Block requests for YITH WooCommerce Wishlist plugin by HTTP referer in mod_rewrite

Sometimes you need to block requests in .htaccess that don’t carry a valid HTTP Referer header (or not the one you want). For example, a visitor without a Referer header should not be able to add items to a WooCommerce webshop’s wishlist: a real visitor has browsed the shop first, so their browser sends your own domain as referrer. Here is how to block requests in mod_rewrite .htaccess that don’t have your website as HTTP referer.

This particular blockade is for a WooCommerce shop that has YITH WooCommerce Wishlist installed. Unfortunately, the plugin accepts plain GET requests, including requests without a Referer header. Imagine the number of requests one or more bots can make in a short amount of time, and the load / CPU spike that causes.

Let’s block it.

Note: this is in no way a rant towards Yith. It’s merely an example.

Use Apache mod_rewrite for access control

Using Apache mod_rewrite in .htaccess you can control access to various resources. This post shows mod_rewrite controlling access to one resource based on query string and referrer: requests for that resource without valid referrer information are denied.

Assume your website is located at https://www.example.com. So that’s the domain you’d want to see as referrer information when a visitor adds an item to their wishlist. This is easily done with mod_rewrite in .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
# Only the plain GET form of the add-to-wishlist request is affected
RewriteCond %{REQUEST_METHOD} ^GET$
# ... and only when add_to_wishlist= is present in the query string
RewriteCond %{QUERY_STRING} (^|&)add_to_wishlist=
# ... and the Referer does not start with our own site (dots escaped, anchored)
RewriteCond %{HTTP_REFERER} !^https?://www\.example\.com/ [NC]
# All conditions met: stop processing and answer 403 Forbidden
RewriteRule .* - [L,F]
</IfModule>

What this does is:

  1. enable the RewriteEngine
  2. the first condition requires the REQUEST_METHOD to be exactly GET; a POST (or PUT) is left alone
  3. the QUERY_STRING has to contain add_to_wishlist=, either at the start (^) or after an ampersand (&), so the parameter is caught wherever it appears in the query string
  4. the third condition states the HTTP_REFERER must not start with your own site, https://www.example.com/, case insensitive (NC); the dots are escaped so they match literally and the pattern is anchored, otherwise a referrer like https://www.example.com.attacker.test/ would also pass
  5. if all conditions are met, the rule matches the whole path (.*), substitutes nothing (-), stops processing (L) and refuses the request with 403 Forbidden (F)

Protip: the exclamation mark ! in a RewriteCond negates the condition, meaning not. A pattern of www.example.com means "matches www.example.com", and !www.example.com means "does not match www.example.com". Also note that a missing Referer header expands to an empty string, which the negated condition matches, so a request without any referrer is blocked too.
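To see which requests the rule chain above refuses, here is an added example (my own, not code from the post or from YITH) that emulates mod_rewrite’s condition chain in Python: each RewriteCond is a search with the same regex, a leading ! negates it, [NC] becomes re.IGNORECASE, and RewriteRule .* - [L,F] fires only when every condition holds. It runs the post’s original, unanchored conditions next to the tightened ones over a handful of constructed requests (the hostnames, product IDs and query strings are made up for the demonstration), so you can see that the original pattern lets a look-alike referrer and a non-leading add_to_wishlist= parameter through.

```python
import re

# Constructed sample requests (not captured traffic): each holds the mod_rewrite
# variables the rule chain consults. A missing Referer header is None, which
# mod_rewrite expands to the empty string.
SAMPLE_REQUESTS = {
    "no_referer":        {"REQUEST_METHOD": "GET",  "QUERY_STRING": "add_to_wishlist=42",
                          "HTTP_REFERER": None},
    "own_site_referer":  {"REQUEST_METHOD": "GET",  "QUERY_STRING": "add_to_wishlist=42",
                          "HTTP_REFERER": "https://www.example.com/product/mug/"},
    "post_request":      {"REQUEST_METHOD": "POST", "QUERY_STRING": "add_to_wishlist=42",
                          "HTTP_REFERER": None},
    "lookalike_referer": {"REQUEST_METHOD": "GET",  "QUERY_STRING": "add_to_wishlist=42",
                          "HTTP_REFERER": "https://www.example.com.attacker.test/"},
    "hostname_in_query": {"REQUEST_METHOD": "GET",  "QUERY_STRING": "add_to_wishlist=42",
                          "HTTP_REFERER": "https://attacker.test/?r=www.example.com"},
    "param_not_first":   {"REQUEST_METHOD": "GET",  "QUERY_STRING": "utm_source=x&add_to_wishlist=42",
                          "HTTP_REFERER": None},
    "plain_page_view":   {"REQUEST_METHOD": "GET",  "QUERY_STRING": "",
                          "HTTP_REFERER": None},
}

# One RewriteCond per tuple: (variable, pattern, negated by "!", re flags).
# These are the post's original conditions, transcribed verbatim.
ORIGINAL_CONDS = [
    ("REQUEST_METHOD", r"GET", False, 0),
    ("QUERY_STRING", r"^add_to_wishlist=(.*)", False, 0),
    ("HTTP_REFERER", r"www.example.com", True, re.IGNORECASE),
]

# Tightened variant (my suggestion): anchor the method, accept the parameter
# anywhere in the query string, and require the Referer to begin with the
# site's own origin so a look-alike host or a hostname in a path does not pass.
HARDENED_CONDS = [
    ("REQUEST_METHOD", r"^GET$", False, 0),
    ("QUERY_STRING", r"(^|&)add_to_wishlist=", False, 0),
    ("HTTP_REFERER", r"^https?://www\.example\.com/", True, re.IGNORECASE),
]


def is_forbidden(request, conds):
    """Emulate a chain of RewriteCond lines followed by `RewriteRule .* - [L,F]`.

    Every condition must hold for the rule to fire, and the rule then answers
    403. Like Apache, a condition pattern is an unanchored search, so
    `www.example.com` matches anywhere in the value unless the pattern itself
    is anchored with ^.
    """
    for var, pattern, negated, flags in conds:
        value = request.get(var) or ""  # unset variable -> empty string
        matched = re.search(pattern, value, flags) is not None
        if matched == negated:  # condition not satisfied: rule does not fire
            return False
    return True


def evaluate(conds):
    """Return {sample name: True if that request would be refused with 403}."""
    return {name: is_forbidden(req, conds) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    original, hardened = evaluate(ORIGINAL_CONDS), evaluate(HARDENED_CONDS)
    print(f"{'request':20} {'original':>9} {'hardened':>9}")
    for name in SAMPLE_REQUESTS:
        print(f"{name:20} {str(original[name]):>9} {str(hardened[name]):>9}")
```

Python’s re engine is close enough to Apache’s PCRE for these patterns. Both variants refuse the bare no-referrer GET and leave the POST and the ordinary page view alone, but only the anchored variant also refuses the look-alike host, the referrer that merely contains your hostname in its query string, and the request that hides add_to_wishlist= behind another parameter.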

Yes, this was a quick and dirty fix in times of heavy load. Treat it as load shedding, not as a security boundary: any client can send a forged Referer header, so a targeted bot only has to add one. And browsers that honour a strict Referrer-Policy, or privacy extensions that strip the header, send no referrer at all, so a small share of legitimate visitors will be refused as well.
