
title: Hotlinking, WordPress and other Horrors
link: https://onemoretech.wordpress.com/2009/09/11/hotlinking-wordpress-and-other-horrors/
author: lembobro
description:
post_id: 249
created: 2009/09/11 09:21:29
created_gmt: 2009/09/11 09:21:29
comment_status: open
post_name: hotlinking-wordpress-and-other-horrors
status: publish
post_type: post

Hotlinking, WordPress and other Horrors

If you’ve worked around the web back in the days before unlimited bandwidth, you’ll know this trick: putting an .htaccess file at the root of your web site to prevent hotlinking to images you’ve got stored there by others (hotlinking is where someone else displays images they found on your site by creating a referral to them — taking advantage of not only your disk space but also your bandwidth).

Here’s the typical code you’d use when the web server is Apache:

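```apache
RewriteEngine on
# Let requests with an empty Referer through (bookmarks, typed URLs)
RewriteCond %{HTTP_REFERER} !^$
# Let your own sites and Google through
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?lembobrothers\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?casalembo\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?google\.com [NC]
# "Nice" alternative: serve a replacement image instead of an error
# RewriteRule .*\.(jpe?g|gif|bmp|png)$ /nolinking.jpe [L]
# Otherwise answer 403 Forbidden
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ - [F]
```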

The first RewriteCond exempts “empty” referrers (e.g. browser bookmarks). The next two exempt a couple of your own domains (the example shows a couple of my own). The one after those makes an exemption for Google (in some cases you may want to leave this one out, e.g. where the images being protected are of your kids).

Finally comes the actual RewriteRule. The commented line is a “nice” rule: it displays an image to the referrer that might say something like “No linking here!” (note that using the .jpe extension allows linking to this replacement image; if it were a .jpg the operation would fail). Some people use an “embarrassing” image here. That’s not my style. Instead, what I use is the last line, which returns a simple 403 Error, “FORBIDDEN”.

(see the Apache doc on mod_rewrite for the technical details)

What I’ve described above will work for a whole web site, from the root down. If you have subdomains it should also work for them (not entirely sure about that).

But if you’re using WordPress or some other web app that sets up its own elaborate .htaccess regime, you’re going to need to go a little further. With WordPress, for example, you’ll have to put the same kind of .htaccess file under wp-content/uploads.

There’s a neat service that lets you try hotlinking to sites for testing purposes called, amazingly enough, the Free Hotlinking Checker. This tool is invaluable in debugging your rewrite directives.
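For checking the directives offline, the following added example (not part of the original post) emulates the rule set above in Python and compares the allow-list patterns as written with a variant tied to the host part of the Referer. The strict pattern, the function names and the `.example` referers are assumptions constructed for illustration.

```python
import re

DOMAINS = ["lembobrothers.com", "casalembo.com", "google.com"]
# The page's allow-list conditions, with the dots escaped.
PAGE_TMPL = r"^http(s)?://(.+\.)?{d}"
# Assumption, not from the page: the same conditions tied to the host part.
STRICT_TMPL = r"^http(s)?://([^/@]+\.)?{d}(:\d+)?(/|$)"
# The page's RewriteRule pattern; no [NC], so it is case-sensitive.
IMAGE_RULE = re.compile(r"\.(jpg|jpeg|png|gif|bmp)$")

def compile_conds(template):
    # [NC] on a RewriteCond corresponds to re.IGNORECASE here.
    return [re.compile(template.format(d=re.escape(d)), re.I) for d in DOMAINS]

def status(path, referer, conds):
    """Emulate the rule set: 403 when the F rule fires, otherwise 200."""
    if not IMAGE_RULE.search(path):
        return 200   # RewriteRule pattern does not match the path
    if referer == "":
        return 200   # "!^$" is false for an empty Referer
    if any(c.search(referer) for c in conds):
        return 200   # one of the "!allowed-site" conditions is false
    return 403       # every RewriteCond held, so the rule fires

# Constructed sample requests (path, Referer); hosts under .example are made up.
SAMPLES = [
    ("/img/a.jpg", ""),
    ("/img/a.jpg", "https://www.lembobrothers.com/post"),
    ("/img/a.jpg", "http://other.example/page"),
    ("/img/a.jpg", "http://google.com.other.example/"),
    ("/img/a.jpg", "http://other.example/x.casalembo.com"),
    ("/img/A.JPG", "http://other.example/page"),
    ("/index.html", "http://other.example/page"),
]

def audit():
    """Return (path, referer, status as written, status with strict patterns)."""
    page, strict = compile_conds(PAGE_TMPL), compile_conds(STRICT_TMPL)
    return [(p, r, status(p, r, page), status(p, r, strict)) for p, r in SAMPLES]

if __name__ == "__main__":
    for path, referer, loose, tight in audit():
        print(f"{path:12} {referer!r:42} page={loose} strict={tight}")
```

Rows where the two columns differ are referers that only contain an allowed name rather than coming from an allowed host. The `A.JPG` row passes under both because the RewriteRule pattern has no `[NC]` flag.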

This is another good, clear tutorial on creating the kind of .htaccess file I describe above. Unfortunately the hotlinking checker there doesn’t appear to be working.

Copyright 2004-2019 Phil Lembo