1. Home
  2. Developers
  3. Development
  4. Site
  5. Block Hotlinking with .htaccess
  1. Home
  2. Developers
  3. Development
  4. Website Basics
  5. Block Hotlinking with .htaccess

Block Hotlinking with .htaccess

Legacy Content

This is Legacy Content. For up-to-date tutorials and information, see our current knowledge base.








Commerce Pro

High Volume

What is Hotlinking?

“Hotlinking” is when someone links to your site’s resources, such as videos or images, and displays it on a different site. Even if they don't have any malicious intent, hotlinking steals bandwidth from your server.

When someone does this, bandwidth will be used on your end every time someone views the resource on the other site.

For certain hosting account types, bandwidth is limited. If this is the case, using over the designated amount will cause an over-usage fee or a decline in site functionality.

How to Block Hotlinking in .htaccess  

Luckily, you can block people from hotlinking in your .htaccess file. For help finding your .htaccess file in the ACC, check out our article, Accessing Your .htaccess File.

Once you’ve found your .htaccess file, you’re going to add a few lines of code to disable hotlinking from your site.

Stop All Hotlinking

This blocks all hotlinking to your server. A 404 will be displayed in its place.

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www\.)siteName.com/.*$ [NC]

RewriteRule \.(gif|jpg|jpeg|mp3|png|pdf|zip)$ - [F]

This code functions by checking the URL trying to summon the resource. If it comes from the desired URL (which is determined in the third line of this code), the resources will be loaded for viewing. If the URL does not match, the resources will not load and a 404 will display in its place.  You want the site name in the third line of code to match your domain.

The second line allows “blank referers.” Blank referers are visitors to your website who have a firewall or antivirus system. Since this code relies on checking the URL, a firewall or antivirus will sometimes thwart this inquiry. Most hotlinking will still be rejected by the script if you allow blank referers. Allowing blank referers is optional, but if you don’t, those people will not be able to view your site.

If you want to block blank referers, simply take out the second line of the code. Note that this will also keep images from being directly accessed by typing in their URL.

Fun Fact: “Referer” is purposely misspelled because the computer scientist who coined the term misspelled the word in his original proposal.

In the third line, replace siteName with your domain name.

The fourth line- the RewriteRule line - establishes which file types can’t be hotlinked. Enter the file extensions you want to be protected in the parenthesis. Separate each file type with a vertical bar ( | ).

Show Different Content When Your Resources are Hotlinked

This blocks hotlinks to your content and instead displays a resource of your choice in its place. For example, you may instruct .htaccess to display a custom error image.

This approach will still use some of your bandwidth.

The error image would only display when someone tries to hotlink to your resources. Your server images are safe from hotlinking and the .htaccess server would hand the hotlink an error image every time someone tries to view it.

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www\.)?siteName.com/.*$ [NC]

RewriteRule \.(gif\jpg)$ http://www.siteName.com/customError.jpg [R,L]

In the third line, replace siteName.com with your domain name.

The fourth line - the RewriteRule line - establishes the type of hotlinks to block and replace, as well as what to replace the hotlink with.

In this line, replace (gif\jpg) with the file types you want to be replaced. All hotlinks that try to establish a link to one of these file types will receive the replacement image.

Also, replace http://www.siteName.com with your own site URL and customError.jpg with the filename of the replacement image.
Once you have finished inputting your hotlink blocking code into the .htaccess file, click Save Changes. Now hotlinks will be blocked from your site.

Updated on April 24, 2019

Was this article helpful?

Related Articles