HowTo: Prevent Image Hotlinking on your site

A lot of webmasters run into bandwidth problems due to hotlinking, inline linking, direct linking, leeching or bandwidth theft. Whichever term you use, it means exactly the same thing: losing your bandwidth to someone else who didn’t pay for it. While the practice is frowned upon by almost everyone, it’s still quite rampant throughout the web, which is why you need to know that there are some tools you can use to prevent sites from jacking your precious bandwidth.

The most common way of preventing hotlinking is the use of the .htaccess file (assuming your web server is Apache, not lighttpd or nginx :D). Apache will use the directives in your .htaccess file to redirect or block requests from hotlinkers depending on your configuration. The rules work by checking the Referer header sent with each image request. Below are three examples of how you can prevent hotlinking:

IMPORTANT NOTE:
Please note that you should know what you are doing. Modifying the .htaccess file carelessly will result in your site throwing error 500 (configuration error).

For WordPress users, you can insert these lines of code right before the line # BEGIN WordPress in your .htaccess file. Make sure you make a backup of your .htaccess file before editing it.

Allowing certain sites to link to your images (whitelisting)

This code blocks all other domains but allows the sites you list to access your images (like feedburner, netvibes, bloglines and other accredited syndication sites). Sites that request your images but aren’t listed below will get a 403 Forbidden Error instead of the image on your server.

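RewriteEngine on
#List sites that you own below
#https? accepts both http and https referers; [^/]+ keeps the optional
#subdomain inside the host name so it cannot match part of a path
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mysite1\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mysite2\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mysite3\.com/.*$ [NC]
#Let requests that send no Referer through
RewriteCond %{HTTP_REFERER} !^$
#Answer 403 Forbidden to image requests from any other referer
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ - [F]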

Blocking certain sites from linking to your images (blacklisting)

This code blocks certain domains like blogspot, myspace, other social networks or specifically a site that hotlinks your images. Sites listed below that request your images will get a 403 Forbidden Error instead of the image on your server.

RewriteEngine on
#Block sites that hotlink your image
#The [OR] flags make the rule fire when any one of the listed sites matches
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?blogspot\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?myspace\.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?facebook\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Answer 403 Forbidden to image requests from the sites above
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ - [F]

Redirecting to a no hotlink image

If you don’t want to use a 403 Forbidden Error but want to deliver a strong message to the hotlinker or the readers of the site that’s hotlinking your image, you can use the code below. Instead of the image his/her site requested, the hotlinker will get an image that you specify below.

RewriteEngine on
#List sites that you own below
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Do not rewrite the replacement image itself, or the redirect loops
RewriteCond %{REQUEST_URI} !/nohotlink\.jpg$ [NC]
#image to return if your image is getting hotlinked
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ http://mysite.com/nohotlink.jpg [NC,R,L]

A combination of all examples above

For the perfect anti-hotlinking .htaccess file, you have to use a combination of the examples listed above. A word of warning: if you’re going to use THIS example, be sure to whitelist all sites (that you want) that have access to your feeds (like feedburner, netvibes, bloglines and other accredited syndication sites) or else they’ll be getting the nohotlink image.

RewriteEngine on
#Block sites that hotlink your image
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?blogspot\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?myspace\.com/.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?facebook\.com/.*$ [NC]
RewriteRule \.(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG|mng|MNG)$ - [F]
#List sites that you own below
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mysite1\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mysite2\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mysite3\.com/.*$ [NC]
#RSS syndicators and online readers (dots escaped so they match literally)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?feedproxy\.google\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?feeds2\.feedburner\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?feeds2\.google\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com/reader/view/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com/reader/m/view/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Do not rewrite the replacement image itself, or the redirect loops
RewriteCond %{REQUEST_URI} !/nohotlink\.jpg$ [NC]
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ http://mysite1.com/nohotlink.jpg [NC,R,L]

Once you’ve uploaded your new souped-up .htaccess file, just head to this hotlink checker tool to see if your configuration works :D. Be sure to clear your browser cache.
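
The whitelist logic can also be checked offline before uploading. This Python sketch is an added example, not part of the original post: it models only how the whitelist conditions combine (it is not mod_rewrite itself), runs on constructed Referer values, and compares an `http://`-only pattern using `(.+\.)?` with one using `https?://` and `([^/]+\.)?`. All function and variable names are hypothetical.

```python
import re

# RewriteRule pattern from the whitelist example (no [NC], so case-sensitive)
IMAGE_RE = re.compile(r"\.(jpg|jpeg|png|gif|bmp)$")

# Two spellings of the same whitelist entry for mysite1.com
LOOSE = [r"^http://(.+\.)?mysite1\.com/"]        # http only, ".+" may span "/"
TIGHT = [r"^https?://([^/]+\.)?mysite1\.com/"]   # http or https, host part only


def is_blocked(path, referer, allowed_patterns):
    """Return True when the whitelist ruleset would answer 403.

    The RewriteCond lines are ANDed, each is a negated match on the Referer,
    the last one exempts an empty Referer, and the [F] rule fires only when
    every condition holds.
    """
    if not IMAGE_RE.search(path):
        return False                       # RewriteRule pattern did not match
    if referer == "":
        return False                       # RewriteCond %{HTTP_REFERER} !^$
    for pattern in allowed_patterns:
        if re.search(pattern, referer, re.I):   # [NC] = case-insensitive
            return False                   # one "!pattern" condition failed
    return True                            # all conditions held -> 403


# Constructed sample requests: (label, Referer header value)
SAMPLES = [
    ("own page over http", "http://www.mysite1.com/post/1"),
    ("own page over https", "https://www.mysite1.com/post/1"),
    ("no Referer sent", ""),
    ("other site", "http://blog.example.net/page"),
    ("other site, own name in path", "http://blog.example.net/x.mysite1.com/"),
]


def decisions(patterns, path="/img/photo.jpg"):
    """Map each sample label to True (403) or False (image served)."""
    return {label: is_blocked(path, ref, patterns) for label, ref in SAMPLES}


if __name__ == "__main__":
    loose, tight = decisions(LOOSE), decisions(TIGHT)
    for label, _ in SAMPLES:
        print(f"{label:30} loose={'403' if loose[label] else '200'} "
              f"tight={'403' if tight[label] else '200'}")
```

The Referer header is supplied by the client and requests without one are let through, so these rules cut bandwidth lost to casual embedding; they are not access control for the images.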

If you’ve done it right, then you won’t have to worry about hotlinkers for a long, long time :D. Post a comment if you need to ask anything.