WP-Mix

A fresh mix of code snippets and tutorials

PHP trap for bad bots

Another effective trap for bad bots and spammers, built with PHP and a slice of .htaccess.

Update! If trapping bad bots is your game, you may want to check out my standalone PHP script, Blackhole for Bad Bots, and free Blackhole WP plugin!

Step 1: robots.txt

First, instruct all bots to ignore our trap script (to be named “testing.php”). Well-behaved crawlers honor this rule, so anything that still requests testing.php is a bot that ignores robots.txt. Add these lines to your site’s robots.txt file:

User-agent: *
Disallow: /testing.php

Step 2: .htaccess

In your site’s root .htaccess file, include the following code at the beginning of the file. The “welcome” variable keeps the 403 error page and robots.txt reachable for everyone, while “goodbye” (set per IP address by the script in Step 3) is what the Deny line acts on:

# trap for bad bots
SetEnvIf Request_URI "^(/403.*\.html|/robots\.txt)$" welcome
<Files *>
 Order deny,allow
 Deny from env=goodbye
 Allow from env=welcome
</Files>

Note: the next step adds a script that needs write-access to this .htaccess file. It’s critical that you do not use a more permissive setting than 606, which should work fine. DO NOT use this bot trap technique if anything greater than 606 permissions (or equivalent) is required for the .htaccess file.

Step 3: PHP

Next, create a blank PHP file named “testing.php” and add the following code:

<?php // trap for bad bots
	$htaccess = "/var/www/public_html/.htaccess"; // specify correct path to root .htaccess file
	// new SetEnvIf rule for the visitor's IP (dots escaped for the regex), placed on top of the existing rules
	$content  = "SetEnvIf Remote_Addr ^".str_replace(".","\.",$_SERVER["REMOTE_ADDR"])."$ goodbye\r\n";
	$handle   = fopen($htaccess, 'r'); // the file must be opened before it can be read
	$content .= fread($handle, filesize($htaccess));
	fclose($handle);
	$handle = fopen($htaccess, 'w+'); // rewrite the file with the new rule prepended
	fwrite($handle, $content, strlen($content));
	fclose($handle);
	// these headers are optional, so guard against undefined-index notices
	$agent   = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : "(none)";
	$referer = isset($_SERVER["HTTP_REFERER"])    ? $_SERVER["HTTP_REFERER"]    : "(none)";
	mail( // customize mail with your infos
	"admin@domain.tld",
	"Another bad bot bites the dust..",
	"Banned IP: "  . $_SERVER["REMOTE_ADDR"] . "\r\n" .
	"User Agent: " . $agent . "\r\n" .
	"Referrer: "   . $referer,
	"From: trap@domain.tld"
	);
	die("Sorry no access.");
?>

This file must be “readable” by visitors, so make sure its permissions are CHMOD 604 or equivalent.

Things to edit: the path to your .htaccess file, and the “to” and “from” email fields in the mail() function. Once everything is in place, visit testing.php in your browser to see how it all works (doing so bans your own IP address, so be ready to delete the matching SetEnvIf line from .htaccess afterward). Customize as needed.
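As an added example (not code from the WP-Mix post or from the Blackhole scripts), here is a hardened version of the Step 3 write-to-.htaccess step. It assumes the same .htaccess layout as Steps 2 and 3 (a “goodbye” environment variable that the Deny directive acts on); the function names ban_ip_in_htaccess and banned_ips are hypothetical. Compared with the trap script above it validates that the value really is an IP address before it is written into the config file, escapes it with preg_quote, refuses to add the same address twice, and holds an exclusive lock so two bots hitting the trap at the same moment cannot clobber each other’s changes.

```php
<?php
// Added example, not from the WP-Mix post. Hardened "write a ban rule into
// .htaccess" step; function names are hypothetical. Assumes the Step 2 layout
// (Deny from env=goodbye) so a "goodbye" SetEnvIf line is what bans an address.

function ban_ip_in_htaccess(string $ip, string $htaccess): bool
{
    // Only a well-formed IPv4/IPv6 literal is allowed into the config file.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // preg_quote escapes the dots (and anything else regex-special).
    $rule = 'SetEnvIf Remote_Addr ^' . preg_quote($ip) . '$ goodbye' . "\r\n";

    // 'c+' opens read/write without truncating; the exclusive lock serializes
    // concurrent trap hits so neither overwrites the other's rule.
    $fh = fopen($htaccess, 'c+');
    if ($fh === false) {
        return false;
    }
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return false;
    }
    $existing = stream_get_contents($fh);
    if (strpos($existing, $rule) === false) {   // skip an address already banned
        rewind($fh);
        ftruncate($fh, 0);
        fwrite($fh, $rule . $existing);         // new rule goes on top, as in Step 3
        fflush($fh);
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return true;
}

// Lists the addresses currently banned by this mechanism, for auditing the file.
function banned_ips(string $htaccess): array
{
    $ips = [];
    foreach (preg_split('/\r?\n/', (string) file_get_contents($htaccess)) as $line) {
        if (preg_match('/^SetEnvIf Remote_Addr \^(.+)\$ goodbye$/', $line, $m)) {
            $ips[] = stripslashes($m[1]);      // undo the regex escaping
        }
    }
    return $ips;
}

// Stand-alone demo on a constructed temporary file, not a real site's .htaccess.
$tmp = tempnam(sys_get_temp_dir(), 'ht');
file_put_contents($tmp, "# trap for bad bots\r\n<Files *>\r\n Order deny,allow\r\n"
    . " Deny from env=goodbye\r\n Allow from env=welcome\r\n</Files>\r\n");
ban_ip_in_htaccess('192.0.2.10', $tmp);      // documentation-range address, constructed
ban_ip_in_htaccess('192.0.2.10', $tmp);      // second call is a no-op (no duplicate rule)
ban_ip_in_htaccess('not-an-ip', $tmp);       // rejected, nothing written
print_r(banned_ips($tmp));
echo file_get_contents($tmp);
unlink($tmp);
```

Run it with the PHP CLI to see the rule land once at the top of the constructed file. One caveat worth checking before deploying any version of this trap: if the site sits behind a reverse proxy or CDN, $_SERVER["REMOTE_ADDR"] holds the proxy’s address rather than the visitor’s, and banning it would block every request that comes through that proxy.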
