How to Block Visitors from Certain Sites in WordPress


Some WordPress sites receive a lot of negative traffic from certain forums or other areas which link to them. This usually results in a torrent of hateful comments or abuse from commenters arriving from that point. To a great extent, this is unavoidable. It’s the consequence of having an open website that anyone can visit. You can try to cut down on this behavior by mandating registration and so on, but such measures will only hamper legitimate visitors.

Nonetheless, there’s nothing wrong with trying to make life a little more difficult for potential abusers and force them to go through a bit of extra hassle to access your domain. In this article, let’s look at how to block visitors who are arriving via an incoming link from certain third-party websites. In certain cases, this might even be malicious. Someone may even have linked to you from a porn website!

Blocking Visitors from a Site

Open your functions.php file and paste the following code at the end before the closing PHP tag:

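function block_domain() {
	// Referrer URL sent by the browser; not set when the visitor arrives directly
	$ref = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : null;

	if ( is_admin() || ! isset( $ref ) ) {
		return;
	}

	// 'example.com' is a placeholder: put the domain you want to block here
	if ( strpos( $ref, 'example.com' ) !== false ) {
		echo 'Ha ha, you\'re blocked!';
		exit;
	}
}
add_action( 'init', 'block_domain' );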

If you’re not sure how or where to insert the above code, take a quick look at my earlier tutorial on adding custom code into WordPress.

The above code has two customizable sections. The first is the domain name of the target you want to block, which is the string passed to strpos(). The second is the optional message in the echo statement that you want to show someone when they’re unable to access your site. You can leave it blank if you want. Personally I would choose to not display any custom message so that the visitor doesn’t try and work around it by manually typing your URL into their browser. It’s better if they think that your site has malfunctioned.

Running the above code and visiting from a blacklisted website yields the following result:

[Screenshot: referrer blocked]

If you want to block visitors from multiple websites, simply replicate the second “if” statement as many times as you want.

If you look at the code, you see that I’ve taken care to ensure that you can’t be blocked if you’re accessing the admin area of WordPress or if the user has arrived directly instead of through a link – like a bookmark for example.
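An added example, not the article's own code: one way to handle several blocked sites without repeating the "if" statement. It compares only the host part of the referrer, so a blocked name that merely appears elsewhere in the URL (in a query string, or as part of a longer domain name) does not trigger a block. The domain names are placeholders, the function and constant names are made up for this example, and answering with a 403 status is an assumption about how you want to respond.

```php
// Added example for functions.php. The domains below are placeholders.
const BLOCKED_REFERRER_DOMAINS = array( 'blocked-forum.example', 'another-site.example' );

/**
 * Return true when the referrer's host is a blocked domain or one of its subdomains.
 */
function referrer_is_blocked( $referrer, array $blocked_domains ) {
	$host = parse_url( (string) $referrer, PHP_URL_HOST );
	if ( ! is_string( $host ) || '' === $host ) {
		// Missing or unparsable referrer: treat it like a direct visit.
		return false;
	}
	$host = strtolower( rtrim( $host, '.' ) );

	foreach ( $blocked_domains as $domain ) {
		$domain = strtolower( $domain );
		$suffix = '.' . $domain;
		// Exact host match, or a subdomain such as www.blocked-forum.example.
		if ( $host === $domain || substr( $host, -strlen( $suffix ) ) === $suffix ) {
			return true;
		}
	}
	return false;
}

function block_referrer_domains() {
	// Same exemptions as the original snippet: admin area and direct visits.
	if ( is_admin() || empty( $_SERVER['HTTP_REFERER'] ) ) {
		return;
	}
	if ( referrer_is_blocked( $_SERVER['HTTP_REFERER'], BLOCKED_REFERRER_DOMAINS ) ) {
		// Send an error status with an empty body instead of a normal page.
		status_header( 403 );
		exit;
	}
}
add_action( 'init', 'block_referrer_domains' );
```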

Normally, this will be enough of a deterrent to casual visitors who arrive at your site by clicking a link. Obviously it won’t stop a dedicated troll who is trying various techniques to access your page, but it should be enough to put an end to the overwhelming majority of visits from that particular site. But there are certain types of visits that it won’t stop.

Limitations of this Blocking Tactic

The solution I showed you works great for a lot of situations and will typically have the effect you’re looking for. However, it’s important to keep in mind that it will not stop a visitor in the following situations:

  1. Someone types the URL directly into the browser;
  2. They deliberately forge the browser referrer URL;
  3. They visit from an HTTPS secure site and yours is just plain HTTP.

That last reason is important. According to the official HTTP protocol document, browsers are not supposed to send the source URL if the visitor is moving from a secure site to an insecure one. Hopefully though, the kind of sites you want to protect yourself from are not the type to use HTTPS in the first place. Moreover, you can try and avoid this problem by migrating your own site to HTTPS as well.

If you’re being targeted either maliciously or accidentally by visitors from unwanted links to your site, using this technique is a quick fix way to reduce its impact.
