mod_rewrite: Forbid Unsavory Visitors

calendar Apr 23, 2006  · Updated: November 2, 2025 · 2 min read  ·
Share on: linkedin bluesky copy

I have another blog that mentions random words like "daughter","school", "dirty", "bad", "dog", "herself", "year", "nasty" and "old." Until I started reviewing my HTTP referers, it never even occurred to me that nasty perverts could end up on my site while looking for websites that contain the words "11 year old dirty asian daughter in school with dog." Even though my blog wouldn't come close to providing what they were looking for, I still didn't want these unwelcomed visitors seeing it so I enabled mod_rewrite on my Apache install and wrote the following script to detect people coming from search engines who are looking for unfavorable stuff.

 1# .htaccess (mod_rewrite)
 2RewriteEngine On
 3RewriteBase /
 4
 5# Not referred from my own site or name variations
 6RewriteCond %{HTTP_REFERER} !https://(www\.)?mywebsite\.com/.* [NC]
 7RewriteCond %{HTTP_REFERER} !.*my.*web.*site.* [NC]
 8
 9# Referred from a search engine
10RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|msn|search).*$ [NC]
11
12# Contains objectionable combinations (fixed a typo: removed double "||")
13RewriteCond %{HTTP_REFERER} ^.*(daughter|herself|asian|dog|little|school|girls.*nasty|taste.*self|year|girl.*old).*$ [NC]
14
15RewriteRule .* - [F]

Here is what the script performs, step by step.

  1. If the module mod_rewrite is enabled, do the following
  2. Turn Rewrite Engine On
  3. Apply it to the entire site
  4. If referer is not www.mywebsite.com or a variation of my site's name
  5. AND they come from a search engine
  6. AND the URL includes the following combination of words/phrases: nasty AND (daughter or herself or asian or dog or little or school or girls) or taste AND self or old AND (year or girl)
  7. Give them a 403 Forbidden
  8. End of script

I placed this script in the root of my website and it worked perfectly. Of course, the person can easily get around this but I'd say over 99% just think the site is outdated/broken and won't even attempt it.

Update (2025): Modern browsers and search engines often restrict or omit the Referer/Referrer header due to privacy features and HTTPS referrer policies, so referer-based blocking is far less reliable today. Treat this as a historical example; use more robust filtering and moderation if you need to enforce access controls.