How To Block Bad Bots in htaccess

Have you ever heard about bad robots, or bots? They do exist, and they can do a lot of damage to your website, which is why it is important to block them.
Curious? Let's find out!


What are bad bots?

You can think of bad bots as software created to perform automated tasks. The tasks are malicious, with a single intent: to harm your website. They help attackers target and attack many websites at the same time.

What do bad bots do?

  1. Steal content and place it on another website.

    This can harm your SEO reputation, and most people realize their content has been stolen only when they receive an unpleasant penalty from Google itself.
    To check whether your content has been duplicated on another website, you can use this tool: Copyscape
    It is free and will immediately detect whether the same content as yours appears on another website. If it does, you can request removal of the content and so prevent penalties from search engines.

  2. Submit contact forms

    It is common for bad bots to sign up through contact and subscription forms using real people's email addresses. Imagine a person receiving newsletters from a website they have never opened. They can easily end up reporting your newsletter emails as spam. Now imagine 100 real email addresses used by bots to subscribe to your newsletter, and all of those people unhappy and reporting your website. This can very quickly lead to blacklisting and even penalties from your hosting provider for spamming others.
    To prevent this, it is a good idea to use reCAPTCHA on your website.

  3. Click on ads

    This is another annoying and financially painful issue. Bad bots can click on your ads, driving your CTR and the price you pay higher, which leaves you with skewed statistics and a larger bill.

  4. Infect visitors' devices

    This is the case where a bot has already injected malicious code into the website, and every time a visitor opens it there is a risk of them being infected as well.
    The most common way to detect such an infection is to always double-check for suspicious ads like "click here to receive your new iPhone!" or actual redirects from your website to an unknown one. If you notice such activity, request a malware scan of your entire hosting account as soon as possible.

  5. Take down your website

    This can happen when the volume of bad-bot traffic on the website is so large that, in just a few days or even hours, it exhausts the CPU limits you have available. This brings down your website, as there are no resources left to load even a single page.

For the reasons above, it is important to prevent malicious robots from visiting your website.

How to detect which visitors are bad bots?

The easiest way to catch them all is by using Clicky.
This tool has the option to track not only visitors but bots too. You can enable this feature when you sign up for a free account with Clicky. It will help you understand how many of the visitors to your website are actually bots.

How to block bad bots from .htaccess?

A good preventive measure is to implement firewall protection at the server level by adding the code below to your .htaccess file:

# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/

# 6G:[QUERY STRING]
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
	RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
	RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
	RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
	RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
	RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
	RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
	RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
	RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REFERRER]
<IfModule mod_rewrite.c>
	RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR]
	RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
	RewriteRule .* - [F]
</IfModule>

# 6G:[REQUEST STRING]
<IfModule mod_alias.c>
	RedirectMatch 403 (?i)([a-z0-9]{2000,})
	RedirectMatch 403 (?i)(https?|ftp|php):/
	RedirectMatch 403 (?i)(base64_encode)(.*)(\()
	RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
	RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&amp;?)/?$
	RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
	RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\{|\}|\[|\]|\|)
	RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|muieblack)
	RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
	RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
	RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>

# 6G:[USER AGENT]
<IfModule mod_setenvif.c>
	SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot
	SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
	
	# Apache < 2.3
	<IfModule !mod_authz_core.c>
		Order Allow,Deny
		Allow from all
		Deny from env=bad_bot
	</IfModule>

	# Apache >= 2.3
	<IfModule mod_authz_core.c>
		<RequireAll>
			Require all Granted
			Require not env bad_bot
		</RequireAll>
	</IfModule>
</IfModule>
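Before switching the rules on, it helps to know what they would have done to the traffic you already see in your access log (the visitors and bots Clicky shows you). The script below is an added example, not part of the original post or the 6G firewall: it transcribes the 6G query-string, request-method and user-agent rules into Python regexes and dry-runs them over a few constructed Apache "combined" log lines. The IPs, user agents and log lines are all made up for the example.

```python
import re
from urllib.parse import urlsplit

# Three 6G sections (query string, request method, user agent) transcribed to Python
# regexes so the rules can be dry-run against log lines. Added helper, not 6G code.
QUERY_RULES = [
    r"(eval\()", r"(127\.0\.0\.1)", r"([a-z0-9]{2000,})", r"(javascript:)(.*)(;)",
    r"(base64_encode)(.*)(\()", r"(GLOBALS|REQUEST)(=|\[|%)",
    r"(<|%3C)(.*)script(.*)(>|%3)", r"(\\|\.\.\.|\.\./|~|`|<|>|\|)",
    r"(boot\.ini|etc/passwd|self/environ)", r"(thumbs?(_editor|open)?|tim(thumb)?)\.php",
    r"(\'|\")(.*)(drop|insert|md5|select|union)",
]
METHOD_RULE = r"^(connect|debug|move|put|trace|track)"
UA_RULES = [
    r"([a-z0-9]{2000,})",
    r"(archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|"
    r"feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|"
    r"planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|"
    r"turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune)",
]
# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def classify(line):
    """Return (ip, reason): the 6G section that would reject the request, or None if allowed."""
    m = LOG_RE.match(line)
    if not m:
        return None, "unparseable"
    ip, method, target, ua = m.groups()
    query = urlsplit(target).query  # QUERY_STRING as Apache sees it: raw, not URL-decoded
    for pat in QUERY_RULES:  # [NC] in .htaccess means case-insensitive, hence re.I
        if re.search(pat, query, re.I):
            return ip, "QUERY_STRING " + pat
    if re.search(METHOD_RULE, method, re.I):
        return ip, "REQUEST_METHOD"
    if any(re.search(pat, ua, re.I) for pat in UA_RULES):
        return ip, "USER_AGENT"
    return ip, None

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    '203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /?s=wordpress HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/69.0"',
    '203.0.113.9 - - [10/Oct/2019:13:55:40 +0000] "GET /?file=../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2019:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "sqlmap/1.3"',
    '198.51.100.8 - - [10/Oct/2019:13:56:05 +0000] "TRACE / HTTP/1.1" 200 0 "-" "curl/7.64.0"',
    '192.0.2.22 - - [10/Oct/2019:13:57:12 +0000] "GET /?page=~archive HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',  # legitimate URL caught by the "~" rule
]

if __name__ == "__main__":
    for ip, reason in map(classify, SAMPLE_LOG):
        print(ip, "BLOCKED:" if reason else "allowed", reason or "")
```

The last sample line is the one to watch: a harmless `~` in a query string is enough to trigger a 403, so run your own log through this before deploying and relax any rule that hits real visitors.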

After you have added the code, you can also install a plugin such as Defender. Its free functionality is very easy to use and lets you manually block IPs that you think might be malicious. This helps a lot.
Another way to block IPs manually is directly from your hosting account or via Cloudflare.

Overall, to stay protected:

1. Implement the code in .htaccess
2. Install a protection plugin
3. Monitor who visits your website via Clicky
4. Optionally add firewall protection to your website via Cloudflare
5. Check out our previous post on How to Protect WordPress website from hackers for further security tips.

Copyright © 2019 wptutorialcamp.com – Powered By WordPress