Prevent image hotlinking

Overview

Hot linking or bandwidth stealing is a common problem. It happens when people link to files and images on a different server and display them on their own website; this uses the bandwidth of the original owner at their expense.

Creating an .htaccess file on your DreamHost web server

View the following article for instructions on how to create an .htaccess file on your web server:

If the file already exists, view the following articles for instructions on how to update it (depending on if you're using an FTP client or SSH):

What to change in the examples below?

The examples below can be entered into your .htaccess file exactly as shown.

Only if the example contains a URL in bold should you change that to your actual URL. For example, if you see the domain example.com, change this to your own domain name.

The examples below use http. If you have added an SSL certificate to your site, make sure you adjust the code to use https instead.

Adding code to your .htaccess file

By entering the lines below into an .htaccess file, you can prevent hotlinking to your website:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example.com/.*$ [NC] 
RewriteRule \.(gif|jpg)$ http://www.example.com/hotlink.gif [R,L]

In the example above, change example.com to your website URL. This causes any hotlinked image to fail to load. You can change the last line to point to any image you like. This image should explain that hot linking is disabled on your server.

Here is another example:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://example.com.*$ [NC] 
RewriteCond %{HTTP_REFERER} !^http://www.example.com.*$ [NC] 
RewriteRule .*\.(gif|jpg|jpeg|bmp)$ http://www.example.com/stophotlinking.jpg [R,NC] 

You can change the last line to point to any image you like. This image should explain that hotlinking is disabled on your server.

If you don't wish to take the manual approach, you can prevent hotlinking by enabling it in the panel. To enable, navigate to the Htaccess/WebDAV page. Click on your domain and proceed with the steps to enable this feature.

Blocking specific domains

The following code fails to load a hotlinked file, but no error is thrown. So, if the site example.com contains a hotlinked image to your site, it would fail to load on their site:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(www\.)?example\.com(/.*)*$ [NC,OR]
RewriteRule \.(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG|mng|MNG)$ - [F]

To protect other resources, such as video and audio files, add additional extensions to the RewriteRule parentheses block.

Allowing only specific domains

The following code only allows specific sites to load content. For example, the site example.com has all of the content. The following code allows only example.com and dreamhost.com to load the content. All other sites attempting to request any resource fail to load the resource, but no errors are thrown:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?dreamhost\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com(/.*)*$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpeg|gif|png)$ - [F]

In addition, since a user agent may not always specify an HTTP_REFERER value, the RewriteCond %{HTTP_REFERER} !^$ line allows the request to go through if the HTTP_REFERER value consists of a blank string.

For further examples on how to block traffic by IP or domain, please view the denying access article.

See also

Did this article answer your questions?

Article last updated PST.

Still not finding what you're looking for?