I’m using a self-hosted installation of PHPList to manage a newsletter.
Subscribers can be added via a POST to this URL:
https://www.[WEBSITE]/lists/?p=subscribe
It’s presently overrun by bots.
I added this to .htaccess to block this URL
RewriteEngine On
RewriteCond %{QUERY_STRING} ^p=subscribe$ [NC]
RewriteRule ^ - [F]
Now, if you visit the subscription page above it will give a 403 error.
But, you can still add subscribers by using a POST to this URL.
How can I actually block folks from using this URL to subscribe?
Do you have any access logs on the server? Or can you enable them? Examine your logs and see what the bots are accessing, then block that?