name here.
!(.*)example\.com(.*)
Change example.com to your own domain (keep the backslash before the dot, since the pattern is a regular expression). Note that the leading ! negates the match and the pattern is unanchored, so any Referer that merely contains the string example.com anywhere (including, say, http://example.com.attacker.test/) passes the check.
http://the-site-where-you-want-to-send-spammers.com/
Change this to wherever you want to send blocked requests. The block works whether or not the bot follows the redirect: once the rule matches, Apache answers with the 301 and wp-comments-post.php never runs, so the destination only matters to a bot that actually follows it, and spambots typically ignore redirects. Pointing it at a third-party site does send them your spam traffic, however. Another option is to simply bounce the spambot back to where it came from by replacing the last line with this: RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

For more awesome anti-spam techniques, check out How to Block Bad Bots and Stupid .htaccess Tricks.

How does it work?

When a legitimate user (i.e., not a robot, etc.) decides to leave a comment on your blog, they have (hopefully) read the article for which they wish to leave a comment, and have subsequently loaded your blog’s comment template (e.g., comments.php), which is most likely located within the same domain as the article, blog, etc. (i.e., your domain).

So, after filling out the comment form via comments.php, the user clicks the “submit” button, which then initiates the PHP file/script that actually processes the comment for the world to see. For WordPress users, the comment processing file is wp-comments-post.php.

Therefore, the HTTP referrer for all legitimate (user-initiated) comments will be your domain (or the domain in which the comments.php file is located). Automated spam robots typically target the comment-processing script directly, bypassing your comments.php form altogether, so their requests arrive with no referrer at all, or with one that is not your domain. (The trade-off is that a few real visitors also send no referrer, because of a privacy extension or a strict referrer policy in their browser; the rule blocks their comments too.)

Thus, by blocking all requests for the comment-processing script (wp-comments-post.php) whose referrer is not your domain (i.e., not your comments.php form), you immediately eliminate a large portion of blog spam. Because the referrer is just a header the client chooses to send, a bot that loads your form and forges it gets through, so treat this as a cheap first filter rather than a complete defense.
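Here is a tightened version of the rule, added as an example; it is not the code from the original post and not WordPress's own. It assumes the site is served at example.com or www.example.com, that WordPress lives at the web root, and that mod_rewrite is enabled. It anchors the Referer pattern so that only a Referer starting with your own origin passes, and it answers with a 403 instead of a redirect:

```apache
# Added example (not the post's own code): tightened no-referrer block.
# Assumes the site is served as https://example.com/ or https://www.example.com/
# and that WordPress is installed at the web root.
RewriteEngine On

# Only act on POST submissions to the comment handler.
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$ [NC]

# Block if the Referer is absent or does not start with our own origin.
# An unanchored "example\.com" pattern would also accept a Referer such as
# http://example.com.attacker.test/ or http://attacker.test/?example.com;
# anchoring the scheme and host closes that gap. Edit example.com to taste.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC,OR]
# ...or if the User-Agent is empty (or the literal "-" some proxies send).
RewriteCond %{HTTP_USER_AGENT} ^-?$

# Refuse the request outright instead of redirecting. A 301 to a third-party
# site turns the bot's POST into a GET against someone else's server, and most
# bots ignore redirects anyway; a 403 ends the request here and shows up in
# the access log as such.
RewriteRule ^ - [F,L]
```

To check it from the shell, `curl -s -o /dev/null -w '%{http_code}\n' -X POST -d 'comment=test' https://example.com/wp-comments-post.php` should print 403, and the same command with `-H 'Referer: https://example.com/some-post/'` added should not. Keep in mind that a bot can send that header exactly as easily as curl can. If you need to see which condition fired, note that the RewriteLog and RewriteLogLevel directives were removed in Apache 2.4; put `LogLevel alert rewrite:trace3` in the server or virtual-host configuration instead and read the trace in the error log.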

And that is all there is to it! Bye bye spambots!

About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.

44 responses to “Block Spam by Denying Access to No-Referrer Requests”

  1. WordPress Trackback Spam!!!

    I have installed plugins that prevent comment spam, but these won’t block trackbacks. I’ve been spammed by many MFA websites that are most probably from the same network via trackback, but they are not linking to me on their websites. May I know how they do it and how I can stop it, without disabling trackbacks? Thanks, and I’m using WordPress.

  2. Hmmm… good question. I will look into it.

  3. Shouldn’t the last line be changed to:

    RewriteRule ^(.*)$ http://the-site-where-you-want-to-send-spammers.com/ [R=301,L]

    I am using it as you have it and am getting 404 errors like this:

    http://shamar.org/%sitegoto.com/$
  4. Perishable 2007/01/23 9:10 am

    Lee,

    If that works for you, great. Often, there are multiple ways of writing htaccess expressions. For example, here is the last line of the same htaccess code currently presented on the WordPress Codex:

    RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

    Further, here is the corresponding line we are currently using at Perishable Press:

    RewriteRule ^(.*)$ ^http://www.google.com/$ [R=301,L]

    ..which has been working fine for quite a while.

    Also, an absence of errors doesn’t necessarily translate into proper functionality. You should throw down with some tuf log action:

    RewriteEngine On
    RewriteLog /absolute/path/to/your/wwwroot/public_html/rewrite_log.txt
    RewriteLogLevel 2

    ..to ensure that your syntax actually produces the desired results (i.e., blocking spambots, etc.). Either way, thanks for the information concerning your specific issue — it may prove beneficial to others experiencing the same type of error.

  5. oh nothing just wanted to feel special!!!!!!!!!!!

  6. Your specialness is obvious, danielle ;)

  7. I’ve thought of using this method before but I was too lazy to form up a proper code. Thank you Perishable…of course not forgetting Shoemoney :)

  8. Perishable 2007/12/10 9:17 pm

    My pleasure, Jenny — thank you for the feedback :)

  9. Rick Beckman 2008/01/24 5:00 am

    I’m using this code too, but looking up the IPs of spammers caught by Akismet and cross-referencing those same IPs with my Apache logs, I’m seeing that the spammers are actually loading the posts and submitting via the actual form.

    And by doing so, they’ve circumvented the protection you share above, as well as the one I implemented (renaming /wp-comments-post.php to something custom, editing my theme’s /comments.php file appropriately).

    Spam sucks.

    Oh, just curious as to why users with empty user-agents are blocked from commenting in the above rewrite?

  10. I put in the above code in my .htaccess and got a 500. After a few tries and changes, I decided to add this into my wp-comments-post.php. Is there any reason I shouldn’t have this (other than having to add it every time I upgrade WP)?

    // empty() guards against an undefined-index notice when no Referer header is sent
    if (empty($_SERVER['HTTP_REFERER']) || strpos($_SERVER['HTTP_REFERER'], 'example.com') === false) exit;

    Thanks.

  11. Perishable 2008/01/27 9:11 am

    @Rick: Yes indeed, spam sucks — it’s like a perpetual cyberspace battle: spammers attack, bloggers defend themselves, spammers defeat the defenses and attack some more.. ad nauseam. As to the secret purpose of blocking empty user agents, I will never tell!

    @a name: Beyond the pain of perpetual updates, I see no reason why such code would cause any issues — in fact, it seems like an excellent alternative to the htaccess method. Thanks for sharing :)

  12. Hi

    Thanks for your list, it’s been on my favourites for years. I’m trying to use the above script to kill spam on our contact forms, however, not being the htaccess guru you are, I’m having trouble redoing the URLs to the form handlers in subdirectories. Any tips?
