How to block Spam Trackbacks in WordPress

wordpress-iconTrackbacks are a great way for other blogs to notify your blog about a link back to you. Many blogging platforms support this feature, including WordPress.

But sometimes it’s very obvious that those trackbacks aren’t coming from a legitimate source, especially when you get several dozen of them every day from the same source.

No one loves you that much.

The most recent two examples are semalt.com and buttons-for-website.com, the latter can’t even properly mix a plural with a singular. But that’s not for here.

To make sure those trackbacks don’t bother our WordPress site anymore, we can add a bit of code to your re-reite rule file. If your host is using Apache then this will be your .htaccess file, famously in use for Pretty Permalinks and some cache plugins.

A typical .htaccess file is either empty or contains a block of code courtesy of WordPress. It’s a simple text file. If we add this little snippet to the bottom of the file, friendly trackbacks from semalt.com will no longer notify our website:

# Block Semalt Trackbacks
RewriteEngine On
RewriteCond %{HTTP_REFERER} semalt\.com
RewriteRule ^.* - [F,L]

This rather strange looking code is a rewrite rule. It says “if you encounter a link or a visitor from semalt.com, then forbid them access to anywhere on this site”.

Notice the backslash, followed by the domain extension in semalt\.com. This is necessary to escape the dot character, otherwise Apache would interpret it as an instruction. In our other example, buttons-for-website.com, we need to deal with the slashes in the domain name in the same way:

# Block buttons-forwebsite Trackbacks
RewriteEngine On
RewriteCond %{HTTP_REFERER} buttons\-for\-website\.com
RewriteRule ^.* - [F,L]

You can stack these rules in your .htaccess file and add as many as you like for your very own Trackback Spammers. Simply replace the URL in the code with your own, escaping special characters as seen above (a special character is anything that isn’t “a to z” or “0 to 9”).

Note that these rules do not prevent such websites from linking to you. However as soon as someone from the offending website clicks a link to your website, they will be denied access. On the other hand, when the same visitor would type in your URL, or come from a different website, they will be able so see your content without problems.





Jay is the CEO and founder of WP Hosting, a boutique style managed WordPress hosting and support service. He has been working with Plesk since version 9 and is a qualified Parallels Automation Professional. In his spare time he likes to develop iOS apps and WordPress plugins, or draw on tablet devices. He blogs about his coding journey at http://wpguru.co.uk and http://pinkstone.co.uk.