How To Block Hotlinkers

By: Danny Wirken

Hotlinking, or bandwidth theft, is linking directly to a file (an image, a video or other content) that is hosted on someone else's website. It has become prevalent on the many forums and message boards on the web that allow users to insert images. Because the user cannot store the image on the forum's own host, he or she resorts to hotlinking it when writing the img tag.

The Harm Caused by Hotlinking

When an img tag is used to display a JPEG image found on someone else's webpage so that it appears on one's own site, journal, weblog or forum posting, hotlinking is taking place. Some people might find it flattering to know that someone is interested in a photo they have taken. This practice, however, consumes bandwidth and slows down the web server. When done excessively, the unknowing victim ends up footing an extra bill from his/her hosting provider.

One sure sign of hotlinking is the appearance of strange websites in one's referrer logs. When sites that would not normally be interested in one's site are the ones appearing, something is definitely up. When the offending sites are visited, one's own photos are sure to be posted there. They do not make copies of the photo but link directly to the photo hosted on one's website. Higher than normal bandwidth consumption is another sign. The log analysis tools might even show a higher number of hits for an image than for the page that displays it.

Blocking Hotlinking

The only fool-proof way to stop hotlinking is to turn off one's website. This is rather extreme and is not a viable option for site owners. The best bet lies in creating an .htaccess file. Although many variations exist in the specific regular expressions that can be written, they all accomplish the same thing. One can either send the client a "forbidden" response, so that the image appears to be missing, or redirect the client to another image, usually something suitably offensive. Using a RewriteRule to forbid display of the image is a simple rule that effectively blocks the display on remote sites. Redirecting requests for images from remote web pages to an image of one's choice on one's own website takes this rule a step further. A good example is an image that says "This image is stolen". A person who tries to link directly to the site's original images then inadvertently serves the redirected image on his/her own pages.

Redirecting a browser from one file type to another is generally not a good idea. The best approach is to make a separate version of the redirected image for each format used on the site: one with a .gif extension, one with .jpeg, one with .jpg, and so on. Each hotlinked image is then redirected to the file of the matching type.

If one is feeling a little mischievous, other interesting images can be served to people hotlinking one's images. If the offending site is in the business of selling, for example, an image that says "Free Shipping Worldwide" would surely discourage the offender, as the very reason for hotlinking is to make money, even in an unacceptable manner. No company can survive, much less earn, with a guarantee such as free shipping worldwide.

Some people recommend the whitelist approach: blocking all referrers except those sites that are specifically allowed. Again, this approach borders on the extreme, as it blocks every request that does not come from a listed site, legitimate or otherwise. Accidentally blocking legitimate requests from search engines, feed readers and others would be very disadvantageous to the site.

The blacklist approach is a better option, as it only blocks specific sites that are considered the worst offenders. A website owner first has to find out whether his/her website runs on an Apache server and whether the host allows the use of .htaccess. A simple email to the web space provider will provide a swift answer. The .htaccess file goes into the website's root directory on the web server.

Verification that everything is working properly on one's site has to be done. mod_rewrite is very powerful, but it only takes one typo for all hell to break loose. The blacklisted sites should be checked to see whether the stop image is being shown. It might be a nice twist to include one's URL on the image; it wouldn't hurt to get some free advertising in the process.

This is how to disable hotlinking of certain file types on one's site through .htaccess, by simply adding the code below to the .htaccess file. Upload the file to the root directory to protect the whole site, or to a particular subdirectory to localize the effect to just that section of the site.

RewriteEngine on
# Let requests with no referrer through (direct visits, privacy settings)
RewriteCond %{HTTP_REFERER} !^$
# Let requests coming from one's own pages through
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
# Everything else asking for these file types gets 403 Forbidden
RewriteRule \.(gif|jpg|js|css)$ - [F]
"mydomain.com" is to be replaced by one's own domain. With the above code, a request for one of the listed file types that arrives with a referrer from another site fails with a 403 Forbidden; in the case of an image, the browser shows a broken image.

To block traffic from a single referrer:
RewriteEngine on
# Options +FollowSymLinks
RewriteCond %{HTTP_REFERER} badsite\.com [NC]
RewriteRule .* - [F]

To block traffic from multiple referrers:
RewriteEngine on
# Options +FollowSymLinks
RewriteCond %{HTTP_REFERER} badsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherbadsite\.com [NC]
RewriteRule .* - [F]
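Added example, not from the article: a small Python model of the referrer checks above, both the three-condition ruleset for "mydomain.com" and the blacklist rules, so the behaviour can be tried on sample requests before editing a live .htaccess. It assumes the domain "mydomain.com" and constructed sample referrers, generalizes the own-site pattern to https, and escapes the dots that the article's regexes leave unescaped.

```python
import re

# Constructed stand-in for the article's "mydomain.com" (replace with your own domain).
# Dots are escaped so that e.g. "wwwXmydomain.com" cannot match; the article's regex
# leaves them unescaped. "https?" is a generalization: the article only lists http.
OWN_SITE = re.compile(r"^https?://(www\.)?mydomain\.com/.*$", re.IGNORECASE)

# Mirrors the article's RewriteRule pattern: \.(gif|jpg|js|css)$
PROTECTED = re.compile(r"\.(gif|jpg|js|css)$", re.IGNORECASE)


def hotlink_blocked(path: str, referer: str) -> bool:
    r"""True when the three-condition ruleset would answer 403 (RewriteRule ... - [F]).

    RewriteConds are ANDed, so every one of them must hold for the rule to fire:
      1. referer is not empty                (!^$)
      2. referer is not our own site         (!^http://(www\.)?mydomain\.com/.*$ [NC])
      3. the request is for a protected type (\.(gif|jpg|js|css)$)
    """
    if not PROTECTED.search(path):
        return False  # other files are never touched by this rule
    if referer == "":
        return False  # blank referer passes: direct visits, privacy settings, some proxies
    if OWN_SITE.match(referer):
        return False  # our own pages are allowed to embed the file
    return True


def blacklist_blocked(referer: str, bad_sites: list[str]) -> bool:
    """Mirrors the blacklist rules: RewriteCond %{HTTP_REFERER} badsite.com [NC,OR] ...

    The conditions are unanchored substring matches joined by OR, so a listed site
    appearing anywhere in the referer is enough. Side effect worth knowing:
    "notbadsite.com" also contains "badsite.com" and is blocked too.
    """
    return any(re.search(re.escape(site), referer, re.IGNORECASE) for site in bad_sites)


if __name__ == "__main__":
    # Constructed sample requests: (path, Referer header) pairs.
    samples = [
        ("/photos/cat.jpg", "http://forum.example/thread/42"),        # hotlink: blocked
        ("/photos/cat.jpg", ""),                                      # no referer: allowed
        ("/photos/cat.jpg", "http://www.mydomain.com/gallery.html"),  # own site: allowed
        ("/photos/cat.jpg", "http://mydomain.com.evil.example/"),     # look-alike: blocked
        ("/index.html", "http://forum.example/"),                     # not a protected type
    ]
    for path, ref in samples:
        print(f"{path:18} referer={ref!r:42} blocked={hotlink_blocked(path, ref)}")
```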

JavaScript can be used to prevent right-clicking on an image once it is already in a browser. This is a very weak defense, though, as people just need to switch JavaScript off and/or use a decent browser and it's all there. Using JavaScript to write images into a page does not offer sufficient protection either, as hotlinkers can easily link to the images once they know the origin URL.

FileProt is a protection script that is simple to set up and use. It denies anyone coming from unauthorized places access to certain files on one's web server. It allows the specification not only of unauthorized domains but also of pages within one's own domain: it can be told to allow file or image downloads only from certain pages of one's site. Hotlinkers and bandwidth leeches are completely blocked, but this script is not intended for very high-traffic sites.

Download Tracker is a CGI script that manages downloads from one's web page. Options include requesting an email address and an anti-leech system. It is multi-platform compatible and has a back-end control panel.
