Our server logs are a joy to behold this morning, peppered with delightful “403” errors as far as the eye can see.
Perhaps we should explain.
This blog, in common with most blogs, gets hundreds of hits a day from spam robots. Sometimes, they’re trying to spam the comments or trackbacks, and WordPress does a pretty good job of filtering those bots out. We have not had a single spam comment or trackback make it through to appear on the site, and only a couple of “false positives,” genuine comments that were held up for moderation.
All well and good, but most of the spam hits are “referer spam,” fake page requests meant to fill up our referer logs with spam URLs. These aren’t as malicious as comment spam, perhaps, but they do distort the hit logs, and can suck up bandwidth and tie up the server, since it treats them as real hits and sends the requested pages to them.
Well, it used to send the requested pages to them. Yesterday I added some ingenious .htaccess commands to deny any request from a list of offending referers. Now all they get is a beautifully concise 403 error. Wherever possible, the .htaccess file is better for handling spam control than PHP code, because with .htaccess there is much less processing load on the server.
Many thanks to the WordPress Codex for this trick.
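A referer block of the kind described above can be written as follows. This is an added example, not the rules actually used on this blog or the Codex's own listing; the referer patterns and the `spam_ref` variable name are constructed placeholders.

```apache
# Added example: deny requests whose Referer header matches a blocklist.
# The host patterns are constructed placeholders; replace them with the
# referers that actually show up in your own access logs.

<IfModule mod_setenvif.c>
    # Tag the request with spam_ref when the Referer matches
    # (case-insensitive regular expression, dots escaped).
    SetEnvIfNoCase Referer "spam-referer-one\.example" spam_ref
    SetEnvIfNoCase Referer "spam-referer-two\.example" spam_ref
    # Anchored form: matches the host and any subdomain, but not a URL
    # that merely contains the name somewhere in its path or query.
    SetEnvIfNoCase Referer "^https?://([^/]+\.)?spam-referer-three\.example(/|$)" spam_ref
</IfModule>

# Apache 2.4 and later (mod_authz_core): allow everyone except tagged requests.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not env spam_ref
    </RequireAll>
</IfModule>

# Apache 2.2 (mod_authz_host): the older Order/Allow/Deny syntax.
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Allow from all
    Deny from env=spam_ref
</IfModule>
```

The Referer header is supplied by the client, so this only stops bots that keep sending a listed referer; the list needs updating as new ones appear in the logs. Unanchored patterns match anywhere in the header, so keep them specific enough that they cannot match legitimate referring sites.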

