Block Domains & Subdomains Using .htaccess
A large focus of my redesign was improving site speed, and in doing so, I took a look at my site's error_log for the first time in a long time. I was shocked when I found out that 90% of my site errors were either hacking attempts or hot-linked files from hundreds of different tumblr.com subdomains. Thousands upon thousands of PHP fatal errors due to lack of memory saw me seeing red pretty quick -- no wonder I was having periodical speed issues! Luckily this bit of .htaccess code allows me block all of those sites:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*tumblr\.com [NC]
RewriteRule .* - [F]
</IfModule>
These days I only see PHP notices in my error_log, and that makes me a very happy man. I've also noticed less SPAM commenting, so maybe Tumblr is used a SPAM hub too? Either way, blocking domains and subdomains did the trick for me!
![Send Text Messages with PHP]()
Kids these days, I tell ya. All they care about is the technology. The video games. The bottled water. Oh, and the texting, always the texting. Back in my day, all we had was...OK, I had all of these things too. But I still don't get...
![Detect DOM Node Insertions with JavaScript and CSS Animations]()
I work with an awesome cast of developers at Mozilla, and one of them in Daniel Buchner. Daniel's shared with me an awesome strategy for detecting when nodes have been injected into a parent node without using the deprecated DOM Events API.
![WebKit Marquee CSS: Bringin’ Sexy Back]()
We all joke about the days of Web yesteryear. You remember them: stupid animated GIFs (flames and "coming soon" images, most notably), lame counters, guestbooks, applets, etc. Another "feature" we thought we had gotten rid of was the marquee. The marquee was a rudimentary, javascript-like...
![Link Nudging with CSS3 Animations]()
One of the more popular and simple effects I've featured on this blog over the past year has been linking nudging. I've created this effect with three flavors of JavaScript: MooTools, jQuery, and even the Dojo Toolkit. Luckily CSS3 (almost) allows us to ditch...
There are 2 issues with your solution:
1) If a legit person linked to your blog from their Tumblr blog, people would see a Forbidden message. This is because you have your images under the same domain as the blog. Keeping them on the sub-domain would save your visitors from this.
2) Security – probably a minor issue, but when you get a Forbidden message from Apache, you also get a path to the content you were forbidden to access. And since you are using WordPress with caching, the message looks as follows:
Forbidden
You don't have permission to access /wp-content/w3tc/pgcache//block-domain/_index_search_engines.html_gzip on this server.
Apache/2.2.3 (CentOS) Server at davidwalsh.name Port 80
Thanks for sharing Shimon. Per your points:
1. If it’s only specific subdomains hurting you, listing them one by one would be best, I agree. In my case, I don’t care if legit Tumblr sites are linking to me. :)
2. I’ll look into the Forbidden issue — thanks!
Wow. blocking anyone comming from tumblr seems pretty extreme to me, you could at least add a RewriteCond to block only static content.
Seems like a lot of work, when this doesn’t even require mod_rewrite:
deny from .tumbler.com