256 Kilobytes

Preventing Hotlinking with .htaccess

Articles in Server-Side | By Hash Brown


Hotlinking can be bad. It can choke your website, use all your resources and even cost you $100s in bandwidth charges. You should stop hotlinking with .htaccess.


It's fairly common for people to steal images on the internet. Sometimes that's fine, you don't care, you might never even find out.

On the other hand, these people will not even have the decency to host the content on their own server. They will just use the image in the location you uploaded it, using your bandwidth and possibly slowing down your website.

This is what we call hotlinking. Every time these images are loaded they come directly from your server, which is not good for you.

But we can stop it, using .htaccess!

What is hotlinking?

Hotlinking is when you take the URL of a file or resource from one website and then use it on another website, loading the file externally from the website you're publishing it on.

For example, when you upload an image on imgur.com and then use it on a high level forum for highly educated men, you're loading the image file from Imgur. This is hotlinking.

How to stop hotlinking with .htaccess

If you just want the finished code with no explanation, here you go.

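RewriteEngine on
# Let requests with a blank referrer through
RewriteCond %{HTTP_REFERER} !^$
# Allowed referring domains; the host name must end right after ".com"
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YOURDOMAIN\.com([/:]|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com([/:]|$) [NC]
# Everything else asking for these file types gets the replacement image
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ http://domain.com/redirect.jpg [NC,R,L]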

For everyone else, follow along.

Step 1: Create a .htaccess file

A .htaccess file is a dotfile, a text-based config file of the kind used on Unix systems. In our case, .htaccess lets us enable or disable settings for features in Apache. Here we are going to disable access to files based on where they are being loaded from.

When creating a .htaccess keep in mind that it doesn't have a file extension.

Step 2: Open the .htaccess file

Using a text editor like Notepad++ or a code editor, we can do the magic we need to do. Paste in the block of code above, and we will talk about what each line does.

RewriteEngine on

The first line turns on RewriteEngine, which makes sure that mod_rewrite is enabled in Apache.

mod_rewrite allows us to modify URLs on the fly. This can be used to redirect users or block access entirely.

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YOURDOMAIN\.com([/:]|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com([/:]|$) [NC]

The next 3 lines of code are essentially a whitelist of referring domains that we allow content to be used on.

The first line lets requests with a blank referrer through. This is good for users who are viewing the web behind a firewall.

The next line is for your domain. It's important that you replace YOURDOMAIN.com with your real world domain here.

Finally, we are allowing Google to hotlink. This is used in Google Images search results. This can send a little traffic to your website, so it's good to allow.

If you don't want to allow blank referrers to see your content or Google to hotlink in image results, just delete the lines.

You can also add more lines for things like RSS feeds or other websites that you work closely with (multilanguage websites for example).

If you're also using AMP, you're going to need to add a line for this.

RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ http://domain.com/redirect.jpg [NC,R,L]

Finally, we have the RewriteRule. This is split into 2 parts: the first is a list of file extensions that the redirect will activate for, and the second is the image that will load instead of the requested file.

You should probably review the file extensions listed and edit them to suit. Simply remove them or add more, separating them with "|".

The redirect.jpg image should be in a location that allows hotlinking. This could be on a subdomain or external (nothing stopping you from using imgur.com or something).
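As an added example (not part of the original article), the Python sketch below mimics how the three RewriteCond lines and the RewriteRule decide a request, so an allowlist can be checked against test Referer values before upload. It compares a prefix-only domain pattern with one that ends the host name at "/", ":" or end of string; example.com stands in for YOURDOMAIN.com and all test requests are constructed.

```python
import re

# Extensions protected by the RewriteRule in the article.
PROTECTED = re.compile(
    r"\.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$", re.I)

def allow_pattern(domain, anchored):
    """Build a RewriteCond-style Referer pattern for one allowed domain."""
    tail = r"([/:]|$)" if anchored else ""
    return re.compile(r"^http(s)?://(www\.)?" + re.escape(domain) + tail, re.I)

def decide(referer, path, allowed, anchored=True):
    """Mimic the rule set: return 'serve' or 'redirect' for one request."""
    if not PROTECTED.search(path):
        return "serve"      # RewriteRule pattern does not match this file type
    if referer == "":
        return "serve"      # the !^$ condition is false, so the rule is skipped
    for domain in allowed:
        if allow_pattern(domain, anchored).search(referer):
            return "serve"  # an allowlist condition is false, rule skipped
    return "redirect"       # every condition held: client gets redirect.jpg

# Assumption: example.com stands in for YOURDOMAIN.com.
ALLOWED = ["example.com", "google.com"]

# Constructed test requests: (Referer header, requested path)
CASES = [
    ("", "/img/cat.jpg"),
    ("https://www.example.com/post/1", "/img/cat.jpg"),
    ("https://www.google.com/", "/img/cat.PNG"),
    ("https://forum.test/thread/9", "/img/cat.jpg"),
    ("https://forum.test/thread/9", "/about.html"),
    ("https://example.com.forum.test/", "/img/cat.jpg"),
]

def run(anchored):
    """Decisions for every constructed case with one pattern style."""
    return [decide(ref, path, ALLOWED, anchored) for ref, path in CASES]

if __name__ == "__main__":
    for (ref, path), loose, strict in zip(CASES, run(False), run(True)):
        print(f"{ref or '(blank)':34} {path:13} prefix={loose:9} anchored={strict}")
```

With the prefix-only pattern the last request, whose Referer host merely begins with the allowed domain, is served; with the end-anchored pattern it is redirected.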

Step 3: Upload with FTP

I won't tell you how to do this, you should know if you got this far.

Upload your .htaccess file to the root of your domain.

Hotlinking FAQ

Why is hotlinking bad?

It's not bad all the time. Imgur and many other image platforms allow users to hotlink, and it's how they make money in some weird way.

You may want to stop it if your content is being hotlinked and it's using your server resources, if your content is being stolen and people don't have permission to use it, or if you're paying for servers based on how much bandwidth you're using.

There have been cases of newspapers hotlinking images from small blogs, and the traffic from loading these images has on its own caused the blogs to go down. It's not ideal.

Is hotlinking illegal?

If you're in Europe pretty much everything is illegal.

How to avoid hotlinking?

To avoid hotlinking other people's content, you should make sure you're allowed to use that piece of content, download it, and upload it on a platform that allows hotlinking or, ideally, to your own website/server.

How do I find out who is hotlinking my content?

View your server logs. It will show up in there.
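One way to pull this out of the logs, as an added example that is not from the original article: a Python function that reads Apache combined-format access log lines and counts media requests and bytes per external referring host. The log lines, the host example.com (standing in for your own domain) and the media extension subset are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$')
# Assumption: only media types are of interest here (a subset of the article's list).
MEDIA = re.compile(r"\.(gif|jpg|jpeg|bmp|png|mp3|pdf)(\?|$)", re.I)

def hotlinkers(lines, own_hosts):
    """Return (hits, bytes_sent) Counters keyed by external referring host."""
    hits, sent = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or not MEDIA.search(m["path"]):
            continue
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if not host or host in own_hosts:
            continue  # blank or "-" referer, or one of our own pages
        hits[host] += 1
        sent[host] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return hits, sent

# Constructed sample log lines (documentation IP ranges, made-up hosts).
SAMPLE = [
    '203.0.113.5 - - [09/Mar/2019:19:30:01 -0800] "GET /img/cat.jpg HTTP/1.1" 200 48211 "https://forum.test/thread/9" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Mar/2019:19:30:02 -0800] "GET /img/cat.jpg HTTP/1.1" 200 48211 "https://forum.test/thread/9?page=2" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Mar/2019:19:30:03 -0800] "GET /img/cat.jpg HTTP/1.1" 200 48211 "https://www.example.com/post/1" "Mozilla/5.0"',
    '198.51.100.8 - - [09/Mar/2019:19:30:04 -0800] "GET /img/dog.png HTTP/1.1" 304 - "http://news.test/story" "Mozilla/5.0"',
    '192.0.2.44 - - [09/Mar/2019:19:30:05 -0800] "GET /img/cat.jpg HTTP/1.1" 200 48211 "-" "curl/8.0"',
    '192.0.2.44 - - [09/Mar/2019:19:30:06 -0800] "GET /index.php HTTP/1.1" 200 5120 "https://forum.test/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, sent = hotlinkers(SAMPLE, {"example.com"})
    for host, count in hits.most_common():
        print(f"{host:15} {count:4} hits {sent[host]:9} bytes")
```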

Posted by Hash Brown at 09 March, 2019 19:30 PM PST
