
Banning a WordPress Spammer With .htaccess

By John Pozadzides (“How the heck is that pronounced?!?”)

Uugh. I’ve got this problem comment spammer. Today alone he posted over 1,000 comment spams on my blog. You can imagine how I felt about that. Did I mention I am a Marine (Semper Fi)! So, even though Akismet was doing its job, I was about ready to kill someone because I have to search through marked messages to take out the false positives.

Luckily some time ago I discovered a silver bullet for dealing with Akismet spam in the form of the Auntie Spam Greasemonkey script for the Firefox browser (Lorelle also just mentioned it). This script is invaluable because it adds two important spam-fighting features:

  1. It groups all of the spams posted by the same spammer together and gives a total count on just one line.
  2. It gives the IP address that the spams are originating from.

Now, in the case of my spammer, even though they were spamming different URLs, they all came from the same IP. Since Auntie Spam made it so easy to see this, all I needed to do was ban that IP address.

As Lorelle previously mentioned, one way to do this is by adding that IP address to the OPTIONS > DISCUSSION tab under Comment’s Blacklist. Unfortunately, this didn’t work for me, so I took the more drastic step of banning that sucker from my entire blog using the .htaccess file.

I thought this method could use a little more detail because it’s pretty drastic, so here’s specifically how to do it. (By the way, this requires the stand-alone WordPress, not WordPress.com).

Your WordPress install most likely has a document in the root directory (most often named public_html, httpdocs, or webdocs) called .htaccess. (Here is more about what an .htaccess file really is.) You need to download a copy of that .htaccess file to your local computer via FTP in order to edit it.

When you open the .htaccess file, and if you are using Permalinks, it will likely have the following content:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

If you don’t have a .htaccess file, simply create a blank document by that name, and follow the remaining steps.

In order to block a certain IP Address from access to your site you can add the following to the end of the .htaccess file in your web server document root directory:

## USER IP BANNING
<Limit GET POST>
order allow,deny
deny from 200.49.176.139
allow from all
</Limit>

There is also a nifty little .htaccess IP Banning Generator here to create the code for you. (Incidentally, it will also help you ban specific site referrers and disable hotlinking to your images and media.)

Now, you can continue to add more “deny from x.x.x.x” lines for all of the IP addresses you want to ban. But I would advise that you keep the list short. Also, remember that spammers tend to move around a lot, so this technique is best utilized for short periods of time. And generally, most spambots will remove a site from their list once they realize they can no longer get through to it, so you can probably remove the ban in a couple of weeks.

If you forget to remove the ban and the IP is recycled to a legitimate user by the ISP you will be blocking an innocent user from your content.
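The advice above (keep the list short, lift bans after a couple of weeks) can be automated. The following is an added example, not code from the original post: a Python helper that validates each address, drops expired bans, and rebuilds the `## USER IP BANNING` block in the post's syntax. The function names, the 14-day default and the sample entries are assumptions; the addresses come from documentation ranges.

```python
import ipaddress
from datetime import date, timedelta

BEGIN = "## USER IP BANNING"  # marker comment used in the post's block

def active_bans(entries, today, max_age_days=14):
    """Split (ip, date_added) pairs into bans to keep and inputs to reject.
    Malformed (e.g. '123.456.789'), expired and duplicate entries are dropped."""
    keep, rejected = [], []
    cutoff = today - timedelta(days=max_age_days)
    for raw, added in entries:
        try:
            ip = str(ipaddress.ip_address(raw.strip()))
        except ValueError:
            rejected.append(raw)
            continue
        if added >= cutoff and ip not in keep:
            keep.append(ip)
    return keep, rejected

def render_block(ips):
    """Render the ban block in the post's syntax (Apache 2.2 style; on
    Apache 2.4 these directives are provided by mod_access_compat)."""
    lines = [BEGIN, "<Limit GET POST>", "order allow,deny"]
    lines += [f"deny from {ip}" for ip in ips]
    lines += ["allow from all", "</Limit>"]
    return "\n".join(lines) + "\n"

def replace_block(htaccess_text, ips):
    """Swap an existing ban block for a fresh one; other rules are untouched."""
    out, skipping = [], False
    for line in htaccess_text.splitlines():
        if line.strip() == BEGIN:
            skipping = True
        elif skipping and line.strip() == "</Limit>":
            skipping = False
            continue
        if not skipping:
            out.append(line)
    body = "\n".join(out).rstrip("\n") + "\n"
    return body + ("\n" + render_block(ips) if ips else "")

# Constructed sample: documentation-range addresses, invented dates.
SAMPLE_BANS = [("203.0.113.7", date(2024, 1, 15)), ("123.456.789", date(2024, 1, 19)),
               ("198.51.100.9", date(2023, 12, 1))]
if __name__ == "__main__":
    ips, bad = active_bans(SAMPLE_BANS, today=date(2024, 1, 20))
    print(replace_block("# BEGIN WordPress\n# END WordPress\n", ips), "rejected:", bad)
```

Run it against a backup copy of the file and upload the result only after checking the output.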

Two quick but important details:

  1. Use an HTML editor to edit the .htaccess file. Some plain text editors will actually save it in a format that will screw it up.
  2. BACKUP THE ORIGINAL before you overwrite it! If you don’t and you accidentally screw it up you might have to start all over with a blank .htaccess file and then update your Permalinks again.

Now… if we could just get Akismet to cut down on the false positives I’d really be pleased.

Have fun banning the bloodsuckers!


This article was guest written by Lorelle’s good buddy John P. John enjoys bizarre billboards and long walks without being tazed.

9 Comments

  1. Posted October 14, 2007 at 6:45 pm | Permalink

    I have a question, what does this do exactly? Can they just not comment at all, will they not be able to see the site, etc?

  2. Posted October 14, 2007 at 11:39 pm | Permalink

    “Block access to the site” means that they cannot see nor visit the site from that IP address. They can change their IP address, which isn’t that hard to do, and then have access to the site again.

    If you are having trouble with a nasty commenter, this is the most drastic step you can take, as John pointed out. I outline some other methods in Attack of the mean commenter – blocking comments and commenters on your WordPress blog.

  3. Posted October 16, 2007 at 8:51 pm | Permalink

    Nice plugin link, good .htaccess code! I haven’t experienced any type of spam I haven’t been able to stop using the htaccess security features. That plugin is really neat btw.

  4. Posted June 4, 2008 at 8:36 pm | Permalink

    Thank you for this. I was wondering where to put the relevant bits in the WordPress .htaccess file itself.

  5. Posted August 24, 2008 at 3:43 pm | Permalink

    thank you for this nice tip… got 100s a couple days ago, and hasn’t stopped since… cant wait to try this :)…

  6. Posted April 28, 2009 at 8:55 am | Permalink

    The same can be done with Cpanel -> Security -> IP Deny manager.

    I haven’t tried it yet, but in theory it should work and it’s a lot simpler than messing with .htaccess manually.

    Btw, which plugin are you using for “follow-up comments via email”?

    • Posted May 2, 2009 at 6:42 am | Permalink

      It is the Subscribe to Comments WordPress Plugin that comes with WordPress.com automatically.

  7. Posted April 28, 2009 at 9:07 am | Permalink

    The same can be done with the method I just mentioned earlier.

    It works. ( I found some free proxy server and banned it. Next, tried to visit site using that proxy and I got access denied message. )

  8. Yim
    Posted September 26, 2010 at 8:14 am | Permalink

    Thanks a lot you help me ;)

    ## USER IP BANNING

    order allow,deny
    deny from 123.456.789
    deny from 9123.456.789
    deny from 8123.456.789
    allow from all

    Those bots will no longer be bugging me.

