Using .htaccess to stop remote image linking (hotlinking) and bandwidth theft

Hotlinking (also called remote image linking or direct image linking) is when a remote website embeds images from your site on its own webpage(s). The image is then served from your website to anyone browsing their site, so they are robbing your bandwidth.

How can you stop this? Well, using an .htaccess file in your images folder(s), there are a number of options.

The most straightforward is to simply create an .htaccess file with the following code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?tomrafteryit\.net [NC]
RewriteRule \.(png|gif|jpe?g)$ - [NC,F]

The first line here turns on mod_rewrite, a rule-based rewriting engine (based on a regular-expression parser) that rewrites requested URLs on the fly. It only needs to be done once per .htaccess file.
The next line is needed to allow your site to be viewed through proxy caches. If you take it out, then anyone without a referer won’t be able to view your site. Many proxy caches, for instance, block referers, and that looks the same as a directly-entered URL.
The third line tells the .htaccess file where to allow image files to be served from. In this case it will allow images to be served from http://tomrafteryit.net and http://www.tomrafteryit.net (remember to update this for your own domain!).
The final line is case insensitive (the NC) and tells the .htaccess file which file types to restrict the serving of. You could just as easily use this to protect .mp3s, .pdfs or any other file type by substituting the file type in this line. The F in the square brackets forces the current URL to be forbidden.
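
As an added example (not code from the original post), this Python model of the rule's two conditions lets you check which requests it would forbid before you deploy it. The sample requests are constructed, and STRICT_HOST is an assumed tighter pattern, not part of the post's rule. Because the Referer header is supplied by the client, the rule saves bandwidth rather than controlling access.

```python
import re

# Model of the two RewriteCond lines and the RewriteRule from the post.
# Apache applies the [F] rule only when every condition matches.
PAGE_HOST = r"^http://(www\.)?tomrafteryit\.net"            # post's pattern, dot escaped
STRICT_HOST = r"^https?://(www\.)?tomrafteryit\.net(/|$)"   # assumption: stricter variant
PROTECTED = re.compile(r"\.(png|gif|jpe?g)$", re.IGNORECASE)  # RewriteRule pattern, [NC]


def is_forbidden(path, referer, host_pattern=PAGE_HOST):
    """Return True when the request would get the [F] (forbidden) response."""
    if not PROTECTED.search(path):
        return False                  # RewriteRule pattern does not match this file
    if referer == "":
        return False                  # condition 1 (!^$) fails: empty referer allowed
    own_site = re.search(host_pattern, referer, re.IGNORECASE)
    return own_site is None           # condition 2: forbidden unless referer is own site


# Constructed sample requests: (requested path, Referer header)
SAMPLES = [
    ("/images/logo.PNG", "http://www.tomrafteryit.net/about/"),
    ("/images/logo.png", ""),
    ("/images/logo.png", "http://other-site.example/page.html"),
    ("/images/logo.png", "https://www.tomrafteryit.net/"),
    ("/images/logo.png", "http://tomrafteryit.net.other.example/"),
    ("/images/notes.txt", "http://other-site.example/page.html"),
]


def report(host_pattern=PAGE_HOST):
    """Evaluate every sample and return (path, referer, outcome) tuples."""
    return [(p, r, "403" if is_forbidden(p, r, host_pattern) else "served")
            for p, r in SAMPLES]


if __name__ == "__main__":
    for label, pattern in (("post's rule", PAGE_HOST), ("stricter", STRICT_HOST)):
        print(label)
        for path, ref, outcome in report(pattern):
            print(f"  {outcome:6}  {path:20} referer={ref!r}")
```

The two patterns differ on the fourth and fifth samples: the post's pattern forbids pages of your own site loaded over https and accepts any referer that merely begins with your host name, while the stricter one does the reverse.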

For more information on this see the Apache mod_rewrite URL Rewriting Engine page.

There are more things you can do via .htaccess to stop people hotlinking to your images that I’ll cover in my next post.

Warning – The .htaccess file is very powerful (it can potentially take your entire site offline) and sensitive to typos. Always test your site after making changes and be sure you have a plan to revert in the event of a problem arising.

How to create an .htaccess file

The .htaccess file is a very powerful tool – amongst other things, it allows you to password protect folders, redirect users automatically, use custom error pages, change your file extensions, ban users by IP address, only allow users with certain IP addresses, stop directory listings and use an alternate index file.

Creating the file is easy: you just need to enter the appropriate code into a text editor (like Notepad). You may run into problems with saving the file because .htaccess is a strange file name (the file actually has no name but an 8-letter file extension). You may need to name it something else (e.g. htaccess.txt) and then upload it to the server using an FTP client program (.htaccess files must be uploaded in ASCII mode, not BINARY). Once you have uploaded the file you can then rename it using your FTP program.

You may need to CHMOD the .htaccess file to 644 (rw-r--r--). This makes the file usable by the server, but prevents it from being read by a browser, which could seriously compromise your security.

For more information on .htaccess files see the Comprehensive guide to .htaccess.

In my next post I’ll be going through some cool things you can do with the .htaccess file.