Updated on May 12, 2023
With the Internet being such a vast well of images, it is no surprise that image theft is a genuine issue and often goes unnoticed until it is too late. It happens more often than one might think and has real-world consequences for those from whom the images were stolen. How can an image be stolen, though, if it is on the Internet and is publicly visible to anyone who finds it? That is what Hotlinking is, and we will explain how it works and, more importantly, how to prevent it.
Hotlinking is the act of taking advantage of someone else’s hosting resources to use an image on your website. How it works is not complicated and relatively easy to understand.
Any image on the Internet has a URL assigned to it, and that URL leads to the place where that image is being hosted. Whether it is with us, at FastComet, or anywhere else, an image will have a URL linking it to the host. However, since it is on the Internet, the image is widely available, and so is the URL. Using that URL to show or embed the image on your website is nothing new and has been around for a long time. However, you are using someone else’s resources to host that image and then serve it to your website when someone visits it. That is what Hotlinking is: using an image not hosted by you, therefore utilizing someone else’s hosting resources for your own website.
The problems start when the original host has to deal with the consequences of Hotlinking. Imagine, for a moment, that you have a small photography website on a shared hosting plan with us. You upload your photos but have never really gone over the allotted resources your hosting plan comes with because it is still a small website. However, one day, a big, high-traffic website finds your photographs, and they want to showcase them on their own blog and embed the URLs of your images into their article.
Each time someone clicks on an image in that article, it will serve them the image from your hosting plan, generating hits and bandwidth. Since most shared hosting plans - in general, not just ours - come with strict hits and bandwidth quotas, you can see how a big website like that can max out your monthly resources very quickly if they hotlink your images to their articles. Your website has gone up from a few hundred hits a month to a few hundred thousand, which can exhaust your available resources very quickly, leading to the suspension of your hosting account.
It doesn’t stop there, though. Some hosting providers will charge you depending on how much bandwidth or hits your hosting generates. That is even worse because instead of a simple suspension, it can have an unpredicted financial impact. Take the above example again, but with a different host this time: you are used to a hosting bill that is relatively the same every month, but then that bill doubles or triples when your images start getting served to that many more people because they got Hotlinked. Nobody wants that, and that is why Hotlinking is also illegal.
Yes, Hotlinking is illegal in most cases. A lot of things are copyrighted nowadays, and images are no different. Many images come with restrictions or disclaimers, and here are a couple of the more popular ones:
“No commercial use is permitted under any circumstance.”
“Publication on a website or blog you own (in articles or news for illustrative purposes only).”
As you can imagine, such restrictions can be broken willingly or unwillingly. It is a simple URL embed, after all, and sometimes people know that they are Hotlinking, but other times they don’t know what that is or that they are doing it.
Fortunately for all of us, protecting your images from Hotlinking can be done in various ways, most of which are very easy to implement. These are the ones we will discuss in this article, as they can all be used with our hosting services:
Our services utilize cPanel, which comes with its own Hotlink protection. It is a tool in cPanel itself.
And they have excellent documentation on how to use it.
Our hosting services also utilize the Apache web server, which uses the “.htaccess” file. Within that file, you can place the following rules:
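    RewriteEngine on
    # Let through requests that send no Referer header at all
    RewriteCond %{HTTP_REFERER} !^$
    # Let through your own site and the listed search engines; the trailing
    # (/|$) stops look-alike hosts such as yourdomain.com.other.example
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com(/|$) [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com(/|$) [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing\.com(/|$) [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo\.com(/|$) [NC]
    RewriteRule \.(jpg|jpeg|png|gif|svg)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]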
These rules disable Hotlinking for all websites except Google, Bing, Yahoo, and your own website (you need to change “yourdomain.com” to your actual domain name). The first condition also lets through any request that arrives without a Referer header, such as a direct visit to the image URL. The last line will show the visitor the image from the URL in that line instead of the hot-linked image. That is not a mandatory line, but it can be useful and even fun. The rule set is very flexible: to allow another website to hotlink your images, add a condition for it.
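The following Python model of the Referer checks is an added example, not code from the original article or from Apache. It compares a prefix-only host pattern with one anchored at the end of the host name; the host names and sample requests are constructed, and "yourdomain.com" is the article's placeholder.

```python
import re

# Hypothetical names: "yourdomain.com" is the article's placeholder domain.
ALLOWED_HOSTS = ["yourdomain.com", "google.com", "bing.com", "yahoo.com"]
IMAGE_RE = re.compile(r"\.(jpg|jpeg|png|gif|svg)$", re.IGNORECASE)


def build_patterns(hosts, anchored):
    """One allowlist regex per host, mirroring one RewriteCond each."""
    tail = r"(/|$)" if anchored else ""  # anchored: host name must end here
    return [re.compile(r"^https?://(www\.)?" + re.escape(h) + tail, re.I)
            for h in hosts]


def decide(path, referer, patterns):
    """Return 'serve' or 'redirect', following the rule set's logic."""
    if not IMAGE_RE.search(path):
        return "serve"      # RewriteRule pattern does not match
    if referer == "":
        return "serve"      # empty Referer is let through by !^$
    if any(p.search(referer) for p in patterns):
        return "serve"      # Referer is on the allowlist
    return "redirect"       # every condition held: send the placeholder


LOOSE = build_patterns(ALLOWED_HOSTS, anchored=False)
STRICT = build_patterns(ALLOWED_HOSTS, anchored=True)

# Constructed sample requests: (requested path, Referer header value).
SAMPLES = [
    ("/photos/sunset.jpg", "https://www.yourdomain.com/gallery"),
    ("/photos/sunset.jpg", ""),
    ("/photos/sunset.jpg", "https://bigblog.example/article"),
    ("/photos/sunset.jpg", "https://yourdomain.com.bigblog.example/article"),
    ("/photos/SUNSET.PNG", "https://www.google.com/"),
    ("/index.html", "https://bigblog.example/article"),
]


def compare(samples=SAMPLES):
    """Decision per sample under the prefix-only and the anchored patterns."""
    return [(ref, decide(path, ref, LOOSE), decide(path, ref, STRICT))
            for path, ref in samples]


if __name__ == "__main__":
    for ref, loose, strict in compare():
        print(f"{ref or '(no Referer)':48} loose={loose:9} strict={strict}")
```

Only the fourth sample differs between the two pattern sets: the prefix-only pattern treats the look-alike host as your own site, while the anchored one redirects it.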
This one is very straightforward: if you notice that you are suddenly getting a lot of traffic on your images, change their names and the links on your website. This way, when someone tries to hotlink your image, they will get the dreaded “404 Not Found” error instead. However, this is not a permanent fix since the images will likely resurface on the Internet with the new names, so it is more of a band-aid than anything else.
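To notice that kind of traffic in the first place, the following added example (not part of the original article) totals image hits and bytes per external Referer host from an access log. It assumes the Apache combined log format; the host names, addresses and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: your own host names; "yourdomain.com" is the article's placeholder.
OWN_HOSTS = {"yourdomain.com", "www.yourdomain.com"}
# Apache "combined" log format: request line, status, bytes, Referer.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)"'
)
IMAGE_RE = re.compile(r"\.(jpg|jpeg|png|gif|svg)(\?|$)", re.IGNORECASE)

# Constructed sample log lines (documentation addresses and example domains).
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2023:10:00:01 +0000] "GET /photos/sunset.jpg HTTP/1.1" 200 482113 "https://bigblog.example/article" "Mozilla/5.0"
203.0.113.9 - - [12/May/2023:10:00:02 +0000] "GET /photos/sunset.jpg HTTP/1.1" 200 482113 "https://bigblog.example/article" "Mozilla/5.0"
198.51.100.7 - - [12/May/2023:10:00:03 +0000] "GET /photos/dunes.png HTTP/1.1" 200 120000 "https://www.yourdomain.com/gallery" "Mozilla/5.0"
198.51.100.8 - - [12/May/2023:10:00:04 +0000] "GET /photos/sunset.jpg HTTP/1.1" 200 482113 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2023:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "https://bigblog.example/article" "Mozilla/5.0"
192.0.2.44 - - [12/May/2023:10:00:06 +0000] "GET /photos/dunes.png HTTP/1.1" 304 - "https://forum.example/thread/42" "Mozilla/5.0"
"""


def external_image_referrers(log_text, own_hosts=OWN_HOSTS):
    """Return (referrer host, image hits, bytes sent) rows, largest first."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not IMAGE_RE.search(m["path"]):
            continue                      # unparsable line or not an image
        try:
            host = (urlsplit(m["referer"]).hostname or "").lower()
        except ValueError:                # malformed Referer value
            continue
        if not host or host in own_hosts:
            continue                      # no Referer, or one of our own pages
        totals[host][0] += 1
        totals[host][1] += 0 if m["size"] == "-" else int(m["size"])
    rows = [(host, hits, size) for host, (hits, size) in totals.items()]
    return sorted(rows, key=lambda row: (row[2], row[1]), reverse=True)


if __name__ == "__main__":
    for host, hits, size in external_image_referrers(SAMPLE_LOG):
        print(f"{host:20} hits={hits:<6} bytes={size}")
```

A host that appears at the top of this list without being one of your own or an allowed site is a candidate for the protections described in this article.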
Content Delivery Networks are excellent for delivering content, as the name suggests, but they also have some outstanding features. Some of them even have Hotlink protection. Cloudflare, for example, is one such CDN with Hotlink protection. It is a feature that comes with their free plans and is very easy to implement. It is located under the Scrape Shield page in your Cloudflare account, and they actually explain very well how to enable and use it.
Since we are talking about WordPress, there are many excellent plugins for preventing Hotlinking. For instance, there is a whole category of plugins just for Hotlinking. Of course, we strongly recommend you do a good bit of research before committing to a plugin. Some are no longer maintained, for instance, or are not good at what they should do. We recommend the All-In-One-Security plugin, which has hotlink protection and other useful security features.
There is one more type of WordPress plugin that can help with Hotlinking as well: plugins that disable right-clicking on your pages. There are three plugins we can recommend here:
They will disable the right-click functionality, preventing users from copying images off your website or their URLs. We don’t recommend this as a permanent solution, but it is a good starting point.
Conclusion
As you can see, Hotlinking is not only a lazy approach to adding images to your website, but it can also have real consequences for the source of those images. If you have a lot of content on your website in the form of images, please ensure the proper defenses are set up to prevent your images and bandwidth from being stolen. It is a genuine issue, but there are several simple and reliable ways to deal with it.