5 Powerful Hacks for Preventing Hotlinking on Your WordPress Site

There are tons of reasons why WordPress site owners should prevent hotlinking at all costs.

Picture this: You’ve poured your heart and soul into your WordPress website. You carefully curated every image, perfected every line of code, and published content that speaks to your audience. 

But you notice something unsettling.

Someone is siphoning your images and bandwidth, leaving you with slower load times and skyrocketing bandwidth costs. This digital heist is called hotlinking.

It’s a nightmare.

But fear not because this article will show you how to prevent hotlinking on your WordPress site and protect what’s rightfully yours. 

What is Hotlinking?

Hotlinking is when someone embeds a file from your site, such as an image, on their own website by linking directly to it. Instead of downloading the image, hosting it on their server, and then using it on their web page, they use your image URL directly on their site.

This digital heist can happen to your site’s images, audio files, videos, animations, and other digital assets. People using your media without your permission is bad enough, but hotlinking is dreadful as it slows your site.

Some people hotlink because they don’t know what they are doing.

Unethical marketers know it’s bad but won’t hesitate to hotlink, the same way they use other black hat SEO practices like keyword stuffing, paid links, and content spam to improve rankings in the search results.

How It Affects You

  • Increases Costs: If someone hotlinks to your site, the images are loaded from your server. This means extra hosting costs, especially if you use shared hosting or your bandwidth allocation is limited.
  • Increases Server Load: Hotlinking puts extra stress on your web server. It has to serve content to legitimate visitors and those hotlinking your files. The server can become overloaded and may even crash if the hotlinking site has significant traffic or during traffic spikes. A good example is when the Huffington Post hotlinked to The Oatmeal.
  • You Lose Control of Your Content: Hotlinking means you have less control over where your content is displayed. You may not want your images or content associated with certain sites or contexts.
  • Copyright and Licensing Infringement: If the hotlinked content is subject to copyright, hotlinking can violate intellectual property rights. This could lead to legal issues if the content owner decides to take action.
  • Your Site Performance Suffers: Hotlinking can slow down loading times. This, plus server overload, causes poor user experience.

How to Prevent Hotlinking

1. Use a CDN

Most people use a CDN to deliver content faster, but did you know it has features for protecting against hotlinking?

Top CDNs like Cloudflare and KeyCDN have built-in hotlinking protection—you only need to enable it. They let you restrict access to your content to authorized domains or users only.

For KeyCDN, create and add Zone Referrers to allow them access to your content. Turn the “Allow Empty Referrer” setting on or off to specify access for blank HTTP referrers.

For Cloudflare, go to your dashboard and click on the Scrape Shield app on the far right of the apps bar. Toggle to enable hotlink protection.

2. Edit Your .htaccess File

If your WordPress site runs on Apache, edit your .htaccess file. You can access it through the file manager on the control panel of your hosting account. Alternatively, use an FTP client like Cyberduck or FileZilla.

Navigate to the public_html folder, then find the .htaccess file and download it. Make a copy and keep it as a backup in case something goes wrong. Be careful as you’ll be editing your site’s code—a minor mistake can have significant consequences.

Open the .htaccess file and copy and paste this code into the file:

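RewriteEngine on
# Allow requests that send no Referer header
RewriteCond %{HTTP_REFERER} !^$
# Allow your own site and selected search engines; dots are escaped and
# (/|$) ends the host name so look-alike hosts do not match
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?bing\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yahoo\.com(/|$) [NC]
# Redirect every other image request to a placeholder image
RewriteRule \.(jpg|jpeg|png|gif|svg)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]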

The first RewriteCond allows requests with a blank referrer. This lets visitors whose antivirus software or personal firewall removes the referrer see your images. The trade-off is that any request without a referrer is served.

Replace “yourdomain.com” in the second condition with your site’s domain. The conditions after it allow search engines, so they can crawl and index your images and show them in image searches. You can duplicate one of these lines and change the domain to allow additional sites.

The last line redirects the request to the image you want hotlinkers to see instead of the image with hotlink protection.
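Referer patterns are easy to get subtly wrong, so it is worth testing them against sample values before deploying. The following is an added example, not part of the original article: it mirrors the RewriteCond logic in Python and compares an allow pattern with unescaped dots and no end anchor against one that escapes the dots and ends the host with (/|$). The sample referers and the function names are constructed for illustration.

```python
import re

# Allow pattern with unescaped dots and nothing anchoring the end of the host.
LOOSE = r"^http(s)?://(www\.)?yourdomain.com"
# Same pattern with literal dots and the host terminated by "/" or end of string.
STRICT = r"^https?://(www\.)?yourdomain\.com(/|$)"


def is_blocked(referer, allow_patterns):
    """Mirror the RewriteCond chain: block only when the referer is
    non-empty AND matches none of the allow patterns ([NC] = IGNORECASE)."""
    if referer == "":
        return False  # the "!^$" condition fails, so the rule is skipped
    return not any(re.search(p, referer, re.IGNORECASE) for p in allow_patterns)


# Constructed sample Referer values paired with the decision the owner wants.
SAMPLES = [
    ("", False),
    ("https://yourdomain.com/blog/post", False),
    ("https://WWW.YOURDOMAIN.COM/", False),
    ("https://yourdomain.com", False),
    ("https://other-site.example/page", True),
    ("https://yourdomain.com.other-site.example/page", True),
    ("https://yourdomainXcom/page", True),
]


def mismatches(pattern):
    """Return the sample referers for which the pattern decides wrongly."""
    return [ref for ref, want in SAMPLES if is_blocked(ref, [pattern]) != want]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "wrong on:", mismatches(pattern))
```
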

If your site runs on the NGINX web server, open the config file and add this code.

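# Case-insensitive match on image extensions (the dot is escaped)
location ~* \.(gif|png|jpeg|jpg|svg)$ {
    # none = no Referer header; blocked = Referer removed by a proxy or firewall
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}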

If you use these rules (on Apache or NGINX) with a CDN, make sure to whitelist your CDN subdomain so that requests coming through it are allowed.

3. Disable Right Clicks

When you right-click on an image, you can copy the image address. Hotlinkers can copy the address and embed it on their site.

Disabling right clicks makes copying and pasting your images or content less convenient. It also stops individuals who hotlink unintentionally. 

Use the WP Content Copy Protection and No Right Click WordPress plugin to do this. You can also disable the CTRL+A, CTRL+C, CTRL+X, CTRL+S, or CTRL+V commands. It also disables the CTRL+U in Chrome, so users can’t view your page code and hotlink to your content.

Note that this is not a comprehensive solution. More determined and knowledgeable hotlinkers can easily bypass this restriction. Use it with other methods outlined in this article.

4. Use a WordPress Plugin

Most single-use WordPress security plugins are poorly maintained. But the All-In-One Security (AIOS) WP plugin is a decent option, with over 1 million active installations and a 5-star rating.

Besides protecting your site from malicious attacks, it prevents other sites from hotlinking to your files. But don’t rely 100% on this plugin; it is better to prevent hotlinking at the CDN or server level.

5. Rename Your Files

Rename your image and media files with unique, less predictable names to make it more challenging for hotlinkers to guess the URLs of your resources.

Hotlinkers find content to link to by examining the source code of a webpage where they’ve discovered an image or file they want to use. By renaming your files, you create a barrier to this process.

6. Generate Tokenized URLs

Some content management systems and CDNs can generate tokenized URLs. Tokenized URLs include a token parameter that is unique and frequently changing. Every time the same resource is accessed, the URL is different due to the changing token.

Many tokenized URLs are time-sensitive, expiring after a set duration. Even if someone shares or embeds the URL, it won’t work after a certain time.
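To show how an expiring token can work, here is an added example that is not from the original article and does not reproduce any particular CDN's scheme: it signs a file path plus an expiry time with HMAC-SHA256 and rejects URLs that are expired or altered. The secret, the `expires` and `token` parameter names, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-secret"  # assumption: known only to signer and server


def _token(path, expires):
    """HMAC-SHA256 over path and expiry, so neither can be changed unnoticed."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path, ttl=300, now=None):
    """Return the path with ?expires=...&token=... appended."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"expires": expires, "token": _token(path, expires)})
    return f"{path}?{query}"


def verify_url(url, now=None):
    """Accept only an unexpired URL whose token matches its path and expiry."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        token = query["token"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if (time.time() if now is None else now) > expires:
        return False  # the link has expired
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    expected = _token(parts.path, expires)
    return hmac.compare_digest(token.encode(), expected.encode())


if __name__ == "__main__":
    url = sign_url("/wp-content/uploads/photo.jpg", ttl=300, now=1_700_000_000)
    print(url)
    print(verify_url(url, now=1_700_000_100))  # inside the validity window
    print(verify_url(url, now=1_700_000_400))  # after expiry
```
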

You can also reduce the risk of hotlinking and protect your website’s resources by:

  • Adding a watermark or branding to your images.
  • Displaying copyright notices on your website, making it clear that your content is protected and unauthorized use is not allowed.
  • Regularly reviewing your website analytics to identify unusual traffic spikes or unauthorized hotlinking activity.
  • Sending DMCA takedown notices to the infringing websites’ hosting providers to have the content removed if you discover unauthorized use of your copyrighted content.
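For the analytics review mentioned in the list above, the web server’s access log is the most direct source. This added example, which is not from the original article, parses combined-format log lines and totals the image bytes served per external referring host. The log lines, the OWN_HOSTS set and the function name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_HOSTS = {"yourdomain.com", "www.yourdomain.com"}  # assumption: your site's hosts
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".svg")

# Combined log format: ip - user [time] "METHOD path PROTO" status bytes "referer" "agent"
LINE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)"'
)

# Constructed sample log lines (documentation IP ranges and .example hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 50000 "https://yourdomain.com/post" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 50000 "https://forum.example/thread/9" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/uploads/b.png?v=2 HTTP/1.1" 200 30000 "https://forum.example/thread/9" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 50000 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 403 0 "https://blog.example/" "Mozilla/5.0"
192.0.2.45 - - [10/Oct/2023:13:55:41 +0000] "GET /about/ HTTP/1.1" 200 12000 "https://blog.example/" "Mozilla/5.0"
"""


def hotlink_bytes(log_text):
    """Total bytes of successfully served images per external referring host."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["status"] not in ("200", "206") or m["bytes"] == "-":
            continue  # unparsable line, blocked request, or no body sent
        try:
            host = (urlsplit(m["referer"]).hostname or "").lower()
        except ValueError:
            continue  # malformed Referer value
        path = urlsplit(m["path"]).path.lower()  # drop any query string
        if path.endswith(IMAGE_EXT) and host and host not in OWN_HOSTS:
            totals[host] += int(m["bytes"])
    return totals


if __name__ == "__main__":
    for host, size in hotlink_bytes(SAMPLE_LOG).most_common():
        print(f"{host}\t{size} bytes")
```
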

Protect Your Site From Hotlinking

Hotlinking is a challenge you can’t ignore. But you’re not defenseless.

As we’ve seen, there are practical steps you can take to safeguard your website against this bandwidth bandit. With .htaccess rules, CDN solutions, and tokenized URLs, you have a toolkit at your disposal.

Doing so will safeguard your content, bandwidth, and user experience. The battle against hotlinking is one worth fighting, and now, you’re well-equipped to win it.

Karol Carter