I have noticed that the new plugin mostly catches hits with no Accept header or no User-Agent header. All browsers send these headers when they request a web page. Robots are hitting wp-comments and wp-login over and over again without an Accept header, and mostly without a User-Agent.
This made testing the plugin's other functions difficult, so I disabled it and started getting some spam. I enabled it again and the spam stopped.
It turns out that there must be lots of zombie sites using code that does not send the Accept header, and some of them manage to leave spam before they are reported to SFS. I also put lots of IP blocks on the allow list, and sometimes these get through, although it is a temporary problem.
I did some research and found that it is possible to block these types of hits on my sites using .htaccess. I added the following lines after the Order directive in the .htaccess file. If you don't have an Order directive, just add this code to the top of the file. Note that this is Apache 2.2 syntax: with Order Deny,Allow the default is to allow, so the Deny line alone is enough, but with Order Allow,Deny you also need an Allow from all line before it or every request is refused. On Apache 2.4, Order and Deny only work if the legacy mod_access_compat module is loaded.
# tag any request whose Accept or User-Agent header is missing or empty, then refuse it
SetEnvIf Accept ^$ bad_bot
SetEnvIf User-Agent ^$ bad_bot
Deny from env=bad_bot
The only drawback is that my installation of ownCloud (owncloud.org) is being blocked. I had to add an Allow from all to that folder's .htaccess in order to undo the Deny. I am heavily using ownCloud now for development, as it allows me to work on personal projects at my home desktop computer, on the road on my laptop, and at work (when no one is looking).
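As an added example (this is not the configuration from the original post), here is the same rule written so that it works on both Apache 2.2 and Apache 2.4, together with the per-folder exception for ownCloud. The /owncloud/ path is an assumption; the post does not name the folder. The SetEnvIf lines are the author's; everything else is added here.

```apache
# ---- /.htaccess (site root) ----
# Tag any request that has no Accept header or no User-Agent header.
# SetEnvIf treats an absent header as an empty string, so ^$ matches
# both "missing" and "present but empty".
SetEnvIf Accept     ^$ bad_bot
SetEnvIf User-Agent ^$ bad_bot

# Apache 2.2 (mod_authz_host). Under Order Deny,Allow the default is to
# allow, so the single Deny line is enough. If your file uses
# Order Allow,Deny instead, add "Allow from all" before the Deny line,
# otherwise every request is refused.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from env=bad_bot
</IfModule>

# Apache 2.4 (mod_authz_core). Order/Deny/Allow only work there when the
# legacy mod_access_compat is loaded; the native form is Require.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not env bad_bot
    </RequireAll>
</IfModule>

# ---- /owncloud/.htaccess (assumed path; the post does not name it) ----
# The ownCloud client was caught by the rule above, so lift it for this
# folder only. In 2.2, Allow wins under Order Deny,Allow; in 2.4 a child
# directory's Require replaces the parent's (AuthMerging Off, the default).
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Allow from all
</IfModule>
<IfModule mod_authz_core.c>
    Require all granted
</IfModule>
```

To check that the rule is live, request the login page with both headers stripped, e.g. `curl -sI -A "" -H "Accept:" https://example.com/wp-login.php` (example.com standing in for your site); it should return 403, while the same request without `-A ""` and `-H "Accept:"` should return 200 or a redirect. Any non-browser client that omits Accept or User-Agent (sync clients, feed readers, uptime monitors, your own scripts) is blocked the same way ownCloud was, so if that collateral damage is a problem, wrap the Deny or Require block in a `<FilesMatch>` that names only wp-login.php and wp-comments-post.php instead of applying it site-wide.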
It is truly amazing how much crap is being blocked by those three SetEnvIf/Deny lines.
Please don’t link to this page. If the spammers find out about this they might fix it.