Prevent Hotlinking

Using .htaccess file to Prevent Hotlinking


What is Hotlinking?

Hotlinking is embedding linked files from your website into a page on an external domain without your permission. Hotlinked files are most often images, but can also be media files, scripts, and pretty much anything which is not a web page.

Hotlinking of your files, both intentional and inadvertent, can be a literal drain on your website without any benefits to you. A regular visit to your website draws on your bandwidth. This is a legitimate draw.

However, if a remote site, unrelated to yours in any way, is able to hotlink your files, whenever people view that remote site, you are paying for the bandwidth being used by the other site owners. Those site owners are getting something for nothing – your file(s) AND your bandwidth. This is an illegitimate draw.

Many web hosts offer different amounts of allowed bandwidth (with Crosswinds, this is the “Transfer” amount that is detailed in each hosting plan). Intentional hotlinking lets unscrupulous website owners pay the lowest rate for their service while still using more than their allowed bandwidth, without being penalized monetarily.

This is how it was explained in the article What is Hotlinking?:

A simple analogy for bandwidth theft:
Imagine a random stranger plugging into your electrical outlets, using your electricity without your consent, and you paying for it.

Offer a substitute file

Some misguided people decide to use offensive images as hotlink replacements. But there is no need to be rude. Much of the hotlinking that occurs is done out of ignorance and is entirely unintentional. Any intentional hotlinkers wouldn’t be fazed by rudeness anyway. It’s far better to be firm and informative by employing an image along these lines:

[Image: no hotlinking example]

To produce the above, paste the following text (or something similar) into a graphics program such as Paint, Irfanview, Gimp, etc. (Please don’t use our example – make your own, containing YOUR website address!):

unauthorized link to image
 
This is a replacement. "Hotlinking"
(aka "direct linking", "inline linking",
"leeching", or "bandwidth theft")
has been prevented. Please go to
[your domain name]
to view the actual image.

Save it as no_hotlinking.gif and upload it in binary mode to your image folder.

.htaccess

Open a text editor and copy and paste the following (make sure you change “yourdomain.com” and “other_allowed_site.com” to reflect actual domain names):

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://([-a-zA-Z0-9_]+\.)?yourdomain\.com([/:]|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([-a-zA-Z0-9_]+\.)?other_allowed_site\.com([/:]|$) [NC]
RewriteRule \.(jpe?g|gif|bmp|png|ico)$ images/no_hotlinking.gif [L,NC]

The first line turns on the rewrite engine. The second line lets through requests that carry no referrer at all (direct visits, and browsers or proxies that strip the Referer header). The third line allows requests referred from your own domain. [NC] stands for “No Case”: it will match upper or lower case letters. The fourth line allows requests referred from another domain that you permit. The last line matches any file ending with the extension jpeg, jpg, gif, bmp, png or ico. When the referring page is on any site other than yourdomain.com and other_allowed_site.com, hotlinked images will be replaced by the no_hotlinking.gif that is in your image folder. Because the Referer header is supplied by the client and can be omitted or altered, treat this rule as a way to save bandwidth, not as access control.

Save the file as .htaccess and upload it in ASCII mode to your root folder. (If you already have an .htaccess file there, open it and add the new code below what is there already.)

Note that your bandwidth will still be used up by the “no_hotlinking” image, so it is a good idea to keep its file size small. To avoid that bandwidth drain altogether, you can choose to show no image at all and put the following in your .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://([-a-zA-Z0-9_]+\.)?yourdomain\.com([/:]|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([-a-zA-Z0-9_]+\.)?other_allowed_site\.com([/:]|$) [NC]
RewriteRule \.(jpe?g|gif|bmp|png|ico)$ - [F,NC,L]

[F] stands for “forbidden”: the server answers the request with a 403 Forbidden status instead of a file. [L] stands for “last” and tells the server that if the HTTP request matches this rule, it should not go on to any other rewrite rules in the .htaccess file.

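The Referer conditions shared by both rule sets above can be checked offline before they go on a server. The following is an added example, not part of the original page: it mirrors the RewriteCond chain in Python and compares a loosely written host pattern with an anchored one against constructed Referer values. The function names and sample hosts are assumptions made for illustration.

```python
import re

# Pattern style with unescaped dots, http:// only, and no boundary after the host.
LOOSE = [r"^http://([-a-zA-Z0-9_]+\.)?yourdomain.com.*$"]
# Escaped dots, http or https, and the host must end at "/", ":" or end of string.
STRICT = [r"^https?://([-a-zA-Z0-9_]+\.)?yourdomain\.com([/:]|$)"]
IMAGE = re.compile(r"\.(jpe?g|gif|bmp|png|ico)$", re.IGNORECASE)


def decide(referer, path, allowed):
    """Mirror the RewriteCond chain: return 'serve' or 'block' for one request."""
    if not IMAGE.search(path):
        return "serve"          # RewriteRule pattern does not match this file
    if referer == "":
        return "serve"          # the "!^$" condition fails, so the rule is skipped
    for pat in allowed:
        if re.search(pat, referer, re.IGNORECASE):   # [NC]
            return "serve"      # a negated allow-list condition fails
    return "block"              # every condition held: substitute image or 403


# Constructed Referer values (hypothetical, not taken from any real log).
SAMPLES = [
    ("", "direct request, no Referer"),
    ("http://yourdomain.com/gallery.html", "own page over http"),
    ("https://www.yourdomain.com/gallery.html", "own page over https"),
    ("http://forum.example.net/thread/42", "unrelated site"),
    ("http://yourdomain.com.example.net/page", "host only starts with the allowed name"),
    ("http://yourdomainxcom.example.net/", "unescaped dot matches any character"),
]


def compare(path="/images/photo.JPG"):
    """Return (referer, loose_result, strict_result) for every sample."""
    return [(r, decide(r, path, LOOSE), decide(r, path, STRICT)) for r, _ in SAMPLES]


if __name__ == "__main__":
    for (ref, loose, strict), (_, note) in zip(compare(), SAMPLES):
        print(f"{loose:5} {strict:5}  {ref or '(empty)'}  # {note}")
```

The first column is the loose pattern's decision and the second the anchored one's: the loose form blocks the site's own pages when they are served over https and serves images to look-alike hosts.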
Other hotlinking information

For more information on hotlinking prevention, please see the following: