Redirecting Spammers: A Guide to Using .htaccess on Apache Servers


I’m sure you’ve encountered an annoying bot or individual who thinks it’s a good idea to spam your blog or contact form with nasty links or gibberish. Such spammers can be relentless and frustrating, prompting the need for a method to redirect their IP addresses to another website altogether. One effective way to achieve this is by using the .htaccess file in the root directory of your website. An .htaccess file is a configuration file used on Apache servers to rewrite URLs, authenticate usernames and passwords, and customise error responses (such as error 404 pages). These files can be created easily with any text editor, like Notepad, and are typically saved without a filename, using the .htaccess extension.

What will I need to do this?

  • Your hosting needs to support PHP
  • Your hosting needs to be on an Apache server, preferably Linux-based. IIS does not support .htaccess files.
  • You need to check with your host that .htaccess files are allowed to be used. This should be fine in most cases.

Getting their IP address

The first step is to obtain the spammer’s IP address. On your blog, this shouldn’t be a problem, as the IP address is typically logged when someone posts a comment. For website forms using PHP, you can add a line of code to your email script to capture the IP address.

Create a hidden field in your form and set the value to:

value="<?php echo $_SERVER['REMOTE_ADDR']; ?>"

When the form is submitted, this hidden field will capture the user’s IP address. By monitoring incoming emails from your forms, you can identify if the same IP address is repeatedly spamming your site. If you’re lucky and the spam comes from a single address, you can redirect that address using .htaccess. If the fourth block of numbers in the IP address varies, but the rest remains the same, the spammer is likely within the same IP range, and you should redirect the entire range. If the IP addresses vary significantly, the spammer might be using a proxy server.

Security Measures

For security, ensure you add input filtering to the PHP code. Wrap htmlentities() around each form variable to prevent malicious input.

$filteredInput = htmlentities($_POST['input'] ?? '', ENT_QUOTES, 'UTF-8');

Filtering should be context-specific. Since the data’s destination is an HTML page, htmlentities() is suitable. If the data is later inserted into a database, use addslashes() or mysqli_real_escape_string() just before insertion. For email, validate the “To” and “From” addresses with a regular expression and use htmlentities() since many email clients can render HTML.
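The filtering advice above and the IP capture from the previous section, as an added PHP sketch that is not part of the original article: it reads REMOTE_ADDR on the server when the form is posted (a hidden field's value can be altered by whoever submits the form) and uses filter_var() in place of a hand-written regular expression. The field names name, email and message and the recipient owner@example.com are assumptions.

```php
<?php
// Added example: contact-form handler. Field names and the recipient
// address are assumptions for illustration.
function field(array $post, string $key): string
{
    $v = $post[$key] ?? '';
    return is_string($v) ? $v : ''; // ignore array-valued fields
}

function clientIp(): string
{
    // Taken from the connection at submit time, never from the form body.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : 'unknown';
}

function cleanEmail(string $raw): ?string
{
    // Reject CR/LF first so the value can never start a new mail header.
    if (preg_match('/[\r\n]/', $raw)) {
        return null;
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function buildMail(array $post, string $ip): ?array
{
    $from = cleanEmail(field($post, 'email'));
    if ($from === null) {
        return null; // drop the submission instead of mailing it
    }
    // Escape for the HTML context a mail client may render.
    $name    = htmlentities(field($post, 'name'), ENT_QUOTES, 'UTF-8');
    $message = htmlentities(field($post, 'message'), ENT_QUOTES, 'UTF-8');
    return [
        'to'      => 'owner@example.com', // placeholder recipient
        'subject' => 'Contact form submission',
        'body'    => "Name: $name\nEmail: $from\nSender IP: $ip\n\n$message\n",
        'headers' => 'Reply-To: ' . $from,
    ];
}

$isPost = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
if ($isPost && ($mail = buildMail($_POST, clientIp())) !== null) {
    mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}
```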

Regularly check your web server logs to see if the spammer persists or changes their source. Persistent spammers might change their IP address every month or two. Be cautious; if a legitimate user from the same ISP gets the spammer’s old IP address, they could be mistakenly redirected.

Using WHOIS to Look Up IP Addresses

You can perform a WHOIS lookup to find information about an IP address or URL’s owner. However, this will often point to the user’s internet provider rather than the spammer. If multiple offending IPs point to the same provider, save all evidence and report it to the provider, who should address the issue.

Redirecting with .htaccess

Redirecting from a Specific Page

To block a spammer from accessing a specific page, use this code. This will still allow them to access other parts of your website. Modify the IP address, page, and destination URL as needed, and save it as .htaccess in your website’s root directory.

Using a single IP address:

# Permanently redirect specific IP request for a single page
RewriteEngine On
RewriteBase /
# Match only this exact client address (dots escaped so they are literal)
RewriteCond %{REMOTE_ADDR} ^22\.22\.22\.239$
# ...and only when the form page is requested
RewriteCond %{REQUEST_URI} page-with-form-on\.php$
RewriteRule .* http://www.destinationwebsite.com/ [R=301,L]

Using an IP range:

# Permanently redirect ranged IP request for a single page
RewriteEngine On
RewriteBase /
# Match any address whose first three blocks are 22.22.22
RewriteCond %{REMOTE_ADDR} ^22\.22\.22\.[0-9]+$
# ...and only when the form page is requested
RewriteCond %{REQUEST_URI} page-with-form-on\.php$
RewriteRule .* http://www.destinationwebsite.com/ [R=301,L]

Redirecting from an Entire Website

To block a spammer from accessing your entire website, use the following code in your .htaccess. Modify the IP address and destination URL as needed. Save it in your website’s root directory. Adjust \.php to \.html if your site uses HTML extensions.

Using a single IP address:

# Permanently redirect specific IP request for entire site 
Options +FollowSymlinks 
RewriteEngine On 
RewriteCond %{REMOTE_ADDR} ^22\.22\.22\.239$ 
RewriteRule \.php$ http://www.destinationwebsite.com/ [R=301,L] 

Using an IP range:

# Permanently redirect ranged IP request for entire site
Options +FollowSymlinks 
RewriteEngine On 
RewriteCond %{REMOTE_ADDR} ^22\.22\.22\.[0-9]+$ 
RewriteRule \.php$ http://www.destinationwebsite.com/ [R=301,L] 
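An added helper, not from the original article, that turns the sender addresses collected from your form emails into RewriteCond lines of the kind used above: a repeat offender gets an exact match, and a group of addresses differing only in the fourth block gets one range pattern. The function name, the thresholds and the sample addresses are assumptions for illustration; place the output above a RewriteRule like the ones shown.

```php
<?php
// Added example. Sample addresses are constructed: 22.22.22.x is the
// article's placeholder range, the others are documentation addresses.

/**
 * Turn logged sender IPs into RewriteCond lines.
 * An address seen >= $minHits times gets an exact-match condition; a /24
 * with >= $minHosts distinct senders gets one range condition instead.
 */
function rewriteConds(array $ips, int $minHits = 3, int $minHosts = 3): array
{
    $hits = [];
    $hosts = [];
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            continue; // skip junk and IPv6; the article's patterns are IPv4
        }
        $prefix = substr($ip, 0, strrpos($ip, '.'));
        $hits[$ip] = ($hits[$ip] ?? 0) + 1;
        $hosts[$prefix][$ip] = true;
    }
    $conds = [];
    $ranged = [];
    foreach ($hosts as $prefix => $members) {
        if (count($members) >= $minHosts) {
            $ranged[$prefix] = true;
            // preg_quote() escapes the dots so they match literally.
            $conds[] = 'RewriteCond %{REMOTE_ADDR} ^' . preg_quote($prefix) . '\.[0-9]+$ [OR]';
        }
    }
    foreach ($hits as $ip => $n) {
        $prefix = substr($ip, 0, strrpos($ip, '.'));
        if ($n >= $minHits && !isset($ranged[$prefix])) {
            $conds[] = 'RewriteCond %{REMOTE_ADDR} ^' . preg_quote($ip) . '$ [OR]';
        }
    }
    if ($conds !== []) {
        // The final condition must not carry the [OR] flag.
        $last = count($conds) - 1;
        $conds[$last] = substr($conds[$last], 0, -5);
    }
    return $conds;
}

$logged = ['22.22.22.239', '22.22.22.17', '22.22.22.101', '22.22.22.239',
           '198.51.100.7', '198.51.100.7', '198.51.100.7', '203.0.113.9'];
echo implode("\n", rewriteConds($logged)), "\n";
```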

By implementing these methods, you can effectively redirect spammers away from your site and protect your online presence.