How to remove Facebook’s fbclid parameter using mod_rewrite on Apache 2.4

I was unaware that Facebook recently had started to add a unique click identifier to all outbound links on facebook.com. Coincidentally, one of the security measures of this server is to disallow query strings as part of the URL. Thus, any visitors coming over from Facebook were suddenly blocked and banned on sight.

I receive no traffic to speak of from Facebook so I don’t consider banning Facebook users as much of an offense, but hey it’s the season to be jolly. Let’s forget about this particular server’s security policies for a moment and look at how we could use Apache’s mod_rewrite module to stop Facebook from defiling our URLs.

Eliminating fbclid from a URL

Let’s pretend I have a backlink on facebook.com containing the following query string:/?foo=bar&fbclid=FaceSp00k&bar=foo.

What I’d like to accomplish is to eliminate the fbclid parameter and value from the URL while keeping the other parameters intact, and redirect visitors coming from Facebook to the “new” URL.

Facebook click identifier
Stripping Facebook’s fbclid parameter and value from the URL with mod_rewrite.

With mod_rewrite, we can manipulate the query string and remove any occurrence of fbclid=whatever while preserving the remaining parameters. The following rewrite rule does exactly that:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteCond %{QUERY_STRING} ^(.*)(?:^|&)fbclid=(?:[^&]*)((?:&|$).*)$ [NC]
  RewriteCond %1%2 (^|&)([^&].*|$)
  RewriteRule ^(.*) /$1?%2 [R=301,L]
</IfModule>

Additional query string examples are available from wiki.apache.org.

This approach is a bit of an overkill as I believe the fbclid parameter will always be the last parameter of the query string, but at least it’s flexible. It’s also somewhat hard to read with its non-capturing groups, so here is a a quick rundown of the processing:

1) RewriteCond %{QUERY_STRING} ^(.*)(?:^|&)fbclid=(?:[^&]*)((?:&|$).*)$ [NC]
# Matches fbclid=anything and captures the remaining parameters in backreferences (%1%2)

2) RewriteCond %1%2 (^|&)([^&].*|$)
# Captures any leading '&' char and the remainder of the string in backreferences (%1%2)

3) RewriteRule ^(.*) /$1?%2 [R=301,L]
# Redirects to the requested path ($1) and appends the query string (%2)

Please note that the above configuration uses the default WordPress .htaccess file. The rewrite rule must be placed before the WordPress rewrite rules (# BEGIN WordPress … # END WordPress).

Addendum

The following section is only relevant if you’re explicitly validating the HTTP request line and need to allow inbound traffic from Facebook before running the query string manipulation.

<IfModule mod_rewrite.c>
  RewriteCond %{THE_REQUEST} !^(GET|HEAD)\ (/|/[a-zA-Z0-9/\-_#]+)(\.jpe?g|\.gif|\.png|\.woff2?|\.ttf|\.xml(\.gz)?|\.xsl|\.ico|\.css|\.txt|\.html(\.gz)?|\?fbclid=[a-zA-Z0-9\-_]+|\.well-known[a-zA-Z0-9/\-_]+(\.txt)?)?\ HTTP/(1\.1|2\.0)$  
  RewriteCond %{REMOTE_HOST} !^127\.0\.0\.1$
  RewriteCond %{REMOTE_HOST} !^1\.2\.3\.4$
  RewriteRule ^(.*)$ - [L,R=403]
</IfModule>

Conclusion

Happy holidays!

#deleteyourfacebook
#richardstallmanwasright

Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed or check out the human-readable sitemap for more content.

Related posts