Apache, .htaccess and how to block spammers

I’m sure every administrator of a web server has some experience with unwanted visitors. In the real world, you could simply send your Rottweiler after them and scare them off your property. Sadly, this does not work on the internet.

In this article, I want to write about how to block IP addresses, hosts and referrals from accessing your site or portions of your site.

.htaccess File

The .htaccess file inside the document root is one of the most precise tools you have if you want to keep something out of a specific directory. It extends the regular Apache configuration of your web server on a per-directory basis.

Block IP-Addresses

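# Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat
# Allow is evaluated first, then Deny, and a matching Deny wins
order allow,deny
deny from 192.168.44.201
allow from all

To block an IP range, just leave the trailing octet(s) empty: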

deny from 192.168.44.
deny from 192.168.
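How Apache evaluates these directives, as an added Python example that is not part of the original article or of Apache itself. It assumes IPv4 only and no hostname rules; the function names and the combined sample file are constructed for illustration.

```python
import ipaddress

# Constructed sample: the directives from this section combined into one file.
HTACCESS = """\
order allow,deny
deny from 192.168.44.201
deny from 192.168.44.
allow from all
"""

def to_network(spec):
    """Map 'all', a full IPv4 address or a partial one (1-3 leading octets,
    trailing dot optional) to the network it covers."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"not an IPv4 address or prefix: {spec!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def parse(text):
    """Collect the Order setting and the Allow/Deny networks."""
    order, allow, deny = "deny,allow", [], []  # Apache's default Order
    for line in text.splitlines():
        words = line.lower().split()
        if len(words) >= 2 and words[0] == "order":
            order = words[1]
        elif len(words) >= 3 and words[0] in ("allow", "deny") and words[1] == "from":
            target = allow if words[0] == "allow" else deny
            target.extend(to_network(w) for w in words[2:])
    return order, allow, deny

def is_allowed(client_ip, rules):
    """Apply the Order semantics to one client address."""
    order, allow, deny = rules
    ip = ipaddress.ip_address(client_ip)
    allowed = any(ip in net for net in allow)
    denied = any(ip in net for net in deny)
    if order == "allow,deny":
        # Default is deny, and a Deny match beats an Allow match.
        return allowed and not denied
    # deny,allow: default is allow, and an Allow match beats a Deny match.
    return allowed or not denied

if __name__ == "__main__":
    rules = parse(HTACCESS)
    for ip in ("192.168.44.201", "192.168.44.7", "192.168.45.7"):
        print(ip, "allowed" if is_allowed(ip, rules) else "403")
```

With the order flipped to deny,allow, the allow from all line overrides every deny and 192.168.44.201 gets through, which is why the order line matters.
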

Block Referrals

You don’t want anyone coming from Facebook, Twitter or LinkedIn? No problem, just block them as referrers.

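RewriteEngine on
# https? matches referrers sent over both http and https
RewriteCond %{HTTP_REFERER} ^https?://.*facebook\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*twitter\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://.*linkedin\.com [NC]
# Answer matching requests with 403 Forbidden
RewriteRule .* - [F]

Note the OR flag at the end of the first two conditions. Without it, the conditions are combined with AND and all of them would have to match.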

Block Bots

The Rewrite Engine of the Apache web server is a really powerful tool. It even allows you to block bots based on the user agent.

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^BadBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^EvilScraper [OR]
RewriteCond %{HTTP_USER_AGENT} ^FakeUser
# Redirect matching requests to another site and stop processing further rules
RewriteRule ^(.*)$ http://go.away/ [R,L]

As shown here, you can also send the bot to another web site, or let it look at a lovely picture of a wall, if the user agent starts with BadBot, EvilScraper or FakeUser.
