I'm trying to set up a redirect on a WP blog installation that will detect anyone coming in from nowhere (i.e. not from another site). The idea is to trap some of the spambots that plug pre-constructed URLs into the system to create comments/posts. I figure if they don't have a referrer site, I can pop them back to the homepage (www.domain.com/index.php or just www.domain.com), which should mess with the bots but not with real people.

I understand that the referrers can be forged but hopefully it'll stop the stupids, at least.

I have very little clue about .htaccess rewrite rules (I apologise for being a noob), but I couldn't find one that did this in existing answers or anywhere else online, despite several searches. Either no one's done it or I'm not phrasing correctly.

Any help appreciated. :)

Spike --

1 Answer

I'd advise against this. By doing it, you may annoy and alienate a portion of your potential users: for example, my browser is set not to report referer information, and others use anonymity networks. The dumb bots you can catch by matching their reported user agent string (as seen here).

Otherwise it's simple: match against the HTTP_REFERER environmental variable in a RewriteCond:

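# Match requests whose Referer header is missing or empty
RewriteCond %{HTTP_REFERER} ^$
# Send them to the site root; R=301 makes this an external (hard) redirect
RewriteRule .* http://example.com/ [R=301,L]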

The RewriteCond checks to see if the referer is an empty string; the RewriteRule redirects everything to http://example.com/ root. This is a hard redirect, meaning that the server will issue an R=301 moved permanently header. If you just want to sneakily serve another resource, use a soft redirect by specifying a relative URL, like RewriteRule .* index.php. However, it may be kinder for people not reporting referrer information to redirect them to a page saying something like "You should enable referrer reporting if you want to read this page".

For more examples on such things, see the manual. There's a very similar prevent-hotlinking method there.

SáT
  • Wonderful, thank you! I'm tempted to do the simple version because it's purely a redirect to the homepage: it doesn't transfer them anywhere really bad, annoying or otherwise grrr-inducing. I've bookmarked all that scary bot code, though. I may give that a try first and see if it stops them, then do the other if it doesn't. Again, thanks for an informative, useful answer. Awesome! Edit: Just spotted the endless loop potential (no reported redirect from browser, even on site). Bah. Time for the extra page as suggested, thank you! – Spike -- Jan 25 '13 at 12:09
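
The loop noted in the comment above, together with the notice page suggested in the answer, as an added example (not code from the answer or its author). The page name /no-referrer.html is an assumption, and the rules are assumed to sit above the WordPress rewrite block in the site root .htaccess.

```apache
# Added example. /no-referrer.html is a hypothetical static notice page.
RewriteEngine On

# Looping form, for comparison: the redirect target is itself requested
# without a Referer by any client that never sends one, so it matches
# again and the client is redirected forever.
#   RewriteCond %{HTTP_REFERER} ^$
#   RewriteRule .* http://example.com/ [R=301,L]

# Loop-free form.
# 1. Act only when the Referer header is missing or empty.
RewriteCond %{HTTP_REFERER} ^$
# 2. Never redirect the notice page itself, which breaks the loop.
RewriteCond %{REQUEST_URI} !^/no-referrer\.html$
# 3. Leave the homepage and WordPress front controller reachable, so
#    typed-in and bookmarked visits to the site root still work.
RewriteCond %{REQUEST_URI} !^/(index\.php)?$
# 4. Use 302 rather than 301: browsers cache a 301, so a visitor who
#    later enables referrer reporting would still be bounced from cache.
RewriteRule ^ /no-referrer.html [R=302,L]
```

Checking the access log for requests that receive the 302 shows how many are real browsers with referrer reporting disabled, which is the cost the answer warns about.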