Using .htaccess to block referrer spam


Referrer spam has lately become a great annoyance for webmasters. If you are not sure what referrer spam is, see this article: http://en.wikipedia.org/wiki/Referrer_spam

To block these spam referrers you need the following lines in your .htaccess file:

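# set the spam_ref variable; the pattern is a regular expression,
# so literal dots in host names are escaped
SetEnvIfNoCase Referer "^https?://(www\.)?some-spammer\.com" spam_ref=1

SetEnvIfNoCase Referer "^https?://(www\.)?other-spammer\.com" spam_ref=1

# any host name that starts with casino-poker
SetEnvIfNoCase Referer "^https?://(www\.)?casino-poker" spam_ref=1

# block all referrers that have spam_ref set
# (Apache 2.2 access-control syntax; Apache 2.4 needs mod_access_compat for these directives)
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=spam_ref
</FilesMatch>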

The SetEnvIfNoCase lines set the spam_ref environment variable whenever the Referer header matches one of the patterns, ignoring case. The FilesMatch block then denies access to every request for which that variable is set.

The pattern in these directives is a regular expression, not a shell-style wildcard, so a single rule can match a variety of hosts. A pattern with no ^ anchor matches anywhere in the Referer value. For example, you can use

SetEnvIfNoCase Referer "some_word" spam_ref=1

to match all referrers that contain the word 'some_word'.

For example, you can ban visits from referring sites whose domains contain words such as phentermine, viagra, cialis, shemale, porn, nude, celebrity, etc.
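To check a rule set for misses and false positives before it goes live, the sketch below (an added example, not part of the original article) parses SetEnvIf/SetEnvIfNoCase rules on the Referer header and reports which rule would block each sample value. The rule sets and Referer values are constructed, the function names are this example's own, and Python's re module stands in for Apache's regex engine, which behaves the same for patterns this simple.

```python
import re

# Constructed rule sets: one rule with unescaped dots and http only, then the
# same rule with escaped dots and either scheme, plus one keyword rule.
LOOSE = '''
SetEnvIfNoCase Referer "^http://(www.)?some-spammer.com" spam_ref=1
'''
STRICT = r'''
# escaped dots, either scheme
SetEnvIfNoCase Referer "^https?://(www\.)?some-spammer\.com" spam_ref=1
SetEnvIfNoCase Referer "celebrity" spam_ref=1
'''

RULE = re.compile(r'^\s*(SetEnvIf(?:NoCase)?)\s+(\S+)\s+"([^"]*)"\s+(\w+)', re.I)

def parse_rules(text):
    """Return (pattern, compiled regex, env var) for every rule on the Referer header."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m and m.group(2).lower() == "referer":
            flags = re.I if m.group(1).lower() == "setenvifnocase" else 0
            rules.append((m.group(3), re.compile(m.group(3), flags), m.group(4)))
    return rules

def blocked_by(referer, rules, env="spam_ref"):
    """Pattern of the first rule that would set `env` for this Referer, or None."""
    for pattern, rx, var in rules:
        if var == env and rx.search(referer):
            return pattern
    return None

# Constructed Referer values; .example hosts stand in for real sites.
SAMPLES = [
    "http://www.some-spammer.com/page",
    "https://SOME-SPAMMER.com/",
    "http://some-spammerXcom.example/",          # not the spam domain
    "https://news.example/celebrity-interview",  # legitimate site, keyword in path
    "https://blog.example/links",
    "",                                          # no Referer sent
]

if __name__ == "__main__":
    for name, text in (("loose", LOOSE), ("strict", STRICT)):
        rules = parse_rules(text)
        for ref in SAMPLES:
            print(f"{name:6} {ref!r:45} -> {blocked_by(ref, rules)}")
```

The strict set still blocks the legitimate news.example link through the keyword rule, which is the false-positive risk of keyword-based blocks.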


Comments 20 >>

naruti Said,
Sep 11, 2008 @ 05:50

thx so much.

it's very helpful for me.

my website was flooded.
Sipylus Said,
Jan 19, 2010 @ 12:26

The "SetEnvIfNoCase" info was great and in a test was able to block of our site from google.com but not yahoo.com.
vangel Said,
Apr 05, 2010 @ 04:58

yep. this is exactly what I needed. I am getting tons of bad referers... mostly scrapers that generate a lot of traffic for no reason. I have a huge list running for bad refers
Jim Morris Said,
Aug 07, 2010 @ 10:26

I love this article, but I am new to programming. Can you clarify how I am supposed to set up this coding. I am somewhat confused...

/////////////////////////////
SetEnvIfNoCase Referer "^http://(www.)?some-spammer.com" spam_ref=1
/////////////////////////////
Should the above code read like this:
SetEnvIfNoCase Referer "^http://(www.)?bbb.org.com" spam_ref=1

Or like this:
SetEnvIfNoCase Referer "^http://www.bbb.org.com" spam_ref=1

Also, does the ^ symbol need to be in front of the http?

thank you so much in advance.

Also, when blocking out certain "words" like casino or poker, can I put them all on one line, or do I need a different line per word. Please provide an example as if I were a COMPLETE BEGINNER. Since that is what I am.

:)
Rob Said,
Oct 21, 2010 @ 16:22

That Wikipedia link up there is broken. Should be http://en.wikipedia.org/wiki/Referrer_spam
Martin Said,
Jun 24, 2011 @ 22:57

This works well if you're only being spammed by a smaller number of specific sites. But not for the kind of log spamming I regularly see these days - literally hundreds of sites, most with just a couple of 'visits'.

I'd also be very wary of using a keyword based block - or you could find yourself accidentally blocking visitors from sites that have genuinely linked to you.

It's a crazy problem, especially when I doubt the spammers actually manage to get any real benefit out of it.
Vivaldi Said,
Aug 30, 2011 @ 07:46


Order Allow,Deny
Allow from all

This is not a good solution because this way it is possible to display the files .htaccess and .htpasswd
Augadha Said,
Sep 10, 2011 @ 14:35

Great tip, I have been looking for different methods to reduce spam and avoid using any plugins to make my blog faster. I have had bad experiences with plugins and I prefer to avoid them altogether.
Louie Said,
Sep 12, 2011 @ 14:59

Thank you very much for this. I have been getting a lot of traffic lately from porn sites that end with .ru
Brent Said,
Oct 13, 2011 @ 18:42

I use countryipblocks.net. This site can quickly generate htaccess blocks for all known IP addresses from specific countries. My website is a business in only 1 country so if I start getting problems from those Russian bastards, I have no problem blocking all of their known IPs.
Volker Said,
Nov 30, 2011 @ 04:01

Thank you very much for this instruction. I have been getting a lot of referrer spam from one youtube video.
Mahesh Said,
Dec 01, 2011 @ 07:41

Now these days I am getting lot of visits from


76.73.39.226/?xurl=http://76.73.39.226/xze28VVp8v7y5qo302265e4b07009b545012d9e3812881df18 x&xref=http://my-domain.com

146.185.250.210/?xurl=http://146.185.250.210/eZ80n0CP7p6yTSc9288060207282108b8925890b1f181c2118 k&xref=http://my-domain.com

146.185.250.210/?xurl=http://146.185.250.210/pza0FNrd526QGKo4599c167c8817cd3f2f74053a56e13afe37 A&xref=http://my-domain.com

83.133.124.250/?xurl=http://83.133.124.250/zkI0Jeyl593Jv2U51fb8a4f0f5d7df93611ca5d7776fc61635 k&xref=http://my-domain.com


I searched in many forums and did a lot of Google searches, but couldn't find what it is and where it comes from.

Can anyone tell us about them? Will they affect search engine rankings?
How to block them?
Diane Said,
Dec 26, 2011 @ 04:57

Sorry, I like the sound of the advice, but have no idea what an .htaccess file is, or where to find it in my computer, or in the blog being spammed by a notorious Russian site.

I've no idea if people logging on are being spammed, but I'm pretty sure it is wrecking my stats' accuracy.

I'd be glad to have step by step advice - from the very beginning.
Edmund Said,
Jan 05, 2012 @ 16:30

I've tried the methods above, especially with "deny from" statement. The issue, "deny from" statement using the IP number which turned out quite a lot, so I had to type the statements one by one, some statements using the IP range, some others using the exact IP. Is that the only way, or is there another way to block IP referrer?
mascali Said,
Jan 22, 2012 @ 06:49

What about subdomain?
I need new one for every subdir or can I use same file?

Thanks
p-dot Said,
Nov 05, 2012 @ 16:02

For those asking for 'basic instructions' you REALLY REALLY need to become familiar FAST with how Apache is configured and how it works.

Yes, the bus may be free, but you still have to drive it, and you can only do that through your understanding of how it works.

Read the Apache documentation. Do a search on . Get a book on administering Apache. Don't expect to be spoon fed or have someone do it for you for free -- there are lots of motivated technical folks out there who will admin your sites for a reasonable cost if you don't understand, don't want to or can't be arsed to figure it out.

Shalom.
Rhett Said,
Mar 28, 2013 @ 14:52

Why not just use a Cloud-based SAS (Software as a Service) like CloudFlare to stop threats at the edge networks?
allergist in Oklahoma City Said,
Jul 15, 2014 @ 09:38

Your approach to this post is unique and appreciating. I am writing an article for our research paper and this post has helped me. Thanks.
pratamaandi78 Said,
Aug 25, 2014 @ 20:57

Thank you for providing the step by step detail for this process. You did a fantastic job of explaining the details.
kokim89 Said,
Sep 17, 2014 @ 00:40

Great information