Start learning with our library of video tutorials taught by experts. Get started

WordPress 3: Developing Secure Sites
Illustration by
Watching:

Stopping file hotlinking


From:

WordPress 3: Developing Secure Sites

with Jeff Starr

Video: Stopping file hotlinking

You see this image here? It's hotlinked from another web site. That means that this site, bluefeed.net, is linking directly to the image on another server, essentially stealing the file and benefitting at our expense. This happens all the time on the web, but there is a well-known htaccess technique for stopping it. In this screencast, we'll show you how to stop other sites from stealing your images.

Watch this entire course now—plus get access to every course in the library. Each course includes high-quality videos taught by expert instructors.

Become a member
please wait ...
WordPress 3: Developing Secure Sites
2h 36m Intermediate Jun 27, 2011

Viewers: in countries Watching now:

This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.

Topics include:
  • Backing up and restoring your site
  • Setting up strong passwords
  • Choosing trusted plugins and themes
  • Protecting the configuration file and the admin directory
  • Securing the login page
  • Fighting comment spam
  • Blocking access and detecting hacks
  • Finding and reporting vulnerabilities
Subjects:
Developer Web CMS Web Development
Software:
WordPress
Author:
Jeff Starr

Stopping file hotlinking

You see this image here? It's hotlinked from another web site. That means that this site, bluefeed.net, is linking directly to the image on another server, essentially stealing the file and benefitting at our expense. This happens all the time on the web, but there is a well-known htaccess technique for stopping it. In this screencast, we'll show you how to stop other sites from stealing your images.

Here in our FTP/file editor, let's open the root htaccess file for this WordPress installation. What we want to do is add a slice of htaccess code beneath these existing rules. The code is located in the exercise files for this screencast. Select everything for Method 1 from here to here and copy it, return to your htaccess file, and paste it into place.

This code looks more complicated than it is. In plain language, the code does the following. If there's a referrer and the requested file exists, if the requested file ends with any of these extensions and--this is important--if the referring site is not our own, then return a 403 Forbidden error instead of the requested image. It takes a bit of customization to work properly, so before uploading the modified file to our server, we need to change example to match our own domain name. For example, here the domain I am working with is perishablepress.com, so I edit 'example' to say 'perishablepress'.

We leave off the .com, .net or .whatever you may have. Next, look at the files that we're blocking with this code. We're blocking GIF files, any type of JPEG files, and PNG files, but we don't have to stop there. We can actually protect any file type: videos, music, Flash files, Word documents, whatever. You just need to add the appropriate file extension to the list. For example, let's say we also want to protect zip files.

We simply add another vertical bar after PNG and then type 'zip' and this may be repeated for as many file types as needed. Let's add one for Word document, or docx. Once everything is customized, we are ready to upload the file and check the results. We click Save and upload the file to our server. Returning to our online demo page, which is the one that is stealing, or hotlinking the image from our demo site, we refresh the page. Voila! No more hotlinked image.

This htaccess technique is very effective at protecting your files from thieves, and it only takes a minute to set up, as we've just seen. Bur now let's return to the FTP/file editor and look at how to do a little bit more. Instead of merely blocking the image, we can send a message to the hotlinking site. All we need is a simple image file containing whatever special message we want to send, and then we replace our previous block of code here with the second block of code included in the exercise files, method 2. Copy that, return to the htaccess file, and paste it into place. Before uploading to the server, we need to make a few changes. In this line, we change 'example' to whatever our domain name is leaving off the .net, .com or whatever.

Then we want to replace this path with the path to our special message image that we want to send to the hotlinkers. I have placed my special file at this location. Finally, save and upload the file to your server. Now let's return to the browser and refresh the page, to see what the hotlinking site will now receive when trying to hotlink our images.

There we go, problem solved. We could send any message we want here, with any size file. So be creative and have some fun. The simple htaccess technique used here will protect your site's images and other files from leechers and bandwidth thieves. Let's take another look at another special message. Using a different image, we change the path and refresh the page.

It couldn't be funner. There is at least one plug-in that will do the same functionality for WordPress, but it too also uses htaccess to make it happen. There's no need to add the extra complexity and maintenance of a plug-in to stop hotlinking. It's faster and more elegant to simply add the code directly, as described in this screencast.

There are currently no FAQs about WordPress 3: Developing Secure Sites.

 
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.
Upgrade now


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ.

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

join now Upgrade now

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed WordPress 3: Developing Secure Sites.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member?

Become a member to like this course.

Join today and get unlimited access to the entire library of video courses.

Get started

Already a member?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferencesfrom the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Are you sure you want to delete this note?

No

Notes cannot be added for locked videos.

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.