Support

Referer spam was a thing back in the olden days (late 90s, early 00s) when sites published their analytics for everyone to see, including a table of the sum total of requests made per referrer, sorted descending (most requests appear first, usually only the top 10 to 50 Referers listed). People who wanted to index-spam your site would make a gazillion requests using a specific referrer so they make the top of the list. This list would be indexed by search engines which would naively think it as an endorsed link, therefore pushing these URLs higher in search engine results.

Of course, all that happened thirty to twenty years ago. The world was a different place back then. Heck, Nickelback was a cool band back then! Sometime around that time, the mid-2000s i.e. twenty years ago, sites stopped publishing their analytics and search engines stopped treating every random link as an endorsement (Google's original PageRank algorithm has not been a thing since 2000!). Therefore, Referer spam does absolutely nothing of value, and nobody does it as a result. Selling you "protection" against it is meaningless. It's just one of the many nonsensical things people flog to WordPress site owners for no other reason than to make them part with their money. We don't do that. We offer features which improve the security of your site in a meaningful way.

If you really want to, you can of course block specific Referer headers in the .htaccess file of your site. You can do this in the .htaccess Maker by adding the following in the custom code to add to the top of the file:

SetEnvIfNoCase Referer "www\.example\.com" stayout=1

where www.example.com is the domain name in the Referer header you want to block. For this to work you will have to enable the "Block access from specific user agents" feature in the .htaccess Maker.

Again, this is a meaningless thing to do. The only effect you have is seeing some useless URL in your Google Analytics. You can readily filter out such URLs if you want. They have no effect on your site, your search engine ranking, or these sites' search engine rankings. In my opinion, wasting time on a non-problem like this is a very bad use of your time. Spending a tenth of that time to optimise caching of your site to drastically improve its SEO is far more worth the effort.

Finally, a note about Sucuri. Since they are a service, not a plugin, they can crowd-source data. When you report a URL as spammy and so do hundreds or thousands of other folks Sucuri automatically blocks that URL and/or domain. They also have an appeal process in case a URL is mistakenly blacklisted. You will never get this with a plugin for the simple reason that it's running on your site only, it does not share its data with a central service. In the end of the day you have to weigh what is more important to you: convenience, or privacy. If you want convenience, you get to use a service which gets to see all traffic going into and out of your site with everything that entails (do check each service's privacy policy about whether they can sell aggregated data and / or metadata).  If you want privacy, you don't get the convenience of crowd-sourced data.