Herself’s Webtools

Webtools for Webmasters: Scripts, HowTos, Templates, Plugins, Widgets, Tips and Useful Information

Herself’s Webtools header image 1
Have you been splogged? How to eliminate Wordpress User Spam

Get rid of bandwidth image theft once and for all

November 5th, 2007 · No Comments

Once upon a time when TimesToCome was very young I had a section filled with background images. The expectation was that people would download the images and use them on their own sites. What happened was many people hotlinked to them. Hot linking is when you put a link to someone’s image on their server rather than host it on your server.

My first solution was to remove the images and replace them all with pastel colored smiley faces. While this worked it also meant I couldn’t put up background images for users to download.

There is a better way to do this. You can use .htaccess to prevent hotlinking of images, yet still make them available for your users to view and download. You can prevent all hotlinking of images on your site or just block specific images from being hotlinked.

Block ALL image hotlinking by adding this to your .htaccess file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com(/?.*$)
[NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F,NC,L]

This sends a 403 forbidden error to the person doing the hotlinking and stops processing the .htaccess file.

To allow a domain ( Yours and any others you have ) to hotlink your files add this to the above code: RewriteCond %{HTTP_REFERER}
!^http://(www\.)?okdomain\.com(/)?.*$[NC]

Just add one line for each domain you wish to allow to hotlink.

To block hotlinking in specific directories create an .htaccess file and put it in that directory Then add these lines:
Rewrite Engine on
RewriteRule ^.*$ -

You can also replace the image so the hotlinker sees a different image than the one on your site: RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com(/?.*$)
[NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ /images/warningimage.gif [L,NC]

Now .htaccess is just that, nothing should be added to the file name. If you make a mistake you’ll likely take down your site. So try on your home computer first. If you do take down your site, just delete .htaccess or move it to old.htaccess until you can fix the problem.

You can also block specific sites like MySpace from hotlinking but allow all others ( like Google image search etc )

Block by server name:
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} evilwebsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherevilwebsite\.com
RewriteRule .*-[F]

To block an ip just add it to your blocked list: ( this blocks both 1.2.3.4 and 0.0.0.0 )

order allow,deny
deny from 1.2.3.4
deny from 0.0.0.0
allow from all

Tags: blogger · how to · security

0 responses so far ↓

  • There are no comments yet...Kick things off by filling out the form below.

You must log in to post a comment.