Say No To Image Hotlinking


WTF is Hotlinking?

It is the act of linking directly to media from another domain within your site. So, for example, if you add an HTML img tag into your post that points to an image on - YOU ARE A HOT LINKER! The image below is hotlinked directly from Flickr :)

Hotlinked Zoidberg from

Now can probably handle the couple extra hits my site will bring, but when it happens to you and someone is leeching gigs of bandwidth at your expense, then you might want to prevent it from happening.

Prevent Hotlinking with .htaccess

If you host your site on Apache, then you will need to edit your .htaccess file to prevent hotlinking. There are a few ways you can do this. You can either choose to redirect the traffic to a special image you have prepared, or you can just give a 403 Forbidden response.

Show A Special HotLinking Image

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YOURDOMAIN\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ http://YOUR-IMAGE-HOST/ihatehotlinkers.gif [NC,R,L]

Let's go through it line by line:

line 1 : begin the rewrite rule
line 2 : allow empty referrers (you might want to exclude this)
line 3 : skip requests whose referrer is your own site (obv. replace YOURDOMAIN)
line 4 : match any file ending with jpg, jpeg, png, gif, bmp and redirect to your cool hotlink image (YOUR-IMAGE-HOST is a placeholder; host the image on a different domain, otherwise the redirected request matches this rule again and loops)

Give A 403 Forbidden Response

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YOURDOMAIN\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ - [F]

Only line 4 has changed, and it now matches the files ending with jpg, jpeg, png, gif, bmp and returns a 403 Forbidden response.

If you don’t want to mess with code, I found a cool code generator for .htaccess files that generates the above hotlinking code for you.

Prevent Hotlinking with web.config

If you host your site on a Windows server with IIS, then you will need to edit your web.config file and add in some rewrite rules. Here is the code for an inbound rule:

<rule name="Prevent hotlinking">
  <match url=".*\.(jpg|jpeg|png|gif|bmp)$"/>
  <conditions>
    <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
    <add input="{HTTP_REFERER}" pattern="^http://YOURDOMAIN\.com/.*$" negate="true" />
  </conditions>
  <action type="Rewrite" url="/images/ihatehotlinkers.gif" appendQueryString="false" />
</rule>

Let's go through this line by line:

line 1 : starting the rule and giving it a name
line 2 : match any requests to files ending with jpg, jpeg, png, gif or bmp
line 3 : start your conditions
line 4 : match any referrers that are NOT empty
line 5 : match any referrers that are NOT from your own site
line 6 : close off conditions
line 7 : perform a rewrite to your specially prepared image

If you don’t feel like hacking the web.config, then you can add the rule within the IIS Manager. The above rule should look like the following:

URL rewrite rule in IIS Manager

Useful WordPress Plugins

  • PictPocket - A plugin that allows you to identify and block content thieves.
  • WP Htaccess Editor - Simple editor for your .htaccess file without using an FTP client.
  • WP Hotlink Protection - Automatic Image Hotlink Protection plugin is a single step script designed to stop others from stealing your images.

Useful Links

  • Inline Hotlinking (Wikipedia explanation)
  • How Do I Stop Hotlinking And Bandwidth Theft? - very good and simple tutorial on how to edit your .htaccess file. It also includes a way to test the changes you make to your .htaccess file.
  • 10 URL Rewriting Tips and Tricks - 10 rewrite rules to use within IIS for a Windows hosted site.
  • Hotlink Protection Of Images - a cool tool that generates the .htaccess code needed to prevent hotlinking.

Cool Hotlink Images

If you need an image to use when someone hotlinks to your site, then use a cool image. I searched Google and found a few pearlers:

Adam W. Warner

This is very useful, thank you. I do have a follow-up question about line 3 above that specifies the domain allowed to link to images.

Is there a way to specify multiple domains? I run several sites and sometimes I link to images on my other sites because of ease of use.


Hey Adam,

Try adding a line above line 3 similar to this:

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC,OR]

The OR will match this or the next line. Let me know if this works, as I have not tested this before.
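
An added example, not part of the original post or its comments: a simplified Python model of how mod_rewrite chains RewriteCond lines (ANDed by default, [OR] joins a condition to the next one), used to compare the article's single-domain rule, an [OR] chain of negated conditions, and one alternation pattern for several domains. OTHERDOMAIN, the `(/|$)` anchor and the sample Referer values are assumptions made for the test.

```python
import re

def cond(pattern, ornext=False):
    """Model of one `RewriteCond %{HTTP_REFERER} pattern [NC]`; a leading '!' negates."""
    negate = pattern.startswith("!")
    regex = re.compile(pattern[1:] if negate else pattern, re.IGNORECASE)
    return regex, negate, ornext

def blocked(conds, referer):
    """True when the condition list lets the RewriteRule fire (image request refused)."""
    i = 0
    while i < len(conds):
        regex, negate, ornext = conds[i]
        ok = (regex.search(referer) is not None) != negate
        if ornext and ok:
            # One member of an [OR] chain held: skip the rest of that chain.
            while i < len(conds) and conds[i][2]:
                i += 1
        elif not ornext and not ok:
            return False  # conditions are ANDed by default
        i += 1
    return True

# Placeholder domains (YOURDOMAIN from the article, OTHERDOMAIN assumed here).
SINGLE = [cond("!^$"), cond(r"!^http(s)?://(www\.)?YOURDOMAIN\.com")]
OR_CHAIN = [cond("!^$"),
            cond(r"!^http(s)?://(www\.)?OTHERDOMAIN\.com", ornext=True),
            cond(r"!^http(s)?://(www\.)?YOURDOMAIN\.com")]
ONE_PATTERN = [cond("!^$"),
               cond(r"!^https?://(www\.)?(YOURDOMAIN|OTHERDOMAIN)\.com(/|$)")]

# Constructed Referer values for the comparison.
SAMPLES = ["", "http://www.YOURDOMAIN.com/post", "https://OTHERDOMAIN.com/gallery",
           "http://leech.example/page", "http://YOURDOMAIN.com.leech.example/"]

if __name__ == "__main__":
    for name, rules in [("single", SINGLE), ("or-chain", OR_CHAIN),
                        ("one-pattern", ONE_PATTERN)]:
        for ref in SAMPLES:
            verdict = "403" if blocked(rules, ref) else "served"
            print(f"{name:12} {ref or '(empty)':40} {verdict}")
```

In this model the [OR] chain of negated patterns refuses referrers from both of your own domains, since no referrer matches both patterns at once, while the single alternation pattern serves both and, because it ends in `(/|$)`, refuses the lookalike host that the unanchored pattern lets through.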