The Apache server provides directory-level configuration via .htaccess files. This file can override Apache default configuration and change it for the local directory.

If you are not a lazy blogger, you may be interested in some tips I recently discovered to optimize your .htaccess file in order to get a better search engine position, avoid spam comments and protect your content.


search engines see and as two different sites… this is bad for two reasons:

  1. search engines penalize sites with duplicated content, removing some (if not all) of the duplicated pages
  2. some sites will link to you as and others as; this is bad because your pagerank and your link popularity will be halved

To avoid this, you can simply redirect all requests from to or vice versa by adding some directives to your webroot .htaccess file.

Use the following code:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^ [NC]
RewriteRule ^(.*)$$1 [L,R=301]


RewriteEngine On

activates the rewrite engine (that is, the ability to change the requested URL to something else)

RewriteCond %{HTTP_HOST} !^$ [NC]

this says that the rewrite action (specified in the RewriteRule line) should be applied if the host requested (the HTTP_HOST variable) does not (that’s the !) start with (that’s the ^). The [NC] flag makes the check case insensitive.

RewriteRule ^(.*)$$1 [L,R=301]

this says that each request matching the RewriteCond should be rewritten as follows: capture the string that starts (that’s the ^) with any characters (that’s the .*) and then ends (that’s the $) into the first variable (called $1), then rewrite it as$1, redirect using 301 Moved Permanently (that’s the R=301) and stop applying rules from .htaccess (L for Last). This means a request directed to will be redirected to

Spam Blocking

wp-comments-post.php protection

In WordPress, when a user posts a comment, the file wp-comments-post.php is accessed.
A normal user posts the comment from one of your blog’s pages, sending an inside referrer (i.e. the page that took the user to wp-comments-post).
A spammer accesses the wp-comments-post.php file directly, with no referrer or an outside (not from your domain) referrer. You can use this difference to block spam comments via .htaccess. Both the referrer and the user agent are supplied by the client, so this filter stops only bots that do not bother to set them. If you don’t use WordPress you have to change the file name to the one that fits your software, but the technique can still be used.
Here’s the code:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

Here’s the explanation:

RewriteEngine On

activates the rewrite engine


if the request method is POST

RewriteCond %{REQUEST_URI} .wp-comments-post\.php*

if the request uri (the page requested) is [single character or nothing]wp-comments-post.php[anything]

RewriteCond %{HTTP_REFERER} !.** [OR]

if the referrer is not in your domain, or (the [OR] flag ORs this condition with the next one)

RewriteCond %{HTTP_USER_AGENT} ^$

if the user agent is empty

RewriteRule (.*) ^$ [R=301,L]

redirect to

Tor servers blocking

The Tor network is a noble thing… but it’s often used by spammers to run spambots.
I would not recommend this, but if you really need to, you can block the entire network of Tor proxies using the Tor blacklist (just copy the content of the file into your .htaccess file).


IP banning

Say you want to block a spammer that always uses the same IP…

deny from

This will deny access to . Note that you can also use 192.168.0.* to ban an entire class of addresses, or to ban a subnet using a subnet mask.

Deny .htaccess access

This can be used to prevent access to the .htaccess file:

<Files .htaccess>
order allow,deny
deny from all
</Files>

This way all requests to .htaccess file will return a 403 error code (Access denied).
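
The order and deny from directives used in the two sections above are Apache 2.2 syntax; Apache 2.4 accepts them only when mod_access_compat is loaded. As an added example (not part of the original post), here are the same two controls written with the 2.4 Require directives. The addresses are constructed placeholders taken from the documentation ranges.

```apache
# Added example: Apache 2.4 (mod_authz_core / mod_authz_host) equivalents.
# All addresses are placeholders from the RFC 5737 documentation ranges.

# --- Deny .htaccess access ---
# 2.2 style, as on this page:
#   <Files .htaccess>
#   order allow,deny
#   deny from all
#   </Files>
# 2.4 style; the ".ht*" wildcard also covers .htpasswd and similar files.
<Files ".ht*">
    Require all denied
</Files>

# --- IP banning ---
# 2.2 style, as on this page:
#   deny from 192.0.2.10
# 2.4 style: everyone is allowed except the listed sources.
# <RequireAll> succeeds only if no "Require not" line matches and at
# least one positive Require (here "all granted") succeeds.
<RequireAll>
    Require all granted
    # a single address
    Require not ip 192.0.2.10
    # a whole subnet in CIDR notation
    Require not ip 198.51.100.0/24
    # the same kind of ban written as network/netmask
    Require not ip 203.0.113.0/255.255.255.0
</RequireAll>
```

In a .htaccess file the Require directives take effect only if the server configuration grants AllowOverride AuthConfig for that directory. Avoid mixing order/deny lines and Require lines in the same scope.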

Stop hotlinking

If you don’t want other sites to link directly to your images on your server, you can redirect the png/jpg request to a particular image (saying something like “this site is trying to steal my images”) with code like this:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule .*\.(jpg|png)$ [R,NC,L]

Here’s the explanation

RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]

this says that this rule should be applied if the referrer does not start with or (case insensitive)

RewriteRule .*\.(jpg|png)$ [R,NC,L]

this says that requests ending with .jpg or .png (not case sensitive) should be redirected to and that this will be the last rule to be applied (the L flag).



francesco mapelli