Apache .htaccess Guide, Tutorials and Articles

Deny visitors by referrer

The visitor blocking facilities offered by the Apache Web Server enable us to deny access to specific visitors based on where they have come from. If you've ever looked at your logs and noticed a surprising increase in traffic, yet no increase in actual file requests, it's probably someone pinching content (such as CSS files) or someone attempting to hack your web site (this may simply mean trying to find non-public content).

Note that this functionality requires 'mod_rewrite' to be enabled on your server. Due to the demands that can be placed on system resources, it is unlikely to be enabled, so be sure to check with your system administrator or web hosting company.

To block a single referrer, create a .htaccess file, following the main instructions and guidance, that includes the following text:

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} otherdomain\.com [NC]
RewriteRule .* - [F]

The above lines tell the Apache Web Server to block traffic from the URL 'otherdomain.com'. The '[NC]' flag after the referrer pattern makes the match case-insensitive, which blocks traffic from 'OtherDomain.com', 'otherdomain.com', 'OTHERDOMAIN.COM' and so on.

To block multiple referrers, create a .htaccess file, following the main instructions and guidance, that includes the following text:

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} otherdomain\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherdomain\.com [NC]
RewriteRule .* - [F]

The above lines tell the Apache Web Server to block traffic from the URLs 'otherdomain.com' and 'anotherdomain.com'. Note the backslash before the dot, e.g. 'domain\.com'; this is important because an unescaped dot in a regular expression matches any character. The only difference between blocking a single referrer and multiple referrers is the modified [NC,OR] flag in the multiple referrers example; this should be added to every domain except the last, which keeps the plain [NC] flag.

You might have noticed the line "Options +FollowSymlinks" above, which is commented out with a '#'. Uncomment this line if your server returns a '500 Internal Server Error'. This means your server isn't configured with FollowSymLinks in the '<Directory>' section of the 'httpd.conf'. Contact your system administrator for advice with this issue.

Blocked referrers will be shown a '403 Forbidden' error message. You can customise this error message by following the 'Error Documents' section of this article.
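
An added example (not part of the original article): a Python helper that renders host-anchored RewriteCond lines for a list of domains, covering each domain and all of its subdomains, and compares them with the article's unanchored patterns on constructed Referer values. The function names and sample referers are assumptions made for this illustration, and Python's re module stands in for Apache's regex engine, which treats these particular patterns the same way.

```python
import re

# The article's unanchored patterns, as written in its RewriteCond lines.
PAGE_PATTERNS = [r"otherdomain\.com", r"anotherdomain\.com"]

def host_pattern(domain):
    """Regex for a Referer whose host is `domain` or any subdomain of it."""
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        raise ValueError("not a plain lowercase host name: %r" % domain)
    escaped = domain.replace(".", r"\.")  # the backslash before each dot
    return r"^https?://([^/?]+\.)?" + escaped + r"(:[0-9]+)?([/?]|$)"

def rewrite_block(domains):
    """Render the .htaccess lines: [NC,OR] on every condition but the last."""
    lines = ["RewriteEngine on"]
    for i, domain in enumerate(domains):
        flags = "[NC,OR]" if i < len(domains) - 1 else "[NC]"
        lines.append("RewriteCond %{HTTP_REFERER} " + host_pattern(domain) + " " + flags)
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines)

def blocked(referer, patterns):
    """Mirror an OR'd RewriteCond chain with [NC]: any unanchored regex hit."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)

# Constructed Referer values (not taken from real logs).
SAMPLES = [
    "http://otherdomain.com/page.html",
    "https://img.cdn.OtherDomain.com/a.css",        # subdomain, mixed case
    "http://www.anotherdomain.com:8080/",           # subdomain with a port
    "http://nototherdomain.com/",                   # different host, same suffix
    "http://example.org/search?q=otherdomain.com",  # name only in the query string
    "http://otherdomain.com.example.org/",          # name used as a subdomain label
    "",                                             # no Referer sent
]

def compare(domains=("otherdomain.com", "anotherdomain.com")):
    """Return (referer, blocked by page rule, blocked by anchored rule) rows."""
    anchored = [host_pattern(d) for d in domains]
    return [(r, blocked(r, PAGE_PATTERNS), blocked(r, anchored)) for r in SAMPLES]

if __name__ == "__main__":
    print(rewrite_block(["otherdomain.com", "anotherdomain.com"]))
    for referer, page_rule, anchored_rule in compare():
        print("%-45r page=%-5s anchored=%s" % (referer, page_rule, anchored_rule))
```

The article's pattern already blocks subdomains, but it also blocks any Referer that merely contains the string; the anchored form limits the match to the host part of the URL.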


Comments

Supernaturalist
"That was a great tutorial, but I still have a question: Is it possible to block a referrer and all its subdomains?"
