Block Domains & Subdomains Using .htaccess

By  on  

A large focus of my redesign was improving site speed, and in doing so, I took a look at my site's error_log for the first time in a long time.  I was shocked when I found out that 90% of my site errors were either hacking attempts or hot-linked files from hundreds of different tumblr.com subdomains.  Thousands upon thousands of PHP fatal errors due to lack of memory saw me seeing red pretty quick -- no wonder I was having periodical speed issues!  Luckily this bit of .htaccess code allows me block all of those sites:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*tumblr\.com [NC]
RewriteRule .* - [F]
</IfModule>

These days I only see PHP notices in my error_log, and that makes me a very happy man.  I've also noticed less SPAM commenting, so maybe Tumblr is used a SPAM hub too?  Either way, blocking domains and subdomains did the trick for me!

Recent Features

  • By
    Responsive and Infinitely Scalable JS Animations

    Back in late 2012 it was not easy to find open source projects using requestAnimationFrame() - this is the hook that allows Javascript code to synchronize with a web browser's native paint loop. Animations using this method can run at 60 fps and deliver fantastic...

  • By
    Introducing MooTools Templated

    One major problem with creating UI components with the MooTools JavaScript framework is that there isn't a great way of allowing customization of template and ease of node creation. As of today, there are two ways of creating: new Element Madness The first way to create UI-driven...

Incredible Demos

  • By
    JavaScript Speech Recognition

    Speech recognition software is becoming more and more important; it started (for me) with Siri on iOS, then Amazon's Echo, then my new Apple TV, and so on.  Speech recognition is so useful for not just us tech superstars but for people who either want to work "hands...

  • By
    MooTools Accordion: Mouseover Style

    Everyone loves the MooTools Accordion plugin but I get a lot of requests from readers asking me how to make each accordion item open when the user hovers over the item instead of making the user click. You have two options: hack the original plugin...

Discussion

  1. There are 2 issues with your solution:
    1) If a legit person linked to your blog from their Tumblr blog, people would see a Forbidden message. This is because you have your images under the same domain as the blog. Keeping them on the sub-domain would save your visitors from this.
    2) Security – probably a minor issue, but when you get a Forbidden message from Apache, you also get a path to the content you were forbidden to access. And since you are using WordPress with caching, the message looks as follows:

    Forbidden

    You don't have permission to access /wp-content/w3tc/pgcache//block-domain/_index_search_engines.html_gzip on this server.

    Apache/2.2.3 (CentOS) Server at davidwalsh.name Port 80

    • Thanks for sharing Shimon. Per your points:

      1. If it’s only specific subdomains hurting you, listing them one by one would be best, I agree. In my case, I don’t care if legit Tumblr sites are linking to me. :)

      2. I’ll look into the Forbidden issue — thanks!

  2. Korri

    Wow. blocking anyone comming from tumblr seems pretty extreme to me, you could at least add a RewriteCond to block only static content.

  3. Bob

    Seems like a lot of work, when this doesn’t even require mod_rewrite:

    deny from .tumbler.com

Wrap your code in <pre class="{language}"></pre> tags, link to a GitHub gist, JSFiddle fiddle, or CodePen pen to embed!