Protect any PHP/MySQL site from Spambots and Hackbots

Ash has already shared a useful WordPress tutorial earlier, if you have missed it, Do read: Supercharge your WordPress blog in one hour. If you run a PHP/MySQL site, forum, CMS, or blog and want to keep hackers and spambots from filling up your content with spammy posts or comments, then keep reading. If you like free solutions, then keep reading.

ZB Block is a free script from the famous Zaphod, who has been active on Usenet since the late 1980s. He doesn’t like spam content, so he wrote this great script that you can install.

How to install ZbBlock:

Unzip the file and upload the contents of the zbblock folder to the /zbblock folder on your server:

Upload to /zbblock on the server

If you want to keep out the Chinese and Korean spammers, you are effectively blocking innocent people from those countries. If you don’t care about that, then also download and unzip the China and North Korea blocks file.

Take the file and in the provided gap insert the contents of the above file. It looks like this:

Chinese and Korean IP blocks

You can add any other country blocks using the above formats but keep in mind that the smarter spammers use proxies and infected PCs, so nothing is 100% foolproof. I notice that Asian spammers get a web host in the US where they run a proxy server so I tend to block popular US hosting providers as this doesn’t block normal Americans who go directly from their home/work PC to your site. Too bad for the few Americans who use legit proxies on their web host accounts.

Run the setup.php script and follow the instructions. (After you have run it successfully, you can’t reach it again.)

Essentially, you have to add a special tag at the very beginning of every page you want to protect. For a WordPress site, you can open up header.php:

Insert the ZB Block tag at the start of the page.

Notice that there is no space between the ZBB tag and the start of the doctype. This is very important.

Testing security of your WordPress blog

You can fly to China, er, no, there is an easier way. At the end of your site URL after the slash, add “?test=xtestx” and you should see a screen like this:

That’s it.

Go ahead, and improve your WordPress blog security. If your blog is hacked, there are many WordPress plugins to check your blog. Also, try WordFence WordPress plugin, which will help you to further improve the security of WordPress blog.

This is a guest post by Ash NallaWalla who blogs at If you like to write for Shoutmeloud, do read: Shoutmeloud revenue sharing program.

Subscribe on Youtube

Article By
Search marketing consultant by day, affiliate marketer by night. Based in Melbourne, Australia.


COMMENTs ( 18 )

  1. Lane Lester says

    The hacker type I have showing up on my WordPress sites is the “C4 Parana Defacer.” I have a number of security fixes in place, but they still get through. I hope this script will do the job, and I will spend some time at the ZB Block site to learn more about it.

    Thanks for posting about it and how to use it with WordPress. Also thanks for having the email followup function.

  2. ash_nallawalla says

    Thanks, Zaphod. For the benefit of others, the link requires one to be logged in, else it returns an error. Will be updating my signatures in the morn.

    • Zaphod says

      Strange, I logged out, and it still displayed, as it should.

      The update forums are supposed to be public. So I am a little surprised.

  3. Zaphod says

    How is my script working out for you guys?

    (Yes, I have Google alerts set to provide notice of people talking about my script. Sorry for the intrusion.)

    Zap :)

  4. Najeeb Puthiyallam says

    Great but i think its not an effective way to do so. Still hacking is possible i believe. Anyway lets give a try :)

    • ash_nallawalla says

      What would be a better way to do it? A cracker would prefer to bring down some prominent site than a random one where the owner might not even know about it. Witness those sites that still show the defacement by Turkish hackers on the home page.

    • ash_nallawalla says

      It can’t prevent botnets because their IPs are random PCs all over the world. But a lot of site owners get fed up of dealing with Chinese spam in particular and I am seeing >90% from Beijing area IPs. I also block large chunks of US web hosts because hosting accounts are used for some spam proxies.

        • ash_nallawalla says

          An AK47 is quite effective, I am told. :)

          Did you mean preventing botnets from occurring, or preventing a botnet from attacking your site? The former won’t happen until perhaps IPv6 becomes ubiquitous. You can’t prevent a botnet attack other then by disconnecting from the Internet, since they can use any IP address. All you can do is install a script like this one, follow some of the recommended changes, harden the server, and then cross your fingers.

    • ash_nallawalla says

      But this is what Zbblock does.

      From its website: “This php security script is designed to detect certain behaviors detrimental to websites, or known bad addresses attempting to access your site. It then will send the bad robot (usually) or hacker an authentic 403 FORBIDDEN page with a description of what the problem was. If the attacker persists, then they will be served up a permanently reccurring 503 OVERLOAD message with a 24 hour timeout.”