Join Jeff Starr for an in-depth discussion in this video, Stop file hotlinking, part of WordPress: Developing Secure Sites.
- [Narrator] You see this image? It's posted here at our demo site. Unfortunately, this other site is stealing the image using a technique known as hotlinking. We can see this by inspecting the source code. As you can see, the image is hosted at our demo site perishablepress.net. But notice the URL of this site. This is not perishablepress.net. So we see that the image is being hotlinked. In general, hotlinking is what you call it when some website, without permission, links directly to a resource that is hosted on a different server.
So when a site hotlinks your images, they essentially are stealing your bandwidth and benefiting at your expense. This happens all the time on the web, but there is a surefire .htaccess technique for stopping it. To stop other sites from hotlinking your resources, copy the Method 1 code snippet from the Exercise Files for this tutorial. Then open your site's root .htaccess file and paste the snippet before any WordPress-specific rules. In plain language, this code does the following: It checks to see if the referrer is not empty.
Then it checks to see if the referrer is not from your domain. Then it checks to see if the request is for any of these image types: GIFs, any type of JPEG, or PNGs. If there is a match for these criteria, then the server will return a 403 Forbidden response instead of the requested image. In order to work properly, this snippet needs a quick edit. Before uploading the .htaccess file to your server, change the example to your domain name, and the "com" to your top-level domain.
So for example, our demo site's domain is perishablepress and its top-level domain is "net". So we edit and then save our changes, and then going further we can customize the types of files that are protected. Currently we are protecting GIF images, JPEGs, and PNGs, but we don't have to stop there. We can actually protect any type of file. Videos, music, Flash files, Word documents, whatever.
You just need to add the appropriate file extension to the list. For example, let's say we also want to protect zip files. We simply add another vertical bar, and then type "zip". This may be repeated for as many file types as is needed. Once everything is customized, we're ready to save our changes, upload the file, and check the results. So now let's return to the site that is hotlinking, or stealing the image from our demo site. With our .htaccess anti-hotlink code in place, we refresh the page and no more hotlinked image.
The request is blocked. This .htaccess technique is very effective at protecting your images and other files from thieves and content scrapers. And it only takes a minute to set up. As a bonus, instead of merely blocking the request, we can display our own custom image on the hotlinking site. To do so, replace the previous .htaccess snippet with Method 2 from our Exercise Files. Copy the snippet and replace the previous code like so.
Before uploading to the server, remember to make the following changes: Change example to match your domain and "com" to match your top-level domain. Then replace "hotlink.gif" with a file name that you would like to use, and also make sure to include the path to the image on the server. And the image can be anything you want. In fact, it doesn't even have to be an image. So be creative and have some fun. To give you an idea, here are some examples from my own anti-hotlink adventures around the web.
These are some of my own anti-hotlink images. These are tame in comparison to some of the others I've seen. In this video, we've explored an excellent technique for stopping hotlinking of your site's images and other media. A few minutes and a simple code snippet is all that it takes to protect your content from bandwidth thieves and content scrapers.
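The two snippets the narration walks through (Method 1 blocks the request, Method 2 serves a replacement image), written out here as an added example rather than the course's own Exercise Files, which are not reproduced on this page. `example\.com` and `/images/hotlink.gif` are placeholders to replace with your own domain and replacement-file path.

```apache
# Added example (not the course's Exercise Files): anti-hotlink rules as described
# in the narration. Paste before the "# BEGIN WordPress" block in the site's root
# .htaccess and replace example\.com with your own domain and top-level domain.
<IfModule mod_rewrite.c>
RewriteEngine On

# --- Method 1: answer hotlinked requests with 403 Forbidden ---
# 1. The referrer is not empty (direct visits and some privacy tools send none,
#    so those requests are still served).
RewriteCond %{HTTP_REFERER} !^$
# 2. The referrer is not this site (http or https, with or without www).
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
# 3. The request is for one of these file types; extend the list with "|",
#    as the narration does for zip. [F] returns 403, [NC] ignores case.
RewriteRule \.(gif|jpe?g|png|zip)$ - [NC,F]

# --- Method 2: serve a custom image instead (use INSTEAD of Method 1) ---
# Same two referrer conditions, plus one more: never rewrite the replacement
# image itself, otherwise the rule re-matches it and the request loops.
# Uncomment these lines and remove the Method 1 RewriteRule above to enable.
#RewriteCond %{HTTP_REFERER} !^$
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
#RewriteCond %{REQUEST_URI} !/images/hotlink\.gif$ [NC]
#RewriteRule \.(gif|jpe?g|png)$ /images/hotlink.gif [NC,L]
</IfModule>
```

The Referer header is supplied by the client, so this controls casual hotlinking and the bandwidth it costs rather than acting as an access control; after uploading, fetch an image from a page on another domain to confirm the 403 (or the replacement image) and from your own pages to confirm they still load.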