Block Domains & Subdomains Using .htaccess

By  on  

A large focus of my redesign was improving site speed, and in doing so, I took a look at my site's error_log for the first time in a long time.  I was shocked when I found out that 90% of my site errors were either hacking attempts or hot-linked files from hundreds of different tumblr.com subdomains.  Thousands upon thousands of PHP fatal errors due to lack of memory saw me seeing red pretty quick -- no wonder I was having periodical speed issues!  Luckily this bit of .htaccess code allows me block all of those sites:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*tumblr\.com [NC]
RewriteRule .* - [F]
</IfModule>

These days I only see PHP notices in my error_log, and that makes me a very happy man.  I've also noticed less SPAM commenting, so maybe Tumblr is used a SPAM hub too?  Either way, blocking domains and subdomains did the trick for me!

Recent Features

  • By
    From Webcam to Animated GIF: the Secret Behind chat.meatspac.es!

    My team mate Edna Piranha is not only an awesome hacker; she's also a fantastic philosopher! Communication and online interactions is a subject that has kept her mind busy for a long time, and it has also resulted in a bunch of interesting experimental projects...

  • By
    9 Mind-Blowing Canvas Demos

    The <canvas> element has been a revelation for the visual experts among our ranks.  Canvas provides the means for incredible and efficient animations with the added bonus of no Flash; these developers can flash their awesome JavaScript skills instead.  Here are nine unbelievable canvas demos that...

Incredible Demos

Discussion

  1. There are 2 issues with your solution:
    1) If a legit person linked to your blog from their Tumblr blog, people would see a Forbidden message. This is because you have your images under the same domain as the blog. Keeping them on the sub-domain would save your visitors from this.
    2) Security – probably a minor issue, but when you get a Forbidden message from Apache, you also get a path to the content you were forbidden to access. And since you are using WordPress with caching, the message looks as follows:

    Forbidden

    You don't have permission to access /wp-content/w3tc/pgcache//block-domain/_index_search_engines.html_gzip on this server.

    Apache/2.2.3 (CentOS) Server at davidwalsh.name Port 80

    • Thanks for sharing Shimon. Per your points:

      1. If it’s only specific subdomains hurting you, listing them one by one would be best, I agree. In my case, I don’t care if legit Tumblr sites are linking to me. :)

      2. I’ll look into the Forbidden issue — thanks!

  2. Korri

    Wow. blocking anyone comming from tumblr seems pretty extreme to me, you could at least add a RewriteCond to block only static content.

  3. Bob

    Seems like a lot of work, when this doesn’t even require mod_rewrite:

    deny from .tumbler.com

Wrap your code in <pre class="{language}"></pre> tags, link to a GitHub gist, JSFiddle fiddle, or CodePen pen to embed!