Visitor Blocker (IP / Referrer / User-Agent) — Drop-In PHP Include
🛡️ Lightweight Visitor Blocker (Drop-In PHP Include)
Need a simple way to stop a specific site, bot, or abusive visitor from accessing your pages? This tiny PHP include lets you block requests using: IP addresses, referrer domains, and user-agent substrings. It returns a clean 403 Forbidden and can optionally write a small log line for review.
What it blocks
- IP (strongest option): best when you see a repeat offender in access logs.
- Referrer domain: blocks traffic that arrives with a matching HTTP_REFERER host.
- User-Agent substring: useful for obvious scrapers that identify themselves.
Install
- Save this file as:
visitor_block.php(example:/includes/visitor_block.php) - Add this at the very top of pages (before output):
require_once __DIR__ . '/includes/visitor_block.php'; - Edit the block lists in one place any time you need to add/remove targets.
Important note
Many scrapers do not send a referrer at all. If you want the most reliable block, add the offender’s IP from your server access logs.
<?php
// visitor_block.php — lightweight visitor/domain/IP blocker (drop-in include)
// Usage (top of every page): require_once __DIR__ . '/visitor_block.php';
// Keep it compatible with older PHP (no str_ends_with)
if (!function_exists('vibe_ends_with')) {
function vibe_ends_with($haystack, $needle) {
$haystack = (string)$haystack;
$needle = (string)$needle;
if ($needle === '') return true;
$len = strlen($needle);
if ($len > strlen($haystack)) return false;
return substr($haystack, -$len) === $needle;
}
}
// -------------------- EDIT THESE LISTS --------------------
// Block if HTTP_REFERER host matches exact domain or any subdomain of it
$BLOCK_REFERRER_DOMAINS = array(
'spyhost.site',
// 'example.com',
);
// Block if User-Agent contains any of these substrings (case-insensitive)
$BLOCK_UA_SUBSTRINGS = array(
'spyhost.site',
// 'badbot',
);
// Block specific IPs (best + most reliable)
// Add IPs you see in your server access logs
$BLOCK_IPS = array(
// '81.91.178.193',
);
// Optional: log blocks (leave empty string to disable)
$BLOCK_LOG_FILE = ''; // e.g. __DIR__ . '/blocked.log';
// -------------------- INTERNALS --------------------
if (PHP_SAPI === 'cli') { return; }
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '';
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
$refHost = '';
if ($referer !== '') {
$p = @parse_url($referer);
if (is_array($p) && !empty($p['host'])) $refHost = strtolower((string)$p['host']);
}
$blockedReason = '';
// 1) IP block
if ($ip !== '' && !empty($BLOCK_IPS) && in_array($ip, $BLOCK_IPS, true)) {
$blockedReason = 'IP';
}
// 2) Referrer host block (exact or subdomain match)
if ($blockedReason === '' && $refHost !== '' && !empty($BLOCK_REFERRER_DOMAINS)) {
foreach ($BLOCK_REFERRER_DOMAINS as $d) {
$d = strtolower(trim((string)$d));
if ($d === '') continue;
if ($refHost === $d || vibe_ends_with($refHost, '.' . $d)) {
$blockedReason = 'REF:' . $d;
break;
}
}
}
// 3) User-Agent substring block
if ($blockedReason === '' && $ua !== '' && !empty($BLOCK_UA_SUBSTRINGS)) {
foreach ($BLOCK_UA_SUBSTRINGS as $s) {
$s = strtolower(trim((string)$s));
if ($s === '') continue;
if (strpos($ua, $s) !== false) {
$blockedReason = 'UA:' . $s;
break;
}
}
}
if ($blockedReason !== '') {
if ($BLOCK_LOG_FILE !== '') {
$line = sprintf(
"[%s] %s %s %s UA=%s REF=%s\n",
date('c'),
$blockedReason,
$ip,
$uri,
substr($ua, 0, 180),
substr($referer, 0, 300)
);
@file_put_contents($BLOCK_LOG_FILE, $line, FILE_APPEND | LOCK_EX);
}
header('HTTP/1.1 403 Forbidden');
header('Content-Type: text/plain; charset=utf-8');
echo "403 Forbidden\n";
exit;
}
?>
Comments (0)
No comments yet — be the first.