Using .htaccess to stop remote image linking (hotlinking) and bandwidth theft

Hotlinking, remote image linking, direct image linking is when a remote website embeds images from your site on their webpage(s) – this causes the image to be served from your website to anyone browsing their site – thus they are robbing your bandwidth.

How can you stop this? Well, using an .htaccess file in your images folder(s), there are a number of options.

The most straightforward is to simply create an .htaccess file with the following code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)? [NC]
RewriteRule \.(png|gif|jpe?g)$ – [NC,F]

The first line here turns on mod_rewrite (a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly) and only needs to be done once per .htaccess file.
The next line is needed to allow your site to be viewed through proxy caches. If you take it out, then anyone without a referer won’t be able to view your site. Many proxy caches, for instance, block referers… and that looks the same as a directly-entered URL.
The third line tells the .htaccess file where to allow image files to be served from – in this case it will allow images be served from and (remember to update this for your own domain!) and
The final line is case insensitive (the NC) and instructs the .htaccess file what file types to restrict the serving of. You could just as easily use this to protect .mp3s, .pdf’s or any other file type by substituting the file type in this line. The F in the square brackets forces the current URL to be forbidden.

For more infomation on this see the Apache mod_rewrite URL Rewriting Engine page.

There are more things you can do via .htaccess to stop people hotlinking to your images that I’ll cover in my next post.

Warning – The .htaccess file is very powerful (it can potentially take your entire site offline) and sensitive to typo’s – always test your site after making changes and be sure you have a plan to revert in the event of a problem arising.

11 thoughts on “Using .htaccess to stop remote image linking (hotlinking) and bandwidth theft”

  1. Aw, this is an interesting idea. I have become more aware of security lately and think I’ll give this a try.

    Thanks for posting in a manner that is easy to understand.

  2. Thank you for the easy to understand instructions. I will be trying this out as soon as I get a chance.

    Thanks again.

  3. I see that there are ways to block all other sites from using your images, and to allow a particular few, but is there a way to block only -certain- sites and their subdomains (I have a lot of problems with myspace and other similar sites)?

  4. Strange, doesn’t work for me. I did have hot linking disabled via “Preventing Hotlinking” button on my cPanel but I was looking for way to allow certain sites. It was only after I used this code that I say there was an option to allow sites. Duhh. Anyway the script stopped working and I tried writing the above manually to my .htaccess file but nada. Guess I am off to support.

  5. I see my post dated 1/5/08 was deleted. Hmmm, I wonder if it was because of the link to my Homepage and my political views. Perhaps you shouldn’t offer your viewers to link to their sites, if you’re going to surpress free speech.

    Instead of answering my question, you’ve deleted my post. Unbelievable!

  6. Ironside, put the mouse down, step away from the paranoia!

    Your previous comment wasn’t deleted, it simply went into the modeeration queue until I got around to checking the queue and approving the comments.

  7. Hi,

    I want to thank you for this great tutorial.
    It all works fine until I altered the Referrer settings to my own host name(ex. in “Orbit,” which is a download manager. And the protected PDF files was successfully downloaded 🙁

    Before reading this tutorial, I used .htaccess to password-protect the whole directory containing sensitive data.
    However, it also prevents my PHP scripts from accessing those files.
    People who logged into my site to legally download files are also faced with a daunting dialog asking for password from Apache.

    Any suggestions?

    Many thanks

Comments are closed.