Block User-Agent in htaccess for Apache Webserver


Mattias Geniar, August 09, 2015

This guide will show you how to block requests to your site if they come with a certain User-Agent. This can be very useful to fend off a WordPress pingback DDoS attack or block other unwanted requests.

Assuming .htaccess is already enabled on your server (it is on most servers running Apache), add the following near the very top to block this user-agent from accessing your site.

$ cat .htaccess
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_USER_AGENT} ^WordPress [NC]
  RewriteRule .* - [F,L]
</IfModule>

The example above will block any request whose User-Agent starts with “WordPress”: the ^ anchors the regex to the start of the string, [NC] makes the match case-insensitive, and [F] answers the request with a 403 Forbidden. I used this particular example to defend against a WordPress pingback attack, where old versions of WordPress are tricked into attacking a single target.

If you want to block multiple User-Agents in htaccess, you can combine them into a single line like this.

$ cat .htaccess
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_USER_AGENT} ^(WordPress|ApacheBench) [NC]
  RewriteRule .* - [F,L]
</IfModule>

The example above blocks all requests with a User-Agent that starts with WordPress or ApacheBench.

Alternatively, you can use a SetEnvIfNoCase block, which sets an environment variable if the condition described is met. This can be useful if, for some reason, mod_rewrite isn’t available.

$ cat .htaccess
<IfModule mod_setenvif.c>
  SetEnvIfNoCase User-Agent (sqlmap|wordpress|apachebench) bad_user_agents

  Order Allow,Deny
  Allow from all
  Deny from env=bad_user_agents
</IfModule>

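The example above will deny access to any client whose User-Agent contains SQLMap, WordPress or ApacheBench. The match is case-insensitive, and because the pattern lacks the ^ anchor, the string can appear anywhere in the User-Agent, not just at the start. Note that on Apache 2.4 the Order, Allow and Deny directives are legacy syntax provided by mod_access_compat, so that module has to be loaded for this block to work.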
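Before deploying either rule, it helps to see which existing requests it would have blocked. The following is an added example, not code from the original post: a Python dry run that applies the two patterns above to access-log lines in Combined Log Format. The log lines, addresses and the ExampleReader client are constructed, and Python's `re` is assumed to behave like Apache's regex engine for these simple patterns.

```python
import re

# Combined Log Format. Apache writes a literal " inside a field as \", so the
# quoted fields must accept backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + '$'
)

# The page's two patterns. [NC] and SetEnvIfNoCase are both case-insensitive,
# and both directives match anywhere in the header unless ^ anchors them.
RULES = {
    "rewrite": re.compile(r"^(WordPress|ApacheBench)", re.I),
    "setenvif": re.compile(r"(sqlmap|wordpress|apachebench)", re.I),
}

# Constructed sample log: documentation addresses, made-up clients.
SAMPLE_LOG = r'''
192.0.2.10 - - [09/Aug/2015:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "WordPress/3.8.1; http://blog.example.org; verifying pingback from 198.51.100.7"
192.0.2.11 - - [09/Aug/2015:10:00:02 +0000] "GET / HTTP/1.0" 200 5120 "-" "ApacheBench/2.3"
192.0.2.12 - - [09/Aug/2015:10:00:03 +0000] "GET /?id=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.0.2.13 - - [09/Aug/2015:10:00:04 +0000] "GET /feed/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0 (compatible; ExampleReader/2.0; \"wordpress-feeds\")"
192.0.2.14 - - [09/Aug/2015:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
this line is not in combined log format
'''


def dry_run(log_text):
    """Return ([(client_ip, [rules that would block it])], unparsable_count)."""
    results, skipped = [], 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # not Combined Log Format; review these by hand
            continue
        ip, ua = m.group(1), m.group(4)
        ua = re.sub(r'\\(["\\])', r"\1", ua)  # undo Apache's log escaping
        results.append((ip, [name for name, rx in RULES.items() if rx.search(ua)]))
    return results, skipped


if __name__ == "__main__":
    rows, skipped = dry_run(SAMPLE_LOG)
    for ip, rules in rows:
        print(f"{ip:12} {'BLOCK by ' + ', '.join(rules) if rules else 'allow'}")
    print(f"{skipped} unparsable line(s)")
```

The fourth sample line is the case to watch: the unanchored SetEnvIfNoCase pattern blocks a client that merely mentions "wordpress" somewhere in its User-Agent, while the anchored rewrite rule lets it through.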
