Title: Blocking site?
Last modified: August 21, 2016

---

# Blocking site?

 *  Resolved [Aria13](https://wordpress.org/support/users/aria13/)
 * (@aria13)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/)
 * Hi
    My site is getting more and more visits from semalt.semalt.com crawler. Do
   you know what code I could use to block the site? And also in which section of
   the custom code will I need to place the code? Thanks
 * [https://wordpress.org/plugins/bulletproof-security/](https://wordpress.org/plugins/bulletproof-security/)

Viewing 12 replies - 1 through 12 (of 12 total)

 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115179)
 * Yes, semalt.com is a known domain used in a Referer stats phishing scam.
 * [http://wordpress.org/support/topic/advise-1/page/2?replies=74#post-5129735](http://wordpress.org/support/topic/advise-1/page/2?replies=74#post-5129735)
   
   [http://forum.ait-pro.com/forums/topic/security-log-issue/#post-15224](http://forum.ait-pro.com/forums/topic/security-log-issue/#post-15224)
 * I guess you could also block the semalt.com Referer domain name by doing this….
   
   [http://wordpress.org/support/topic/advise-1?replies=74#post-5128748](http://wordpress.org/support/topic/advise-1?replies=74#post-5128748)
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115245)
 * Did this answer all of your questions? If so, please resolve this thread. If 
   not, please post any additional questions you may have about this specific issue.
   Thank you.
 *  Thread Starter [Aria13](https://wordpress.org/support/users/aria13/)
 * (@aria13)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115281)
 * Thanks for your reply.
    I looked at the links you gave me, but I must say I’m
   rather lost about what to write. I don’t know anything about codes. So it’s probably
   a silly question but do I have to add the code exactly as it is to CUSTOM CODE
   BPSQSE BPS QUERY STRING EXPLOITS: Modify Query String Exploit code here:
 *     ```
       # BEGIN BPSQSE BPS QUERY STRING EXPLOITS
       # The libwww-perl User Agent is forbidden - Many bad bots use libwww-perl modules, but some good bots use it too.
       # Good sites such as W3C use it for their W3C-LinkChecker.
       # Add or remove user agents temporarily or permanently from the first User Agent filter below.
       # If you want a list of bad bots / User Agents to block then scroll to the end of this file.
       RewriteCond %{HTTP_REFERER} ^.*(\.opendirviewer\.|users\.skynet\.be|dummy1\.com|dummy2\.com).* [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} (havij|libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|python|nikto|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
       RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
       RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
       RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
       RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
       RewriteCond %{THE_REQUEST} (%0A|%0D|\\r|\\n) [NC,OR]
       RewriteCond %{REQUEST_URI} owssvr\.dll [NC,OR]
       RewriteCond %{HTTP_REFERER} (%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{HTTP_REFERER} \.opendirviewer\. [NC,OR]
       RewriteCond %{HTTP_REFERER} users\.skynet\.be.* [NC,OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [NC,OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [NC,OR]
       RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
       RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
       RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e\.%2f|%2e\./|\.%2e%2f|\.%2e/) [NC,OR]
       RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
       RewriteCond %{QUERY_STRING} http\: [NC,OR]
       RewriteCond %{QUERY_STRING} https\: [NC,OR]
       RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
       RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
       RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*embed.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*object.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
       RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
       RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
       RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
       RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
       RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|%3c|%3e).* [NC,OR]
       RewriteCond %{QUERY_STRING} ^.*(\x00|\x04|\x08|\x0d|\x1b|\x20|\x3c|\x3e|\x7f).* [NC,OR]
       RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
       RewriteCond %{QUERY_STRING} (\.{1,}/)+(motd|etc|bin) [NC,OR]
       RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
       RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
       RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
       RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
       RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
       RewriteCond %{QUERY_STRING} \-[sdcr].*(allow_url_include|allow_url_fopen|safe_mode|disable_functions|auto_prepend_file) [NC,OR]
       RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
       RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
       RewriteRule ^(.*)$ - [F,L]
       # END BPSQSE BPS QUERY STRING EXPLOITS
       ```
   
 * or do I have to replace with or add semalt.com or semalt.semalt.com somewhere?
 * Also would I still need to add to Custom Code text box: CUSTOM CODE BOTTOM HOTLINKING/
   FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous 
   code here:
 *     ```
       # Block/Forbid dummies based on Referer
       RewriteCond %{HTTP_REFERER} ^.*(dummy1.com|dummy2.com).*$ [NC]
       RewriteRule ^(.*)$ - [F,L]
       ```
   
 * And same silly question do I replace dummy with semalt?
    Thanks
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115284)
 * I believe WP allows you to edit previous comments up to 1 hour so delete all 
   the code you posted above. I don’t think it is relevant to the point. Will post
   an additional reply in a minute.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115285)
 * Back on topic. semalt.com is a known Referer phishing scam. The way this scam 
   works is that in your “stats” application results you will see links to the
   semalt.com domain. The goal is to get you to click on those Referer stats phishing links.
   Yeah pathetic… I don’t think this particular scam manipulates folks in any other
   way that I am aware of.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115286)
 * [@modlook](https://wordpress.org/support/users/modlook/) – please delete the 
   massive block of code above or `tag` it. Sorry and thanks.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115287)
 * …anyway maybe what I need to do is explain some basic things here that will put
   everything into perspective. To be honest I would have to say this form of manipulation
   falls under the general category of “spammer” due to the intended result, which
   is to get you to click on a stats link to the semalt.com domain. This is a really
   pathetic thing that does not really fit into any category other than “pathetic
   spammer” that I can think of. Maybe this would fit into “link troll” or other
   similar pathetic categories. So the links above have info on how to do something
   about this, but to be honest with you…this is just pathetic stuff…best ignored.
   😉
 * It has been a very effective spammer campaign though if you look at Alexa results:
   2,553 world ranking. I guess that means that a lot of folks fall for this type
   of manipulation…
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115342)
 * Is this issue/problem resolved? If so, please resolve this thread. If not, please
   post a status update. Thank you.
 *  Thread Starter [Aria13](https://wordpress.org/support/users/aria13/)
 * (@aria13)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115347)
 * Sorry, I am trying to understand what I need to do. Are you saying that it’s 
   better to just ignore it and do nothing? Thanks
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115349)
 * The way this Referer phishing scam works is that by clicking on a Referer link
   in your stats you are visiting the semalt.com website. So if you never click 
   on a semalt.com link then nothing would happen. I think the only goal is to get
   you to click on a semalt.com link. Whether you want to block this is entirely
   up to you. You can use the methods above or just ignore this scam. Totally up
   to you.
 *  Thread Starter [Aria13](https://wordpress.org/support/users/aria13/)
 * (@aria13)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115350)
 * Thanks
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115351)
 * Yep, no problem. This link says pretty much the same thing. And if you look around
   on the Internet there is nothing malicious going on. It is more of a nuisance
   thing.
    [http://en.forums.wordpress.com/topic/do-you-have-information-about-semalt-dot-com](http://en.forums.wordpress.com/topic/do-you-have-information-about-semalt-dot-com)
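
Added example (not part of the thread and not BulletProof Security's own code): the Referer template quoted above with `semalt.com` substituted for the dummy domains, compared against a host-anchored pattern on constructed access-log lines. The anchored pattern, the log lines and all function names are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.5 - - [21/Aug/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "http://semalt.semalt.com/crawler.php?u=http://example.org" "Mozilla/5.0"
203.0.113.6 - - [21/Aug/2014:10:00:07 +0000] "GET /about/ HTTP/1.1" 200 2048 "http://SEMALT.com/" "Mozilla/5.0"
198.51.100.9 - - [21/Aug/2014:10:01:13 +0000] "GET /post/ HTTP/1.1" 200 4096 "https://www.google.com/search?q=semalt.com" "Mozilla/5.0"
198.51.100.10 - - [21/Aug/2014:10:02:40 +0000] "GET / HTTP/1.1" 200 5120 "http://notsemalt.com.example.net/" "Mozilla/5.0"
192.0.2.44 - - [21/Aug/2014:10:03:02 +0000] "GET /feed/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''

# The thread's template with "dummy1.com|dummy2.com" swapped for "semalt.com".
# Unescaped dots, no host anchoring: it fires on any Referer containing the text.
TEMPLATE_RE = re.compile(r"^.*(semalt.com).*$", re.I)

# Host-anchored variant (assumption of this example): semalt.com and its
# subdomains only. Equivalent .htaccess lines:
#   RewriteCond %{HTTP_REFERER} ^https?://([^/:]+\.)?semalt\.com([/:]|$) [NC]
#   RewriteRule ^(.*)$ - [F,L]
ANCHORED_RE = re.compile(r"^https?://([^/:]+\.)?semalt\.com([/:]|$)", re.I)

# Pulls the quoted Referer field out of a combined-format log line.
LINE_RE = re.compile(r'^\S+ .*?"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def referers(log_text):
    """Yield the Referer field of every parsable log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("referer")

def would_forbid(pattern, log_text):
    """Referers the RewriteCond would match, i.e. requests answered with 403."""
    return [r for r in referers(log_text) if pattern.search(r)]

def blocked_hosts(log_text):
    """Count hits per Referer host among requests the anchored rule forbids."""
    return Counter(urlsplit(r).hostname
                   for r in would_forbid(ANCHORED_RE, log_text))

if __name__ == "__main__":
    print("template rule forbids:", would_forbid(TEMPLATE_RE, SAMPLE_LOG))
    print("anchored rule forbids:", would_forbid(ANCHORED_RE, SAMPLE_LOG))
    print("hits per blocked host:", dict(blocked_hosts(SAMPLE_LOG)))
```

On these lines the template pattern also forbids a visitor arriving from a search for the domain name and one from a lookalike host, while the anchored pattern forbids only the two semalt.com Referers.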

The topic ‘Blocking site?’ is closed to new replies.

 * 12 replies
 * 2 participants
 * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/)
 * Last activity: [11 years, 10 months ago](https://wordpress.org/support/topic/blocking-site/#post-5115351)
 * Status: resolved