Spammers and hackers can cause all sorts of problems, so here is how to block visitors by their referrer using Apache.


The other day, I was investigating some 500 errors on a WordPress site. Even if you are not a webmaster, you might realize that 500 errors are never a good thing. Upon closer inspection, I noticed that the errors were coming from different IP addresses, but they shared one of two common referrers.

So, I checked out the referrers. Not surprisingly, there was all sorts of spam on the sites with links here, there and everywhere. Whatever they were doing to cause the 500 error shifted to second place. I just plain needed to block anyone clicking on these links, because they were looking for pages that simply don’t exist and weren’t the quality users that SEO looks for.

So, here is how to block web traffic by referrer by using the .htaccess file in Apache.

I scoured the net, and there were more than a handful of examples of how to block this by putting the HTTP_REFERER into your .htaccess file, but there were different forms of this. I needed something comprehensive, for one had a very long subdomain, and I believe both sites may have multiple.

So, I needed to catch anything before the main domain and afterwards to block any page. In reality, the second part is probably unnecessary, but most examples either assumed no subdomain or assumed “www” as the subdomain.

So, here is what I eventually landed upon:

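    RewriteEngine On
    # Match the referrer's host (bare domain or any subdomain); dots are escaped so they match literally
    RewriteCond %{HTTP_REFERER} ^https?://([^/.:?]+\.)*lanud-adisutjipto\.mil\.id([/:?].*)?$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^https?://([^/.:?]+\.)*fr-voyage\.com([/:?].*)?$ [NC]
    RewriteRule .* - [F,L]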

So, the above code will first look for anything from lanud-adisutjipto.mil.id, case-insensitive, or, second, from fr-voyage.com, also case-insensitive. If either is true, forbid entry (F) and stop processing, aka, make this the last processed statement (L).

Pretty easy, but coming up with the proper regular expression is always key.
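One way to check a referrer pattern before it goes into .htaccess, as an added example that is not part of the original post: it runs a loose pattern (unescaped dots, no host boundary) and a host-anchored one over constructed Referer values and lists the ones each gets wrong. The helper names and sample values are made up for illustration, and it assumes Python's `re` treats these patterns the same way Apache's PCRE does.

```python
import re

def referrer_pattern(domain):
    """Build a regex matching a Referer whose host is `domain` or a subdomain of it."""
    host = re.escape(domain)  # dots in the domain must match literally
    # scheme, any number of subdomain labels, the domain, then end / path / port / query
    return re.compile(r"^https?://([^/.:?]+\.)*" + host + r"([/:?].*)?$",
                      re.IGNORECASE)

# Loose form: '.' matches any character and nothing ties the match to the host part.
LOOSE = re.compile(r"^([^.]+.)*?fr-voyage.com.*$", re.IGNORECASE)
STRICT = referrer_pattern("fr-voyage.com")

# Constructed Referer values paired with whether the rule should block them.
SAMPLES = [
    ("http://fr-voyage.com/", True),                  # bare domain
    ("https://WWW.fr-voyage.com/page?x=1", True),     # www, mixed case
    ("http://a.very.long.sub.fr-voyage.com", True),   # deep subdomain, no path
    ("http://fr-voyage.com:8080/", True),             # explicit port
    ("https://notfr-voyage.com/", False),             # different domain, same suffix
    ("https://fr-voyage.com.example.org/", False),    # domain used as a subdomain label
    ("https://example.org/?u=fr-voyage.com", False),  # domain only in the query string
    ("", False),                                      # no Referer sent
]

def misclassified(pattern):
    """Return the sample Referer values the pattern handles incorrectly."""
    return [ref for ref, want in SAMPLES if bool(pattern.search(ref)) != want]

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        wrong = misclassified(pat)
        print(f"{name}: {len(wrong)} misclassified")
        for ref in wrong:
            print("   ", ref)
```
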