Hotlinking is the practice of loading an image on your site that resides on a different server. Back in the days when hosting companies metered your bandwidth, which is much rarer these days (or at least the caps are much higher), people would “steal bandwidth” by hotlinking to images. Rather than download them to your own server, you’d simply load the image from the remote server, thereby making its owner pay for the bandwidth.

These days, the bandwidth cost is less of an issue and it’s more about processing. It’s often better to load the image from your own site (by hotlinking you trade bandwidth for a DNS lookup), but it still happens. Most often it’ll be a content scraper, but every so often you get a naive blogger or site owner who just doesn’t know any better. The easiest way to prevent this is to modify your .htaccess file. The server can tell when a page on another site is trying to load an image from your server, because the browser sends the address of the referring page in the Referer header, so you can tell it to load another image or return a 403 Forbidden error.

Stop Hotlinking Entirely

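These directives tell your server to serve its images only when the request comes from your own site; replace “mysite” with your domain. Any time a page on another domain tries to load an image from your server, this code returns a 403 Forbidden error. The second condition lets requests that carry no Referer at all through, since some browsers and proxies do not send one.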

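RewriteEngine On
# Let the request through when the Referer is your own site (http or https, any subdomain)
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mysite\.com/ [NC]
# Let the request through when no Referer was sent at all
RewriteCond %{HTTP_REFERER} !^$
# Any other request for an image gets 403 Forbidden
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]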

The directives instruct the server to do this for JPG, JPEG, GIF, BMP, and PNG files. If you want to extend this to other file types, simply add a pipe “|” (it’s the shifted character on the backslash key, underneath the backspace key) and the extension. If you want to return an image, rather than a 403, replace the dash in the final line with the path to an image.
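An added example, not part of the original article: a small Python model of the three directives above, run over constructed Referer values. It compares an http-only own-site pattern that uses “.+” for the subdomain with a form that also accepts https and keeps the subdomain inside the host name; mysite.com is the article’s placeholder, and the request paths and scraper.example are made up.

```python
import re

# Assumptions: mysite.com is the article's placeholder domain; the request
# paths and scraper.example below are constructed sample values.
IMAGE = re.compile(r".*\.(jpe?g|gif|bmp|png)$")  # RewriteRule pattern (no NC flag)
LOOSE = re.compile(r"^http://(.+\.)?mysite\.com/", re.I)  # http only; ".+" can cross "/"
STRICT = re.compile(r"^https?://([^/]+\.)?mysite\.com/", re.I)  # https too; host part only


def status(path, referer, own_site):
    """Model the rule set: 403 only if the path is an image, the Referer is
    non-empty, and the Referer does not match the own-site pattern."""
    if not IMAGE.search(path):
        return 200  # RewriteRule pattern does not match, request is untouched
    if referer == "":
        return 200  # the "!^$" condition fails, so a missing Referer is allowed
    if own_site.search(referer):
        return 200  # the "!own-site" condition fails
    return 403


SAMPLES = [  # constructed (path, Referer) pairs
    ("/img/cat.jpg", "http://www.mysite.com/post/1"),
    ("/img/cat.jpg", "https://www.mysite.com/post/1"),         # own page over HTTPS
    ("/img/cat.jpg", "http://scraper.example/page"),
    ("/img/cat.jpg", ""),                                      # no Referer sent
    ("/img/cat.jpg", "http://scraper.example/a.mysite.com/"),  # domain in the path
    ("/img/CAT.JPG", "http://scraper.example/page"),           # upper-case extension
    ("/index.html", "http://scraper.example/page"),            # not an image
]


def compare():
    """Return (path, referer, status with LOOSE, status with STRICT) per sample."""
    return [(p, r, status(p, r, LOOSE), status(p, r, STRICT)) for p, r in SAMPLES]


if __name__ == "__main__":
    for path, referer, loose, strict in compare():
        print(f"{path:14} {referer or '(none)':40} loose={loose} strict={strict}")
```

The rows with no Referer and with the upper-case extension return 200 under both patterns: that comes from the “!^$” condition and from the RewriteRule having no NC flag, not from either own-site regex.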

Stop Hotlinking from Specific Domains

If you want to allow some hotlinking but not others, you can specifically pick them out:

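RewriteEngine On
# Referer is a blogspot.com page (http or https, any subdomain), OR ...
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?blogspot\.com/ [NC,OR]
# ... a myspace.com page
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?myspace\.com/ [NC]
# Image requests from those pages get 403 Forbidden
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]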

This prevents hotlinking from blogspot and myspace domains. The NC tells the server to ignore case (so MySpace is the same as myspace) and the OR tells it to block blogspot OR myspace. If you want to add another line, make sure it has an OR in the arguments (unless it’s the last one in the list).

Finally, don’t hotlink to other people’s images. I think it’s OK if it’s a huge site like Flickr or Imgur, which is designed for and expects it, but not if it’s an individual’s own site.


One Response to “How to Stop Hotlinking Images with .htaccess”

  1. Craig Says:

    More awesomeness from this site! I’m bookmarking this for when I get a chance to dig into my htaccess files.

    Do you know if there is a way to tell if someone is linking to an image of yours?
