How to block referrer spam with htaccess file

To find out if your website stats are already being affected by referrer spam please read our blog post Is referrer spam affecting your website metrics?

Many websites are hosted on web servers that use .htaccess files to control how the server should behave in response to specific requests. The .htaccess file is found in the root of your site directory and can be accessed either by FTP, SSH or web admin control panel such as cPanel. There are two possible methods to block referrer spam to your site using the .htaccess file: mod_rewrite or mod_setenvif.

You can find instructions on how to block referrer spam with htaccess file methods below:

The following instructions are technical by their very nature and should not be attempted by anyone other than an experienced webmaster, coder/developer. We cannot be held responsible for any detrimental effects and we do not provide unpaid support for these or any other instructions. Always take a backup!

In the “single referrer” example below, “” is the domain you wish to block. Note the backslash proceeding the period (“.”) to actually denote a period, as in Regular Expressions, a period denotes any character, which is not what we want. The flag “[NC]” is added to the end of the domain to make it case insensitive, so whether the domain is “”, “” etc, however bad it gets, it gets blocked. Finally, the last line in the .htaccess file specifies that the action to take when a match is found is to fail the request, meaning the referrer traffic will hit a 403 Forbidden error.

RewriteEngine on # Options +FollowSymlinks RewriteCond %{HTTP_REFERER} [NC,OR] RewriteRule .* – [F]

To block multiple referrers, you can add multiple ‘RewriteCond’ statments, but omitting the [NC,OR]

RewriteEngine on # Options +FollowSymlinks RewriteCond %{HTTP_REFERER} [NC,OR] RewriteCond %{HTTP_REFERER} RewriteRule .* – [F]

Now, you may have noticed the line “Options +FollowSymlinks” above, which is commented. Uncomment this line (by removing the # character) if your server isn’t configured with FollowSymLinks in its section in httpd.conf, and you get a 500 Internal Server error when using the code above as is.

Related blog posts

Is referrer spam affecting your website metrics? How to block referrer spam in Google Analytics How to block referrer spam with a WordPress plugin

Grow your business faster with strategic, results driven digital marketing.

Let’s get started

Our industry expert

James Patten

Technical Director

Responsible for overseeing every website build, Jim is our resident expert in data and API integration, email and DNS configurations, and all things technical. He takes every client’s vision for their new website and brings it to life, integrating automated systems to save them time.

James Patten profile photo

Is now the time to start dominating online?

Let’s get started

Subscribe to our newsletter

Join over 600 like-minded individuals who benefit from our monthly roundup of marketing insights, tips and updates.

"*" indicates required fields

What are you interested in?
This field is for validation purposes and should be left unchanged.