How to Prevent Hotlinking in WordPress

By , Updated: August 18, 2016


In this article I’ll explain why hotlinking is bad and how you can prevent hotlinking on your WordPress website.

What Is Image Hotlinking?

The concept of hotlinking is very simple. You find an image on the Internet somewhere and use the URL of the image directly on your site. This image will be displayed on your website but it will be served from the original location.

This is very convenient for the hotlinker but it’s actually theft as it is using the hotlinked site’s resources. It’s like me getting in my car and driving with gas I siphoned off my neighbour’s car.

This might not seem like a big deal, but it could generate a lot of extra costs for you. The Oatmeal is a great example. The Huffington Post hotlinked a cartoon of his which consisted of multiple images. Since we’re talking about a major publication this could incur a lot of extra costs for The Oatmeal.

In a classic Oatmeal move Matthew Inman – creator of The Oatmeal – replaced all of the hotlinked files with the following:

The new hotlinked image

He also took care to replace the last image with a drawing of a behind and a pee-pee. Awesome!

How To Prevent Hotlinking

There a few easy ways to protect against hotlinking, let’s take a look at the options we have.

Apache – htaccess

All you need to do is open the .htaccess file in your site’s root directory (or create it) and add he following:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ [NC,R,L]

The second row defines the allowed referrer – the site that is allows to link to the image directly, this should be your actual website. If you want to allow multiple sites you can duplicate this row and replace the referrer.

If you want to generate some more complex rules, take a look at this htaccess hotlink protection generator.

Nginx users

All you need to do is open the Nginx configuration and add the following:

location ~ .(gif|png|jpe?g)$ {
     valid_referers none blocked *;
     if ($invalid_referer) {
        return   403;

WordPress Plugins

There are a few WordPress plugins related to hotlinking but many of single-use ones aren’t very well maintained or have bad reviews.

I suggest taking a look at All In One WP Security And Firewall which is an excellent all-round security plugin with the ability to prevent hotlinking built-in.

Rename Files

The first two methods can’t really be used if you’re not hosting your media locally. You may be using a cloud service like Amazon S3 for example. The simpler method you have at your disposal is simply renaming a file. This is handy if suddenly a large source or multiple sources are hotlinking a single image.

You can rename the file on Amazon S3, change the link on your own site and let the hotlinkers stew in anger as their images become 404 errors.

While handy, this method is more of a quick-fix, it’s a bit unwieldy to use against large-scale hotlinking.


On Amazon S3 you can control a whole bucket using bucket policies and many other cloud services have something similar. Take a look at this helpful policy list for an example of how to prevent hotlinking in your Amazon bucket altogether.

cPanel Settings

If you have cPanel installed for your domain you can use the built-in hotlink protection tool. Take a look at the cPanel documentation for more information, it’s as easy as enabling a setting.


If you’re a content aggregator and avid sharer make sure to play nice and link to websites, don’t display images directly. If you’re truly a fan of what you’re showing you’ll be supporting the original author a lot more!

If you’re a content creator make sure to protect yourself against theft, hotlinking is one area which is not too difficult to prevent!

In case you are looking for ways and tips to format your images for better performance check out this tutorial.