29 June 2009

Blogging Tips : Banishing Spammers and Trolls

Banishing Spammers and Trolls With .htaccess Files

In a guest post, Neil Matthews of writes about how comment spammers and trolls can be banished from your site by blocking their IP address using the .htaccess file.

Are you plagued by spammers and trolls inside of the comments section of your blog? If you are, I want to give you a simple little trick to kick them off your blog and keep them out by blocking their IP address.

I decided to use this technique on my own site when I noticed that 80% of my comment spam was coming from about five IP addresses. Enough was enough: although I was capturing the spammers using Akismet, I wanted to stop these people in their tracks. They were not welcome on my site.

This post is written with a WordPress bias, but check out your web server: if it uses .htaccess, there is a good chance you can adopt the techniques described here.

What is the .htaccess file?

The .htaccess file is a web-server-level configuration file which sets certain rules for visitors to your site. It works at a level below WordPress (or any other blogging platform): the web server analyses certain aspects of the browser's interaction with it and, if certain rules are met, carries out an action.

In the example I am about to show, the rule is to check an IP address and the action is to restrict access.

.htaccess configuration is a huge topic. It can be used for redirection and a host of other functions. Much deeper reading can be found at

Finding The Offender's IP Address

WordPress does a great job of helping you discover the commenter's IP address. Simply go to the comment section in your WordPress dashboard or to your spam moderation folder; below the email address and website is the IP address of the commenter. This is collected by WordPress for you.

Editing Your .htaccess File

Let's start with a word of warning: you can seriously damage your blog if you amend .htaccess incorrectly, so take a backup of your file before you make any changes. I like to download the file to my local machine, take a copy, and edit the original before uploading it back to my web server.

Some geekery for you: on Unix or Linux systems any file beginning with a full stop/period is marked as a hidden file, and you will probably not be able to see the .htaccess file in the root of your WordPress installation by default. You will need to enable hidden files in your FTP client. I use FileZilla, where that is located under server -> force show hidden files. Your FTP client will vary, but the option will be there somewhere.

The default .htaccess file

A default WordPress .htaccess file will look like this:

# BEGIN WordPress

RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

# END WordPress

As you can see, it has a number of rewrite rules for WordPress and very little else.

What To Add

To block a particular IP address, add the following lines below the # END WordPress section, replacing the details inside of {} with real IP addresses or host names.

# block spammers' and trolls' IP addresses

order allow,deny

deny from {IP ADDRESS}

allow from all

# END spammers and trolls

Edit your .htaccess file with a text editor, add your exclusions, then upload it back to the root of your blog installation, overwriting the old .htaccess file.

Testing Your Changes

Any IP address added to the exclusion list will not be allowed access to your web server, and a 403 Forbidden message will be returned. The message from my web server is shown below:


You don’t have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

You can test that it works by leaving a test comment on your blog, getting your IP address and adding it to the .htaccess file. Remember to take it out again or you will not have access to your blog.
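As an added example (not part of the original post), this Python script builds the deny block shown above from a list of commenter IPs: it counts spam comments per address, skips malformed entries, and leaves out your own IP so a test comment cannot lock you out. It goes beyond the post in also emitting the `Require not ip` form used by Apache 2.4; the sample data, threshold and function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: (commenter IP, flagged as spam?) pairs as copied from the
# WordPress comment screens. Addresses are from the documentation ranges.
COMMENTS = [
    ("203.0.113.7", True), ("203.0.113.7", True), ("203.0.113.7", True),
    ("198.51.100.23", True), ("198.51.100.23", True),
    ("192.0.2.50", True),                        # one-off, below the threshold
    ("192.0.2.10", True), ("192.0.2.10", True),  # owner's own test comments
    ("not-an-ip", True), ("not-an-ip", True),    # malformed entry
    ("198.51.100.99", False),                    # legitimate commenter
]

def top_offenders(comments, min_spam=2, never_block=()):
    """Return IPs with at least min_spam spam comments, most frequent first."""
    protected = {ipaddress.ip_address(ip) for ip in never_block}
    counts = Counter()
    for raw, is_spam in comments:
        if not is_spam:
            continue
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # never write unvalidated text into .htaccess
        if ip not in protected:
            counts[ip] += 1
    return [str(ip) for ip, n in counts.most_common() if n >= min_spam]

def deny_block(ips, apache24=False):
    """Build the .htaccess lines; apache24=True uses mod_authz_core syntax."""
    if apache24:  # assumption: server runs Apache 2.4 (not covered by the post)
        body = ["<RequireAll>", "Require all granted"]
        body += [f"Require not ip {ip}" for ip in ips] + ["</RequireAll>"]
    else:         # the Order/Deny form used in the post
        body = ["order allow,deny"]
        body += [f"deny from {ip}" for ip in ips] + ["allow from all"]
    return "\n".join(["# block spammers' and trolls' IP addresses", *body,
                      "# END spammers and trolls"]) + "\n"

if __name__ == "__main__":
    offenders = top_offenders(COMMENTS, never_block=["192.0.2.10"])
    print(deny_block(offenders))
    print(deny_block(offenders, apache24=True))
```

Paste the printed block below the # END WordPress line of a backed-up .htaccess, and pass your own address in `never_block` before generating it.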

It Is Not Foolproof

This workaround is not foolproof; it comes with some limitations:

  • Proxies - if your offender is behind a proxy IP address then anybody else using that same address will be banned. Some ISPs will use a shared IP address, so everyone using that ISP will be banned from your site. Use with care.
  • Spoofing IP address - if your troll is particularly tech literate they could spoof their IP address or use another one; they will then get through your barrier.
  • Using another machine - your troublesome visitor could simply go to a friend's machine or to an internet cafe and get a new IP address.

Wrap Up

As mentioned, this is not a foolproof way to stop offenders, but blocking IP addresses is a great way of stopping comment bots from fixed addresses and a way of sending out a real warning to trolls that their type of comments are not welcome.

If you use this trick in conjunction with anti-spam plugins and comment moderation techniques you should be able to reduce your spam and deter trolls.
