i contacted my Script Author and he told me

You have to make sure through htaccess that your website using "your domain" instead of scraper domain.

The link I give you in the last post will solve your problem.

Thanks,

so this is the code that he gave me to add in htaccess file

1:

#Force www:
RewriteCond %{HTTP_HOST} ^example.com [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [L,R=301,NC]
2:

#Force non-www:
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [L,R=301]

this issue was that google analytic gave me Redundant Hostname error. "property mydomain.com is recieving data from redundant hostname. some of hostnames are... fakedomain.com

those are hostname canonicalization redirect directives.
both of those rulesets are problematic and you would use one or the other, but neither addresses the problem of framed or scraped content

so my developer is simply escaping from me by giving me other fixes lol i just don't understand why i can't block these website with my htaccess or any other code u provided...

i found a similer case on this forum

https://forums.cpanel.net/threads/can-i-stop-someone-from-displaying-my-website-on-his-domain.532661/

RewriteEngine on
RewriteCond %{SERVER_NAME} ^(www\.)?anotherdomain\.com$ [OR]
RewriteRule ^ - [F]

accept by htaccess but it is giving my access denied error on my domain as well...

past two weeks i have been trying to fix this issue and it is frustrating

it is giving my access denied error on my domain as well

Is that a copy-and-paste error, or does your last RewriteCond--the one immediately before the RewriteRule--really have an [OR] flag? For some reason this does not create a 500 error; instead the result is that the conditions always evaluate to "true" and, hence, the rule always executes. (I did not read this anywhere. I learned it by unfortunate, unintended direct personal experience. Ouch.)

ohh yeah i removed the [OR]

RewriteEngine on
RewriteCond %{SERVER_NAME} ^(www\.)?anotherdomain\.com$
RewriteRule ^ - [F]

and it worked im not getting access denied error anymore but fake site still online tho

Answer this please... If you do an edit on your page and then go to this fake site, is that site showing the same edit?

yes sir, it shows exactly the same thing... what ever i do it mirrors... if i stop my apache2 server and my website goes offline theirs too...

only difference is the URL (domain name)

So that is solid evidence your content is being framed... or some other method of importing your content in real time.

oh nooo :( thats why no matter what i do or what code i add this website never stops

Well if you successfully installed the anti-framing JavaScript and the x-frame header, then they are not framing your content.

The evidence will be in the source code on their page. As I asked earlier in the discussion, what is the wrapper around your content on their page? There will be some type of HTML tag, either an iframe, or a div, or some other tag immediately above & below your content.

i checked both source codes his and mine everything looks the same except for this code which is at the bottom

<script type="text/javascript"><!--
document.write("<a href='http://www.example.ru/click' "+
"target=_blank><img src='//counter.example.ru/hit?t12.11;r"+
escape(document.referrer)+((typeof(screen)=="undefined")?"":
";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+
";"+Math.random()+
"' alt='' title='LiveInternet: &#1087;&#1086;&#1082;&#1072;&#1079;&#1072;&#1085;&#1086; &#1095;&#1080;&#1089;&#1083;&#1086; &#1087;&#1088;&#1086;&#1089;&#1084;&#1086;&#1090;&#1088;&#1086;&#1074; &#1079;&#1072; 24"+
" &#1095;&#1072;&#1089;&#1072;, &#1087;&#1086;&#1089;&#1077;&#1090;&#1080;&#1090;&#1077;&#1083;&#1077;&#1081; &#1079;&#1072; 24 &#1095;&#1072;&#1089;&#1072; &#1080; &#1079;&#1072; &#1089;&#1077;&#1075;&#1086;&#1076;&#1085;&#1103;' "+
"border='0' width='88' height='31'><\/a>")
//--></script>

[edited by: anthonyinit_2017 at 6:36 am (utc) on Nov 4, 2017]

Please use example.com instead of the actual address of the site.

Well you need to discover how they are displaying your content.

i'am sorry. edited :)

let me focus on getting javascript and x-frame header installation

When you get the JS and header installed... clear cache, close browser, then launch a new browser to check that site and see if your defenses are working.

did some search around and found a solution for my 500 internal server error when adding x-frame header code

used this code

a2enmod rewrite headers

after

service apache2 restart

lastly

apache2ctl restart

finally htaccess file accept

Header append X-FRAME-OPTIONS "deny"

this is what it looks like in htaccess file

# Enable Rewriting
RewriteEngine on

# Custom Rules START #
Header append X-FRAME-OPTIONS "deny"
RewriteEngine on
Order Deny,Allow
Deny from all
SetEnvIfNoCase User-Agent .*ozilla/5.* good_bot
SetEnvIfNoCase User-Agent acm.* good_bot
SetEnvIfNoCase User-Agent .*acme.* good_bot
SetEnvIfNoCase User-Agent auto.* good_bot
SetEnvIfNoCase User-Agent .*auto.* good_bot
SetEnvIfNoCase User-Agent bin.* good_bot
SetEnvIfNoCase User-Agent .*bing.* good_bot
SetEnvIfNoCase User-Agent .*ncryp.* good_bot
SetEnvIfNoCase User-Agent .*oogl.* good_bot
SetEnvIfNoCase User-Agent .*omod.* good_bot
SetEnvIfNoCase User-Agent .*pane.* good_bot
SetEnvIfNoCase User-Agent .*ande.* good_bot
Allow from 66.133.109.36
Allow from env=good_bot

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www.example.co [NC]
RewriteRule ^(.*)$ http://example.co/$1 [L,R=301]

# Custom Rules END #

and this is where i paste the java script. on my header.php

</script>
<script type="text/javascript">
if (parent.frames.length > 0) {
parent.location.href = location.href;
}
</script>
<!--link href="//cdnjs.example.com/ajax/libs/pace/0.6.0/themes/red/pace-theme-flash.css" rel="stylesheet"//-->
<link href="<?php echo $siteurl; ?>result_files/a.css" rel="stylesheet">
<?php $li_page = false;?>
<!--[if lt IE 9]>
<script src="http://html5shiv.example.com/svn/trunk/html5.js"></script>
<script src="//cdnjs.example.com/ajax/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="apple-touch-icon" sizes="57x57" href="<?php echo $siteurl; ?>images/apple-touch-icon-57x57.png">
<link rel="apple-touch-icon" sizes="114x114" href="<?php echo $siteurl; ?>images/apple-touch-icon-114x114.png">
<link rel="icon" type="image/png" href="<?php echo $siteurl; ?>images/favicon-192x192.png" sizes="192x192">
<link rel="icon" type="image/png" href="<?php echo $siteurl; ?>images/favicon-160x160.png" sizes="160x160">
<meta name="msapplication-TileColor" content="#da532c">
<meta name="msapplication-TileImage" content="<?php echo $siteurl; ?>/images/mstile-144x144.png">
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.example.com/gtag/js?id=UA-104239767-1"></script>
<script>
 window.dataLayer = window.dataLayer || [];
 function gtag(){dataLayer.push(arguments);}
 gtag('js', new Date());

 gtag('config', 'UA-104239767-1');
</script>

</head>
<body>

Good job. Hopefully that will do it.

Thank you sir,
i even managed to add this to my apache2.conf without apache server crash!

Header always append X-Frame-Options SAMEORIGIN

# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>

<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Header always append X-Frame-Options SAMEORIGIN
#<Directory /srv/>
#Options Indexes FollowSymLinks
#AllowOverride None
#Require all granted
#</Directory>

everything installed correctly but still the fake website working... any idea what is going on?

Well, as I stated earlier, the header filed and that JS are good measure to have regardless.

When last looking at the fake website, did you try using a new browser, clearing cache first?

The fake website may be using another means of importing your content. I mentioned blocking RSS FeedFetchers by User Agent, which is a good thing to do unless you publish RSS feeds and want those bots coming by and scraping your content.

However, there are other ways your content could be imported to their page. There are hundreds of bots that scrape content. You need to investigate this until you find the answer. There's only so much advice a 3rd party person can do for you. I'm just guessing here, mentioning the most common methods for hijacking content.

Also, you could contact the offending site's upstream provider and serve a Cease and Desist notification. Do a web search to see how this is done and the standard format of the notice.

I recommend being diligent and seeing this all the way through. Don't give up. This may have an adverse & lasting affect on your site's indexing.

Do let us know how this turns out. Sorry I wasn't more helpful.

you have helped me a lot i took all your advice and i thank you so much for that... why i mentioned why is the fake site still on so that we could guess for another solution...

i will never give up i'am going to stop this somehow and this is going to be a good lesson for me.

so my next step is to fight for "RSS Feed Fetcher"

I've just looked back over this thread. Do you currently have a domain-name-canonicalization redirect? All I can find is the one with a positive Condition, and you need a negative Condition. It should look like this, assuming your domain name is www.example.com:

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule (.*) http://www.example.com/$1 [R=301,L]

"If the host is anything other than this-exact-form, then redirect to this-exact-form”. (If your site is https, there would be two Conditions, but for now we are only thinking about the hostname.)

There are several reasons for such a rule. The most basic reason is to force www--or to force not-www, depending on your preference. But another reason is to prevent others from pointing their DNS at your server, so they can’t serve up your content under their own domain name. This can happen either by accident or by design, and fortunately it is easy to stop it. I just can't find anywhere in the present thread where this approach is being stopped.

When i enter my domain name it comes like http://example.com (no-www)

in WMT i have setup my Preferred domain to the same way (no-www)

few weeks back i got a message in google analytics about Redundant Hostname error. "property mydomain.com is receiving data from redundant hostname. some of hostnames are... http:// fakedomain1.com , http:/ // www.fakedomain1.com

so what i did was apply only this code

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteRule (.*) http://www.example.com/$1 [R=301,L]

after few hrs time the error got resolved. and until now it is resolved even i try to click recheck and it came up resolved.

Try this test...

Go to: [centralops.net...] and run a look-up on this fake site (using the real domain name.) Record the IP address. This will be the actual server location, not the Cloudfare service.

Then do the same for your domain. Compare the IP addresses.

If they are the same, then both sites are your own server, but with a DNS discrepancy.

If they are different, try blocking the one that isn't yours.

so what i did was apply only this code

OK, good. That's one hole plugged, at least.

did a test here [centralops.net...] i'm seeing 2 IPs for that domain both are belongs to cloudflare... no other IPs showing even i checked my domain and it showing my cloudflare IPs not my real server IP.

i try to block fakedomain.com cloudflare IPs with htaccess file but nothing happens

You're also using Cloudfare?

Don't you think that might have been an important info point to mention? Telling us that could have saved a lot of time & effort.

Since both you and this fake site use Cloudfare, this is likely just a cross-domain error at Cloudfare's DNS routing.

Contat them and work it out. Keep at it until they fix it. Good luck.

i recently changed to cloudflare before i used my hosting providers DNS. this fake site issue was there before i changed to cloudflare.

update:
I moved my site to another server with a different IP. all fake site are now offline. so what advice i can get what you all think?

“Never attribute to malice that which can be adequately explained by stupidity.”

framing disallowed: check
hostname redirected: check
Cloudflare sorted out: check (?)

Honestly, unless you've got a phenomenally attractive site that malign operators are falling all over themselves to steal, you can now sit back and breathe easy.

OK I'm sorry but none of you guys are addressing the problem.

The problem is you can reach the site by typing in his IP address as well as the domain name and whilst that remains the case he is always susceptible to hijacking.

Banning IP ranges isn't going to stop a Proxy Network faking the site and if both the hijack site and the OP's site are both using Cloudflare you could end up in a right mess within the CDN network.

And changing your ip, well thats just going to delay things........

Simple php script to include in the header of your site that will make the whole problem go away

<?php 

$servername = $_SERVER['SERVER_NAME'];

if($servername == 'yourdomain.com'){

} elseif ( $servername == 'www.yourdomain.com'){

}else{
 die("Direct ip access not allowed!");
}
?>