If you own a link list or directory where the listings are ranked (on some page) on the number of outgoing hits, you’re possible victim of click fraud. There are not only people clicking their own listings many times, ther eare also click bots (remote scripts) which drive the click count “into the sky” in a relative short time.

Click fraud is bad for your sites reputation and is not fair to the listings from other websites. In this PHP code show case we will explain what a webmaster need to do to get his click counter visitor friendly and safe.

First of all don’t worry about if a click doesn’t get counted!

Objectives and requirements

We need to use a link which is informative for the visitor, a link like http://www.domain.com/click.php?id=234 doesn’t show the visitor the target link. better would be http://www.domain.com/browse.php?url=www.external-site.com

We need to identify our visitor, that a click is not counted twice because the visitor click a link twice or more. We store the IP address from the visitor together with a link ID in a database.

We need to protect us against click bots: Many click bots are very smart, they use many IP addresses from different subnets that they look like real people. Some of them even pre-load the website to get the sites referrer information. Since we store the IP address, the click bot can’t be very effective for the fraudulent listing. Check your click results frequently and check outstanding results (if a regular listing gets normally 10 clicks a day and on some days there are many hundreds, then some one has tried hack your click system).

You need two database tables, one for the links and one for the clicks. The first one need only an ID and a column for the URL. The table for the clicks needs a column for the URL id, one for the IP address and one for the timestamp:

CREATE TABLE `links` ( `ident` INT NOT NULL, `url` VARCHAR( 100 ) NOT NULL , INDEX ( `ident` ) , UNIQUE ( `url` ) ) ENGINE = MYISAM ;

CREATE TABLE `clicks` ( `site_id` int(11) NOT NULL, `click_time` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP, `ip_adr` varchar(30) NOT NULL, KEY `site_id` (`site_id`) ) ENGINE=MyISAM;

After we created the database tables we need to enter a few links, use a clean way to insert your links. Don’t use the protocol in the beginning (if you need this, store protocol in a extra table column)

At the moment some one has clicked the link our redirect script is executed (don’t forget the PHP tags and the building a database connection):

if (empty($_GET['url'])) {
	$url = 'http://www.yoursite.com/';
} else {
	if (get_magic_quotes_gpc()) $_GET['url'] = stripslashes($_GET['url']);
	$gURL = mysql_real_escape_string($_GET['url']);
	$result = mysql_query("SELECT ident FROM links WHERE ident = '".$gURL."'");
	if (mysql_num_rows($result) == 1) {
                $url = 'http://'.$gURL;
		$id = mysql_result($result, 0, 'ident');
		$IP = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
		$time_diff = 3600*24*14; // count ones in 14 days
		$sql = sprintf("SELECT COUNT(*) AS testval FROM clicks WHERE ip_adr = '%s' AND click_time+%d > NOW() AND site_id = %d", $IP, $time_diff, $id);
		$res = mysql_query($sql) or die(mysql_error());
		$test = mysql_result($res, 0, 'testval');
		if ($tell == 0) {
			mysql_query(sprintf("INSERT INTO clicks SET ip_adr = '%s', site_id = %d", $IP, $gURL));
		}
	} else {
		$url = 'http://www.yoursite.com/';
	}
}
header('Location: '.$url);
exit;

First we test if the variable URL exists and check also if there is a records for that URL. I the record exists, we test if there is a click records for the user with from the collected IP address. I the result is empty we add a new click record to our database. If the link is valid the user get redirected to the URL he already clicked, otherwise the visitor gets back to the site homepage.

There are a lot of free or paid scripts with a bad click counting mechanism. Use this snippet to protect your site for click fraud! In most of the cases you need only to add the click database table and you need to modify the SQL data for the links. That’s all!Similar Posts:

• Limit the number of downloads per client
• More advanced features in phpMyAdmin
• Some nice Google Adsense updates

I think the best WordPress Plugin is Akismet, without this useful tool every WP blog owner need to review all comments to select the good comments. There is a lot of work to do for this weblog, more then 100 “spammy” comments a day, and strange enough most of them are coming via the same IP addresses.

Thanks Akismet, you’re doing a really good job!

Ok, next action was to block these IP addresses via .htaccess, but this doesn’t work for me. I guess the reason is that most of the spam is send via the trackback URL and it looks like that .htaccess will not work (at least on the server where this blog is hosted, regular access blocking via .htaccess works fine). Maybe these spammer connect the trackback URL via a proxy?

I didn’t like that some comments from our blog readers become trashed because of the big amount of spam on the internet, so I checked once a week >1000 spam messages. But enough is enough, there is a way to block this guys which posting spam via the trackback URL without disabling this important feature. Just add this code to your wp-config.php file:

$blocked_ips = array("82.146.53.67", "72.232.173.170", "209.200.238.182", "64.111.117.7", "67.159.5.246", "82.146.53.67");
if (in_array($_SERVER['REMOTE_ADDR'], $blocked_ips)) {
header('HTTP/1.0 404 Not Found');
exit;
}

The array $blocked_ips is the “container” of all IP addresses where spam was caught by Akismet or a not recognized comment has reached your Inbox. After every repeating spam attack from one IP address you should at the IP address to this array.

Very useful for people with several weblogs is to host one file which holds all IP addresses from the spam posts from all your blog(s). Just replace the array declaration with this code:


$blocked_ips = array_map('rtrim', file('http://your.host.com/all_ip_addresses.txt'));
// changed the regular file command to remove the line ends from the array


Of course this is very time intensive but very effective, btw. the owner of each IP address is also blocked to access your website. I found this list of IP addresses from WordPress Spammers and have also a look on this project.Similar Posts:

• E-mail links, protective solutions against SPAM
• New Support forum for finalwebsites.com
• How-to choose a WordPress Hosting Provider