Recently I was asked to knock together an article on preventing hotlinking for the Aussie Bloggers Forum that has recently started up. Seeing as though it took me some time to do, and that a lot of people that visit here are non-Aussie bloggers, I thought I may as well post it here for the good of the global community. So what follows is a slightly edited version of that article...

I should mention up front that I'm no expert on any of this. I did a bit of research on the subject when I found out someone had ripped off a nice chunk of my content, words and pictures, and wouldn't remove it after I'd asked them to nicely. Let's get into it.

What is hotlinking?

Hotlinking is when someone links directly to an image or file on your website. For example, if I were to use the following image tag and place it on my site, I'd be hotlinking the image from http://www.aussiebloggers.com.au, so in effect aussiebloggers.com.au would be paying for the data transfer of that image even though it would be displayed on http://www.swollenpickles.com.

This is an example of some hotlinking code...

<img src="http://www.aussiebloggers.com.au/forum/tp-images/Image/absml.jpg" />

Hotlinking and bandwidth theft are sometimes used interchangeably, but they are really two different things. Hotlinking is the process, and bandwidth theft is the result. Bandwidth theft is hard to describe.

One of the best ways I've heard it described is this: imagine you have electricity or gas connected to your home. You pay the bill for your usage monthly. Now imagine that your next door neighbour decides to start plugging his/her appliances into your electricity sockets. Now you'll be paying for your own usage plus your neighbour's. Now imagine what would happen to your bill if everyone in your state started plugging stuff into your sockets? Get the picture?

To put it another way imagine that you had an image that was 100kb in size. Now imagine what would happen to your bandwidth if a high traffic site used hotlinking to display that image on their homepage. Depending on your hosting plan, it could potentially eat up your bandwidth very quickly.

How did I discover someone was hotlinking my images?

In my case I discovered that someone was hotlinking my images because I received a pingback from the offending blog. When I visited that blog I discovered the owner had been busy doing a lot of cutting and pasting. In other cases, though, you may be able to detect it by reviewing your stats. Google Analytics is useful for this. If an image file is receiving a lot of views in comparison to your average pages, take a look to see where that traffic is coming from and follow it back that way. If you know anything about server logs, that may be worth a look as well. Unfortunately I know nothing! :D
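For the server-log route, here is an added example (not part of the original article) that tallies image requests whose referer is someone else's site, using Apache's combined log format. The function names, sample hosts and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d{3} (\d+|-) "([^"]*)" "[^"]*"$')
IMAGE_RE = re.compile(r'\.(jpe?g|gif|bmp|png)$', re.IGNORECASE)

def is_own(host, own_domains):
    """True for one of our own domains or any of its subdomains."""
    return any(host == d or host.endswith('.' + d) for d in own_domains)

def hotlink_report(lines, own_domains):
    """Return [(referer_host, hits, bytes)] for images requested from other sites' pages."""
    totals = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # not a combined-format GET/HEAD line
        path, size, referer = m.groups()
        if not IMAGE_RE.search(path.split('?', 1)[0]):
            continue                      # not an image request
        try:
            host = (urlsplit(referer).hostname or '').lower()
        except ValueError:
            continue                      # malformed referer
        if not host or is_own(host, own_domains):
            continue                      # no referer ("-") or one of our own pages
        hits, total = totals.get(host, (0, 0))
        totals[host] = (hits + 1, total + (int(size) if size.isdigit() else 0))
    # Biggest bandwidth consumers first
    return sorted(((h, n, b) for h, (n, b) in totals.items()), key=lambda r: -r[2])

# Constructed sample lines (documentation IP ranges, made-up hosts)
T = '[10/Mar/2008:10:00:00 +1100]'
SAMPLE_LOG = [
    f'203.0.113.5 - - {T} "GET /images/audi.jpg HTTP/1.1" 200 102400 "http://www.yoursite.com/post-1/" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET /images/audi.jpg HTTP/1.1" 200 102400 "http://scraper.example/copied-post/" "Mozilla/5.0"',
    f'198.51.100.8 - - {T} "GET /images/audi.jpg HTTP/1.1" 200 102400 "http://scraper.example/copied-post/" "Mozilla/5.0"',
    f'198.51.100.9 - - {T} "GET /images/logo.png HTTP/1.1" 200 2048 "http://reader.example/feeds" "Mozilla/5.0"',
    f'192.0.2.44 - - {T} "GET /images/audi.jpg HTTP/1.1" 200 102400 "-" "Mozilla/5.0"',
    f'192.0.2.45 - - {T} "GET /post-1/ HTTP/1.1" 200 5120 "http://scraper.example/copied-post/" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, hits, nbytes in hotlink_report(SAMPLE_LOG, ['yoursite.com']):
        print(f'{host}: {hits} image hits, {nbytes} bytes')
```

Pass every domain you want to treat as your own (for example a feed reader you rely on) in the second argument so it is left out of the report.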

How did I stop it?

In my case the first step was to request that the blog owner remove the image (as well as the rest of the content he/she had pinched). Obviously step one wasn't successful.

Step two. I decided to look at some alternatives, which is how I found it was possible to prevent hotlinking. Hotlinking can be prevented quite easily by modifying your .htaccess file. As with modifying anything, I'd highly recommend that you make a backup copy of your .htaccess file before you touch anything. .htaccess is a crucial file for your site, and amongst other things can be used for redirects and rewrites, so stuffing it up is bad news.

When it comes to preventing hotlinking, there are a few ways to do it. I'll give examples of my two personal favourites.

The 403 Forbidden Error

Using this method, anyone attempting to hotlink your images will receive a 403 Forbidden Error instead. Here's the code (obviously replace 'yoursite' with your actual domain name.)

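# Turn on mod_rewrite for this directory
RewriteEngine On
# Referer is not yoursite.com or one of its subdomains (http or https)...
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursite\.com/ [NC]
# ...and is not empty (requests that send no referer are allowed through)
RewriteCond %{HTTP_REFERER} !^$
# Refuse matching image requests with 403 Forbidden
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]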

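Basically, what that is doing is turning on the rewrite engine and then saying: display the 403 error if the image request comes from anywhere other than yoursite.com. The second condition (!^$) lets through requests that send no referer at all, such as someone typing the image URL straight into their browser.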

The Swap Over method

This is my personal favourite, and the method I employed initially to get my message across to the bandwidth thief. This method can also be entertaining. Using this method, anyone attempting to hotlink to your images will be served a different image, of your choice, instead. Obviously what you serve up is only limited by your imagination, and perhaps, your sense of good taste.

Here's the code:

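RewriteEngine On
# Referer is not yoursite.com or one of its subdomains (http or https)...
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursite\.com/ [NC]
# ...and is not empty
RewriteCond %{HTTP_REFERER} !^$
# Serve the replacement image instead; .jpe is not in the pattern, so it is never rewritten itself
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/copthis.jpe [L]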

Basically what this is doing is saying, if a site other than yoursite.com is attempting to access an image, the requested image will be replaced by copthis.jpe. Make sure you use the *.jpe extension and not *.jpeg because otherwise you'll block your replacement image as well. Another thing you need to be careful of is that if there are other sites you want to allow access to your images (eg. you might run three different blogs and want to hotlink between them or you might want the images to turn up in your feed) then you'll need to add these to the exception list. This is a mistake I made first up, before I found out I was serving a number of pictures of bull testicles to all my feed readers (at the time that was probably all 3 of them!).

Here's an example of how you add an additional site to exception list.

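RewriteEngine On
# One negated condition per allowed site; with no OR flag they are ANDed together
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursecondsite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/copthis.jpe [L]

Basically here, all you do is add another RewriteCond line for each site you want to exclude, keeping just the "NC" flag on each one. Don't add ",OR" to these lines: every condition is negated, so a request from yoursite would still satisfy "not from yoursecondsite", and with OR that is enough to swap the image for your own pages too. Left as plain lines the conditions are ANDed, so essentially you're saying the request is not from yoursite AND not from yoursecondsite AND has a referer. That allows yoursite or yoursecondsite to access the images, but for anyone else, their request is swapped with copthis.jpe.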
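To check an exception list before deploying it, this added example (not from the original article) models how mod_rewrite combines the negated referer conditions, with the default AND and with the OR flag, over constructed requests. The helper names and sample URLs are assumptions, and the referer pattern accepts both http and https.

```python
import re

# The RewriteRule pattern from the article
IMAGE = re.compile(r'.*\.(jpe?g|gif|bmp|png)$')

def not_from(domain, referer):
    """One negated RewriteCond with [NC]: true when referer is NOT from domain."""
    pattern = r'^https?://(.+\.)?' + re.escape(domain) + '/'
    return re.search(pattern, referer, re.IGNORECASE) is None

def rule_fires(path, referer, allowed, use_or=False):
    """True when the image request would be swapped (or refused)."""
    if not IMAGE.search(path):
        return False
    conds = [not_from(d, referer) for d in allowed]
    # Without [OR] the site conditions are ANDed; with [OR] they are ORed.
    sites = any(conds) if use_or else all(conds)
    # The final condition (!^$) is always ANDed: an empty referer never fires.
    return sites and referer != ''

ALLOWED = ['yoursite.com', 'yoursecondsite.com']
# Constructed requests: (path, referer)
CASES = [
    ('images/audi.jpg', 'http://www.yoursite.com/post/'),
    ('images/audi.jpg', 'http://yoursecondsite.com/'),
    ('images/audi.jpg', 'http://scraper.example/copied/'),
    ('images/audi.jpg', ''),
    ('images/copthis.jpe', 'http://scraper.example/copied/'),
]

def compare(cases=CASES, allowed=ALLOWED):
    """Return [(referer, fires_with_and, fires_with_or)] for each case."""
    return [(ref, rule_fires(p, ref, allowed), rule_fires(p, ref, allowed, use_or=True))
            for p, ref in cases]

if __name__ == '__main__':
    for ref, with_and, with_or in compare():
        print(f'{ref or "(empty)":40} AND={with_and!s:5} OR={with_or}')
```

With OR, the first two rows fire even though both referers are on the allowed list, because a referer can never match both sites at once.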

Like I said earlier, I had some fun replacing images of Audis etc with... ahem... other things...

After a week or so, the content came down and I switched from the Swap Over method to the 403. I'd suggest that the Swap Over method is only useful if you want to have some fun with the thief, or make a point, and if you only intend to do it for a short period, because you are still serving them an image, so they are also still taking some bandwidth.

If you want to follow my three post bandwidth battle saga, here they are in chronological order:
Dealing with Bandwidth Theft
Turning up the heat on the bandwidth thief
How I stopped a bandwidth thief

The altlab website was an invaluable resource! I highly recommend checking it out if you want a more intelligent description of hotlinking. They also have a tool you can use to check if people are able to hotlink your images. You can find that here:
http://altlab.com/htaccess_tutorial.html#hotlinkcheck

Hope it helps someone.
