Whether you like it or not, spam is a big part of the internet.

Some types of spam are more interested in using your server space to send out requests, while some take advantage of users to send over harmful malware and viruses.

One type of spam is called referrer spam and it affects WordPress sites that aren’t prepared. In addition, it can get into your Google Analytics system, preying on your rankings and turning search engines against you.

It will never go away fully. But that doesn’t mean you can’t fight back against referrer spam.

Your best bet is to block referrer spam in Google Analytics and WordPress. How do you go about doing this?

You’re going to find out in just a minute, but first, let’s understand a little more about referrer spam and how it can affect your website.

What Is Referrer (Or Referral) Spam?

Referrer spam, or referral spam, is the technique of making repeated website requests using a fake referrer URL, often to a site that spammers wish to promote.

What is Referral Spam in Google Analytics and other FAQs

Inside Google Analytics, it looks like this:

What referrer spam looks like inside Google Analytics
What referrer spam looks like inside Google Analytics

Referrer spam has one purpose: To target search engines.

On the surface, here’s how it works:

  • A spammer has a website they want to boost the search engine rankings for.
  • The spammer sends out multiple requests with fake URLs that link back to the website they want to advertise.

In short, they want to improve how search engines see their site without providing valuable content to users. Therefore, your site can accidentally publish some of the access logs and statistics, unintentionally linking back to this site that the spammer is trying to promote.

This means that your site is now linking to a poor quality site, which can improve the rankings for that spam site like these:

Even more spam sites in Google Analytics
Even more spam sites in Google Analytics

Unfortunately though, if Google sees that you are linking to a junk website, your search engine rankings may decrease in the future.

These bots never actually visit your site. Instead, they just mess your javascript tracking code and skew your analytics data like bounce rate and other useful engagement metrics.

A diagram showing how ghost and referral spam works
A diagram showing how ghost and referral spam works (Image source: magistrateinc.com)

Although Google, and other search engines, have done quite a bit to discount spam sites like these, it’s a good idea to prevent them entirely, so you don’t run into any problems.

After all, if you’re linking to dozens of bad sites, the search engines may think that you did this intentionally.

Why Is It Called Referral Spam?

It’s also worth noting that this type of spam gets its name from the way it interacts with Google Analytics. These spammers take advantage of the fact that all website owners like to see that other sites are referring traffic to their platform.

You even have a referral report in Google Analytics to see where most of your traffic is coming from.

Unfortunately, some of your users may want to look at these referral reports in your access logs, and you may end up clicking one of the harmful links when checking out your referrals in Google Analytics.

It doesn’t matter who clicks them, because it’s all bad news.

What Are the Benefits of Blocking Bot Traffic?

Some people think that having bot traffic and referrer spam is not that big of a deal. It’s quite a big deal when you consider the amount of bot traffic out there:

Web traffic breakdown (good bots vs bad bots vs humans)
Good bots vs bad bots vs humans (Image source: voluum.com)

Almost 56% of bot traffic is used for malicious purposes. Not only does it skew your analytics data, it can also:

  • Contribute to DDoS attacks
  • Damage your SEO and website reputation
  • Hijack your accounts
  • Cost you money

Although it may not affect you that much, you still have the chance of accidentally linking to those spam sites and decreasing your search engine rankings.

Furthermore, legitimate website owners are in the business of generating quality content, so it is your duty as a responsible webmaster to prevent spammers from cluttering up the internet with poor links.

As an internet user, all they do is make things harder for you when searching. Finally, there is a chance that you, or one of your site visitors, clicks on one of the referrer spam links, leading you to a website that could contain harmful material.

How to Block Referral Spam Traffic in Google Analytics

Here are a few options you could use to block Google Analytics spam:

How to Block Referrer Spam in Google Analytics (Clean up Your Reports)

Let’s take a look at each of these methods:

1. Exclude Known Bots and Spider in Google Analytics Settings

Before more advanced ways to block Google Analytics spam, make sure to take advantage of a built-in feature you’ll find under Admin > View Settings > Bot Filtering:

Bot Filtering in Google Analytics
Bot Filtering in Google Analytics

Simply make sure to tick the checkbox and click Save at the bottom of the page.

2. Filter Spam Bots from Your Google Analytics Results

When you make any technical changes, you always want to have a backup you can refer back to if things go wrong.

This is no different in Google Analytics. You’ll want to keep an unfiltered view so that you’ll have data to compare with the filtered results to ensure they are working. It also gives you a view you can revert back to if one of your filters doesn’t work quite right.

Set up an Unfiltered View in Google Analytics

Go to the Admin section and click on View Settings in the third column.

Setting up an unfiltered view in Google Analytics
Setting up an unfiltered view in Google Analytics

Next, click on Copy View, and then name your view Unfiltered.

Copying and naming your new view in GA
Copying and naming your new view in GA

Now, go back to the main Admin page in Google Analytics and click Filters in the View section.

Note: this is different from All Filters in the Account section.

Creating a filter in Google Analytics
Creating a filter in Google Analytics

Click the red + Add filter button:

Add a new filter to GA (and give it a descriptive name)
Add a new filter to GA (and give it a descriptive name)

From here, there are a couple of different spam filters you can set up to block out Google Analytics spam.

For each filter you create, take a few minutes to test it and make sure it is working correctly. Once you’re happy that it’s accurate, click on Save.

Let’s take a quick look at the types of spam filters you can set up in Google Analytics:

Types of Spam to Look out for (And How to Remove Them)

There are three common types of spam. Here’s a quick rundown of what each is and how you can block it:

Ghost Spam

Ghost spam (sometimes referred to as ghost traffic or phantom traffic) is fake traffic and data inserted by hackers into your Google Analytics account, in an attempt to get you to visit their websites.

To find ghost spam in your Google Analytics account, go to:

Audience > Technology > Network > Hostname

This will show you a list of all hostnames engaging with your website. It should only show your domain, subdomains, and any other services you’ve linked with your Google Analytics account.

If you see something you don’t recognize, it could be ghost spam.

To remove ghost spam, build a custom filter that tells Google Analytics which hostnames belong in your account and which don’t.

Here’s How to Remove Ghost Spam in Google Analytics:
  1. Write a list of valid hostnames in a regular expression.
  2. Separate each hostname with a pipe character | and add a backslash \ before all periods and hyphens. (Example: kinsta\.com|youtube\.com)
  3. Now open up your Google Analytics account, go to “Admin” and select the right view.
  4. Go to “Filters” and click “Add Filter”.
  5. Name your filter, choose “Custom” for Filter Type, and select that you want to “Include” “Hostname.”
  6. Enter your expression, and use the “Verify Button” to check your new filter works.
  7. Hit “Save” to finish your ghost spam filter.

To make it even stronger, here’s something else you could do to fight ghost spam.

Open Google Analytics, and go to Audience > Technology > Network.

Scroll down to select Hostname as your Primary Dimension, and make it so that the results are shown by month.

Select hostname as your primary dimension in GA
Select hostname as your primary dimension in GA

Look at the entire list of hostnames. Identify the legitimate ones and write them down.

The key here is to make a list of the valid hostnames. Then, go to the Admin tab at the top, and click on Filters.

Create a list of valid host names in Google Analytics
Create a list of valid host names in Google Analytics

Click Add Filter > Custom Filter Type > Include. This field will ask you to punch in a list of the acceptable hostnames. The format for this requires you to put a ^ sign before each hostname, along with a $ sign after each one.

In order to separate the hostnames, use a | sign.

Adding a custom filter in Google Analytics
Adding a custom filter in Google Analytics

Select the Save button to complete the process. It should take about 24 hours to see changes in the Google Analytics dashboard. You can also take a look at this big list of spam/ghost referrer sites.

You should exclude all of them in your Google Analytics.

Crawler Spam

Crawler Spam is a type of spam generated by bots that browse websites and log information by performing automated tasks on websites. These bots crawl your pages, ignoring rules like those found in robots.txt.

Here’s How to Remove Crawler Spam in Google Analytics:

You’ll need to create custom filters in Google Analytics using the following expressions, which are created to exclude crawler spam detected in the last couple of years.

Expression #1:

(best|dollar|success|top1)\-seo|anticrawler|^scripted\.|semalt|forum69|7makemon|sharebutton|ranksonic|sitevaluation|dailyrank|vitaly|profit\.xyz|rankings\-|dbutton|uptime(bot|check|\.com)

Expression #2:

Datract|hacĸer|ɢoogl|responsive\-test|dogsrun|tkpass|free\-video|keywords\-monitoring|pr\-cy\.ru|fix\-website|checkpagerank|seo\-2\-0\.|platezhka|timer4web|share\-buttons|99seo|3\-letter|top10\-way

To create your custom filter, you’ll need to:

  1. Open up your Google Analytics account
  2. Go to Admin, Choose Filters, then click “Add Filter.”
  3. Give your filter a name, select “Custom” for Filter Type, and then select “exclude.”
  4. Set field equal to “campaign source” then paste one expression into the box.
  5. Verify the filter, then “Save.”
  6. Repeat the process for Expression #2.
Fake Language Spam

Language spam is typically used by spammers for a certain agenda or to promote their own sites or products. They manipulate the language used by real sites like thenextweb.com, lifehacker.com, reddit.com.

Here’s How to Remove Fake Language Spam in Google Analytics:
  1. Open up your Google Analytics account
  2. Go to Admin, Choose Filters, then click “Add Filter.”
  3. Give your filter a name, select “Custom” for Filter Type, and then select “exclude.”
  4. Set field equal to “language settings” then paste the following into the filter pattern box: \s[^\s]*\s|.{15,}|\.|
  5. Verify the filter, then “Save.”

3. Edit Your Domain’s .htaccess File or Add a Rule in Nginx

If your hosting uses cPanel, one of the most effective ways to block spam referral traffic is by editing your .htaccess file. This file is used to control your server and can be instructed to block any spam visits from a domain or IP address.

Blocking spam traffic in your htaccess is effective
Blocking spam traffic in your .htaccess is effective (as long as you are careful and don’t break your site)

This method not only blocks referral spam domains from your website, but it also removes them from your server. Which is handy for keeping your server speed nice and fast.

Here’s How to Block Spam in Your .htaccess File:

Let’s say you’d want to exclude Semalt, free-traffic.xyz, and buttons-for-website.com. Simply add the following command to your website’s .htaccess file:

## SITE REFERRAL BLOCK
RewriteCond %{HTTP_REFERER} semalt\.xyz [NC,OR]
RewriteCond %{HTTP_REFERER} free-traffic\.xyz [NC,OR]
RewriteCond %{HTTP_REFERER} buttons-for-website\.com [NC,OR]
RewriteRule .* – [F]

Not sure what all that means? Here’s a quick rundown of what is happening in that command:

  • ‘NC’ makes the command case insensitive, so even SeMalT.com or Free-Traffic will be caught by the filter.
  • ‘OR’ indicates that multiple referrers are to be blocked.
  • The final line is for what happens to a domain trying to access your website and getting denied.
  • ‘F’ equals fail and means the referrer will get a 403 error.

Now, when it comes to anything .htaccess related: be very careful.

Put just one character in the wrong place or accidentally typing a double space could take your whole website offline.

Here’s How to Block Spam in Nginx:

If your host takes advantage of Nginx as web server instead of Apache, you won’t be able to edit your .htaccess file and you’ll need to set up a rule in Nginx to block request by referrer:

if ($http_referer ~* "bad-site-to-block\.com") {
    return 403;
}

If you’re a Kinsta customer, you’ll need to reach to support and ask to add this rule.

4. Use a Third-Party Tool to Block Referral Spam

If you are a WordPress user, you can use a Google Analytics WordPress referral spam plugin to get rid of bot traffic.

Your best option is Sucuri which monitors referrer spam and removes it from your website. On top of this, this plugin can also protect your site against DDoS attacks as it’s an all-in-one website security solution.

If Sucuri sounds like too much to you, another plugin you may want to try is Stop Referrer Spam, which uses a public list of referrer spammers provided by Matomo, the company behind Google Analytics alternative Piwik.

There are a few additional options but they haven’t been updated in a while so they might not be compatible with your WordPress install. Also, running outdated software could raise some security threats but if you’d like to test them, here they are:

Please, always take a backup before installing a new plugin so you can easily revert back to a working site if anything wrong occurs.

Google Analytics Spam FAQs

Here are answers to some of the most frequently asked questions about Google Analytics spam:

Can I Visit the Spam Sites Found in Google Analytics?

The first (and most important) thing to remember is this: do not click on the link!

If you visit the website itself, the spammers are getting what they want. Instead, Google the website in quotation marks:

Search for spam referrer sites in Google to see if others sites have flagged them before
Search for spam referrer sites in Google to see if other sites have flagged them before

Doing it this way will avoid visiting the site but you’ll see results from other sites about it. If the site is a source of Google Analytics spam, someone else has probably written about it.

Why Is Filtering Spam from My Google Analytics Important?

Google Analytics data (and website analytics in general) are one of the best ways of tracking the performance of your site and see what is working with your online audience. Not only can they show what is working, but they can also show what isn’t (aka areas for improvement).

But if you throw referral spam into the mix, the accuracy of this data is at stake.

You could be getting a decent number of sessions that are basically junk visits:

Junk visits from Semalt in Google Analytics
Junk visits from Semalt in Google Analytics

If you don’t have the best data available in Google Analytics, you risk making bad decisions. Basically, because the data isn’t accurate, you can misinterpret things.

For example, you could spend extra time and money on improving a particular page on your site because it looks popular with your audience. But if all of this traffic is coming from bots, there is no point investing in improvements.

In summary: cleaning up your data, spam bot filters ensure your analytics deliver insights that are more accurate and useful.

Can I Clean up Historical Google Analytics Data?

Spam filters will get you cleaner data moving forward, but they won’t be applied to past data.

Once you’ve set up your filters, spam will be filtered out from that date onwards, but not backward. Your historical data will still include inaccurate data caused by bots.

However, it’s not all bad. You will be able to compare your with and without spam data in Google Analytics:

Comparing with vs without spam traffic in Google Analytics
Comparing with vs without spam traffic in Google Analytics

Seeing the comparison between your analytics before and after applying spam filters can help you understand just how much traffic was from bots, giving you a more accurate view of your site.

Summary

Unfortunately, avoiding spam completely is impossible. But you can control the impact it has on your Google Analytics data.

Using the right filters, plugins, and some technical know-how is the best way of stopping spammers and giving you back the accurate data in Google Analytics you need to build a good website.

Now it’s your turn: what’s your preferred way to get rid of spam in Google Analytics?

Matteo Duò Kinsta

Head of Content at Kinsta and Content Marketing Consultant for WordPress plugin developers. Connect with Matteo on Twitter.