How to Prevent Hotlinking in WordPress (5 Easy Methods)

Updated on June 05, 2017

Nothing is worse than someone stealing your images or bandwidth, but this happens fairly regularly as everything is out in the open on the internet for people to easily link to. This can cost you money and is even illegal if the person is linking to stock photos in which you had to acquire a license to use. Today we’ll explain what hotlinking is, why it is bad, and how you can prevent hotlinking on your WordPress website.

What Is Hotlinking?

The concept of hotlinking is very simple. You find an image on the internet somewhere and use the URL of the image directly on your site. This image will be displayed on your website but it will be served from the original location. This is very convenient for the hotlinker but it’s actually theft as it is using the hotlinked site’s resources. It’s like if we were to get in our car and drive away with gas we siphoned off from our neighbor’s car.

Hotlinking is like driving away with gas you siphoned off from your neighbors car. 🚗 Click to Tweet

Below are a couple things to be aware of when it comes to hotlinking:

1. Hotlinking Costs the Original Website Owner Money

Someone linking to your images from their website might not seem like a big deal, but it could generate a lot of extra costs for you. The Oatmeal is a great example. The Huffington Post hotlinked a cartoon of his which consisted of multiple images. Since we’re talking about a major publication with a lot of traffic, this incurred a lot of extra costs for The Oatmeal, as thousands of people were being delivered the images. In a classic Oatmeal move Matthew Inman, creator of The Oatmeal, replaced all of the hotlinked files with the following:

The new hotlinked image

hotlinking example

He also took care to replace the last image with a drawing of a behind and a pee-pee. Awesome! But as you can see, the costs can add up quite rapidly, especially if a high-traffic site is the one hotlinking your content. Do you want to trust that all writers and bloggers know how to properly use images? Probably not. And that is why hotlink protection exists.

2. Hotlinking in Most Cases is Illegal

Hotlinking in a lot of cases is actually illegal. Why? Because many of the photos you see around the web have licensing restrictions attached to them. Here are a couple of common image restrictions on licensing from popular stock photo sites:

  • No commercial use is permitted under any circumstance.”
  • “Publication on a website or blog you own (in articles or news for illustrative purposes only).”

Both of the above restrictions could easily be broken if someone links to your image and uses it on their website. They most likely don’t have permission to do so, as they did not pay for the license. This also goes hand in hand with not linking to it correctly on their site, but also proper attribution to the original creator.

3. Drain of Server Resources

Hotlinking can be a huge drain on resources for the target server. Imagine if you are on a shared WordPress host and Huffington Post suddenly links to your images. You could go from a couple hundred queries an hour on your site to a couple hundred thousand. This could even result in a suspension of your hosting account. This is definitely a reason to not only use a high-performance host (which can handle hiccups like this), but also to enable hotlink protection so this doesn’t happen.

4. Hotlinking is Just Plain Lazy

Do people hotlink simply because they are lazy? Well, a lot of times, people don’t intentionally hotlink to your images and are not aware that this is even an issue. They are usually just busy writing and are simply copy-pasting URLs and files. They might not even know how to properly link to an image. However, this is still not a good excuse. If you write content on the web, it is important to understand best practices for linking to other people’s images, along with proper attribution.

5. Hotlinking Doesn’t Hurt Your SEO

Hotlinking won’t hurt your SEO, but it does need to be setup correctly. There are crawlers from Google, Bing, Yahoo, etc. that require access to your images to be able to index and properly display them. For example, when you see an image on Google image search, the thumbnail is served up from Google’s image cache. But the original version (if you click on it) is actually serving from your server.

google image search

Hotlinking in Google image search

And you want your images in Google image search. As WordStream put it, Google image search traffic is an “easy win” and in fact can drive conversions and leads for your business that you might not have gotten otherwise.

How To Prevent Hotlinking

There a few easy ways to protect your images against hotlinking, let’s take a look at the options we have.

Utilize a CDN with Hotlink Protection

Most of you serve content around the globe from your websites and in turn use a CDN provider to speed up the delivery of your assets. CDN providers such as KeyCDN and Cloudflare have great hotlink protection already built in for free that you can enable. This is the recommended method as they have very fine-tuned rules for bots and other referrers that actually shouldn’t be blocked. Another benefit from doing it on your CDN is that you don’t have to change anything with your WordPress installation.

If you are using KeyCDN, simply click into Zonereferrers and add the rules. Crawlers will still be able to access and index your images.

keycdn hotlink protection

KeyCDN hotlink protection

They even have a one-click option to allow empty referrers per zone.

keycdn allow empty referrer

KeyCDN allow empty referrer

This would enable hotlink protection for assets on your CDN, but not your origin server. So if you are very worried about someone hotlinking to your images directly on your server you could also enable hotlink protection on your origin server (see Apache and NGINX rules further below). This is very unlikely though as someone would have to manually remove the CDN URL. But it could happen.

If you are using Cloudflare, you can easily enable hotlink protection under Scrape Shield in your account. Since Cloudflare is a fully proxy service you don’t need to worry about enabling hotlink protection on your origin server.

cloudflare hotlink protection

Cloudflare hotlink protection

If you are using Amazon S3, you can enable hotlink protection with bucket policies, which is located under “Permissions” on your bucket.

amazon s3 hotlink protection

Amazon S3 hotlink protection

Simply add the following code below:

{
  "Version": "2008-10-17",
  "Id": "preventHotLinking",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-brand-new-bucket/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://yourwebsitename.com/*",
            "http://www.yourwebsitename.com/*"
            "https://google.com/*"
            "https://bing.com/*"
            "https://yahoo.com/*"
          ]
        }
      }
    }
  ]
}

Enable Hotlink Protection on Apache

If your WordPress site is running on Apache, all you need to do is open the .htaccess file in your site’s root directory (or create it) and add the following:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|svg)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]

The second line allows blank referrers. You will most likely want to enable this as some visitors use a personal firewall or antivirus program that deletes the page referrer information sent by the web browser. If you don’t allow blank referrers, you could inadvertently disable all of your images for those users.

The third line defines the allowed referrer, the site that is allowed to link to the image directly, this should be your website (update yourdomain.com above with your domain). The fourth, fifth, and sixth lines add search engines to the allowed list, because you don’t want to block crawlers such as Google bot or Bing bot. This could prevent your images from showing and indexing in Google image search.

And the seventh line defines the image you want the visitor to see in place of the hotlink protected image. This not required, but you could give them a friendly warning. If you want to allow multiple sites you can duplicate this row and replace the referrer. If you want to generate some more complex rules, take a look at this htaccess hotlink protection generator.

If you are using the above rules along with a CDN, you might also need to whitelist your CDN subdomain.

Enable Hotlink Protection on NGINX

If you are running on NGINX, all you need to do is open your config file and add the following:

location ~ .(gif|png|jpeg|jpg|svg)$ {
     valid_referers none blocked ~.google. ~.bing. ~.yahoo yourdomain.com *.yourdomain.com;
     if ($invalid_referer) {
        return   403;
    }
}

If you are a Kinsta user and aren’t using a CDN, we can add this for you. Just open up a quick ticket with our support team from the MyKinsta dashboard. If you are using the above rules along with a CDN, you might also need to whitelist your CDN subdomain.

WordPress Plugins

There are a few WordPress plugins related to hotlinking but many of single-use ones aren’t very well maintained or have bad reviews. We don’t recommend using them. We suggest taking a look at the All In One WP Security And Firewall plugin which is an excellent all-around security plugin with the ability to prevent hotlinking built-in. However, it is generally better to enable hotlink protection at the server or CDN level.

All In One WP Security & Firewall

All In One WP Security & Firewall

All In One WP Security & Firewall currently has over 500,000 active installs with an impressive 5 out of 5-star rating. You can download it from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins.

Note: If you are a Kinsta user this plugin is not allowed as we apply many of these same security precautions at the server-level. This helps to ensure that it doesn’t affect the performance of your WordPress site and that they are fined tuned for our environment. If you need hotlink protection enabled, simply reach out to our support team.

Rename Files

If you suddenly discover a high traffic site or multiple sources hotlinking to a single image a simple method you have at your disposal is to simply rename the file. Change the link on your own site and let the hotlinkers stew in anger as their images become 404 errors. While handy, this method is more of a quick-fix, it’s a bit unwieldy to use against large-scale hotlinking.

cPanel Settings

If you have cPanel or WHM installed for your domain you can use the built-in hotlink protection tool. Take a look at the cPanel documentation for more information, it’s as easy as enabling a setting.

How to File a DMCA Takedown Notice

Another solution is that since they don’t own the image and are using it without your permission, you can always file a DMCA takedown notice. This can be a quick way to ensure that it gets taken down. You would be surprised what a quick “abuse” letter will do. Many website owners will handle the issue right away, as they fear legal action.

Conclusion

If you’re a content aggregator and avid sharer make sure to play nice and link to websites, don’t display images directly. If you’re truly a fan of what you’re showing you’ll be supporting the original author a lot more! If you’re a content creator make sure to protect yourself against theft, hotlinking is one area which is not too difficult to prevent. Any of the methods mentioned above will ensure you save money, time, and bandwidth.

Have you ever dealt with people hotlinking to your images? If so, we would love to hear about it below.

This article was written by Daniel Pataki

Daniel is the editor of the WordPress section on Smashing Magazine. He loves board games and going on runs with his dog.

Hand-picked related articles

  1. Gravatar for this comment's author
    Eric Kangiri May 10, 2017 at 9:49 pm

    Thanks for the tips, very insightful and helpful.

    1. Gravatar for this comment's author
      Brian Jackson May 11, 2017 at 9:04 am

      Glad they were helpful Eric!

Leave a Reply to Eric Kangiri Cancel reply

Use WordPress?

Join 20,000+ others who get our FREE weekly newsletter with WordPress tips on how to drive more traffic and revenue to your business!

You have Successfully Subscribed!

Send this to a friend