Nothing is worse than someone stealing your images or bandwidth, but this happens fairly regularly, as everything is out in the open on the internet for people to easily link to. This can cost you money and is even illegal if the person is linking to stock photos for which you had to acquire a license. Today we’ll explain what hotlinking is, why it is bad, and how you can prevent hotlinking on your WordPress website.
- What is Hotlinking?
- Why Hotlinking is Bad
- Does Blocking Hotlinking Hurt Your SEO?
- How To Prevent Hotlinking
- How to File a DMCA Takedown Notice
What is Hotlinking?
The concept of hotlinking is very simple. You find an image on the internet somewhere and use the URL of the image directly on your site. This image will be displayed on your website but it will be served from the original location. This is very convenient for the hotlinker but it’s actually theft as it is using the hotlinked site’s resources. It’s like if we were to get in our car and drive away with gas we siphoned off from our neighbor’s car.
Why Hotlinking is Bad
Below are a couple things to be aware of when it comes to hotlinking:
1. Hotlinking Costs the Original Website Owner Money
Someone linking to your images from their website might not seem like a big deal, but it could generate a lot of extra costs for you. The Oatmeal is a great example. The Huffington Post hotlinked a cartoon of his which consisted of multiple images. Since we’re talking about a major publication with a lot of traffic, this incurred a lot of extra costs for The Oatmeal, as thousands of people were being delivered the images. In a classic Oatmeal move Matthew Inman, creator of The Oatmeal, replaced all of the hotlinked files with the following:
He also took care to replace the last image with a drawing of a behind and a pee-pee. Awesome! But as you can see, the costs can add up quite rapidly, especially if a high-traffic site is the one hotlinking your content. Do you want to trust that all writers and bloggers know how to properly use images? Probably not. And that is why hotlink protection exists.
2. Hotlinking in Most Cases is Illegal
Hotlinking in a lot of cases is actually illegal. Why? Because many of the photos you see around the web have licensing restrictions attached to them. Here are a couple of common image restrictions on licensing from popular stock photo sites:
- “No commercial use is permitted under any circumstance.”
- “Publication on a website or blog you own (in articles or news for illustrative purposes only).”
Both of the above restrictions could easily be broken if someone links to your image and uses it on their website. They most likely don’t have permission to do so, as they did not pay for the license. This usually goes hand in hand with not linking to the image correctly on their site and not giving proper attribution to the original creator.
3. Drain of Server Resources
Hotlinking can be a huge drain on resources for the target server. Imagine if you are on a shared WordPress host and Huffington Post suddenly links to your images. You could go from a couple hundred queries an hour on your site to a couple hundred thousand. This could even result in a suspension of your hosting account. This is definitely a reason to not only use a high-performance host (which can handle hiccups like this), but also to enable hotlink protection so this doesn’t happen.
4. Hotlinking is Just Plain Lazy
Do people hotlink simply because they are lazy? Well, a lot of times, people don’t intentionally hotlink to your images and are not aware that this is even an issue. They are usually just busy writing and are simply copy-pasting URLs and files. They might not even know how to properly link to an image. However, this is still not a good excuse. If you write content on the web, it is important to understand best practices for linking to other people’s images, along with proper attribution.
Does Blocking Hotlinking Hurt Your SEO?
Blocking people from hotlinking won’t hurt your SEO, but it does need to be set up correctly. There are crawlers from Google, Bing, Yahoo, etc. that require access to your images to be able to index and properly display them. For example, when you see an image on Google image search, the thumbnail is served up from Google’s image cache. But the original version (if you click on it) is actually served from your server.
And you want your images in Google image search. As WordStream put it, Google image search traffic is an “easy win” and in fact can drive conversions and leads for your business that you might not have gotten otherwise.
How To Prevent Hotlinking
There are a few easy ways to protect your images against hotlinking. Let’s take a look at the options we have.
Utilize a CDN with Hotlink Protection
Most of you serve content around the globe from your websites and in turn use a CDN provider to speed up the delivery of your assets. CDN providers such as KeyCDN and Cloudflare have great hotlink protection already built in for free that you can enable. This is the recommended method as they have very fine-tuned rules for bots and other referrers that actually shouldn’t be blocked. Another benefit from doing it on your CDN is that you don’t have to change anything with your WordPress installation.
If you are using KeyCDN, simply click into Zonereferrers and add the rules. Crawlers will still be able to access and index your images.
They even have a one-click option to allow empty referrers per zone.
This would enable hotlink protection for assets on your CDN, but not your origin server. So if you are very worried about someone hotlinking to your images directly on your server you could also enable hotlink protection on your origin server (see Apache and NGINX rules further below). This is very unlikely though as someone would have to manually remove the CDN URL. But it could happen.
If you are using Cloudflare, you can easily enable hotlink protection under Scrape Shield in your account. Hotlink protection has no impact on crawling, but it will prevent the images from being displayed on sites such as Google images, Pinterest, etc. Since Cloudflare is a full proxy service, you don’t need to worry about enabling hotlink protection on your origin server.
If you are using Amazon S3, you can enable hotlink protection with bucket policies, which are located under “Permissions” on your bucket.
Simply add the following policy:
{
    "Version": "2008-10-17",
    "Id": "preventHotLinking",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-brand-new-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://yourwebsitename.com/*",
                        "http://www.yourwebsitename.com/*",
                        "https://google.com/*",
                        "https://bing.com/*",
                        "https://yahoo.com/*"
                    ]
                }
            }
        }
    ]
}
Enable Hotlink Protection on Apache
If your WordPress site is running on Apache, all you need to do is open the .htaccess file in your site’s root directory (or create it) and add the following:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|svg)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]
The second line allows blank referrers. You will most likely want to enable this as some visitors use a personal firewall or antivirus program that deletes the page referrer information sent by the web browser. If you don’t allow blank referrers, you could inadvertently disable all of your images for those users.
The third line defines the allowed referrer, the site that is allowed to link to the image directly. This should be your website (update yourdomain.com above with your domain). The fourth, fifth, and sixth lines add search engines to the allowed list, because you don’t want to block crawlers such as Google bot or Bing bot. This could prevent your images from showing and indexing in Google image search.
And the seventh line defines the image you want the visitor to see in place of the hotlink protected image. This is not required, but you could give them a friendly warning. If you want to allow multiple sites you can duplicate this row and replace the referrer. If you want to generate some more complex rules, take a look at this htaccess hotlink protection generator.
If you are using the above rules along with a CDN, you might also need to whitelist your CDN subdomain.
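The decision the RewriteCond chain above makes can be modelled offline, which also shows why the host in the Referer pattern should have its dots escaped and be followed by "/" or end of string. This is an added example, not code from the original article; the two pattern lists and the sample requests are constructed, with yourdomain.com as the article's placeholder.

```python
import re

# Constructed allowlists modelled on the RewriteCond chain. LOOSE leaves the
# dots unescaped and matches on a prefix only. TIGHT escapes the dots and, for
# the site's own host, requires "/" or end of string after the host name.
LOOSE = [
    r"^http(s)?://(www\.)?yourdomain.com",
    r"^http(s)?://(www\.)?google.com",
]
TIGHT = [
    r"^http(s)?://(www\.)?yourdomain\.com(/|$)",
    r"^http(s)?://(www\.)?google\.com",
]
IMAGE_RE = re.compile(r"\.(jpg|jpeg|png|gif|svg)$", re.IGNORECASE)


def decide(path, referer, allowlist):
    """Return 'serve' or 'redirect' the way the rewrite rule would.

    The rule fires (redirect to the placeholder image) only when the path
    ends in an image extension, the Referer is non-empty, and the Referer
    matches none of the allowed patterns.
    """
    if not IMAGE_RE.search(path):
        return "serve"              # RewriteRule pattern does not match
    if referer == "":
        return "serve"              # blank referrers are allowed (!^$)
    for pattern in allowlist:
        if re.search(pattern, referer, re.IGNORECASE):  # [NC] flag
            return "serve"
    return "redirect"


# Constructed sample requests: (requested path, Referer header value).
SAMPLES = [
    ("/wp-content/uploads/a.png", ""),
    ("/wp-content/uploads/a.png", "https://www.yourdomain.com/post/"),
    ("/wp-content/uploads/a.png", "https://www.google.com/"),
    ("/wp-content/uploads/a.png", "https://blog.example.net/article"),
    ("/wp-content/uploads/a.png", "https://yourdomain.com.example.net/x"),
    ("/wp-content/uploads/a.png", "https://yourdomainxcom.example.net/"),
    ("/about/", "https://blog.example.net/article"),
]


def compare():
    """Decision for every sample under both allowlists."""
    return [(ref, decide(path, ref, LOOSE), decide(path, ref, TIGHT))
            for path, ref in SAMPLES]


if __name__ == "__main__":
    for ref, loose, tight in compare():
        print(f"{ref or '(empty)':40} loose={loose:9} tight={tight}")
```

Because the Referer header is supplied by the client, either list only limits casual embedding and bandwidth use; it is not access control for the files.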
Enable Hotlink Protection on NGINX
If you are running on NGINX, all you need to do is open your config file and add the following:
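location ~ \.(gif|png|jpeg|jpg|svg)$ {
    # none: no Referer header; blocked: Referer stripped by a proxy or firewall
    valid_referers none blocked ~.google. ~.bing. ~.yahoo. yourdomain.com *.yourdomain.com;
    # any other referrer gets 403 Forbidden
    if ($invalid_referer) {
        return 403;
    }
}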
If you are a Kinsta user and aren’t using a CDN, we can add this for you. Just open up a quick ticket with our support team from the MyKinsta dashboard. If you are using the above rules along with a CDN, you might also need to whitelist your CDN subdomain.
WordPress Plugins
There are a few WordPress plugins related to hotlinking, but many of the single-use ones aren’t very well maintained or have bad reviews. We don’t recommend using them. We suggest taking a look at the All In One WP Security And Firewall plugin, which is an excellent all-around security plugin with the ability to prevent hotlinking built in. However, it is generally better to enable hotlink protection at the server or CDN level.
All In One WP Security & Firewall currently has over 500,000 active installs with an impressive 5 out of 5-star rating. You can download it from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins.
Note: If you are a Kinsta user this plugin is not allowed, as we apply many of these same security precautions at the server level. This helps to ensure that it doesn’t affect the performance of your WordPress site and that they are fine-tuned for our environment. If you need hotlink protection enabled, simply reach out to our support team.
Disable right click in WordPress
Another option you have to prevent hotlinking in WordPress is to disable the right-click functionality. This is by no means a bulletproof approach, but it can be a good way to ensure typical users aren’t stealing your images or copying them into other applications while they still link to your source domain.
There is a great free little plugin called Prevent Content Theft which will help stop that. You can download it from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins. There are no settings, simply install and you’re good to go.
This plugin not only disables right clicking on your images but also on the entire page, therefore protecting your content as well. We installed and tested this on our development site and you can see an example below of what happens when a user tries to right click on an image. They are met with a notification box that lets them know that this function is disabled.
Rename Files
If you suddenly discover a high-traffic site or multiple sources hotlinking to a single image, a simple method at your disposal is to rename the file. Change the link on your own site and let the hotlinkers stew in anger as their images become 404 errors. While handy, this method is more of a quick fix; it’s a bit unwieldy to use against large-scale hotlinking.
cPanel Settings
If you have cPanel or WHM installed for your domain, you can use the built-in hotlink protection tool. Take a look at the cPanel documentation for more information. It’s as easy as enabling a setting.
How to File a DMCA Takedown Notice
Since they don’t own the image and are using it without your permission, another solution is to file a DMCA takedown notice. This can be a quick way to ensure that it gets taken down. You would be surprised what a quick “abuse” letter will do. Many website owners will handle the issue right away, as they fear legal action.
Conclusion
If you’re a content aggregator and avid sharer, make sure to play nice and link to websites; don’t display images directly. If you’re truly a fan of what you’re showing, you’ll be supporting the original author a lot more! If you’re a content creator, make sure to protect yourself against theft. Hotlinking is one area which is not too difficult to prevent. Any of the methods mentioned above will ensure you save money, time, and bandwidth.
Have you ever dealt with people hotlinking to your images? If so, we would love to hear about it below.
Thanks for the tips, very insightful and helpful.
Glad they were helpful Eric!
Thank you for this helpful article ! .htaccess protection immediately integrated on my various websites & worked perfectly !
Thank you for sharing. My web is celebrity picture-heavy and the majority of photos are subject to copyright, owned by us. So it is an extremely important topic. I used the CPanel option. Not sure how to test if/how it’s working though :)
For the nginx configuration, you have a dot after google and bing, but not yahoo – is it correct to assume a dot should be there?
valid_referers none blocked ~.google. ~.bing. ~.yahoo yourdomain.com *.yourdomain.com;
Yes, there should be a period after ~.yahoo. We have fixed the post above. Thanks for the heads up!
Cloudflare Hotlink protection says the following “Hotlink protection has no impact on crawling, but it will prevent the images from being displayed on sites such as Google images, Pinterest, etc.”
So you may want to add that to your article. Thanks!
Thanks Brad! We have added that to the article above.
Currently my website is hosted on a Digital Ocean Nginx server.
Does the above .htaccess method work for hotlink protection?
Or do I have to follow the nginx method only?
Hey Pooja! If you’re using Nginx, you’ll need to use the Nginx syntax/commands for hotlink protection as you won’t have a .htaccess file.
Does turning on hotlinking impact my SEO?
Hey Akhil! We have a section about SEO and hotlinking above in the post. Hotlinking won’t hurt your SEO if set up correctly.
Actually according to Google hotlinking isn’t illegal. I sent them a DMCA notice for someone who was using their services who was hotlinking my images. They refused to send them the DMCA notice. I asked why and they sent me a two page email explaining why it wasn’t illegal. I didn’t understand much of it and I didn’t get the images removed from that site. This is and a few other companies have refused to send my DMCA notice to the website owners for one reason or another.
Google can sometimes be hit or miss with hotlinking. In my experience, just wait a few weeks and file the DMCA with them again. Also be sure to file a DMCA with the host of the offending site, or if they are behind a CDN, report abuse to the CDN and they will give you the hostname. I have had more success getting images removed that way.
Dear Kinsta,
Thank you for your wonderful articles..You ‘re a life saver!
I want to ask this: If I install a plugin which disables the right click function on my wordpress site, will people still be able to hotlink images from my site from the google image search results? By “Copy link location” option
If yes, how can I prevent this from happening?
Thank you in advance,
Edward
I would just like to raise awareness of the new `Cross-Origin-Resource-Policy` HTTP header which is essentially a standardized method of preventing hotlinking. More info: https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
if cloudflare is going to deny hotlinking to ‘preferred’ sites like pinterest, facebook and twitter, then the htaccess option seems like the only really good solution. (it’s too bad that cloudflare doesn’t offer us the option to exempt certain sites.)
Hi Brian,
Do i have to rename this ”::my-brand-new-bucket/*”,” – to my bucket name?
Or should i leave it as it is?
Hi Kanyi, you should rename it to your own bucket.
Under the Nginx section you have the config file listed to place the code in. Is this correct? It says if you're running Nginx, open your config file and add the code. So this would be the wpconfig file and not the htaccess file?
Okay thank you 😊
Hi Jenn, does your host use NGINX or Apache? If you have an .htaccess file that is actively used, then that means the host uses Apache. If that’s the case, you can add the Apache-specific code for hotlinking protection. If your host is using NGINX, I recommend contacting the host to add the code to the NGINX config.
When I checked, I found hotlink protection is not enabled on Kinsta. I’m interested to know why?
Hello Akanka, thank you for your comment. Hotlink protection is not enabled by default on Kinsta. However, our support team is able to add hotlink protection to your site anytime.
Does Kinsta CDN automatically disable hotlinking to images?
Hello Liam, thank you for your comment! At this time, KinstaCDN does not provide hotlink protection. If that is a requirement for the site, we recommend using another CDN provider with hotlink protection.
Hi, today I noticed someone copied my wordpress site source code and design and some content also, when I checked Google search result they are ranking better than me and in that copied website source code I can clearly see my website address example com/wp-content/xyz
What should I do now? I am using Cloudflare, please help me out. Because the owner rejected my request, I just want to remove my URL from his website.
Hello, if someone is stealing your content, I’d suggest filing a DMCA takedown with their host.
Been using Kinsta at our agency for several years now with dozens of very happy clients and have to say, your blog and KB posts are top notch. Keep up the good work!
Thank you for your kind words and for the support, we appreciate it, Stephen!