Firstly, what exactly is image hotlinking? Well, say you are browsing the web and come across an image that you particularly like the look of. You then decide that you would quite like this image on your site. Instead of saving the image and uploading it to your own server, you place a link to their image on their site. For example,
<img src="/wp-content/uploads/2009/03/strawberry.jpg" />
If you decided to place The Web Squeeze’s Strawberry on your site, not only would it be a blatant image theft, but you would also be stealing their bandwidth as when their browser requests the image file, it is not from your server, it is from The Web Squeeze’s.
This is why image hotlinking is becoming a major issue for website owners today. People finding images on Google simply place a link to that image on their website, costing you bandwidth, and in the long run, money!
So what can we do to stop this? Well if you came across a site using your image, then you could rename your image, causing them to have a broken link or an alternate image displayed on their site for example. However, there are several obvious drawbacks to this method, you would have to trawl through your server logs looking for hotlinking sites, then you would have to go to the effort of renaming your image, updating all your webpages, uploading a new image … not a good use of your time.
Luckily there is an extremely efficient and easy way to prevent against hotlinking, using the Apache configuration file, .htaccess. Using your .htaccess file allows you to control things such as:
- What sites to block/allow
- Whether to allow/deny blank referrers
- Display custom images to hotlinking sites
- What file extensions to protect against hotlinking
Step by Step Guide
Adding in comments
#Stop Image Hotlinking
Any good programmer will tell you that comments are essential, regardless of the language you are writing in. When you begin to have a few different rules in your .htaccess file, comments help avoid confusion by allowing you to clearly see what each bit of code does.
Turn on the Rewrite Engine
RewriteEngine on
The code in this tutorial uses the Apache module mod_rewrite, we therefore need to tell the server to interpret this as such. It is similar to writing PHP, if you do not include the PHP tags the server will not know what to do with your code, the same principal applies here. This only needs to be declared once in your .htaccess file.
Allowing your domain(s)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourdomain.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourdomain2.com [NC]
You now need to state which sites are allowed to access your files, and obviously your site will be first on the list. There is no limit to the amount of sites that you can allow access to your files, for each additional domain simply add another line of code to the .htaccess file and amend as necessary.
Allow blank referrers?
RewriteCond %{HTTP_REFERER} !^$
Some users browse the web using things such as firewall or proxys, and therefore do not supply any referrer information. It is up to you whether to decide to block blank referrers. If you wish to then just delete this line from your .htaccess file.
Allow search engines?
RewriteCond %{HTTP_REFERER} !google. [NC]
RewriteCond %{HTTP_REFERER} !search?q=cache [NC]
RewriteCond %{HTTP_REFERER} !msn. [NC]
RewriteCond %{HTTP_REFERER} !yahoo. [NC]
Search engines such as Google can link to your images in their search results, often providing a useful sources of traffic. If you are a Photographer for example, then it might be a good idea to allow this as people can follow the image to see more of your work. However the choice is entirely your own, if you do not wish to allow this then simply delete these lines of code form your .htaccess file.
Allow an image to be hotlinked
RewriteCond %{REQUEST_URI} !^hotlinker.gif$
If you are planning on getting revenge on people hotlinking your images, then you will need to allow this image to be linked to. The above line of code makes sure that the image that you choose to display them actually gets displayed.
Display a custom image
RewriteRule .(jpe?g|png|gif)$ hotlinker.gif [NC,R,L]
The final piece of code. This tells the server that if a request is made for a .jpg, .jpeg, .png or .gif file that is not from one of the named exceptions, then they get displayed the hotlinker.gif image. If you wish to add more file extensions then you can just adapt the code for your use.
Let’s see an example of how this technique can be used. If someone decides to link to The Web Squeeze’s strawberry logo,
then in the .htaccess file you could have the alternate squashed strawberry show. Alternately, one of the advertising banners such as this could be shown, providing your site with some free exposure.
If you are feeling particularly lazy then all the .htaccess code for stopping image hotlinking is provided below.
#Stop Image Hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourdomain.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourdomain2.com [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !google. [NC]
RewriteCond %{HTTP_REFERER} !search?q=cache [NC]
RewriteCond %{HTTP_REFERER} !msn. [NC]
RewriteCond %{HTTP_REFERER} !yahoo. [NC]
RewriteCond %{REQUEST_URI} !^hotlinker.gif$
RewriteRule .(jpe?g|png|gif)$ hotlinker.gif [NC,R,L]
Some Important Things
Before uploading your .htaccess file to your server make sure that there is not one there already! Applications such as WordPress use their own .htaccess file when installed, if this is the case then download the existing .htaccess file, add your extra code and then upload it back to the server.
In my opinion the most important thing to do when editing .htaccess file is to BACK UP. Make sure that you have a copy of the original .htaccess file in case everything goes ‘pear-shape’.
This method is not limited to just image files. You can add file extension such as .exe or .zip to protect against people stealing any other content off your site. Then you can either display them the alternate image, or have them download a .zip folder full of images promoting your site, the possibilities are endless.
Lastly, it is polite to ask your hosting provider if they allow .htaccess files to be used on their server, just in case they do not.
I hope this article has been helpful and has cleared up some of the confusion surrounding stopping image hotlinking with .htaccess.
Hope you all like the article, looking forward to hearing your thoughts
Craig
Can I apply this in my WordPress? I don’t have any idea of this htaccess programming
Really very good article!
Very, very cool. I’ll take note of this!
Hey Monie, yes you can apply this to any website, including WordPress.
However, WordPress will have already installed a .htaccess file in your root directory. As mentioned above you will have to download this file and then add your changes to it, then upload it again.
If you want to know what the WordPress .htaccess file does exactly there is an article on .htaccesstutorial.net about just this issue.
If there are any problems you know where to ask
Oh and remember to make a copy of the WordPress file!! Just in case things do not work.
Craig
Simple, yet effective. Nice post!
I saw a blog who had a problem with blatant hotlinking and blogged about it [ http://tinyurl.com/apert9 ]. I think that with more and more design-focused sites starting out [with tutorials as such], image-hotlinking will continue.
Thanks for the tut.
@Wibby – I totally agree, the frustrating thing is that it is so easy to stop.
Very useful info, thanks!
Cool and simple tut, thanks! im working on it!
I did that on my old website and the Results where quite funny
I made a image that said
“THIS GUY IS A HOTLINKER, Look DOWN on Him!!”
hello…my server does allow .htccess cause i use on my other sites. I tried this on another site i have that does not have an htaccess file. This doesn’t work for me here is my coding: (disreguard the **).
Stop Image Hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?*.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?*.com [NC]
RewriteCond %{HTTP_REFERER} !google. [NC]
RewriteCond %{HTTP_REFERER} !search?q=cache [NC]
RewriteCond %{HTTP_REFERER} !msn. [NC]
RewriteCond %{HTTP_REFERER} !yahoo. [NC]
RewriteCond %{REQUEST_URI} !^1.jpg$
RewriteRule .(jpe?g|png|gif)$ 1.jpg [NC,R,L]
I have the 1.jpg in the same folder as htaccess as well. I hotlinked an image from my site with BBcode and html code to my other site that i did not set the allow for…but i still can see the image i was stealing from myself. My server uses apache also.
This isn’t entirely correct. The most critical line of all,
RewriteRule .(jpe?g|png|gif)$ hotlinker.gif [NC,R,L]
will fail because the “.gif” in the pattern will be matched, so you get circular rewrites (until the server reaches its limits, and quits). The file extension of your image can’t be in the pattern. Try something like
RewriteRule .(jpg|png|gif)$ hotlinker.jpeg [NC,R,L]
I’ve tested both on my server, and confirmed this.
Nice article. Now, how would I go about subdomains? Would it look something like this?
print("RewriteCond %{HTTP_REFERER} !^http(s)?://(subdomain.)?yourdomain.com");
or this:
print(“RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?subdomain.yourdomain.com);
Hi Craig,
One Quick Question …
Images on one of my blogs are of different sizes. Say for eg., 600×900 px. The custom image for replacement with warning message is 400x200px. When someone hotlinks my images, the replacement warning image is stretched to 600x900px which makes it blurred and hard to see the warning.
How to display the replacement image 400x200px as it is ?
Thanks.
Yeah, simple and realy useful thing, thanks!
Kad is right,
I’ve implemented the Replace hotlinked image with a default one and the server makes up to 20 requests.
Cheers Craig and Kad
Hi,
This works great thanks, but it won’t display the alternativee image on the hotlinking site. Any ideas?
RewriteCond %{REQUEST_URI} !(^/robots.txt|.ico)$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)thebagshopstamford.co.uk(/index.html)?.*$ [NC]
RewriteCond %{HTTP_REFERER} !google. [NC]
RewriteCond %{HTTP_REFERER} !search?q=cache [NC]
RewriteCond %{HTTP_REFERER} !msn. [NC]
RewriteCond %{HTTP_REFERER} !yahoo. [NC]
RewriteCond %{REQUEST_URI} !^cpyright.jpeg$
RewriteRule .(jpg|png|gif)$ cpyright.jpeg [NC,R,L]
It works only on IE and not on firefox what can I do about it ?
SHut UP