What is hotlinking and how to prevent it

Hotlinking is a process when a direct link to some media (image, video, audio file, etc) is being shared instead of a full website page where it is actually hosted.

Why should hotlinking bother you?

While hotlinking is great for the one sharing the URL, it can cause troubles for the owner of the content. First of all, such actions can be qualified as a copyright infringement, since images are displayed with no information on the author. Secondly, hotlinking uses resources (bandwidth) of the hosting account where the website is hosted.

How do I find out if the images I own are hotlinked?

There is an accurate and really simple way to check if the images you host are being hotlinked - Google Images. The following command has to be inserted in the search bar:

inurl:yourdomain.com -site:yourdomain.com
Use your domain instead of yourdomain.com.

It looks up all your website's image links, automatically removing from the results the legitimate ones (those that you actually own) leaving only hotlinked URLs.

Hotlink protection and SEO

You may wonder if the hotlink protection influences the website's ranking. It does not. Your website may even load faster because its bandwidth is not stressed by constant illegitimate requests from re-posted images. And that actually improves your ranking. The issues appear when the hotlink protection is not implemented properly and blocks access to the images for crawlers. This causes the images to not display in search results or even for the website to not being properly indexed. That is why we recommend using a hotlink protection rule or a plugin that allows specifying blank referrers and search engines as allowed fetchers for providing direct URLs to the images.

Ways to prevent hotlinking cPanel

In cPanel there is a menu called Hotlink Protection, that was created specifically for this purpose. Find the detailed step-by-step guide with screenshots here.


There are many plugins that offer hotlink protection. For example, you may choose All In One WP Security And Firewall as a multipurpose plugin for WordPress. Configurable Hotlink Protection script deals only with one issue and allows configuring the strictness of the block. When using any plugin of this kind, make sure to backup your account before making any changes. Another useful tip is to clear cache in a cache plugin after enabling the hotlink protection (in case you use one).

General .htaccess rules

It is possible to block hotlinking by editing an .htaccess file in the root folder of the domain in question. It allows to disable usage of the direct URLs to the files, but does not block them from being displayed on the original website. The following rule should be added to the .htaccess:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Where yourdomain.com should be replaced with the actual website name and jpg|jpeg|png|gif are the types of files to protect.

This rule allow blank referrers - requests from users of specific firewalls and antiviruses that hide the information about the sender of the requests. Blocking blank referrers will also prevent visitors with such settings from viewing the media content on the website, specifically protected images.

To have a customized page informing that hotlinking is not allowed instead of usual error message, you may slightly modify the rule. It is necessary to specify the file to be displayed instead of a hotlinked image. The file has to be created and uploaded to a folder that is not blocked for viewing and direct linking. For example, it might be a subdomain, specifically created for this purpose or an open media storage. The rule with the customized error image link will look the following way:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://domain.com/nohotlinking.jpg [NC,R,L]

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://domain.com/nohotlinking.jpg [NC,R,L]

Where http://domain.com/nohotlinking.jpg is the direct link to the image you are using as a customized error message.

While saving your bandwidth from theft and maintaining stable website performance you may still want to allow certain search engines and social media platforms to access your files. This will allow the images to be shown in search results and shared via widgets. For this purpose, the hotlink protection rule can be added to the .htaccess file with special lines, specifying the allowed requests:

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://domain.com/nohotlinking.jpg [NC,R,L]

Where yourdomain.com should be replaced with the actual website name and jpg|jpeg|png|gif are the types of files to protect.
Regarding the allow referrers, it is possible to add more lines with those websites, that you want to whitelist.
Just as in the previous rule, http://domain.com/nohotlinking.jpg is the direct link to the image you are using as a customized error message.

That's it!

Need any help? Contact our HelpDesk

23216 times

Need help? We're always here for you.