A chisel-end hammer, cracked, near smashed to pieces by Anti-Hammer, in semi-transparent greyscale.Setup

This page will (hopefully!) tell you everything you need to know to setup Anti-Hammer protection on your web site. It's usually straightforward.

If you need help with any aspect of the seup, I am an email away.

Quick-Start Guide:


If you have a question, feel free to leave a comment, below. I don't expect it to get too busy; Anti-Hammer usually just works. If you think you have found a bug, please mail me about it, with full details, preferably attaching your script to thte mail. Thanks!

Welcome to the comments facility!

previous comments (four pages)   show all comments

Voyager - 24.06.13 3:22 am


Since php_value auto_prepend_file is not an option for us, i would like to ask if this script could be turned in a function(s) and called with an available "hook" that most php applications have.


I have no idea what you mean by 'hooks' (php has similar things, which you may be referring to) but sure, I'm happy to do any custom work on Anti-Hammer.

Just get in touch. ;o)

Voyager - 24.06.13 11:00 pm

Tried to run this as include in my index.php.

No errors but the blocking doesn't work well. Blocks right away in some pages (login or register for example).

That won't work.

Assuming you say you cannot run Anti-Hammer as a auto_prepend (why? you didn't say),. you could try assigning a specific file extension to files you want to run with Apache as a module, something like (in .htaccess)..

AddType application/x-httpd-php .phpx
AddType php-cgi .php

Or override regular php files in a specific directory..

AddType application/x-httpd-php .php


Voyager - 25.06.13 6:18 am

>Assuming you say you cannot run Anti-Hammer as a >auto_prepend (why? you didn't say),. you could try assigning >a specific file extension to files you want to run with >Apache as a module, something like (in .htaccess)..

>AddType application/x-httpd-php .phpx
>AddType php-cgi .php

>Or override regular php files in a specific directory..

>AddType application/x-httpd-php .php

My hoster doesnt allow it (HostGator).

I don't understand the two alternatives you say ? Could you explain a bit more ?

This reply intentionally blank! ;o)

tomato - 09.08.13 2:19 pm

Hi! thanks for your script... I installed it and uses php.ini

; Automatically add files before any PHP document.
auto_prepend_file =

When I tested it with my ELGG open source software based site ... when I go to mysitenameur.com (site mentioned here is not the real site name) and hit <5> the anti-hammer workssmiley for :lol: however when I navigate to other pages on the site like.... mysitenameur.com/blog/all the anti-hammer does not work.smiley for :blank:

When I came to your site and tried your extension-less url, https://corz.org/serv/tools/anti-hammer/ and hit refresh several times, the anti hammer seams to work... any how to use anti-hammer with extension-less urls or files?


Mine isn't an extensionless URL, it's just a standard directory URL. Apache automatically serves index.php (or whatever is the default).

It sounds like you have more .htaccess files inside /blog/, overriding your main .htaccess. You may want to add the anti-hammer command to that file, too.


Jim S. Smith - 22.08.13 6:17 am


Finally, I find a site with some useful scripts and great, easy-to-understand .htaccess info.

I find this especially useful in that I have my own site and domain for it. I do all of my own "webmastering", and this makes my "headaches" in web-administration a whole lot simpler!smiley for :D

After viewing the source of your Anti-Hammer code (which, by the way, is very useful and ingenious), I was thinking of integrating it with my own web-stats module I have written. I have created a PHP module for the purpose of identifying and logging unique hits to include for each website page on each day. I believe Anti-Hammer may go very well with it in that this will also allow me to better-control what legitimate hit-stats get recorded and counted.

I may also look at integrating it with my own guestbook script so as to attempt to block some of the spamming that has been going on. It is such a big shame that spamming activity has been picking up a lot over the last six months!

Great job on a very informative and useful website!smiley for :D

I will be sure to check back more often (hopefully we will not be having too many problems visiting, since I always use a privacy proxy, especially in light of today's "political atmosphere"! smiley for :eek: )

I also really liked your idea and implementation of a very creative way in controlling "hot-linking". Very good idea to use such attempts to actually promote your site!smiley for :idea: I am getting ready to set up a web-store, and THIS idea would go great with it!

- BRAVO! smiley for :Dsmiley for :Dsmiley for :D

- Jim S.

Jim S. Smith - 29.08.13 5:07 am

Just an update from one of the users of your Anti-Hammer:

It works great!!!

However, it took me a bit of conversation with one of the tech-support folks to find out that I needed to use the php.ini-directive to run Anti-Hammer, and NOT from the .htaccess file. This being because my hosting provider's server(s) do not have that version of mod_rewrite installed which would work with setting PHP environment variables from the .htaccess file.

So, I had to create a custom php.ini file for my site in order to use A-H. However, it is looking good! My hosting provider uses an "suPHP" subsystem, BTW.

I hope this little bit of "techie" wisdom will help some of those who are in the same predicament as I was! ;-)

I have also decided to alter where the "Hammer_ID" files and the "Counter" file are to be stored. I NEVER liked storing temporary and data files in the same folder or folder-tree as my executables!

Also, because the MD5 hashing algorithm has been compromised (IE: due to its limited 128-bit hash - it IS possible to have more than one input value produce the same hash) as was demonstrated in one of the advanced tech forums, I changed the code to use the SHA1 hashing algorithm. This gives a 160-bit hash signature, which means fewer possible "clashes" - IE: more likelihood of only ONE set of input data to result in ONE hash signature.


Great coding and great idea! I love it!

- Jim S.

There is an updated version which has improved documentation, amongst many other things - I'm still in two minds whether or not to release it as some kind of payware, because it's just so good! (the product of much thought and effort, of course!) - which covers the SuExec business.

Thanks for the thoughtful input! Of course you are free to alter any prefs, that's why they are there! The defaults are simply intended to make for easier installation. The new version uses a completely different structure, anyway. Besides, storing data files inside your web root is fine, so long as your permissions are setup correctly. SuExec systems are great, but never forget that now all your files are writable by the server process, not just ones we specify!

By the way, SHA1 is overkill in this situation. MD5 is simply used as a handy way to store the signature of a bunch of concatenated data, a sort of container. If you think about it, collisions would actually be a good thing. CRC16 would provide better protection!


tom - 16.09.13 12:43 am

Hi! Thanks for your input... I was able to make a plugin from your application for Elgg Software and the plugin.

If you have time you can check it at...


Where can I find "an updated version which has improved documentation, amongst many other things" ?

Let me know if you have any question.


My question is, why is there no mention of me anywhere except deep inside the package? And why has the license been removed? And why is there no valid link back to corz.org on the page? And you changed the name. Really? Disappointing stuff.

Next version, payware.


tom - 16.09.13 1:17 pm

Hi, while finishing the plugin, i run into an emergency and did not finish everything the way it was supposed to be...

On the Valid Link back to corz.org, Last time I made a plugin and then left a link to an .org website, I realized that Elgg does not allow plugin developers to have back links on the html pages. Some plugin developers were embedding back links to infected sites... So, due to those reasons they decided to stop all plugin developers from embedding back links to their personal sites or any external site except Elgg plugin Download locations

On the plugin download page, I just edited the page and I have give the credit where credit is due!

Your work can change the world... And yes it has already changed the world.

Harry Betlem - 23.11.13 2:53 pm

Dear Cor, (sounds Duitch to me

I'm trying to get it running on my localhost, it isn't working.
What changes should be made?

Y.T. Harry Betlem

Unless you are specific about the error you are getting, I have no idea!
Check your logs! ;o)

Angela - 08.12.13 7:09 pm

Hi Cor,

I read here, under the "Now with Referer Spam and h4x0r Protection!"section, that we can immediately ban baddies, but I don't see anything about how to turn that on, either here or in the code. Am I just missing it? If not, could you please post how to go about adding that feature?

BTW, this is a great script. I love using it on my server. When will you be releasing the new version you mentioned above?

Thank you!

Ah yes!

Apologies! This page is a bit of a pre-empt, it escaped prior to my major site update (coming up in the next few days!). The page is unfinished, but Anti-Hammer Pro is working great. Everything here at the org has been updated and upgraded, so it's a big job!

Anti-Hammer Pro will be available /soon/.

If you urgently need a copy meantime, mail me.

for now..


Ian - 24.10.19 4:03 am

My black-list.txt gets 100% false positive, despite level 3 checking accuracy. It would be better if all listed links are initially commented out then leave it upto me if I want to approve any of them.

First, confirm that you are human by entering the code you see..

(if you find the code difficult to decipher, click it for a new one!)

Enter the 5-digit code this text sounds like :

lower-case vee, Upper-Case Why, f-hive, lower-case ee, Upper-Case Gee


Welcome to corz.org!

I'm always messing around with the back-end.. See a bug? Wait a minute and try again. Still see a bug? Mail Me!