Is someone else posting your images on their site, but linking to your original? If so, that’s called hotlinking. And it’s costing you in system resources at your host, especially in bandwidth.
See 3 ways to hotlink protect your images so others can’t run you into system overages with your host.
And see the caveats with using hotlink protection so you can decide if it’s right for you.
Why to Hotlink Protect Images and Files
It’s all about bandwidth theft.
When you search for free images to use on your site, the Terms of Service (ToS) of the resource site will explicitly state that you are not allowed to link directly to the image on their site.
They prefer that you download the image, then upload to your own site.
That way every time someone visits your page/post your site uses up your bandwidth at your host to deliver it and the image, not the site where you got the image.
If you linked to their image directly, it would use up their bandwidth and probably get you banned from ever using their images again.
Why Not to Hotlink Protect Images and Files
There are 2 conditions where you can’t use hotlink protection.
Link parties.
They are a very popular way to combine forces with other bloggers to gain more readers.
One blogger hosts the party on their site.
And they feature posts, including links and images, from their blogger buddies participating in the party.
They usually hotlink to those images, meaning that they are pulling the image from their buddie’s site, not their own. That saves their bandwidth on their hosting service, because the image is being delivered from another site.
So, if you run or participate in link parties, you can’t use hotlink protection.
Syndication.
If you are fortunate enough to get your content syndicated on bigger sites, they will want to pull the images from your site.
So, you won’t be able to use hotlink protection in that case.
Other Files to Hotlink Protect
Torrent sites love to steal PDF files.
They think there is money attached to them.
Because of that, they attract bad bots to crawl your site looking for them.
If they find a PDF of interest, they may hotlink to it on a Torrent site.
Or worse, they may initiate an man-in-the-middle attack and redirect visitors to a porn site.
You may want to consider hotlink protecting your PDF files too. But check that folks can still download it, depending on the method you use.
3 Ways to Hotlink Protect Your Images and Files
There are 3 basic ways to hotlink protect your images.
- Insert rewrite rule code directly into your .htaccess file.
- Use the Hotlink Protection Tool in cPanel to write the code in .htaccess for you.
- Use a plugin with hotlink protection that creates the code in .htaccess for you.
We’ll cover all 3 ways in this post.
Important – Read This First
Be aware that adding these rewrite conditions in .htaccess may interfere or conflict with other rewrite conditions or redirects.
Order matters!
Be sure the new code is below all other rewrite or redirect conditions.
You need to be especially careful with the placement of this code if you have converted your site to HTTPS.
If you use the Hotlink Protection Tool via cPanel, it should add the code to the bottom of your .htaccess file, but best to double check it to be sure.
Backup First
Be sure to take a full backup of your site before starting this process.
And be absolutely, 100% sure that backup contains your .htaccess file, as that is the one that will be modified by this process.
Most backup plugins and services do not include files outside of WordPress. The .htaccess file is below your WordPress files, in the root of your public_html folder. So, you may need to download or make a copy of it using another method.
If you will be manually altering your .htaccess file via File Manager in cPanel, simply make a backup copy of it using the Copy function in File Manager.
If you’ll be modifying via an FTP program, download a copy of the .htaccess file first, or use your FTP program to make a copy, if that option is available.
Need Help?
If these warnings about backing up and copying files are already making you nervous, let a qualified geek buddy help you.
This is a quick and inexpensive task for someone who knows what they are doing.
Contact me and we’ll get this taken care of for you.
Site audit clients – if you’re comfortable handling the code and just want another set of eyes as you do it, we can likely take care of it in a quick, live session.
Add Rewrite Rules Directly in .htaccess
You can add rewrite rules and conditions directly to your .htaccess file.
There is a very clean regex generator for hotlinking on the htaccessTools site here
It will generate code that looks like this
To use this generator, input your domain without http(s) and without www.
Example: mysite.com
In the Allow Blank Referers section, you’ll need to decide if you want to allow or block.
Some site visitors use either a firewall or antivirus program on their computers that will block access to the site if there are no page referrers available.
Many social media platforms also require allowing blank referrers to access images and other data from your site to display in their feeds.
So, best to leave this set to the default of allow.
I wouldn’t bother with a substitute image or redirect. That just chews up more of your bandwidth while turning the hotlinker away.
Place the code at the bottom of your .htaccess file.
Check your site, and anywhere you have images linked, to ensure they are in working order.
cPanel Hotlink Protection
If you’re not comfortable handling your .htaccess file, and you have a cPanel control panel at your host, it will give you an easy-to-use interface to create the code below in .htaccess. Not as clean as the regex code above, but serves the same function.
To use this method, log into your hosting cPanel.
Hotlink Protection Tool
To help you find the Hotlink Tool quickly, in the search field, type hotlink.
Click the icon for Hotlink Protection
Enable Hotlink Protection
Do not click this button yet!!!
Near the top of the tool page, you’ll see the Enable button to turn on Hotlink Protection.
If you did click it, simply click the Go Back link somewhere on the page you were redirected to and follow the rest of this tutorial.
URLs Allowed
Ensure all versions of your site’s URLs are in the next field, including http, https, and www and non.
File Types to Block
The next field should already be populated with all popular image file types.
Check to see that every type you use is listed.
Note that each type is separated by a comma with no spaces between.
Allow Direct Requests
The description here makes you think that it’s only for folks using a Mac.
But it’s the same type of referrer directive as mentioned in the .htaccess regex code generator section above.
Check the box to allow direct requests.
Redirect the Request
If you want to let someone know why their hotlink to your image is not working, you can send them to a page you created with an explanation.
The redirect will cause a page to open on your site, which chews up system resources and bandwidth.
Honestly, I wouldn’t bother with this, as the only folks hot-linking are stealing from you and/or don’t care about how much in system resources this causes you.
Save Your Changes
When you’ve completed your settings, click the Submit button to save them.
Hotlink Protection Enabled Confirmation
Once you hit Submit, you’ll be redirected to a page confirming that your Hotlink Protection is enabled, and showing you a summary of your settings.
That code should have been written to the bottom of your .htaccess file.
Check your site, and anywhere you have images linked, to ensure they are in working order.
Hotlink Protection Plugins
There are multiple hotlink protection standalone plugins.
And some of the bigger site security plugins also include a hotlink protection option.
But, those behemoth security plugins have lots of other settings and can cause other conflicts and issues, plus be more of a resource hog than they are worth.
I do not advocate using a complex security plugin at all, much less for simple hotlink protection.
(It’s not that all of those plugins are bad. It’s that I use and recommend a different combo that works better.)
Since I strongly prefer to hard code these rewrite conditions to ensure they don’t cause other problems, I don’t use standalone hotlink protection plugins and don’t have one to recommend.
If you do use one, be sure to take a look at your .htaccess file before and after you activate/configure the plugin.
Also be sure there are no other plugin conflicts.
And be sure to check if the plugin has to be configured, not just installed.
Will You Use Hotlink Protection?
Have you encountered a good reason to consider hotlink protecting your images or other files?
Tell us about it in the comments and what method you used.
And let us know if you ran into any issues with it.
This book could save you hundreds of dollars and months of frustration. Get it free with your subscription to
Since I’ve been online with my website for 18 years now, I’ve had a TON of photos pirated from my site and also taken right off Google Images, of course. In most instances that I’ve caught, after requesting a take-down, site owners have done so. But there are some that I’ve had to turn in on a DMCA report. In fact, I just made another DMCA report on a Youtube video where someone had used my photo as the background through the entire video!
I’m soooo happy to hear about this hardcoded way to prevent this robbery! Will save me hundreds of hours tracking down all this BS. Thanks MaAnna!
Cathryn, I was thinking of you when I wrote this post, and how you’ve been using hotlink protection for so many years.
It won’t keep folks from outright stealing your images, meaning downloading their own copy. But it will keep them from linking directly from your site for them.
You’ll still need to do the DMCA report for folks outright stealing via a download.