How to Prevent Hotlinking in WordPress (7 Easy Methods)
- Category : Website Security
- Posted on : Aug 23, 2018
- Views : 2,042
- By : Kapueo I.
Nothing is worse than someone stealing your images or bandwidth, but this happens fairly regularly as everything is out in the open on the internet for people to easily link to. This can cost you money and is even illegal if the person is linking to stock photos in which you had to acquire a license to use. Today we’ll explain what hotlinking is, why it is bad, and how you can prevent hotlinking on your WordPress website.
- What is Hotlinking?
- Why Hotlinking is Bad
- Does Blocking Hotlinking Hurt Your SEO?
- How To Prevent Hotlinking
- How to File a DMCA Takedown Notice
What is Hotlinking?
The concept of hotlinking is very simple. You find an image on the internet somewhere and use the URL of the image directly on your site. This image will be displayed on your website but it will be served from the original location. This is very convenient for the hotlinker but it’s actually theft as it is using the hotlinked site’s resources. It’s like if we were to get in our car and drive away with gas we siphoned off from our neighbor’s car.
Why Hotlinking is Bad
Below are a couple things to be aware of when it comes to hotlinking:
1. Hotlinking Costs the Original Website Owner Money
Someone linking to your images from their website might not seem like a big deal, but it could generate a lot of extra costs for you. The Oatmeal is a great example. The Huffington Post hotlinked a cartoon of his which consisted of multiple images. Since we’re talking about a major publication with a lot of traffic, this incurred a lot of extra costs for The Oatmeal, as thousands of people were being delivered the images. In a classic Oatmeal move Matthew Inman, creator of The Oatmeal, replaced all of the hotlinked files with the following:
He also took care to replace the last image with a drawing of a behind and a pee-pee. Awesome! But as you can see, the costs can add up quite rapidly, especially if a high-traffic site is the one hotlinking your content. Do you want to trust that all writers and bloggers know how to properly use images? Probably not. And that is why hotlink protection exists.
Related article: Content Scraping – Fight Back or Ignore?
2. Hotlinking in Most Cases is Illegal
Hotlinking in a lot of cases is actually illegal. Why? Because many of the photos you see around the web have licensing restrictions attached to them. Here are a couple of common image restrictions on licensing from popular stock photo sites:
- “No commercial use is permitted under any circumstance.”
- “Publication on a website or blog you own (in articles or news for illustrative purposes only).”
Both of the above restrictions could easily be broken if someone links to your image and uses it on their website. They most likely don’t have permission to do so, as they did not pay for the license. This also goes hand in hand with not linking to it correctly on their site, but also proper attribution to the original creator.
3. Drain of Server Resources
Hotlinking can be a huge drain on resources for the target server. Imagine if you are on a shared WordPress host and Huffington Post suddenly links to your images. You could go from a couple hundred queries an hour on your site to a couple hundred thousand. This could even result in a suspension of your hosting account. This is definitely a reason to not only use a high-performance host (which can handle hiccups like this), but also to enable hotlink protection so this doesn’t happen.
4. Hotlinking is Just Plain Lazy
Do people hotlink simply because they are lazy? Well, a lot of times, people don’t intentionally hotlink to your images and are not aware that this is even an issue. They are usually just busy writing and are simply copy-pasting URLs and files. They might not even know how to properly link to an image. However, this is still not a good excuse. If you write content on the web, it is important to understand best practices for linking to other people’s images, along with proper attribution.
Does Blocking Hotlinking Hurt Your SEO?
Blocking people from hotlinking won’t hurt your SEO, but it does need to be set up correctly. There are crawlers from Google, Bing, Yahoo, etc. that require access to your images to be able to index and properly display them. For example, when you see an image on Google image search, the thumbnail is served up from Google’s image cache. But the original version (if you click on it) is actually serving from your server.
And you want your images in Google image search. As WordStream put it, Google image search traffic is an “easy win” and in fact can drive conversions and leads for your business that you might not have gotten otherwise.
How To Prevent Hotlinking
There a few easy ways to protect your images against hotlinking, let’s take a look at the options we have.
- CDN
- Apache
- NGINX
- WordPress plugins
- Disable right click in WordPress
- Rename files
- cPanel
Utilize a CDN with Hotlink Protection
Most of you serve content around the globe from your websites and in turn use a CDN provider to speed up the delivery of your assets. CDN providers such as KeyCDN and Cloudflare have great hotlink protection already built in for free that you can enable. This is the recommended method as they have very fine-tuned rules for bots and other referrers that actually shouldn’t be blocked. Another benefit from doing it on your CDN is that you don’t have to change anything with your WordPress installation.
If you are using KeyCDN, simply click into Zonereferrers and add the rules. Crawlers will still be able to access and index your images.
They even have a one-click option to allow empty referrers per zone.
This would enable hotlink protection for assets on your CDN, but not your origin server. So if you are very worried about someone hotlinking to your images directly on your server you could also enable hotlink protection on your origin server (see Apache and NGINX rules further below). This is very unlikely though as someone would have to manually remove the CDN URL. But it could happen.
If you are using Cloudflare, you can easily enable hotlink protection under Scrape Shield in your account. Hotlink protection has no impact on crawling, but it will prevent the images from being displayed on sites such as Google images, Pinterest, etc. Since Cloudflare is a fully proxy service you don’t need to worry about enabling hotlink protection on your origin server.
If you are using Amazon S3, you can enable hotlink protection with bucket policies, which is located under “Permissions” on your bucket.
Simply add the following code below:
{
"Version": "2008-10-17",
"Id": "preventHotLinking",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-brand-new-bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://yourwebsitename.com/*",
"http://www.yourwebsitename.com/*"
"https://google.com/*"
"https://bing.com/*"
"https://yahoo.com/*"
]
}
}
}
]
}
Enable Hotlink Protection on Apache
If your WordPress site is running on Apache, all you need to do is open the .htaccess file in your site’s root directory (or create it) and add the following:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourdomain.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?bing.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yahoo.com [NC]
RewriteRule .(jpg|jpeg|png|gif|svg)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]
The second line allows blank referrers. You will most likely want to enable this as some visitors use a personal firewall or antivirus program that deletes the page referrer information sent by the web browser. If you don’t allow blank referrers, you could inadvertently disable all of your images for those users.
The third line defines the allowed referrer, the site that is allowed to link to the image directly, this should be your website (update yourdomain.com above with your domain). The fourth, fifth, and sixth lines add search engines to the allowed list, because you don’t want to block crawlers such as Google bot or Bing bot. This could prevent your images from showing and indexing in Google image search.
And the seventh line defines the image you want the visitor to see in place of the hotlink protected image. This not required, but you could give them a friendly warning. If you want to allow multiple sites you can duplicate this row and replace the referrer. If you want to generate some more complex rules, take a look at this htaccess hotlink protection generator.
If you are using the above rules along with a CDN, you might also need to whitelist your CDN subdomain.
Enable Hotlink Protection on NGINX
If you are running on NGINX, all you need to do is open your config file and add the following:
location ~ .(gif|png|jpeg|jpg|svg)$ {
valid_referers none blocked ~.google. ~.bing. ~.yahoo. yourdomain.com *.yourdomain.com;
if ($invalid_referer) {
return 403;
}
}
WordPress Plugins
There are a few WordPress plugins related to hotlinking but many of single-use ones aren’t very well maintained or have bad reviews. We don’t recommend using them. We suggest taking a look at the All In One WP Security And Firewall plugin which is an excellent all-around security plugin with the ability to prevent hotlinking built-in. However, it is generally better to enable hotlink protection at the server or CDN level.
All In One WP Security & Firewall currently has over 500,000 active installs with an impressive 5 out of 5-star rating. You can download it from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins.
Disable right click in WordPress
Another option you have to prevent hotlinking in WordPress is to disable the right-click functionality. This by no means is a bulletproof approach but can be a good way to ensure typical users aren’t stealing your images or copying them into other applications and it linking to your source domain.
There is a great free little plugin called Prevent Content Theft which will help stop that. You can download it from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins. There are no settings, simply install and you’re good to go.
This plugin not only disables right clicking on your images but also the entire page, therefore protecting your content as well. We installed and tested this on our development site and you can see an example below of what happens when a user tries to right click on an image. They are met with a notification box that let’s them know that this function is disabled.
Rename Files
If you suddenly discover a high traffic site or multiple sources hotlinking to a single image a simple method you have at your disposal is to simply rename the file. Change the link on your own site and let the hotlinkers stew in anger as their images become 404 errors. While handy, this method is more of a quick-fix, it’s a bit unwieldy to use against large-scale hotlinking.
cPanel Settings
If you have cPanel or WHM installed for your domain you can use the built-in hotlink protection tool. Take a look at the cPanel documentation for more information, it’s as easy as enabling a setting.
How to File a DMCA Takedown Notice
Another solution is that since they don’t own the image and are using it without your permission, you can always file a DMCA takedown notice. This can be a quick way to ensure that it gets taken down. You would be surprised what a quick “abuse” letter will do. Many website owners will handle the issue right away, as they fear legal action.
Conclusion
If you’re a content aggregator and avid sharer make sure to play nice and link to websites, don’t display images directly. If you’re truly a fan of what you’re showing you’ll be supporting the original author a lot more! If you’re a content creator make sure to protect yourself against theft, hotlinking is one area which is not too difficult to prevent. Any of the methods mentioned above will ensure you save money, time, and bandwidth.
Categories
Subscribe Now
10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!Archive Calendar
Sat | Sun | Mon | Tue | Wed | Thu | Fri |
---|---|---|---|---|---|---|
1 | ||||||
2 | 3 | 4 | 5 | 6 | 7 | 8 |
9 | 10 | 11 | 12 | 13 | 14 | 15 |
16 | 17 | 18 | 19 | 20 | 21 | 22 |
23 | 24 | 25 | 26 | 27 | 28 | 29 |
30 |
Recent Articles
-
Posted on : Jul 25
-
Posted on : Jul 07
-
Posted on : Apr 07
-
Posted on : Mar 19
Optimized my.cnf configuration for MySQL 8 (on cPanel/WHM servers)
Tags
- layer 7
- tweak
- kill
- process
- sql
- Knowledge
- vpn
- seo vpn
- wireguard
- webmail
- ddos mitigation
- attack
- ddos
- DMARC
- server load
- Development
- nginx
- php-fpm
- cheap vpn
- Hosting Security
- xampp
- Plesk
- cpulimit
- VPS Hosting
- smtp
- smtp relay
- exim
- Comparison
- cpu
- WHM
- mariadb
- encryption
- sysstat
- optimize
- Link Building
- apache
- centos
- Small Business
- VPS
- Error
- SSD Hosting
- Networking
- optimization
- DNS
- mysql
- ubuntu
- Linux