What is Hotlinking?
“Hotlinking” is when someone links to your site’s resources, such as videos or images, and displays it on a different site. Even if they don't have any malicious intent, hotlinking steals bandwidth from your server.
When someone does this, bandwidth will be used on your end every time someone views the resource on the other site.
For certain hosting account types, bandwidth is limited. If this is the case, using over the designated amount will cause an over-usage fee or a decline in site functionality.
How to Block Hotlinking in .htaccess
Luckily, you can block people from hotlinking in your .htaccess file. For help finding your .htaccess file in the ACC, check out our article, Accessing Your .htaccess File.
Once you’ve found your .htaccess file, you’re going to add a couple lines of code to disable hotlinking from your site.
Stop All Hotlinking
This blocks all hotlinking to your server. A 404 will be displayed in its place. For only HTTP links, use this code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?siteName.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|mp3|png|pdf|zip)$ - [F]
If you would like to use both HTTP and HTTPS links, use the following code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?siteName.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?siteName.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|mp3|png|pdf|zip)$ - [F]
Before you use the code, make sure to customize it for your website. Complete the following items to ensure the code will work with your website:
- Replace
siteName.com/ in the above code with your site's URL. - Remove
RewriteCond %{HTTP_REFERER} !^$if you want to block blank referers. See the How the Code Works section for more information about blank referers. - Add or remove the file types in the last line. Separate file types with a |
How the Code Works
This code functions by checking the URL trying to summon the resource. If it comes from the desired URL, the resources will be loaded for viewing.The desired URL is determined by the lines below:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?siteName.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?siteName.com/.*$ [NC]If the URL does not match the URL listed in the code (in this case "siteName.com"), the resources will not load, and a 404 will display in its place. You want the "siteName.com" in the code to match your domain.
The following line allows “blank referers:”
RewriteCond %{HTTP_REFERER} !^$Blank referers are visitors to your website who have a firewall or antivirus system. Since this code relies on checking the URL, a firewall or antivirus will sometimes thwart this inquiry. Most hotlinking will still be rejected by the script if you allow blank referers. Allowing blank referers is optional, but if you don’t, those people will not be able to view your site.
If you want to block blank referers, simply take out the second line of the code. Note that this will also keep images from being directly accessed by typing in their URL.
Fun Fact: “Referer” is purposely misspelled because the computer scientist who coined the term misspelled the word in his original proposal.
The last line establishes which file types can’t be hotlinked:
RewriteRule \.(gif|jpg|jpeg|mp3|png|pdf|zip)$ - [F]Enter the file extensions you want to be protected in the parenthesis. Separate each file type with a vertical bar ( | ).
Show Different Content When Your Resources are Hotlinked
This blocks hotlinks to your content and instead displays a resource of your choice in its place. For example, you may instruct .htaccess to display a custom error image.
This approach will still use some of your bandwidth.
The error image would only display when someone tries to hotlink to your resources. Your server images are safe from hotlinking and the .htaccess server would hand the hotlink an error image every time someone tries to view it.
RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http://(www\.)?siteName.com/.*$ [NC] RewriteRule \.(gif|jpg)$ http://www.siteName.com/customError.jpg [R,L]
In the third line, replace siteName.com with your domain name.
The fourth line - the RewriteRule line - establishes the type of hotlinks to block and replace, as well as what to replace the hotlink with.
In this line, replace (gif\jpg) with the file types you want to be replaced. All hotlinks that try to establish a link to one of these file types will receive the replacement image.
Also, replace http://www.siteName.com with your own site URL and customError.jpg with the filename of the replacement image.
Once you have finished inputting your hotlink blocking code into the .htaccess file, click Save Changes. Now hotlinks will be blocked from your site.