question mark url return 200 not 404 – string query noindex or

I have been searching for hours – even checked for plugins.

My wp install is giving 200 status code to fake urls like

my dot com /page/3/?cpage=1%2Fpage%2F3%2F%2Fpage%2F5%2F%2Fpage%2F42%2F%2Fpage%2F42%2F%2Fpage%2F42%2F%2Fpage%2F5%2F%2Fpage%2F5%2F%2Fpage%2F2%2F%2Fpage%2F43%2F%2Fpage%2F42%2F
(HTTP/1.1″ 200 35386 “-” “Mozilla/5.0 (compatible; Baiduspider/2.0; )

This has become a major problem. My research led me to try some htaccess rules that would send any url with a question mark in it to a 403 – and some suggested htaccess mods.

These do not appear to work.

It dawned on me that there may be some legitimate urls like when people use the search function, and if an admin to doing admin stuff in the backend – so probably not a good idea to block all question mark / string query urls with a wordpress web site.

so trying to limit it some of the bad urls being called, tried:

# CLEAN MALICIOUS LINKS
<ifModule mod_rewrite.c>
 RewriteCond %{QUERY_STRING} (goiggs|cpage|pu992d35) [NC]
 RewriteRule .* http://mydotted.com/$1? [R=301,L]
</ifModule>

However that did not seem to change anything either.

Tried some plugins that are supposed to look for url injection and block, tried a few that are supposed to redirect 404s to home page or other page.

It appears that these are not getting the 404 status code even though the urls do not exist, and WP is showing / serving the home page for requests like these instead of the 404 page.

Is anyone aware of any way to block all string query urls that are not searches or in the admin area?

Anyone know of anyway to get wordpress to add a noindex, nofollow to pages like this when they are served?