Referrer Spam

Well I seem to have drawn the attention of a few ‘unsavory’ characters as I have some nice referrer stats showing in awstats. Think ‘P-P-C’ and I don’t mean Pay Per Click! 😆

Here’s what I implemented today and I’ll keep you updated if I experience any problems:

From Tom Raftery’s blog: Using .htaccess To Minimize Comment And Referrer Spam

Awstats gives me a list of the referrer sites – this list contains those sites which are trying to spam my referrer logs. I monitor those sites and as new ones appear I add them to my .htaccess list in the form:
RewriteCond %{HTTP_REFERER} \.domain\.tld [NC]
where .domain is the domain trying to spam my site (psxtreme, freakycheats, terashells, and so on) and the .tld is the top-level domain the site is registered to (.com, .net, .org, .info, etc.).

Tom also provides a copy of the .htaccess file he uses on his blog, so I just copied it and added the rest I’m being hit with, then pasted it into my .htaccess file and uploaded. Voila! All done. It’s quite the list he has, thanks very much Tom!
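An added example, not code from this post or from Tom's blog: a short Python script that builds the RewriteCond block from a domain list and checks which referrers each pattern form would catch. The domains and sample referrers are constructed, host_pattern is a hypothetical tighter alternative to the quoted form, and Python's re module stands in for Apache's regex engine.

```python
import re

# Constructed blocklist; substitute the domains from your own referrer stats.
BLOCKED = ["spamone.example", "spamtwo.example"]

def page_pattern(domain):
    # Form quoted in the post: \.domain\.tld (needs a leading dot, unanchored).
    return r"\." + domain.replace(".", r"\.")

def host_pattern(domain):
    # Hypothetical tighter form: anchor to the referrer's host, subdomain optional.
    return r"^https?://([^/?]+\.)?" + domain.replace(".", r"\.") + r"([/:?]|$)"

def htaccess_block(domains, make_pattern):
    # mod_rewrite ANDs consecutive RewriteCond lines unless [OR] is given,
    # so every condition except the last carries OR.
    lines = ["RewriteEngine On"]
    for i, d in enumerate(domains):
        flags = "[NC,OR]" if i < len(domains) - 1 else "[NC]"
        lines.append("RewriteCond %{HTTP_REFERER} " + make_pattern(d) + " " + flags)
    lines.append("RewriteRule .* - [F]")  # answer matching requests with 403
    return "\n".join(lines)

def is_blocked(referrer, domains, make_pattern):
    # re.I mirrors the NC (no-case) flag on the RewriteCond lines.
    return any(re.search(make_pattern(d), referrer, re.I) for d in domains)

# Constructed referrer values covering the three interesting cases.
SAMPLES = [
    "http://www.spamone.example/page",                 # spam host with subdomain
    "http://spamone.example/",                         # spam host, bare domain
    "http://blog.example.org/?q=www.spamone.example",  # innocent site, name in query
]

if __name__ == "__main__":
    print(htaccess_block(BLOCKED, host_pattern))
    for ref in SAMPLES:
        print(ref,
              "page-form:", is_blocked(ref, BLOCKED, page_pattern),
              "host-form:", is_blocked(ref, BLOCKED, host_pattern))
```

The quoted form misses a bare-domain referrer (no leading dot) and also fires when the spam domain only appears in another site's query string; the anchored form handles both cases.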

Then I found two plugins at to moderate trackbacks and pingbacks. This is easy to pop into your plugin folder and activate in WordPress:

Trackback And Pingback Moderation

These two plugins basically do the same thing, but I wanted to keep them separate. When you turn one on, it will automatically place either all NEW trackbacks or all NEW pingbacks (depending on the plugin) into the comment moderation queue. It’s meant as a simple way to keep the spammers from getting these onto your site without you first approving them.

I then stumbled upon a strong solution for comment spam here at

Spam Stopgap Extreme

Taking Matt’s stopgap spam solution, which sends precomputed hashes to be echoed back by the user-agent’s form, I’ve added dynamic generation of the md5 hash. Rather than write it to a hidden field, we wait until the form is submitted to compute the hash. This prevents spammers from automatically scraping the form, because anyone wanting to submit a comment *must* execute the JavaScript md5.

After implementing all of these stop spam methods (for trackbacks, pingbacks, referrer spam and comment spam – WHEW what a mouthful), I hope that we’ll all still be able to access this blog and continue to submit comments and posts.

Let’s see how this goes.


