How to prevent referer spam

Even though referer spam isn’t something new to black hat SEOs, WordPress blogs seem to get hit pretty hard with referer spam these days.

Every time somebody clicks a link on a website, the browser sends the originating URL (the URL of the web page that hosts the link) to the target web server in the Referer request header. This referer information can be parsed by web server log statistics software to show the webmaster where the web site’s visitors came from.

Referer spammers visit a website with the intention of getting a fake referer (usually the web site they are trying to promote) written into your web server’s log. They hope the targeted web site publishes its referer statistics publicly; if it does, the spammer can increase his search engine page rank because more and more sites link to the advertised web site. Even though most websites don’t publish such statistics publicly anyway, the spammers may frequently hit a web site with fake bot requests. There’s a spammer who visits my site so frequently that he messes up my StatPress WordPress statistics. That’s pretty annoying! I could ban his IP addresses but there’s a much more elegant way: to deny the referer he’s trying to advertise.

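# Replace the placeholder domains below with the referer domains you want to block.
SetEnvIfNoCase Referer "^http://(www\.)?spam-domain-one\.example" spam_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?spam-domain-two\.example" spam_ref=1

# Apply to every file. Order/Allow/Deny is Apache 2.2 syntax (mod_access_compat on 2.4).
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=spam_ref
</FilesMatch>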

You can add as many SetEnvIfNoCase lines as you want. Place the statements in the .htaccess file in your www-root directory. The unruly visitor will be greeted with a 403 Forbidden message the next time he visits your web site.

To test whether the above code works on your web site, use a browser extension like RefControl to modify the referer information that’s being sent.
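To check a blocklist against your access log before deploying it, the following added example (not part of the original post) generates the SetEnvIfNoCase lines and reports which logged requests they would deny. It goes slightly beyond the rule above by also matching https referers and ending the match at the host boundary. The domain list, function names and log lines are constructed for illustration and assume Combined Log Format.

```python
import re

# Constructed blocklist (placeholder domains); use the referers seen in your own logs.
SPAM_DOMAINS = ["spam-one.example", "Cheap-Pills.example"]

# Constructed access-log lines in Combined Log Format (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 '
    '"http://www.spam-one.example/buy" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /post HTTP/1.1" 200 2048 '
    '"https://spam-one.example.org/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")
# Captures the client address and the quoted Referer field of a combined-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def referer_pattern(domain):
    """Build the regex for one blocked domain, refusing anything but a host name
    so a quote or space in the list cannot alter the generated directive."""
    domain = domain.strip().lower()
    if not HOST_RE.fullmatch(domain):
        raise ValueError(f"not a plain host name: {domain!r}")
    # Dots escaped; (/|:|$) stops spam-one.example.org from matching spam-one.example.
    return r"^https?://(www\.)?" + domain.replace(".", r"\.") + r"(/|:|$)"

def htaccess_rules(domains):
    """One SetEnvIfNoCase line per domain, ready to paste above the FilesMatch block."""
    return [f'SetEnvIfNoCase Referer "{referer_pattern(d)}" spam_ref=1' for d in domains]

def would_deny(referer, domains):
    """Emulate SetEnvIfNoCase: case-insensitive regex match on the Referer value."""
    return any(re.search(referer_pattern(d), referer, re.IGNORECASE) for d in domains)

def denied_requests(log_lines, domains):
    """Return (client, referer) for each logged request the rules would answer with 403."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and would_deny(m.group(2), domains):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    print("\n".join(htaccess_rules(SPAM_DOMAINS)))
    for client, referer in denied_requests(SAMPLE_LOG, SPAM_DOMAINS):
        print("would be denied:", client, referer)
```

Run it over a copy of your real log first: a legitimate referer showing up in the "would be denied" output means a list entry is too broad.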

Read more about referer spam on Wikipedia.

3 replies on “How to prevent referer spam”

  1. By the way, a very good way to combat all kinds of Spam on your WordPress site is the combination of the WordPress plugins Akismet and Bad Behavior.
