Php mail script being activated by bots

increase · January 7, 2025, 11:52pm

I have two php scripts which send out mail to a group and are executed by site admin from a password ptotecetd menu, but the scripts keeps getting activated by bots scarping the site.

I have tried to set a robots.txt file in the domain root as follows

User-agent: *
Disallow: /Monibot/ # This is an infinite virtual URL space
Disallow: /.index_cron.php
Disallow: /de/component/customfilters/
BrowserMatchNoCase "Monibot" bots

Order Allow,Deny
Allow from ALL
Deny from env=bots
User-agent: *
Disallow: /

The robots.txt has no effect,
Next I set the two php scripts permission to 600 with no effect.
What I want to do is turn off the whole domain to bots can anyone suggest how to do this effectively.

phdr · January 8, 2025, 12:01am

You should be using a post method form when performing an action on the server and the code on each page must enforce user authentication and query to get the current user’s permissions/role to control what the user can do and see on that page.

increase · January 8, 2025, 1:23pm

I am not using a form it is a mail send, my host suggested this
What about moving that file completely out of your public_html folder? Then it’ll be completely separate and won’t be scrapable.

But how can I access the php outside of the public_html folder?

PCHome · October 31, 2025, 9:24pm

I have two folders on my sites that are outside any of the domains, yet are accessible to them. One is an Alias in which I keep code common to all the sites and can be accessed as part of the domain, ie https://domainname1.com/common/ or https://domainname2.com/common/ even though it does not actually reside there while the other, which is similar, is not set up as an Alias yet is also available to the sites. This is where MySQL login and other details are kept. These are in public_html but are outside any domains which are in their own folders within public_html.

PCHome · October 31, 2025, 9:27pm

At appears that something was inserted into my code “is for sale | HugeDomains” that I did not put there and which is not visible when I edit it.

PCHome · November 1, 2025, 1:44am

Thank you for fixing that. What happened to cause it and why did it not show when I opened it again in the editor?

phdr · November 1, 2025, 2:26am

When the forum software displays posts, it attempts to parse (some) markup in the post. In this case, it is attempting to produce a link to domainname2.com, which is parked at HugeDomains, and the textual/display part of the <a href='...'>...</a> tag it produced is what it got from the page <title> at that URL. To cause the forum software to display in-line markup it can parse, as is, you must surround it in single back-ticks.

PCHome · November 1, 2025, 7:12pm

Thank you for the explanation. As there is a facility in the posting editor specifically for links, it’s odd that it tries to do so on its own. Never occurred to me to make a domain into an inline comment but I will do so moving forward. Again, thank you for fixing it.