Close
Close

Banishing Spammers and Trolls With .htaccess Files

In a guest post, Neil Matthews of WPDude.com writes about how comment spammers and trolls can be banished from your site by blocking their IP address using the .htaccess file.

Are you plagued by spammers and trolls inside of the comments section of your blog? If you are, I want to give you a simple little trick to kick them off your blog and keep them out by blocking their IP address.

I decided to use this technique on my own site when I noticed that 80% of my comment spam was coming from about five IP addresses. Enough was enough, although I was capturing the spammers using Akismet, I wanted to stop these people in their tracks. They were not welcome on my site.

This post is written with a WordPress bias, but check out your webserver and if it uses .htaccess there is a good chance you can adopt the techinques described here.

What is the .htaccess file?

The .htacess file is a web server level configuration file which sets certain rules for visitors to your site. It works at a level below WordPress (or any other blogging platform) analyses certain aspects of your web browsers interaction with the web server and if certain rules are met, you can generate an action.

In the example I am about to show, the rule is to check an IP address and the action is to restrict access.

.htaccess configuration is a huge topic. It can be used for redirection and a host of other functions. Much deeper reading can be found at http://httpd.apache.org/docs/trunk/howto/htaccess.html

Finding The Offenders IP address

WordPress does a great job helping you to discover the commentors IP address. Simply go to the comment section in your WordPress dashboard or to your spam moderation folder and below the email address and website is the IP address of the commentor. This is collected by WordPress for you.

Editing Your .htacess file

Lets start with a word of warning you can seriously damage your blog if you amend .htaccess incorrectly so take a backup of your file before you make any changes. I like to download the file to my local machine take a copy and edit the the original before uploading it back to my web server.

Some geekery for you, on unix or linux systems any file begining with a full stop/period is marked as a hidden file, and you will probably not be able to see the .htaccess file in the root of your WordPress installation by default. You will need to enable hidden files on your ftp client. I use Filezilla and that is located under server -> force show hidden files. Your ftp client will vary but the option will be there somewhere.

The default .htaccess file

A default WordPress .htaccess file will look like this:

# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

</IfModule>

# END WordPress

As you can see it has a number of re-write rules for wordpress and very little else.

What To Add

To block a particular IP address add the following lines below the #END WordPress section, replacing the details inside of {} with real IP addresses or host names.

#block spammers and troll’s IP addresses

order allow,deny

deny from {IP ADDRESS}

deny from {SECOND IP ADDRESS ONE PER LINE}

deny from {YOU CAN ALSO USE DOMAIN NAME trollhostname.com}

allow from all

# END spammers and trolls

Edit your .htaccess file with a text editor add your exclusions then upload it back to the root of your blog installation overwriting the old .htacess file.

Testing Your Changes

Any IP address added to the exclusion list will not be allowed access to your web server and a 403 forbidden message will be returned. The message from my web server is shown below:

Forbidden

You don’t have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

You can test it works by leaving a test comment on your blog getting your IP address and adding it the the .htaccess file. Remember to take it out again or you will not have access to your blog.

It is Not Fool Proof

This work around is not fool proof, it comes with some limitations and they are:

  • Proxies – if you offender is behind a proxy IP address then anybody else using that same address will be banned. Some ISPs will use a shared IP address so everyone using that ISP will be banned from yoru site. Use with care.
  • Spoofing IP address – if your troll is particularly tech litereate they could spoof their IP address or use another one, they will then get through your barrier.

Using another machine – your troublesome visitor could simply go to a friends machine or to an internet cafe and get a new IP address.

Wrap Up

As mentioned this is not a fool proof way to stop offenders, but blocking IP addresses is a great way of stopping comment bots from fixed addresses and a way of sending out a real warning to trolls that there type of comments are not welcome.

If you use this trick in conjunction with anti-spam plugins and comment moderation techniques you should be able to reduce your spam and deter trolls.

About Darren Rowse

Darren Rowse is the founder and editor of ProBlogger Blog Tips and Digital Photography School. Learn more about him here and connect with him on Twitter, Facebook, Google+ and LinkedIn.

Problogger.net runs on the Genesis Framework

Genesis Framework

The Genesis Framework empowers you to quickly and easily build incredible websites with WordPress. Genesis provides the secure and search-engine-optimized foundation that takes WordPress to places you never thought it could go.

Check out the incredible features and the selection of designs. It's that simple - start using Genesis now!

Comments

  1. I think stopping spammers using the .htaccess file is a great idea, but should be used with caution.

    This is because as mentioned by Neil, when you block an IP from accessing your site, you block everyone from that IP, and not just the spammers.

    Also, many times spammers rotate IPs that they use for spamming. in which case blocking an IP would not solve the problem.

    So, I personally feel that tools like Akismat and WP-Spamfree should be used as a first line of defence against spammers, and only when they fail, IP blocking should be used.

  2. Salman says:

    Nice tip to Ban Spammers.WOW!
    Regards
    Salman
    http://www.tips4blogging.co.cc

  3. Thanks… this is a great ideal, I will try it our, hopefully I don’t mess up with my code, since I hate coding stuff, but still I can say this is sure better then Akismet, since the ip address is permanently block… way to go Neil Matthews

  4. Well today I was adding some codes to my htaccess to block all spam bots from directly accessing the comments php file:

    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !.*michaelaulia.com* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]

    Just change the domain (michaelaulia.com) with yours. Since all commentators will comment from your post, this will disallow any direct access to the wp-comments-post if it doesn’t come from your domain

    Seems to work well

  5. Owen Kelly says:

    What about captcha, ive always preffered it. Especially with services like ReCAPTCHA
    i noticed there is none on problogger, personal choice?

    Do people still get offended by captcha’s?

  6. Bill Masson says:

    Its okay for non proxie spam IP addresses, but I would be reluctant to insert proxy IPs in fear of blocking trusted visitors. Proxies are used by more and more genuine as well as spam users. So you could do more harm than good.

    stopping comment bots from fixed addresses is fine.

    I am quite happy to let akismat do the hard work
    Its the very nature of blogs to be as open as possible to allow discussion. Thanks for the read

  7. This is great tip Neil.

    I never knew I could do this.

    Thanks

  8. ariff says:

    good tip. I was looking for this.
    they keep asking me to visit their site and view some celerities’ nude pictures everytime I update my blog.

  9. Hi Neil. I had the same problem with one IP address continually targeting our site. I created a YouTube video on the exact process you described above. If it’s ok, I’d like to share the link so people can see how it’s done:

    http://www.youtube.com/watch?v=dNNVPuqcVHg&feature=channel_page

  10. Be careful, use this with caution as blocking an IP may block even innocent ones, as an IP may be accommodating several accounts or users, not merely your suspected spammer.

  11. Dave says:

    I must confess I’m too lazy to go to all this effort, but I am glad to know there’s a way to do it. :)

  12. @BlogSEOExpert & dante I agree you have to be careful when blocking IP addresses because you might block other people out as well. I typically suggest blocking the troublesome IP for a month or two and then releasing it. The spammer might be gone.

    It’s also good practice to clean out your .htaccess file once a year.

    Michael Aulia Be real careful with that code. I tried it on my blog and it made it so a lot of people couldn’t leave comments. I was able to but a regular to my blog emailed me and let me know she couldn’t leave a comment. I removed the code and everything worked again. So test test test!

    Owen Kelly They work some, but in my experience not all that great.

  13. This is an effective method but I must caution that when doing this you’re playing a game of whack-a-mole. Over time your .htaccess file is going to be filled with IP addresses.

  14. Yes I would be careful of the blanket banning specially for shared domains. May be better to set moderated comments first then filter based on that… I use the akismet plugin for wordpress and find it does the job very well..

  15. Sean says:

    Please, for the love of all things good and holy, do NOT put a hostname in there. Apache then has to do a reverse DNS query on every single request that comes in. That’ll add 30-200ms of latency to each request and drive up your service times and server load.

    I’ve never been fortunate enough to see a small number of IPs causing the spam problem, but this is a great method to temporarily block hosts that are hammering your site, either for a simple DOS attack or a scraper gone wild.

    Sean

  16. HawkEYE says:

    Blocking access via .htaccess is so powerful.
    It may also blocked the whole range of the ip address
    which is known as being used by spammer.

    But sometime, spammer may also use a proxy to spam.
    If going to block the ip address of public proxy ip address.
    Have to advice/encourage user not to use public proxy..
    else it may also blocking the user itself..

    anyway, personally I use Akismet to combat spam.
    seem to catch and filtered out those spam..
    but sometime ..some of the spam still managed to get into the database, then have to cleared it manually ..

    only once in a while..
    have to completely disable comment for certain post after certain period of time.

  17. salman says:

    Hi I am salman nice tips to Ban spammers

    Than Q
    Salman
    http://www.tips4blogging.co.cc
    advertising released on my blog
    cheap advertising rates

  18. Ankur Jain says:

    For not so geeky user, I would suggest installing wordpress CAPTCHA plugin.

    Earlier I used to get at least 300 spam comments per day, after installing that plugin I have received none and it’s already two weeks that I have installed that plugin.

  19. WP-Ban plugin is lot better as that don’t need any type of technical knowledge and also allow you to ban bot. However this tip is also good if someone able to handle it carefully.

  20. Greg Ellison says:

    You just need to be cautious with this tip. I see if there are any other plugins that will help ban the spammers and trolls. Greg Ellison

  21. @John Hoff – WpBlogHost
    Thanks for letting me know. I’m still receiving comments but I’ll be on my guard. Usually my readers were nice enough to let me know when something went wrong on my blog *thankfully*

  22. ITrush says:

    Hmm, nice trick.. hope I could implement this on my blog also. Thanks for sharing.

  23. Great timing. There is one IP address that has been spamming relentlessly the last few weeks getting sick of having to delete the comments from the spam box I tried to add an htaccess file using instructions I found online. They forgot to mention the hidden files bit so I was uploading and it wasn’t showing up. So I gave up.

    Thanks for including everything!

  24. That is a fantastic way to block the spammers. I will be blogging about it for sure. And I dont see any downside in this method.

  25. Does this work for any .htaccess file, or is this something that only works on WP?

    I ask because we have a forum that is just getting slammed with spam. No matter how many requirements we implement for registration, there are at least 50 or so per day.

  26. I don’t get that many comments right now, but doesn’t the catcha thing work as well on blogger?

  27. @Deepak – The downside is the fact that most people are on a dynamic IP address (i.e. the IP address of your computer’s modem may change).

    So if you block out an IP address, you’ll likely be blocking out multiple people and not just one person.

    @MyCreditGroup – Yes, it works for any .htaccess file.

  28. Black Sand says:

    Stopping spammers using the .htaccess file is a great idea. Thanks for information

  29. Dixie Vogel says:

    I personally would not recommend this technique for avoiding spammers. Most spammers use automated tools, coming through proxys or botnets running on compromised machines, and in general use a variety of techniques to cover their tracks. They are actually easier to identify via their software and other behavior than the IP addresses, which are intended to be disposable. Think “hit and run” MO. If your blog has decent SEO, you WILL get comment spam and before long, your .htaccess file will be full of these disposable IP address and it can, over time, impact your site’s performance. Every time someone connects to your site, the server will have to check their IP against your .htacess and for a popular site, this list will grow exponentially.

    If you’ve got a one-off troll with limited technical knowledge, then it may help. Except even broadband internet access almost always sports dynamic IPs, which means you won’t just be blocking out the troll, but maybe innocent people who have the bad luck to share their ISP. So if your spammer/troll uses a free aol trial account for example, using it until they are busted and move on, you’ve just nuked other folks who happened to get the same IP assigned after a modem reboot or something. Oops.

    Think of it like blocking a spammer’s email address. Nobody bothers because they are disposable, right?

    I run a hosting biz, and can block IPs on the server level. And even when we’re getting hammered with breakin attempts, I only block IPs for a limited period of time. Most spammers will move on if it’s not easy because breaking through your defenses is not a good use of their time. So making it harder to spam overall is more effective than targeting the individual incident.

    You’re best best IMO is a combination of strategies, (starting with choosing a hosting company that makes good use of apache’s mod_security module that blocks a lot of these vermin before they even hit your site), good antispam plugins, and, if you do block via .htaccess, then clean it out every month or so lest you do more harm than good.

  30. People must be aware and cautious using this kind of technique, by making sure that the spam comes a lot of times from the same IP, because some service providers don’t use static but dynamic addresses, and you might be blocking an IP that’s isn’t from a spammer anymore. Besides that, if you use this with caution, is one more way to reduce you spam.

  31. BloggerDaily says:

    Nice tutorial but the thing that worries me is the .htaccess file will also ban people from the same IP. And I tracked same spam comments came from different IPs.

    Sincerely I need the prevention like this to avoid spam comments, but there some implications that might affect the site in a long term.

    I’m tired of checking Akismet and sometimes have to delete the spam comment that able to go through Akismet.

    Thanks for the tutorial. Really hope for the spammers to stop their irresponsible act.

  32. this is great. first two part of ip remains same while other two changes. do we have a solution for that too or you think it would not be nice thing to do.

  33. Unfortunately this is useless for blogger with blogspot as a platform.

  34. My WordPress plug-in catches all the spam just fine.

    Wouldn’t it be nice if there was a plug-in that automatically would do what this article describes?

    Thanks for sharing but my blog seems to be covered pretty well.

    I can find other things to do with my time, like post on this blog.

  35. There is a plugin which does all that for you, just enter the ip address and your good to go.

  36. Rajesh says:

    Nice article. But I think CAPTCHA is the best solution since most of the times spammers are blocked except if they have broken the CAPTCHA algorithm.

  37. Jennine says:

    hey thanks for this. i know in fashion blogging, we’ve been plagued by anonymous negative commenters… this might give us a way to block those people who keep harassing bloggers. though, I agree there should be more than one line of defense.

  38. Jennine says:

    oh, i found a plugin that bans IPs
    http://www.quickonlinetips.com/archives/2008/12/ban-ip-to-stop-wordpress-comment-spam-forever/

    good to know, i’d be scared to edit the .htaccess file

  39. mike says:

    Anything to slow spam down is good thing.

  40. Marcus Neto says:

    recently went on vacation and returned to find about 4k spam comments on some demo sites that I have running (we sell templates). This article could not have come at a better time. I found that most of the comments had 2-3 IP addresses associated to them and added them to the deny section in my .htaccess. hope this solves the problem. or at least cuts it back. 4k in a weekend? I mean who does that?

  41. Gary Sanet says:

    Can you suggest how we can do it for ‘blogspot’ blogs !!

    • Lara Kulpa says:

      @Gary Sanet – You can’t access the .htaccess file for blogspot blogs if I’m not mistaken… yet another reason to choke up the $4 a month and go self-hosted wordpress!

  42. I recently stumbled across this site and have been following along slowly. I felt I would leave my opening comment. Im not sure what to write but that I have really enjoyed reading. Cool blog. I intend to continue coming back to this blog very often. I have also subscribed to the feed for updates.