
Block Spam by Denying Access to No-Referrer Requests

What we have here is an excellent method for preventing a great deal of blog spam. With a few strategic lines placed in your .htaccess file, you can stop spambots from dropping spam bombs by denying access to the comment-processing script for every request that does not originate from your domain (that is, a request that carries no referrer, or a referrer from some other domain).

Block comment spam

Here is the script to add to your site’s root .htaccess file:

# block comment spam by denying access to no-referrer requests
RewriteEngine On
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !(.*)example\.com(.*) [OR]
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* http://the-site-where-you-want-to-send-spammers.com/ [R=301,L]

Note that you need to edit the following values in the script according to your specific setup:

wp-comments-post.php: This is the default comment-processing script for WordPress users. If you are not running WordPress, you will need to determine the corresponding file and enter its name here.

example.com: Change this value to your own domain.

http://the-site-where-you-want-to-send-spammers.com/: Because spambots typically ignore redirects, this may not accomplish much. But go ahead and enter the URL of your least-favorite website anyway. Another option is to simply bounce the spambot back to where it came from by replacing the last line of the script with this:

RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

For more awesome anti-spam techniques, check out How to Block Bad Bots and Stupid .htaccess Tricks.

How does it work?

When a legitimate user (i.e., not a robot, etc.) decides to leave a comment on your blog, they have (hopefully) read the article for which they wish to leave a comment, and have subsequently loaded your blog’s comment template (e.g., comments.php), which is most likely located within the same domain as the article, blog, etc. (i.e., your domain).

So, after filling out the comment form via comments.php, the user clicks the “submit” button, which then initiates the PHP file/script that actually processes the comment for the world to see. For WordPress users, the comment processing file is wp-comments-post.php.

Therefore, the HTTP referrer for all legitimate (user-initiated) comments will be your domain (or the domain in which the comments.php file is located). Automated spam robots typically target the comment-processing script directly, bypassing your comments.php form altogether. Such requests arrive either with no referrer at all or with a referrer that is not your domain.

Thus, by blocking all requests for the comments-processing script (wp-comments-post.php) that are not sent directly from your domain (comments.php), you immediately eliminate a large portion of blog spam.

And that is all there is to it! Bye bye spambots!
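To make the condition logic concrete, here is the three-condition chain from the script ported to Python. This is an added example, not code from the post or from Apache; the patterns are copied from the rule, and "example.com" stands in for your own domain exactly as it does above. The sample requests are constructed. The port shows how mod_rewrite combines the conditions (the first condition is ANDed with the [OR] pair that follows it) and, in the last three samples, where the check ends: a bot that sends a plausible referrer gets through, a referrer from a lookalike domain that merely contains the string example.com matches the unanchored pattern, and a legitimate visitor whose browser or proxy strips the Referer header is indistinguishable from a bot posting directly.

```python
import re

# Added example: Python port of the post's three RewriteCond lines.
# mod_rewrite ANDs conditions by default; [OR] joins a condition only with
# the one that follows it, so the chain reads:
#     script AND (NOT referer_matches_site OR empty_user_agent)
SCRIPT_RE = re.compile(r"wp-comments-post\.php")   # RewriteCond %{REQUEST_URI}
REFERER_RE = re.compile(r"(.*)example\.com(.*)")  # RewriteCond %{HTTP_REFERER} !... [OR]
EMPTY_UA_RE = re.compile(r"^-?$")                 # RewriteCond %{HTTP_USER_AGENT}


def would_redirect(uri, referer="", user_agent=""):
    """Return True when the rule fires and the request is redirected away.

    An absent header expands to "" in mod_rewrite, which is why a request
    with no Referer fails the negated referer test and gets redirected.
    RewriteCond patterns are unanchored, so re.search() mirrors them.
    """
    if not SCRIPT_RE.search(uri):
        return False  # not the comment script: the rule never applies
    referer_matches_site = REFERER_RE.search(referer) is not None
    empty_user_agent = EMPTY_UA_RE.search(user_agent) is not None
    return (not referer_matches_site) or empty_user_agent


# Constructed sample requests (not real traffic): name -> (uri, referer, user_agent)
SAMPLE_REQUESTS = {
    "legit commenter":       ("/wp-comments-post.php", "https://example.com/2008/post/", "Mozilla/5.0"),
    "page view, no referer": ("/2008/post/", "", "Mozilla/5.0"),
    "bot posting directly":  ("/wp-comments-post.php", "", "Mozilla/5.0"),
    "bot with blank UA":     ("/wp-comments-post.php", "https://example.com/2008/post/", ""),
    "bot with dash UA":      ("/wp-comments-post.php", "https://example.com/2008/post/", "-"),
    # Limits of the check (constructed cases):
    "bot spoofing referer":  ("/wp-comments-post.php", "https://example.com/", "curl/7.64"),
    "lookalike referer":     ("/wp-comments-post.php", "http://notexample.com/", "Mozilla/5.0"),
    # Same bytes on the wire as "bot posting directly": the rule cannot tell them apart.
    "privacy browser, referer stripped": ("/wp-comments-post.php", "", "Mozilla/5.0"),
}


def classify(requests=SAMPLE_REQUESTS):
    """Map each sample name to whether the rule would redirect it."""
    return {name: would_redirect(*req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, redirected in classify().items():
        print(f"{'REDIRECT' if redirected else 'allow   '}  {name}")
```

Two practical consequences follow from the output. First, the referrer pattern matches anywhere in the header, so anchoring it to your site's origin (for instance `^https?://(www\.)?example\.com/`, a suggested tightening rather than the post's own line) removes the lookalike case. Second, the "privacy browser" row is the false-positive cost of this technique: a real reader whose client sends no Referer is redirected along with the bots, so watch your logs for 301s on wp-comments-post.php from otherwise normal-looking browsers before deciding the rule is a pure win.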

About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.

44 responses to “Block Spam by Denying Access to No-Referrer Requests”

  1. Is there some variable that can replace the domain name in the following line?

    RewriteCond %{HTTP_REFERER} !(.*)example\.com(.*) [OR]

    I am trying to put together a .htaccess that I can put on any host without editing each copy.


  2. Thanks for the code, but I am wondering: what if the comment-posting file is inside a folder? Will it become:

    RewriteCond %{REQUEST_URI} .articles.post_reply.php*

    RewriteCond %{REQUEST_URI} .articles/.post_reply.php*

    RewriteCond %{REQUEST_URI} articles.post_reply.php*

    Please help.

  3. Why is there a backslash in this line?

    My default WordPress file is:

    Does that slash need to be there for some reason?

    Also, I’ve seen suggestions for not including the “www” or the “.com”. Which is correct?

    • Jeff Starr 2013/02/15 1:15 pm

      The backslash escapes the dot so that it is taken as literal instead of as a wildcard character. You don’t need the slash, but would risk matching files other than the one targeted. Including other strings such as “.com” or “www” works to increase specificity, which is optimal but not required if you don’t mind a few false positives.

  4. Laurie Bergren 2013/02/23 10:16 am

    Thanks so much for this! Two questions:

    (1) Considering the 6+ year span between the date of your post and the date of the most recent comments above, can we conclude that another huge benefit of this solution is that posts can be left open for comment indefinitely without drawing the usual mountains of spam?

    (2) Where in the .htaccess file should this rule be placed? Specifically, should it go (A) before the WordPress rules, (B) inside the WordPress rules, or (C) after the WordPress rules?

    Thanks again!

    • Jeff Starr 2013/02/24 1:05 pm

      Hi Laurie,

      (1) Yes, but also because of Akismet ;)

      (2) Should work anywhere, if not try placing before the WP rules. And test thoroughly :)


  5. Richard Brown 2013/03/28 2:39 am

    Hi Perishable, I have used your script to try and stop spambots posting blank forms on my client’s contact form by replacing the wp-comment with ‘contact.php’.

    I think it has worked for 5 of the forms which have their own independent pages, however, there is one form that is embedded in the footer.php and is actually on the homepage…

    I’m not an expert programmer but I think since the referrer is listed as the homepage and bots generally visit the homepage first, do you think this form could still be vulnerable because we have still received a blank email to that form?

    Note: comment edited for clarity

  6. Hello Jeff Starr,
    This is a really nice and informative post.
    I am also suffering from this spam problem; I am getting 100-200 spams daily.
    I added the code you gave to my .htaccess file and it really helped me, but the major problem is that my website pages go down, excluding the home page…

    Please help me, I am really in need…

    Thanks in advance.

Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »