Banning a WordPress Spammer With .htaccess

By John Pozadzides (“How the heck is that pronounced?!?”)

Uugh. I’ve got this problem comment spammer. Today alone he posted over 1,000 comment spams on my blog. You can imagine how I felt about that. Did I mention I am a Marine (Semper Fi)! So, even though Akismet was doing it’s job, I was about ready to kill someone because I have to search through marked messages to take out the false positives.

Luckily some time ago I discovered a silver bullet for dealing with Akismet spam in the form of the Auntie Spam Greasemonkey script for the FireFox browser (Lorelle also just mentioned it). This script is invaluable because it adds two important spam fighting features:

1. It groups all of the spams posted by the same spammer together and gives a total count on just one line.
2. It gives the IP address that the spams are originating from.

Now, in the case of my spammer, even though they were spamming different URLs, they all came from the same IP. Since Auntie Spam made it so easy to see this, all I needed to do was ban that IP address.

As Lorelle previously mentioned, one way to do this is by adding that IP address to the OPTIONS > DISCUSSION tab under Comment’s Blacklist. Unfortunatly, this didn’t work for me, so I took the more drastic step of banning that sucker from my entire blog using the .htaccess file.

I thought this method could use a little more detail because it’s pretty drastic, so here’s specifically how to do it. (By the way, this requires the stand-alone WordPress, not WordPress.com).

Your WordPress install most likely has a document in the root directory ( most often named public_html, httpdocs, or webdocs) called .htaccess. (Here is more about what an .htaccess file really is.) You need to download a copy of that .htaccess file to your local computer via FTP in order to edit it.

When you open the .htaccess file, and if you are using Permalinks, it will likely have the following content:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

If you don’t have a .htaccess file, simply create a blank document by that name, and follow the remaining steps.

In order to block a certain IP Address from access to your site you can add the following to the end of the .htaccess file in your web server document root directory:

## USER IP BANNING
<Limit GET POST>
order allow,deny
deny from 200.49.176.139
allow from all
</Limit>


There is also a nifty little .htaccess IP Banning Generator here to create the code for you. (Incidently, it will also help you ban specific site referrers and disable hotlinking to your images and media.)

Now, you can continue to add more “deny from x.x.x.x” lines for all of the IP addresses you want to ban. But I would advise that you keep the list short. Also, remember that spammers tend to move around a lot, so this technique is best utilized for short periods of time. And generally, most spambots will remove a site from their list once they realize they can no longer get through to it, so you can probably remove the ban in a couple of weeks.

If you forget to remove the ban and the IP is recycled to a legitimate user by the ISP you will be blocking an innocent user from your content.

Two quick but important details:

1. Use an HTML editor to edit the .htaccess file. Some plain text editors will actually save it in a format that will screw it up.
2. BACKUP THE ORIGINAL before you overwrite it! If you don’t and you accidentally screw it up you might have to start all over with a blank .htaccess file and then update your Permalinks again.

Now… if we could just get Akismet to cut down on the false positives I’d really be pleased.

Have fun banning the bloodsuckers!

---

This article was guest written by Lorelle’s good buddy John P. John enjoys bizarre billboards and long walks without being tazed.