Block requests for YITH WooCommerce Wishlist plugin by HTTP referer in mod_rewrite

Sometimes you need to block requests in .htaccess that don’t carry a valid HTTP referer header (or the one you want). For example, a visitor without a referer header should not be able to add items to a WooCommerce webshop’s wishlist. For that to happen, they have to visit the site and send valid referrer information. Here is how to block requests in mod_rewrite .htaccess that don’t have your website as the HTTP referer.

This particular blockade is for a WooCommerce shop that has YITH WooCommerce Wishlist installed. Unfortunately, the plugin accepts GET requests, including requests without a referrer. Imagine the number of requests one or more bots can make in a short amount of time, and the load / CPU spike that causes.

Let’s block it.

Note: this is in no way a rant towards Yith. It’s merely an example.

Use Apache mod_rewrite for access control

Using Apache mod_rewrite .htaccess you can control access to various resources. This post shows the use of mod_rewrite to control access to a resource based on query string and referrer: Requests without valid referrer information to your resource are blocked, and access is denied.

Assume your website is located at So that’s the domain you’d want to see as referrer information when a visitor adds an item to their wishlist. This is easily done with mod_rewrite in .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
# first condition: only act on GET requests (POST / PUT pass through)
RewriteCond %{REQUEST_METHOD} ^GET$
# second condition: the query string starts with add_to_wishlist=
RewriteCond %{QUERY_STRING} ^add_to_wishlist=(.*)
# third condition: the Referer does not contain your domain; yourdomain.example is a placeholder (the original value is missing from this page)
RewriteCond %{HTTP_REFERER} !yourdomain\.example [NC]
RewriteRule .* - [L,F]
</IfModule>

What this does is:

  1. enable the RewriteEngine
  2. the first condition is that the REQUEST_METHOD has to be GET; don’t do anything if it’s a POST (or PUT)
  3. the QUERY_STRING has to start with (^) add_to_wishlist=, followed by anything ((.*))
  4. our third condition states that the HTTP_REFERER must not match your domain, case insensitive ([NC])
  5. if all conditions are met, substitute everything (.*) with nothing (-) and refuse the request (F)

Protip: the exclamation mark ! in a RewriteCond negates the condition, meaning not: a pattern on its own means “is”, and ! in front of it means “is not”.
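To see exactly which requests the three conditions let through, here is an added Python model of the rule chain replayed over a few constructed access-log lines; it is not part of the original post, and shop.example stands in for the site’s own domain, which this page does not preserve.

```python
import re
from typing import Optional

# Constructed stand-in for the shop's own domain (the real one is not on the page).
OWN_DOMAIN = "shop.example"

# The rule chain's RewriteCond patterns, mirrored as Python regexes.
QUERY_RE = re.compile(r"^add_to_wishlist=(.*)")
# [NC] -> case-insensitive; a RewriteCond pattern without ^ is an unanchored
# search, so the domain may appear anywhere in the Referer URL.
REFERER_RE = re.compile(re.escape(OWN_DOMAIN), re.IGNORECASE)

def is_forbidden(method: str, query_string: str, referer: Optional[str]) -> bool:
    """True when the chain would fire and answer 403 (the [F] flag)."""
    if method != "GET":                        # RewriteCond %{REQUEST_METHOD} ^GET$
        return False
    if not QUERY_RE.match(query_string):       # RewriteCond %{QUERY_STRING} ^add_to_wishlist=(.*)
        return False
    # RewriteCond %{HTTP_REFERER} !<own domain> [NC]; an absent header expands
    # to "" in Apache and never matches, so the negated condition holds.
    return not REFERER_RE.search(referer or "")

# Constructed sample lines in Apache "combined" log format ("-" = no Referer sent).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?add_to_wishlist=42 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?add_to_wishlist=43 HTTP/1.1" 200 512 "https://other.example/" "Mozilla/5.0"
198.51.100.3 - - [01/Jan/2024:10:00:03 +0000] "GET /?add_to_wishlist=44 HTTP/1.1" 200 512 "https://SHOP.example/p/" "Mozilla/5.0"
198.51.100.3 - - [01/Jan/2024:10:00:04 +0000] "POST /?add_to_wishlist=45 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.3 - - [01/Jan/2024:10:00:05 +0000] "GET /product/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)" "[^"]*"$')

def audit_log(text: str) -> list[tuple[str, str, bool]]:
    """Replay each parsable log line through the rule: (client, target, forbidden?)."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, referer = m.groups()
        query = target.partition("?")[2]           # text after '?', '' if none
        results.append((client, target, is_forbidden(method, query, None if referer == "-" else referer)))
    return results

if __name__ == "__main__":
    for client, target, blocked in audit_log(SAMPLE_LOG):
        print(f"{'403' if blocked else 'ok '} {client} {target}")
```

Only the first two lines (no referer, foreign referer) would be refused; the POST, the own-domain referer and the non-wishlist request pass.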

Yes, this was a quick and dirty fix in times of heavy load.
