Sometimes you need to block requests in .htaccess that don’t have a valid HTTP referer header (or one you want). For example, a visitor without a referer header should not be able to add items to a WooCommerce webshop’s wishlist. For that to happen they have to visit the site and carry valid referrer information. Here is how to block requests in mod_rewrite .htaccess that don’t have your website as HTTP referer.
This particular blockade is for a WooCommerce shop that has YITH WooCommerce Wishlist installed. Unfortunately, the plugin accepts GET requests, and requests without a referrer. Imagine the number of requests one or more bots can make in a short amount of time, and the load / CPU spike that causes.
Let’s block it.
Note: this is in no way a rant towards Yith. It’s merely an example.
Use Apache mod_rewrite for access control
Using Apache mod_rewrite in .htaccess you can control access to various resources. This post shows the use of mod_rewrite to control access to a resource based on query string and referrer: requests without valid referrer information to your resource are blocked, and access is denied.
Assume your website is located at https://www.example.com. So that’s the domain you’d want to see as referrer information when a visitor adds an item to their wishlist. This is easily done in mod_rewrite .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} ^add_to_wishlist=(.*)
RewriteCond %{HTTP_REFERER} !www.example.com [NC]
RewriteRule .* - [L,F]
</IfModule>
What this does is:
- enable RewriteEngine
- the first condition is that the REQUEST_METHOD has to be GET. Don’t do anything if it’s a POST (or PUT)
- the QUERY_STRING has to start with (^) add_to_wishlist=, followed by anything ((.*))
- our third condition states the HTTP_REFERER must not be www.example.com, case insensitive ([NC])
- if all conditions are met, substitute everything (.*) with nothing (-) and refuse the request (F)
Protip: the exclamation mark (!) in the RewriteCond negates the condition, meaning not. www.example.com means is www.example.com and !www.example.com means is not www.example.com.
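As an added illustration (not from the original post), the decision logic of those three conditions transcribed into Python and run over a handful of constructed requests. It shows that only GET requests whose query string starts with add_to_wishlist= and that carry no www.example.com referer get the 403, and that the ^ anchor leaves a request with the parameter later in the query string untouched.

```python
import re
from typing import Dict, Optional, Tuple

# Transcription of the three RewriteCond lines from the .htaccess snippet.
# mod_rewrite patterns are PCRE and match as substrings unless anchored,
# which is why only the query-string pattern carries a '^'.
COND_METHOD = re.compile(r"GET")                        # %{REQUEST_METHOD} GET
COND_QUERY = re.compile(r"^add_to_wishlist=(.*)")       # %{QUERY_STRING} ^add_to_wishlist=(.*)
COND_REFERER = re.compile(r"www\.example\.com", re.I)   # %{HTTP_REFERER} !www.example.com [NC]


def is_forbidden(method: str, query_string: str, referer: Optional[str]) -> bool:
    """True when all three conditions hold and RewriteRule .* - [L,F] answers 403.

    A request without a Referer header has an empty %{HTTP_REFERER}, so the
    negated third condition holds and the request is refused.
    """
    if not COND_METHOD.search(method):
        return False                 # POST/PUT are never touched
    if not COND_QUERY.search(query_string):
        return False                 # '^' anchor: parameter must come first
    if COND_REFERER.search(referer or ""):
        return False                 # referer names our host: allow
    return True                      # '!' negation satisfied: 403


# Constructed sample requests: (method, query string, Referer header or None).
SAMPLES: Dict[str, Tuple[str, str, Optional[str]]] = {
    "bot_no_referer":       ("GET",  "add_to_wishlist=42", None),
    "visitor_from_shop":    ("GET",  "add_to_wishlist=42", "https://www.example.com/shop/"),
    "visitor_mixed_case":   ("GET",  "add_to_wishlist=42", "https://WWW.EXAMPLE.COM/"),
    "foreign_referer":      ("GET",  "add_to_wishlist=42", "https://other.example.net/"),
    "post_without_referer": ("POST", "add_to_wishlist=42", None),
    "param_not_first":      ("GET",  "page=2&add_to_wishlist=42", None),
}


def evaluate_samples() -> Dict[str, bool]:
    """Map each constructed sample to whether the rule would refuse it."""
    return {name: is_forbidden(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in evaluate_samples().items():
        print(f"{name:22s} -> {'403 Forbidden' if blocked else 'allowed'}")
```

The last sample is the one to keep in mind: because the query-string condition is anchored with ^, the rule only fires when add_to_wishlist= is the first parameter.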
Yes, this was a quick and dirty fix in times of heavy load.