
How do I allow only Google and Yandex to reach a PHP site and block direct access?

Restricting PHP Site Access to Only Google & Yandex Referrals

Got it, let's break down how to solve this. You want to block direct traffic and only let visitors in if they come from Google or Yandex—this is totally manageable with PHP, though there are a few important caveats to keep in mind first.

Core Idea: Check the HTTP Referrer

The main approach here is to look at the HTTP_REFERER header sent by the visitor's browser. This header tells you where the user came from. A quick heads-up though: this header isn't 100% foolproof—some browsers or privacy tools might strip it out, and technically it can be spoofed. That said, it works great for filtering most regular direct traffic.

Step-by-Step PHP Implementation

Here's a practical code snippet you can add at the top of your PHP pages (or in a global include file like header.php so it applies site-wide):

<?php
// List of allowed Google/Yandex domains (add regional ones as needed for your audience)
$allowedReferrers = [
    'google.com',
    'google.co.uk',
    'google.de',
    'google.fr',
    'yandex.ru',
    'yandex.com',
    'yandex.ua',
    'yandex.kz'
];

// Get the incoming referrer (default to empty if the header isn't set)
$referrer = $_SERVER['HTTP_REFERER'] ?? '';

$isAllowed = false;

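// Compare the referrer's host (not the whole URL) against the allowed domains,
// so a domain name in the path or query string does not count as a match
$host = strtolower((string) parse_url($referrer, PHP_URL_HOST));
if ($host !== '') {
    foreach ($allowedReferrers as $domain) {
        // Accept the domain itself or any subdomain of it (e.g. www.google.com)
        if ($host === $domain || substr($host, -strlen($domain) - 1) === '.' . $domain) {
            $isAllowed = true;
            break;
        }
    }
}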

// Block access if not coming from an allowed source
if (!$isAllowed) {
    // Send a 403 Forbidden HTTP response
    http_response_code(403);
    ?>
    <!DOCTYPE html>
    <html>
    <head><title>Access Denied</title></head>
    <body>
        <h2>Access Forbidden</h2>
        <p>You can only access this site through Google or Yandex search results.</p>
    </body>
    </html>
    <?php
    exit; // Stop executing the rest of the page content
}

// If we reach here, access is allowed—proceed with your normal page code
?>

Key Notes to Consider

  • Add Regional Domains: Google and Yandex have tons of regional domains (like google.co.in for India, yandex.by for Belarus). Make sure to add all the ones relevant to your target audience to avoid blocking legitimate traffic.
  • Case Insensitivity: The code uses strtolower() to make the check case-insensitive, since referrers might come in mixed case (e.g., Google.com vs google.com).
  • Alternative Actions: Instead of showing a 403 page, you could redirect users to a Google search for your site by sending a Location header with header() in place of the 403 response.
  • Limitations: Remember, this won't stop determined users who spoof the referrer. If you need stricter control, you'd have to look into more advanced methods like tracking search parameters in sessions, but that's significantly more complex.

Testing the Setup

To make sure it works as expected:

  1. Try visiting your site directly (you should see the 403 access denied page).
  2. Search for your site on Google/Yandex and click the result—you should be able to access the page normally.
  3. Use your browser's dev tools to modify the Referer header to an allowed domain and test access.
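
A substring test on the whole Referer URL and a host-based test give different answers on lookalike values. The script below is an added example, not part of the original answer; it runs both checks over constructed referrer strings, and the function names and sample URLs are assumptions made for illustration.

```php
<?php
// Added example: compares two ways of checking a Referer value.
// All referrer strings below are constructed test inputs.

$allowed = ['google.com', 'yandex.ru'];

// Substring test on the whole URL (hypothetical helper)
function matchesSubstring(string $referrer, array $allowed): bool
{
    foreach ($allowed as $domain) {
        if (stripos($referrer, $domain) !== false) {
            return true;
        }
    }
    return false;
}

// Host-based test (hypothetical helper): parse the URL, then require the
// host to be an allowed domain or a subdomain of one
function matchesHost(string $referrer, array $allowed): bool
{
    $host = strtolower((string) parse_url($referrer, PHP_URL_HOST));
    if ($host === '') {
        return false; // missing, malformed, or host-less referrer
    }
    foreach ($allowed as $domain) {
        if ($host === $domain || substr($host, -strlen($domain) - 1) === '.' . $domain) {
            return true;
        }
    }
    return false;
}

$samples = [
    'https://www.google.com/search?q=example',    // real search host
    'https://YANDEX.ru/search/?text=example',     // mixed-case host
    'https://other.example/page?from=google.com', // domain only in the query
    'https://google.com.other.example/',          // domain used as a prefix label
    'https://notgoogle.com/',                     // domain as a suffix of another name
    '',                                           // direct visit, no header
];

foreach ($samples as $referrer) {
    printf(
        "%-45s substring=%-5s host=%s\n",
        $referrer === '' ? '(no referrer)' : $referrer,
        var_export(matchesSubstring($referrer, $allowed), true),
        var_export(matchesHost($referrer, $allowed), true)
    );
}
```

Neither function can tell a real search click from a client that sets the header itself, which is the limitation noted under Key Notes.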

The question in this content comes from Stack Exchange; question author: KameliaUK
