How to prevent hotlinking and bandwidth theft

Recently I was asked to knock together an article on preventing hotlinking for the Aussie Bloggers Forum that has recently started up. Seeing as though it took me some time to do, and that a lot of people that visit here are non-Aussie bloggers, I thought I may as well post it here for the good of the global community. So what follows is a slightly edited version of that article...

I should mention up front that I'm no expert on any of this. I did a bit of research on the subject when I found out someone had ripped off a nice chunk of my content, words and pictures, and wouldn't remove it after I'd asked them to nicely. Let's get into it.

What is hotlinking?

Hotlinking is when someone links directly to an image or file on your website. For example, if I were to use the following image tag and place it on my site, I'd be hotlinking the image from http://www.aussiebloggers.com.au, so in effect aussiebloggers.com.au would be paying for the data transfer of that image even though it would be displayed on http://www.swollenpickles.com

This is an example of some hotlinking code...

<img src="http://www.aussiebloggers.com.au/forum/tp-images/Image/absml.jpg" />

Hotlinking and bandwidth theft are sometimes used interchangeably, but they are really two different things. Hotlinking is the process, and bandwidth theft is the result. Bandwidth theft is hard to describe.

One of the best ways I've heard it described is, imagine if you have electricity or gas connected to your home. You pay the bill for your usage monthly. Now imagine that your next door neighbour decides to start plugging his/her appliances into your electricity sockets. Now you'll be paying for your own usage plus your neighbour's. Now imagine what would happen to your bill if everyone in your state started plugging stuff into your sockets? Get the picture?

To put it another way imagine that you had an image that was 100kb in size. Now imagine what would happen to your bandwidth if a high traffic site used hotlinking to display that image on their homepage. Depending on your hosting plan, it could potentially eat up your bandwidth very quickly.

How did I discover someone was hotlinking my images?

In my case I discovered that someone was hotlinking my images because I received a pingback from the offending blog. When I visited that blog I discovered the owner had been busy doing a lot of cut and pasting. In other cases though, it may be possible for you to detect it by reviewing your stats. Google Analytics is useful for this. If an image file is receiving a lot of views in comparison to your average pages, take a look to see where that traffic is coming from. Follow it back that way. If you know anything about server logs, that may be worth a look as well. Unfortunately I know nothing! :D
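One way to take that look at the server logs, as an added example that is not part of the original article: the script assumes Apache's combined log format and totals the bytes served for image requests whose referer is another site. The function name, the sample log lines and the yoursite.com placeholder are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+)[^"]*" '
    r'(\d{3}) (\d+|-) "([^"]*)" "[^"]*"$'
)
IMAGE_RE = re.compile(r"\.(jpe?g|gif|bmp|png)$", re.IGNORECASE)


def hotlink_report(lines, own_domains):
    """Return Counter {referring host: bytes served} for image hits from other sites."""
    own = tuple(d.lower() for d in own_domains)
    totals = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        path, status, size, referer = m.groups()
        if not IMAGE_RE.search(urlsplit(path).path):
            continue  # not an image request (query strings are ignored)
        host = (urlsplit(referer).hostname or "").lower()
        if not host:
            continue  # no referer: direct visits, feed readers, privacy tools
        if any(host == d or host.endswith("." + d) for d in own):
            continue  # our own pages showing our own images
        if status in ("200", "206") and size != "-":
            totals[host] += int(size)  # only responses that actually sent the image
    return totals


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2008:10:00:01 +1100] "GET /images/audi.jpg HTTP/1.1" 200 102400 "http://www.yoursite.com/post/1" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2008:10:00:02 +1100] "GET /images/audi.jpg HTTP/1.1" 200 102400 "http://scraper.example.net/copy.html" "Mozilla/5.0"
198.51.100.8 - - [12/Jan/2008:10:00:03 +1100] "GET /images/audi.jpg HTTP/1.1" 200 102400 "http://scraper.example.net/copy.html" "Mozilla/5.0"
192.0.2.44 - - [12/Jan/2008:10:00:04 +1100] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "FeedReader/1.0"
198.51.100.9 - - [12/Jan/2008:10:00:05 +1100] "GET /images/logo.png?v=2 HTTP/1.1" 304 - "http://forum.example.org/t/9" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for host, nbytes in hotlink_report(SAMPLE_LOG, ["yoursite.com"]).most_common():
        print(f"{host}\t{nbytes / 1024:.0f} KB")
```

Hosts at the top of the report with large byte totals are the ones worth following back.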

How did I stop it?

In my case the first step was to request that the blog owner remove the image (as well as the rest of the content he/she had pinched). Obviously step one wasn't successful.

Step two. I decided to look at some alternatives, which is how I found it was possible to prevent hotlinking. Hotlinking can be prevented quite easily by modifying your .htaccess file. As with modifying anything, I'd highly recommend that you make a backup copy of your .htaccess file before you touch anything. .htaccess is a crucial file for your site, and amongst other things can be used for redirects and rewrites, so stuffing it up is bad news.

When it comes to preventing hotlinking, there are a few ways to do it. I'll give examples of my two personal favourites.

The 403 Forbidden Error

Using this method, anyone attempting to hotlink your images will receive a 403 Forbidden Error instead. Here's the code (obviously replace 'yoursite' with your actual domain name.)

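# Turn on mod_rewrite
RewriteEngine On
# The referer is not yoursite.com or one of its subdomains (http or https)
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursite\.com/ [NC]
# ...and the referer is not empty (direct visits, feed readers, some proxies)
RewriteCond %{HTTP_REFERER} !^$
# Both true: answer the image request with 403 Forbidden
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]

Basically, what that is doing is switching on the rewrite engine, and then saying display the 403 error if the image request comes from anywhere other than yoursite.com. Requests that send no referer at all are let through.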

The Swap Over method

This is my personal favourite, and the method I employed initially to get my message across to the bandwidth thief. This method can also be entertaining. Using this method, anyone attempting to hotlink to your images will be served a different image, of your choice, instead. Obviously what you serve up is only limited by your imagination, and perhaps, your sense of good taste.

Here's the code:

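RewriteEngine On
# The referer is not yoursite.com or one of its subdomains (http or https)
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursite\.com/ [NC]
# ...and the referer is not empty
RewriteCond %{HTTP_REFERER} !^$
# Both true: serve the replacement image instead of the one requested
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/copthis.jpe [L]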

Basically what this is doing is saying, if a site other than yoursite.com is attempting to access an image, the requested image will be replaced by copthis.jpe. Make sure you use the *.jpe extension and not *.jpeg because otherwise you'll block your replacement image as well. Another thing you need to be careful of is that if there are other sites you want to allow access to your images (eg. you might run three different blogs and want to hotlink between them or you might want the images to turn up in your feed) then you'll need to add these to the exception list. This is a mistake I made first up, before I found out I was serving a number of pictures of bull testicles to all my feed readers (at the time that was probably all 3 of them!).

Here's an example of how you add an additional site to exception list.

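RewriteEngine On
# One negated condition per allowed site; consecutive conditions are ANDed
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursecondsite\.com/ [NC]
# Empty referers are let through
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/copthis.jpe [L]

Basically here, all you do is add another RewriteCond line, ending in "NC", for each site you want to exclude. Don't put ",OR" after the "NC": every one of these conditions starts with "!" (not), so joining them with OR would be true for every referer, your own site included, and your own pages would be served the replacement image too. Left as they are, the conditions are ANDed, so the rule only fires when the request comes from neither yoursite nor yoursecondsite. So essentially you're saying allow yoursite OR yoursecondsite to access the images, but for anyone else, swap their request with copthis.jpe.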
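A small model of how mod_rewrite combines the conditions in the exception list, as an added example that is not code from the original article: consecutive RewriteCond lines are ANDed unless a line carries [OR], and the sketch evaluates both ways of joining the negated site conditions against constructed referers, so you can see who would be served the replacement image. The function names are hypothetical and the patterns use https? so both schemes are covered.

```python
import re

IMAGE_RE = re.compile(r".*\.(jpe?g|gif|bmp|png)$")


def allow_pattern(domain):
    # Same shape as the CondPattern in the article, with https? for both schemes.
    return re.compile(r"^https?://(.+\.)?" + re.escape(domain) + "/", re.IGNORECASE)


def rule_fires(path, referer, allowed, join_with_or=False):
    """Model the chain: one negated RewriteCond per allowed site, then !^$.

    mod_rewrite ANDs consecutive RewriteCond lines unless a line carries [OR].
    Returns True when the RewriteRule would apply (image swapped or 403).
    """
    if not IMAGE_RE.match(path):
        return False
    # Each entry is one "!^https?://..." condition: True when the referer is NOT that site.
    not_allowed = [allow_pattern(d).match(referer) is None for d in allowed]
    site_conds = any(not_allowed) if join_with_or else all(not_allowed)
    not_empty = referer != ""  # the final RewriteCond %{HTTP_REFERER} !^$
    return site_conds and not_empty


ALLOWED = ["yoursite.com", "yoursecondsite.com"]  # placeholder domains from the article
# Constructed referers covering the cases the article mentions.
CASES = {
    "own page": "http://www.yoursite.com/post/",
    "second blog": "https://yoursecondsite.com/",
    "feed reader (no referer)": "",
    "other site": "http://scraper.example.net/copy.html",
}


def decisions(join_with_or):
    """Map each constructed case to True (rule fires) or False (image served)."""
    return {name: rule_fires("/images/audi.jpg", ref, ALLOWED, join_with_or)
            for name, ref in CASES.items()}


if __name__ == "__main__":
    for name in CASES:
        print(f"{name:26} AND={decisions(False)[name]}  OR={decisions(True)[name]}")
```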

Like I said earlier, I had some fun replacing images of Audis etc with... ahem... other things...

After a week or so, the content came down and I switched from the Swap Over method to the 403. I'd suggest that the Swap Over method is only useful if you want to have some fun with the thief, or make a point, and if you only intend to do it for a short period, because you are still serving them an image, so they are also still taking some bandwidth.

If you want to follow my three post bandwidth battle saga, here they are in chronological order:
Dealing with Bandwidth Theft
Turning up the heat on the bandwidth thief
How I stopped a bandwidth thief

The altlab website was an invaluable resource! I highly recommend checking it out if you want a more intelligent description of hotlinking. They also have a tool you can use to check if people are able to hotlink your images. You can find that here:
http://altlab.com/htaccess_tutorial.html#hotlinkcheck

Hope it helps someone.


19 Responses to “How to prevent hotlinking and bandwidth theft”

  1. blankshooting says:

    man, you really have nerded up since i’ve been gone. aie yo!

  2. man, you really have nerded up since i’ve been gone. aie yo!

    I try buddy. I still don’t speak fluent nerd, but it is starting to get better.

  3. […] My last post was replicated in full on another blog (stirtheblood.blogspot.com/2008/01/when-blogging-becomes-addiction.html) without my permission, image and all. Using an image like this is called hotlinking. […]

  4. Beth says:

    I have never had anyone hotlink to an image until today- and this worked perfectly. Thank goodness I came across it!

  5. […] a very informative article “How to prevent hotlinking and bandwidth theft” over at the Swollen Pickle. She explained this in such a manner that, even I, understood what was going on and what to do to […]

  6. Karen says:

    Thank you so much for the great article. I have written about it on my blog with a link back to this so I will have it if ever I need it.

  7. Orangeinks says:

    Darn I forgot the spam protection when I submitted my comment. Anyway, I found this post through afrogtokiss.net and I was just wondering what happens if I put an href to my images directing it to my homepage? Will the person who hotlinked my images also give me a link to my site? I was thinking that it will annoy the hell out of my readers. lol. Every time they clicked my images, they will be redirected to my home page. It’s just a question that popped out of my head after reading your article. Just curious. Thanks for the tip. :)

  8. Laura says:

    If you host your own images for other sites that code won’t help you. You will be causing your own site to lose images as well as any hotlinkers. It is easier to just move your images. Every now and then change your image location from domain.com/images to domain.com/image and then back again in another few months. Just keep track of where you have put your images on other sites so you can change them there too. Of course, if it is a site you no longer use it doesn’t really matter.

  9. swollenpickles says:

    If you host your own images for other sites that code won’t help you. You will be causing your own site to lose images as well as any hotlinkers.

    If you host images for other sites then you just need to add them to the exception list. I covered that off above, but here’s the code again:
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursite\.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursecondsite\.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/copthis.jpe [L]

  10. […] going on and for being so freakin’ awesome! Also thanks to Swollen Pickles’ post ‘How to Prevent Hotlinking and Bandwidth Theft‘ for the code I needed to stop this […]

  11. want to be nerd like u says:

    i am having so much trouble with my site..i really appreciate the help you guys post for people like me..my site is constantly under ddos attack and my site is down all the time bc if it's not ddos attack then its bandwidth is gone…when i look in the logs i see ip addresses using 500mb, google 300mb…kindly guide me where i can start and learn how to do proper mod rewrite so i can stop these useless punks from destroying my site :(

    sincerely
    a friend who needs advice

  12. i am having so much trouble with my site..i really appreciate the help you guys post for people like me..my site is constantly under ddos attack and my site is down all the time bc if it's not ddos attack then its bandwidth is gone…when i look in the logs i see ip addresses using 500mb, google 300mb…kindly guide me where i can start and learn how to do proper mod rewrite so i can stop these useless punks from destroying my site
    sincerely
    a friend who needs advice

    If your site is constantly under DDOS attack then I’d suggest referring the problem on to your host provider. They should be able to help with that.

    In terms of bandwidth, is it due to images on your site appearing in the google image search? Can you tell if images are being hotlinked to from forums etc?

  13. George says:

    At the same time of preventing Hotlinking, how do I also allow Google Images to index my pictures?

  14. […] can find more information on preventing hotlinking here. Related […]

  15. fiona says:

    Hi, thanks for this article, it’s just what I need.

    I just had an image hotlinked; thankfully the situation has been resolved, but I’d like to prevent it happening again, so I’ll be trying your method.

  16. Muskie says:

    I usually just make fun of them and rename the image, but hotlinkers and other crap managed to take down my website and email this month, so I think it is time to go with a blanket solution. My problem with most tutorials is I have subdomains such as blog. and others. These actually use up most of my bandwidth. I also post images to forums that I have hosted, my website has been online a long time. I’m smart enough to put them in a directory called /OffSite/ so if one starts using too much bandwidth it is easy to fix.

    So I’d like to use these htaccess or mod_rewrite solutions but I’d like to allow subdomains and of course the odd forum.

    Any suggestions on how best to do this?

  17. […] blog above linked to Swollen Pickle writing about ideas for blocking hotlinkers, people who take your image by linking to it from your […]
