Development: Using Caddy to deter brute force attacks in WordPress

@francislavoie If you’re happy with the revised update, I’ll update the issue on the WP doc tracker.

Thanks for persevering with me in nutting out something for handling no referrer requests. On reflection, it’s just so important to test out code and not make any assumptions about its validity. I’ve been burnt :fire:

A couple of points to wrap up…

You’re killing me! :grin:

I actually think the code you’ve designed is quite useful. Unless the bot injects the host into Referrer, the code seems like it will do a pretty good job of rejecting comment and login spam. :face_with_monocle:

In my travels around the web while trying to get my head around this issue, I stumbled on the following GitHub repo: Stevie-Ray/referrer-spam-blocker (Apache, Nginx, IIS, uWSGI, Caddy & Varnish blacklist + Google Analytics segments to prevent referrer spam traffic 🤖). Interestingly, the spam db was updated just over a week ago. Curiously, the Caddy component is only applicable to V1.

The reason I brought this up was that I wanted to understand the two very different approaches. The spam blocker seems like it would require a lot of work just to try to keep the spam db up to date. Wouldn’t the Caddy code developed here achieve the same result without having to maintain a spam db?

Sure… just saying that people who are writing bots, that have more than two brain cells, will not be deterred by this.

That’s… actually insane. The performance cost from adding that to your config is not worth it. The amount of comparison checks your server would need to do on every request is not worth it. “Throwing out the baby with the bathwater” comes to mind.

I think it has a different purpose though. Trying to block requests that came from users being linked to your site from those domains or something. The thing we have above is specifically blocking bots from hammering login/comment forms.
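For readers landing on this part of the thread without the earlier posts, here is an added Caddyfile (v2) that illustrates the approach being discussed; it is not the config the participants worked out above and it is not part of the referrer-spam-blocker project. It assumes a WordPress site served as example.com with PHP-FPM on a Unix socket; both are placeholders.

```caddyfile
# Added example, not the config from the thread. example.com and the PHP-FPM
# socket path are assumptions; adjust both for a real deployment.
example.com {
	root * /var/www/wordpress
	encode gzip

	# A POST to the login or comment endpoint whose Referer does not name
	# this site (direct hits, and most unsophisticated bots) is rejected
	# before it ever reaches PHP. The cost per request is small: two path
	# compares, one method compare and one header compare. A missing
	# Referer header makes the `header` matcher fail, so `not` matches.
	@form_post_without_referer {
		path /wp-login.php /wp-comments-post.php
		method POST
		not header Referer *example.com*
	}
	respond @form_post_without_referer "Forbidden" 403

	php_fastcgi unix//run/php/php-fpm.sock
	file_server
}
```

Two caveats worth keeping in mind when deploying something like this. First, it is exactly as weak as the thread says: any bot that sets `Referer: https://example.com/wp-login.php` sails through, so treat it as noise reduction, not as authentication hardening, and keep rate limiting or fail2ban-style controls in front of wp-login.php. Second, it will also deny legitimate clients that send no Referer, such as browsers honouring a `Referrer-Policy: no-referrer` page policy or privacy extensions that strip the header, which is the no-referrer case the thread had to work through; if that matters for your users, log the rejections for a while before turning on the 403.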

Idk, to me that just looks stupid and I’d rather ignore it :stuck_out_tongue:

