working hotlink protection?

  • Answered
I'm looking into hotlink protection for images on my site, but need input on whether it's the right idea and just how to get it active.

I understand how it's used in the .htaccess file, and how cPanel might be used. But when I tried it from cPanel earlier, it totally crashed my site (Server Error..) and I had to get help to fix something in .htaccess. Then I tried manually putting entries in .htaccess as I saw in a number of articles, but testing on some test sites didn't seem to show it working.

So, when it comes to RSS feeds and other possible needs, is hotlink protection really worth the risk of it blocking some sites where you may get more by leaving it off?
And, if it's the best idea, why doesn't it work in my root .htaccess file (according to what some test sites seem to report.)

With what else is in .htaccess currently, I basically added:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ http://www.mydomain.com/the/path/to/blocked.png [NC,R,L]

Any thoughts?
-CPL
Tim S.
Hi CPL,

Thanks for posting your question about hotlink protection. I'm more than happy to assist you today.

First, let's examine the benefits of hotlink protection. When someone links to one of your image files, they essentially steal bandwidth. That's probably the biggest advantage to using hotlink protection. Since we do not actively monitor bandwidth on shared hosting, the advantage of using hotlink protection is minimized. With how hotlink protection in cPanel works by default, images will not show up in RSS feeds.

I've never personally found a need for hotlink protection, so I've dug around to find out if there are workarounds for it. This is what I've found:

Normally, .htaccess rules for hotlink protection would look something like this. And using this code, your images will not show up in RSS feeds such as FeedBurner:

# Hotlink Protection
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com/.*$ [NC]
RewriteRule .*\.(gif|jpg|jpeg|png|bmp)$ - [F,NC,L]

Now, let's break down what this code is doing. In the first line, after the initial comment, we're enabling mod_rewrite. Then the code checks the referrer's URL against the predefined strings in the next 5 lines. If the URL is not listed in the strings, then Apache is directed to deny access to the file types listed in the last line. Keep in mind, you can restrict any file type and you're not just limited to image files.

At this point, since RSS feeds are not listed in the .htaccess rules, the images will not display. So if we wanted to allow Feedburner access to images on the website, we could modify the rules from above to this:

# Hotlink Protection with Feedburner Access
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.feedburner.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://feeds.feedburner.com/example-feed$ [NC]
RewriteCond %{HTTP_REFERER} !^http://feeds.feedburner.com/example-feed-comments$ [NC]
RewriteRule .*\.(gif|jpg|jpeg|png|bmp)$ - [F,NC,L]

Notice, in the last lines of code, we're now allowing Feedburner to access the files on our site. Of course, in this code snippet you'd need to replace www.example.com with your actual domain and the Feedburner feeds and feed comments with the actual URLs.

Also keep in mind, .htaccess rules are overwritten in each folder. If you have an .htaccess file in the parent (root) folder and then a .htaccess file in one of the child folders, the settings in the child folder's .htaccess file override the parent .htaccess.

The thing to remember is, what are you trying to gain by enabling hotlink protection? Does this goal outweigh the possible disadvantages of using hotlink protection?

I hope this helps! If you need further assistance please feel free to contact us.

Thanks!
Tim S
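
An added example (not part of the thread and not cPanel's code): a small Python model of the RewriteCond chains posted above, run over constructed Referer values to show which requests each rule set serves or blocks. It assumes example.com stands in for the poster's domain; `decide`, `ANSWER_CONDS` and `QUESTION_CONDS` are names made up for this sketch.

```python
import re

# Referer patterns copied from the answer's first rule set. Each appears
# there as a negated RewriteCond ("!pattern"), and all conditions are ANDed.
ANSWER_CONDS = [
    r"^$",
    r"^http://example.com$",
    r"^http://example.com/.*$",
    r"^http://www.example.com$",
    r"^http://www.example.com/.*$",
]
# Pattern shape from the question (optional "s" in the scheme), with
# example.com substituted for the poster's domain (assumption).
QUESTION_CONDS = [r"^$", r"^http(s)?://(www\.)?example.com"]

IMAGE_RULE = re.compile(r".*\.(gif|jpg|jpeg|png|bmp)$", re.IGNORECASE)


def decide(conds, path, referer):
    """Return 'blocked' if the rule would fire for this request, else 'served'.

    'blocked' means the RewriteRule applies: [F] in the answer's rules,
    the redirect to the placeholder image in the question's rules.
    """
    if not IMAGE_RULE.search(path):
        return "served"  # RewriteRule pattern does not match this URL
    # A negated condition holds when its pattern does NOT match the Referer.
    # The [NC] flag is modelled with re.IGNORECASE.
    all_hold = all(not re.search(p, referer, re.IGNORECASE) for p in conds)
    return "blocked" if all_hold else "served"


# Constructed sample requests: (path, Referer header value)
SAMPLES = [
    ("/img/a.png", ""),
    ("/img/a.png", "http://www.example.com/post"),
    ("/img/a.png", "https://www.example.com/post"),
    ("/img/a.png", "http://other.example.net/page"),
    ("/img/a.png", "http://feeds.feedburner.com/example-feed"),
    ("/index.html", "http://other.example.net/page"),
]

if __name__ == "__main__":
    for path, ref in SAMPLES:
        print(f"{path:12} {ref or '(no referer)':42} "
              f"answer={decide(ANSWER_CONDS, path, ref):8} "
              f"question={decide(QUESTION_CONDS, path, ref)}")
```

In the output, a request with no Referer is served by both rule sets, and the answer's http-only patterns block the site's own pages when they are loaded over https, while the question's `http(s)?` pattern serves them.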