How to Stop SEO Spam | Contact Form 7 / WordPress – Block Country

  • Posted: December 16, 2011

Stop SEO Spam from your Contact Forms

If you run a website that has a contact form, you’ve likely received the dreaded internet marketing spam in your inbox: services claiming to get you on the front page of Google for your keyword, or explaining how a Facebook page can create qualified leads for your business.

Being an SEO myself, I know how aggravating this is because people aren’t even looking at what services I am offering! I am offering similar, legitimate services to my customers that they are trying to sell me. This is the type of thing that gives SEOs a bad name. In my experience I have noticed that most of the problems originate from one place, India. To combat today’s anti-spam tactics, blackhats have found a new trick: pay a live person in India who can get around these anti-spam methods for pennies on the dollar. Luckily I found a relatively easy way to stop them without shutting the entire country out of your website. This will work for any country, but for the scope of this article, India is the example.

* For those of you who need to have people from a specific country like India contact you via a contact form, you cannot use this method unfortunately.

What I am going to show you is how to limit the POST request method to specific countries. POST is used when the client needs to send data to the server as part of the request, such as when uploading a file or submitting a completed form, so keep in mind that this will affect every POST request on your site, not just the contact form. For many sites, these are mostly forms that we want blocked for these spammers anyway.

This article is written for WordPress users running Contact Form 7 with DNS hosted through CloudFlare. I wrote a section for anyone running an Apache web server using the POST method who can still benefit even if not using CloudFlare.

Step 1

(Optional)

I can’t speak highly enough about CloudFlare, plus it is FREE for what we need. If you haven’t heard of CloudFlare, head over to their site to check out the short video explanation. I won’t get into detail about CloudFlare, but it makes blocking certain countries much easier. Sign up for an account and get your site set up, then come back. You should know what DNS is before signing up and proceeding through their setup wizard, but for the 20+ sites I run through CloudFlare, the setup wizard was always as easy as just clicking next.

Step 2

In the root of your WordPress install, look for a file named .htaccess. Some FTP clients require you to show hidden files to find this file. .htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis; here we are going to use the one in the root, alongside /wp-admin/, /wp-content/, and /wp-includes/, to block forms (and all other POST requests) from being submitted sitewide from India. Edit the file in your favorite text editor (I use Notepad++). On the line after the # END WordPress tag, paste in the following code, replacing XX with the two-letter country code you want to block.

<Limit POST>
    # Replace XX with the two-letter country code to block
    SetEnvIf CF-IPCountry XX UnwantedCountry=1
    Order allow,deny
    Allow from all
    Deny from env=UnwantedCountry
</Limit>

To block the country of India from POST and stop most of this SEO spam, use the exact code I use:

<Limit POST>
    SetEnvIf CF-IPCountry IN UnwantedCountry=1
    Order allow,deny
    Allow from all
    Deny from env=UnwantedCountry
</Limit>

Keep in mind the code above works ONLY if you have your DNS and nameservers hosted through CloudFlare. For those of you who wonder how it works: CloudFlare passes each request to your web server and adds a request header named “CF-IPCountry”. The header contains the standard internet two-letter country code: “US” for USA, “IN” for India and so on.

Full list of country codes.

I hope this helps some of you out. I do this right now for every client site that doesn’t have clientele in India. In the future more countries may jump on the bandwagon. Luckily, if you only want people contacting you from, say, the US and Canada, there is a simple fix you can do right now: flip step 2 around, reversing the ‘Order allow,deny’ line and swapping the ‘Allow from’ and ‘Deny from’ lines.

<Limit POST>
    SetEnvIf CF-IPCountry US WantedCountry=1
    SetEnvIf CF-IPCountry CA WantedCountry=1
    Order deny,allow
    Deny from all
    Allow from env=WantedCountry
</Limit>
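
To see how the two rule sets above treat different requests, here is a small Python model of the SetEnvIf and Order/Allow/Deny evaluation. It is an added example, not code from the original article or from Apache; the function names and the sample requests are constructed for illustration.

```python
import re

def setenvif(headers, rules):
    """Model mod_setenvif: each rule is an unanchored, case-sensitive regex
    tested against one request header; an absent header is matched as ""."""
    return {var for name, pattern, var in rules
            if re.search(pattern, headers.get(name, ""))}

def post_allowed(order, allow, deny, env):
    """Model Order/Allow/Deny inside <Limit POST>. allow and deny are
    either "all" or the name of an environment variable."""
    def hit(target):
        return target == "all" or target in env
    if order == "allow,deny":
        # Needs an Allow match and no Deny match.
        return hit(allow) and not hit(deny)
    # "deny,allow": a Deny match rejects unless an Allow also matches.
    return hit(allow) or not hit(deny)

# The two rule sets from the article, transcribed as data.
BLOCKLIST = {"rules": [("CF-IPCountry", "IN", "UnwantedCountry")],
             "order": "allow,deny", "allow": "all", "deny": "UnwantedCountry"}
ALLOWLIST = {"rules": [("CF-IPCountry", "US", "WantedCountry"),
                       ("CF-IPCountry", "CA", "WantedCountry")],
             "order": "deny,allow", "allow": "WantedCountry", "deny": "all"}

def decide(policy, headers):
    """True if a POST carrying these headers would be accepted."""
    env = setenvif(headers, policy["rules"])
    return post_allowed(policy["order"], policy["allow"], policy["deny"], env)

# Constructed sample requests: only the header the rules look at.
SAMPLES = {
    "IN via CloudFlare": {"CF-IPCountry": "IN"},
    "US via CloudFlare": {"CF-IPCountry": "US"},
    "DE via CloudFlare": {"CF-IPCountry": "DE"},
    "header absent": {},
}

def decisions():
    """Map each sample to (blocklist verdict, allowlist verdict)."""
    return {name: (decide(BLOCKLIST, h), decide(ALLOWLIST, h))
            for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, (block, allow) in decisions().items():
        print(f"{name:18} blocklist={block!s:5} allowlist={allow}")
```

The last sample is the one to check on your own setup: a request that reaches the web server without the CF-IPCountry header is accepted by the blocklist and rejected by the allowlist. The header only means what the rules assume when the server accepts traffic solely from CloudFlare.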

Alternate Non-CloudFlare Solution

For those of you who don’t want to use CloudFlare (you really should), the above Apache method of limiting POST will work but it will be a little more of a hassle for you to maintain IPs. Below is an example from Country IP Blocks. They maintain lists of IPs for specific countries allowing you to block specific IPs. I only posted 5 ‘deny from’ IPs as the list is huge for India.

<Limit POST>
order allow,deny
# Country: INDIA
# ISO Code: IN
# Total Networks: 961
# Total Subnets: 34,673,664
deny from 1.6.0.0/15
deny from 1.22.0.0/15
deny from 1.38.0.0/15
deny from 1.186.0.0/16
deny from 1.187.0.0/16
#
allow from all
</Limit>
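
Because the IP-based list has to be maintained by hand, it helps to generate the block from the pasted ranges rather than edit it directly. The following Python script is an added example, not part of the original article or of Country IP Blocks; its function names are hypothetical. It validates each range, merges adjacent ones, and lets you check an address against the result before deploying.

```python
import ipaddress

def parse_cidrs(text):
    """Pull networks out of a pasted list. Accepts bare CIDRs or
    'deny from <cidr>' lines; skips blanks and '#' comments.
    Raises ValueError on a malformed or non-aligned network."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("deny from "):
            line = line[len("deny from "):].strip()
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from None
    return nets

def build_limit_block(nets, label):
    """Merge adjacent/overlapping networks and emit the <Limit POST> block."""
    merged = list(ipaddress.collapse_addresses(nets))
    lines = ["<Limit POST>", "order allow,deny", f"# {label}"]
    lines += [f"deny from {n}" for n in merged]
    lines += ["allow from all", "</Limit>"]
    return merged, "\n".join(lines)

def is_denied(ip, merged):
    """Check one address against the merged list before deploying."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in merged)

# The five ranges shown in the article, as pasted.
SAMPLE = """\
# Country: INDIA
deny from 1.6.0.0/15
deny from 1.22.0.0/15
deny from 1.38.0.0/15
deny from 1.186.0.0/16
deny from 1.187.0.0/16
"""

if __name__ == "__main__":
    merged, block = build_limit_block(parse_cidrs(SAMPLE), "Country: INDIA")
    print(block)
    print("1.187.4.4 denied:", is_denied("1.187.4.4", merged))
```

On the five sample ranges, the two /16 networks merge into a single 1.186.0.0/15 line, so the generated block has four deny lines instead of five.
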

Mike Averto is the Founder and Chief Designer at Otreva Designs. He’s an experienced web developer/designer who specializes in front-end development (JavaScript, HTML, CSS). When not hand-crafting HTML/CSS you'll find him learning about some type of new web technology.
