
Battling Referrer Spam

By Michael Hampton

Right around the time you realize that people you don’t know are actually reading your blog, you are probably going to start checking your stats to see where in the world they’re coming from. Your web host gave you a package like awstats or webalizer to generate nice statistics and graphs for you, and you go through it looking for the search terms people used to find you and the sites which linked to you.

You check one out, and suddenly you’re at an online casino, or a porn site.

You’ve been hit by referrer spam.

What’s Referrer Spam?

Unlike comment spam, where spammers try to post comments and trackbacks to your site in order to get links to their spammy garbage, referrer spam doesn’t show up on your site, but in your web server logs. A spammer requests your pages with a fake referrer (the HTTP Referer header, which the client can set to anything it likes) naming their own nasty sites, which don’t actually link to you. And when you check them out, you’re horrified. You want this crap out of your logs and the spammers to suffer horrible fates.

But why are they doing this? What’s the point of putting a link where nobody but you, the blogger, will ever see it?

Unfortunately, whether by accident or design, too many people actually publish their web server statistics. Search engines crawl the published referrer lists, and the spammers get “good” links back to their spammy sites.

Fortunately, there are several things you can do to get rid of referrer spam and make it useless for referrer spammers to hit your site.

Killing Referrer Spam

Hide your statistics: The very first thing you should do, before anything else, is to stop publishing your web server statistics. It’s best to download them to your computer for offline viewing. If you want to leave them online, though, password protect your statistics directory. Your web host should have an option in the control panel to set up password protection for portions of your site, or you can set it up manually. This will ensure that referrer spammers, even if they do hit your site, can gain no benefit from doing so.

Block referrer spammers: Next, you will want to block referrer spammers. Install the Referrer Bouncer Plugin for WordPress and referrer spammers will be delivered a nice 403 Forbidden error message. The 403 errors can then be filtered out of your web server statistics so that you never have to see them in your finished reports. If you don’t see an option in your hosting control panel to filter these out of your statistics, ask your web host. And if you don’t use WordPress, or you want to protect other parts of your site from referrer spam, try Referrer Karma. It’s a lot more work to set up, but it doesn’t require WordPress to run. It can protect almost any web site which uses PHP from referrer spam.

Prevent referrer spam: Finally, prevent referrer spam by blocking malicious robots which crawl your site. Bad Behavior is a plugin for WordPress and many other PHP-based platforms which blocks many types of malicious crawlers, as well as comment spam. A referrer spammer has to crawl your site to deliver spam. Bad Behavior can stop many of these crawlers before they even have a chance to get started.

Use third-party services: Last, consider gathering statistics using an outside service such as Site Meter or Google Analytics. These packages use JavaScript to gather their information, so referrer spammers never leave a trace in their statistics.
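
To illustrate the “Block referrer spammers” step, here is an added example (not from the original article or from any of the plugins it names) that drops 403 Forbidden requests from an Apache “combined” format log before the referrers are counted. The log lines, host names and function names are constructed for the illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/NCSA "combined" log format; quoted fields may contain \" escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
    + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("host", "time", "request", "status", "size", "referer", "agent")

# Constructed sample log (documentation IP ranges and .example names).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Aug/2007:09:15:02 +0000] "GET /post/ HTTP/1.1" '
    '200 5120 "http://friend-blog.example/links/" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Aug/2007:09:15:04 +0000] "GET / HTTP/1.1" '
    '403 214 "http://casino-spam.example/" "Mozilla/4.0"',
    '203.0.113.9 - - [07/Aug/2007:09:15:05 +0000] "GET /about/ HTTP/1.1" '
    '403 214 "http://casino-spam.example/" "Mozilla/4.0"',
    '192.0.2.44 - - [07/Aug/2007:09:16:10 +0000] "GET /feed/ HTTP/1.1" '
    '200 900 "-" "FeedReader/1.0"',
    '192.0.2.45 - - [07/Aug/2007:09:17:30 +0000] "GET /about/ HTTP/1.1" '
    '200 3000 "http://myblog.example/" "Mozilla/5.0"',
    'truncated or malformed line',
]

def parse(line):
    """Return a dict of log fields, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def clean_lines(lines):
    """Keep only well-formed lines that were not answered with 403."""
    return [ln for ln in lines
            if (e := parse(ln)) is not None and e["status"] != "403"]

def referrer_report(lines, own_host):
    """Count external referrer hosts, ignoring blocked (403) requests."""
    counts = Counter()
    for line in clean_lines(lines):
        host = (urlsplit(parse(line)["referer"]).hostname or "").lower()
        if host and host != own_host:  # skip "-" and internal navigation
            counts[host] += 1
    return counts

if __name__ == "__main__":
    for host, hits in referrer_report(SAMPLE_LOG, "myblog.example").items():
        print(hits, host)
```

The output of clean_lines() is what you would feed to the statistics package, so the bounced requests never reach the finished report.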


Michael Hampton is the author of Homeland Stupidity and several other blogs and the author of the Bad Behavior link spam prevention software.


  1. Posted August 7, 2007 at 9:15 am | Permalink

    We spend so much time focusing on comment spam and feed scrapers, it’s easy to overlook the evil abusers of referrer spam. Thanks for bringing this up. It’s important to know all of the issues threatening our blogs and how to handle it.

    I won’t run a blog without Bad Behavior installed!

    Thank you so much for bringing this to our attention. We need the kick in the butt reminder.

  2. Posted August 7, 2007 at 10:15 am | Permalink

    I wouldn’t have thought of it myself, except that two people asked me about it in the last week. I figure referrer spam is probably up, and more people are going to have the same question.

  3. Posted August 8, 2007 at 10:39 am | Permalink

    I just had this happen to me a couple of days ago (luckily the statistics were hidden already). I was minding my own business checking my statistics, I clicked on a rather tame looking link in my referrers, and let’s just say I’m glad I wasn’t at work.

    I should have noticed that below that one there were ones with wonderfully spammy sounding domain names.

  4. Posted August 9, 2007 at 3:21 am | Permalink

    I am quite happy somebody found this out. I was myself quite amused at the type of links I had coming into my blog. Anyway, I have also mentioned and linked to your article on my blog. It is better to join the war and spread the word as soon as possible.

  5. Posted August 9, 2007 at 2:06 pm | Permalink

    Well, using .htaccess and .htpasswd are different in the basis. In order to create the .htpasswd you’ll need SSH access to the server. At least I have been reading about it somewhere. In comparison you can create .htaccess without having any SSH access. I am using IP-based access to my referrers directory. However, storing referrers isn’t necessary if you, as mentioned in this article, use G Analytics.

    I used to check referring URLs in the old days when my site was receiving max. 100 daily visits. Now I am checking it just for fun.

  6. boxguy
    Posted August 13, 2007 at 1:56 pm | Permalink

    Thank you for posting about that.

  7. teeveebee
    Posted August 19, 2007 at 4:29 pm | Permalink

    What are web server statistics and how have I accidentally published them? Thanks from a Technologically Challenged Blogger.

  8. Posted August 19, 2007 at 5:09 pm | Permalink

    Honestly, I have no idea how you could have “published” your web server statistics. I don’t understand the question. Web server statistics are the statistics from the traffic on your blog as recorded by your server.

  9. teeveebee
    Posted August 20, 2007 at 9:42 am | Permalink

    Sorry, I should have been more specific. The question is based on Michael Hampton’s article “Battling Referrer Spam”. He writes that sometimes people accidentally publish their web server statistics and that one of the steps to stop referrer spam is to stop publishing these stats and download them to your computer for offline viewing.

    Thanks for any help you can give me.

  10. Posted August 20, 2007 at 9:53 am | Permalink

    Are you publishing your server stats?

    It doesn’t just happen by accident. You have to use a WordPress Plugin or some tool to display them on your blog. Some people like showing off their stats, but really, they aren’t helpful to anyone but you.

    To find them, visit your web host server access panels. It might be Cpanel, Vdeck, or whatever system your server set up for you to access your site. That’s where you will find something that says Reports, Statistics, or some such name. Those are your server stats.

    Michael’s main point on this is to password or protect these server stats from access, which is best handled by your web host if you are unfamiliar with the technical aspects of this. Contact them.

  11. teeveebee
    Posted August 20, 2007 at 11:25 am | Permalink

    Thank you for the information. I’ve recently been receiving a small amount of referrer spam and was concerned I was doing something to exasperate the problem. You have cleared it up for me, though. Thanks.

  12. Posted April 3, 2010 at 5:06 am | Permalink

    I don’t like SPAM.
