Block Spam by Denying Access to No-Referrer Requests
Published Monday, November 20, 2006 @ 11:28 am • 28 Responses
Credit for this trick goes to shoemoney.com. What we have here is an excellent method for preventing a great deal of blog spam. With a few strategic lines placed in your htaccess file, you can prevent spambots from dropping spam bombs by denying access to all requests that do not originate from your domain.
How does it work? Well, when a legitimate user (i.e., not a robot, etc.) decides to leave a comment on your blog, they have (hopefully) read the article for which they wish to leave a comment, and have subsequently loaded your blog’s comment template (e.g., comments.php), which is most likely located within the same domain as the article, blog, etc. (i.e., your domain).
So, after filling out the comment form via comments.php, the user clicks the "submit" button, which then initiates the PHP file/script that actually processes the comment for the world to see. For WordPress users, the comment processing file is wp-comments-post.php.
Therefore, the Referer header (the HTTP spelling of "referrer") sent with a legitimate, user-initiated comment will name your domain (or whichever domain hosts the comments.php form). Automated spam robots typically POST to the comment-processing script directly, bypassing your comments.php form altogether, so their requests arrive with a Referer from some other domain or with no Referer at all.
Thus, by blocking all POST requests for the comment-processing script (wp-comments-post.php) whose Referer does not name your domain, you immediately eliminate a large portion of blog spam. Two caveats are worth knowing before you rely on it. The Referer value is supplied by the client, so a bot that sets it to your domain passes the check unchanged. And some browser settings and proxies strip the header, so a small number of legitimate visitors will be turned away along with the spammers. Treat the rule as a cheap filter for unsophisticated bots rather than as a security control.
Sound good? Here is the script to add to your site’s .htaccess file:
# block comment spam by denying access to no-referrer requests
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?perishablepress\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ http://the-site-where-you-want-to-send-spammers.com/ [R=301,L]
Please note that you need to edit the following lines according to your specific setup:
/wp-comments-post\.php$ - This is the default comment-processing script for WordPress users (the pattern is anchored with $ so it matches the script name exactly and nothing else). If you are not running WordPress, you will need to determine the corresponding file and enter its name here.
!^https?://(www\.)?perishablepress\.com/ - Change this value to that of your own domain. The pattern is anchored to the start of the Referer, so a referrer that merely mentions your domain somewhere in its path or query string does not pass; the NC flag makes the comparison case-insensitive, and the OR flag joins this condition with the empty-user-agent check on the next line.
http://the-site-where-you-want-to-send-spammers.com/ - Because spambots typically ignore redirects, this may not be accomplishing too much. But go ahead and enter the URL of your least-favorite website anyway. Note that the substitution part of a RewriteRule is a plain URL, not a regular expression, so it takes no ^ or $ anchors; if you would rather refuse the request outright, replace [R=301,L] with [F,L] to answer with 403 Forbidden. Another option here is to simply bounce the spambot back to where it came from by replacing the last line with this:
RewriteRule ^(.*)$ http://%{REMOTE_ADDR}/ [R=301,L]
And that is all there is to it! Bye bye spambots!
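As an added illustration (not part of the original article or of the shoemoney trick it credits), the following Python script mirrors the rewrite conditions above and dry-runs them over a few constructed Apache combined-format log lines, so you can see what the rule would block before touching .htaccess. It assumes the domain perishablepress.com from the snippet and the default WordPress script name; the log lines, IP addresses and user agents are made up for the example. The fourth sample line shows the limit of the technique: a bot that sends a Referer naming your domain is allowed through.

```python
"""Dry-run the "no-referrer comment POST" rewrite rule against Apache log lines.

Added example, not code from the original article: it mirrors the RewriteCond
logic (POST + comment script + (foreign/missing Referer OR empty User-Agent))
in Python so the effect can be checked against a log before editing .htaccess.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Assumptions: the site host used in the article's snippet and the default
# WordPress comment-processing script. Change both for your own site.
SITE_HOST = "perishablepress.com"
COMMENT_SCRIPT = re.compile(r"/wp-comments-post\.php$")

# The Referer must be an absolute URL on our own host (optionally www.), anchored
# at the start, so "http://evil.example/?perishablepress.com" does not pass.
OWN_REFERER = re.compile(r"^https?://(www\.)?" + re.escape(SITE_HOST) + r"(/|$)", re.IGNORECASE)

# Constructed Apache "combined" log lines for illustration only (not real traffic):
# ip ident user [time] "request" status bytes "referer" "user-agent".
# Apache writes "-" when a header is absent.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Nov/2006:11:28:01 -0600] "POST /press/wp-comments-post.php HTTP/1.1" 302 0 "http://perishablepress.com/press/some-post/" "Mozilla/5.0 (X11; Linux) Firefox/2.0"
198.51.100.7 - - [20/Nov/2006:11:29:15 -0600] "POST /press/wp-comments-post.php HTTP/1.0" 200 512 "-" "-"
198.51.100.8 - - [20/Nov/2006:11:30:02 -0600] "POST /press/wp-comments-post.php HTTP/1.1" 200 512 "http://spam.example/" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.9 - - [20/Nov/2006:11:31:44 -0600] "POST /press/wp-comments-post.php HTTP/1.1" 200 512 "http://perishablepress.com/press/" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.11 - - [20/Nov/2006:11:32:10 -0600] "GET /press/some-post/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows) Firefox/2.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def should_block(method: str, uri: str, referer: Optional[str], user_agent: Optional[str]) -> bool:
    """Return True when the .htaccess rule would fire for this request.

    Mirrors: REQUEST_METHOD = POST  AND  REQUEST_URI ends in the comment script
    AND (Referer is not on our host  OR  User-Agent is empty).
    """
    if method != "POST":
        return False
    # Apache's %{REQUEST_URI} carries no query string; strip one if a log has it.
    path = uri.split("?", 1)[0]
    if not COMMENT_SCRIPT.search(path):
        return False
    referer_foreign = not (referer and OWN_REFERER.match(referer))
    ua_empty = not user_agent
    return referer_foreign or ua_empty


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one combined-format line; "-" for Referer/User-Agent becomes None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, Optional[str]] = dict(m.groupdict())
    rec["referer"] = None if rec["referer"] == "-" else rec["referer"]
    rec["ua"] = None if rec["ua"] == "-" else rec["ua"]
    return rec


def dry_run(log_text: str) -> Tuple[List[str], List[str]]:
    """Classify every comment-script POST in the log.

    Returns (blocked_ips, allowed_ips) in log order; other requests are ignored.
    """
    blocked: List[str] = []
    allowed: List[str] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not COMMENT_SCRIPT.search((rec["uri"] or "").split("?", 1)[0]):
            continue
        hit = should_block(rec["method"] or "", rec["uri"] or "", rec["referer"], rec["ua"])
        (blocked if hit else allowed).append(rec["ip"] or "")
    return blocked, allowed


if __name__ == "__main__":
    # Pipe a real access log on stdin, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    blocked_ips, allowed_ips = dry_run(text)
    print(f"comment POSTs the rule would block: {len(blocked_ips)} {blocked_ips}")
    print(f"comment POSTs that would still get through: {len(allowed_ips)} {allowed_ips}")
```

Pipe your own access log through it (python3 script.py < access.log) and compare the "would block" count with what Akismet or your moderation queue catches; if many blocked addresses belong to real commenters, your visitors' browsers or proxies are stripping Referer and the rule will cost you comments.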
Dialogue
28 Responses
January 23, 2007 at 6:25 am
Shouldn’t the last line be changed to:
RewriteRule ^(.*)$ http://the-site-where-you-want-to-send-spammers.com/ [R=301,L]
I am using it as you have it and am getting 404 errors like this:
http://shamar.org/%sitegoto.com/$
October 10, 2007 at 7:59 am
oh nothing just wanted to feel special!!!!!!!!!!!
December 10, 2007 at 9:15 pm
I’ve thought of using this method before but I was too lazy to form up a proper code. Thank you Perishable…of course not forgetting Shoemoney :)
January 24, 2008 at 5:00 am
I’m using this code too, but looking up the IPs of spammers caught by Akismet and cross-referencing those same IPs with my Apache logs, I’m seeing that the spammers are actually loading the posts and submitting via the actual form.
And by doing so, they’ve circumvented the protection you share above, as well as the one I implemented (renaming /wp-comments-post.php to something custom, editing my theme’s /comments.php file appropriately).
Spam sucks.
Oh, just curious as to why users with empty user-agents are blocked from commenting in the above rewrite?
January 26, 2008 at 12:09 am
I put in the above code in my .htaccess and got a 500. After a few tries and changes, I decided to add this into my wp-comments-post.php. Is there any reason I shouldn’t have this (other than having to add it every time I upgrade WP)?
if (!isset($_SERVER['HTTP_REFERER']) || strpos($_SERVER['HTTP_REFERER'], 'yourdomain.com') === false) exit;
Thanks.
April 4, 2008 at 5:25 am
Hi
Thanks for your list, it’s been in my favourites for years. I’m trying to use the above script to kill spam on our contact forms; however, not being the htaccess guru you are, I’m having trouble redoing the URLs to the form handlers in subdirectories. Any tips?
May 9, 2008 at 5:05 pm
What about proxies? I know that some proxy servers will erase the referrer header. Do you know if that solution will block visitors? Is it better to store a referrer address in the session, or to use another way like an empty input text (display: none) and verify that the input is still empty before using the data?
September 25, 2008 at 8:40 pm
I was using a manual posting technique, but I am not able to post a comment on any site.
Maybe my URL “gigaturn” has been listed in a block-list by wp-comments-post.
Any solution for this problem would be appreciated.
Thanks in advance!
jitu78@gmail.com
September 29, 2008 at 3:03 am
Thanks Jeff,
But you can try it yourself.
Just try it with gigaturn.com.
You will not be able to post.
Still looking for the right solution.
September 29, 2008 at 3:06 am
Tried again with the site URL and got this:
http://perishablepress.com/press/wp-comments-post.php
Not able to post a comment with this URL (gigaturn.com); however, I can post with other URLs.
November 19, 2008 at 8:12 am
Hi, sorry to bother you, I need help.
I think I have a few pages with strange URLs, which I can see from my WassUp stats. That xxx is a porn site, and Google crawls it all the time. I never linked to them in the first place. Please help. How do I remove and block it? It’s not only one page.
e.g.:
/page/92/?ref=www.xxx.com-www.xxx.com-www.xxx.com-www.xxx.com
I’m very sad, I don’t know much about this :cry:
November 25, 2008 at 5:50 am
Thank you for your help. I will link to you so I don’t forget your site.
November 28, 2008 at 7:58 am
Hi, Mr Jeff. How are you? :smile:
After what happened to me, I’m still sometimes worried that someone is redirecting bad content to my site. Is that possible, and if so, how can I stop them? And which is the better way to block bad bots, .htaccess or robots.txt?
I feel more “comfortable” modifying robots.txt rather than .htaccess.
Thank you for all your help.
1 • Michael
December 8, 2006 at 4:57 pm
WordPress Trackback Spam!!!
I have installed plugins that prevent comment spam, but this doesn't block trackback spam. I've been spammed by many MFA websites that are most probably from the same network, via trackbacks, but they are not linking to me on their website. May I know how they do it and how I can stop it, without disabling trackbacks?
Thanks, and I'm using WordPress.