Preventing hotlinking

What is hotlinking?
Hotlinking occurs when a website directly accesses, rather than links to, a resource (such as an image, or a video) on a remote site. Unless the remote site has some form of restriction in place, the browser visiting the site will render the remote resource as if it were part of the original site. If this is done without authorization, the action is considered a form of bandwidth theft. Unless cached, the remote resource is retrieved from the remote site every time the linking web page is accessed, costing the remote site bandwidth. This article presents possible methods of preventing this kind of activity; however, hotlinking has advantages as well as disadvantages, and both are addressed in a sister article.

Preventing image hotlinking via the panel
You can prevent image hotlinking from the DreamHost panel, under the Goodies section, from the htaccess/webdav tab.

https://panel.dreamhost.com/index.cgi?tree=goodies.webdav

Click the domain in question, then add a directory matching the directory you want to protect. Check the link protection section and add any extra allowed domains, if necessary, and submit the form. This will destroy any existing .htaccess file and you will not be able to make your own .htaccess file in this directory. This can disrupt CMS programs like WordPress or Joomla if they are installed to the same directory. In this case, you'll need to use the method below, instead.

Preventing bandwidth theft via .htaccess
The other way you can prevent hotlinking is by adding lines to your .htaccess file manually. If you do not already have an .htaccess file, you can create one in a text editor - note the strange filename ".htaccess". In the code below, your domain is assumed to be www.example.com. You will need to change the code to reflect your own domain name. Note also that UNIX is case-sensitive, so if you have uppercase file extensions you will need to specify them in your rewrite rules (see first example below). The examples below need no changes whether or not your website is configured to use www.

Note: According to a divaHTML article, the HTTP_REFERER value may not always end with a slash, depending upon the browser. For instance, a browser may specify the value  as the HTTP_REFERER. The regexp pattern   will match the exact values   and   and will match strings that start with the   prefix. At the same time, this regexp pattern will not match strings in which a character other than a slash comes after the  prefix (i.e. the   string.)

Preventing bandwidth theft
This method will deny the remote domain access to specified resources, and stop your bandwidth from being stolen.

Blocking specific domains
The following code will return a 403 Forbidden error instead of the requested image, but only when the image has been requested by badsite.net or badsite.com:

    RewriteEngine On
    # Referer is badsite.net or badsite.com, over http or https
    # ([NC] = ignore case, [OR] = either condition may match)
    RewriteCond %{HTTP_REFERER} ^https?://(www\.)?badsite\.net(/.*)*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^https?://(www\.)?badsite\.com(/.*)*$ [NC]
    # [F] answers with 403 Forbidden instead of serving the file
    RewriteRule \.(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG|mng|MNG)$ - [F]

Note that in the above example, only images (that have lower-case file extensions) are being protected. To protect other resources, such as video and audio files, add additional extensions to the parentheses block.

Blocking most domains
The following code will return a 403 Forbidden error instead of the requested resource, unless requested from example.com or livejournal.com (note that one of the allowed sites should be the domain where the resource is actually used):

    RewriteEngine On
    # Referer is neither allowed domain (http or https) ...
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/.*)*$ [NC]
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?livejournal\.com(/.*)*$ [NC]
    # ... and is not empty
    RewriteCond %{HTTP_REFERER} !^$
    RewriteRule \.(jpeg|gif|png)$ - [F]

In addition, since a user agent may not always specify an HTTP_REFERER value, the RewriteCond %{HTTP_REFERER} !^$ line allows the request to go through if the HTTP_REFERER value consists of a blank string.

Blocking all domains
The following code will return a 403 Forbidden error instead of the requested resource, unless the referrer is example.com, which should be changed to the domain of the site where the image is used:

    RewriteEngine On
    # Referer is not your own domain (http or https) and is not empty
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/.*)*$ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteRule \.(jpe?g|gif|png)$ - [F]

As with the previous example, the RewriteCond %{HTTP_REFERER} !^$ line allows the request to go through if the HTTP_REFERER value consists of a blank string.
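The allowlist logic of the "Blocking most domains" rules can be checked offline before it goes into .htaccess. The following is an added example, not part of the original article: a small Python model of those conditions, run over constructed Referer values. The decide function and the sample requests are assumptions of this example, and the pattern accepts both http and https referers.

```python
import re

# Referer allowlist in the style of the RewriteCond lines ([NC] -> re.IGNORECASE).
ALLOWED = [
    re.compile(r"^https?://(www\.)?example\.com(/.*)*$", re.IGNORECASE),
    re.compile(r"^https?://(www\.)?livejournal\.com(/.*)*$", re.IGNORECASE),
]
# RewriteRule pattern: case-sensitive, matched against the requested path.
PROTECTED = re.compile(r"\.(jpeg|gif|png)$")


def decide(path, referer):
    """Return 403 if the modelled rules would forbid the request, else 200."""
    if not PROTECTED.search(path):
        return 200  # RewriteRule pattern does not match: rule is skipped
    if referer == "":
        return 200  # RewriteCond %{HTTP_REFERER} !^$ is false
    if any(p.search(referer) for p in ALLOWED):
        return 200  # one of the negated allowlist conditions is false
    return 403      # every condition holds, so [F] applies


# Constructed sample requests: (path, Referer header value).
SAMPLES = [
    ("/img/cat.png", "http://www.example.com/page.html"),
    ("/img/cat.png", "https://example.com"),              # no trailing slash
    ("/img/cat.png", ""),                                 # Referer not sent
    ("/img/cat.png", "http://badsite.net/thread/1"),
    ("/img/cat.png", "http://example.com.badsite.net/"),  # lookalike prefix
    ("/img/cat.png", "http://blog.example.com/"),         # subdomain not listed
    ("/img/cat.PNG", "http://badsite.net/"),              # upper-case extension
    ("/notes.txt", "http://badsite.net/"),                # unprotected type
]

if __name__ == "__main__":
    for path, ref in SAMPLES:
        print(decide(path, ref), path, repr(ref))
```

The upper-case .PNG request is served because the RewriteRule pattern is case-sensitive, and any client that omits the Referer header is served as well, so these rules reduce casual hotlinking rather than control access to the files.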

Replacing images
This method will still result in bandwidth theft, but it will protect your images. Bandwidth theft may eventually decrease as people learn that linking to your images will not work.

Please note that some programs (phpBB, for example) seem to recognize the 302 status caused by the following methods as an error condition, and start repeatedly retrying until the user browses to another page.

Replacing the image
The following code will cause the remote server to display no_hotlink.jpg instead of the requested image:

    RewriteEngine On
    # Referer is not your own domain (http or https) and is not empty
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/.*)*$ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    # Serve the placeholder image; [L] stops further rule processing
    RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [L]

Allow certain hotlinking
The following code will cause the remote server to display no_hotlink.jpg instead of the requested image, unless the image has been requested from a specified directory ("dir"):

    RewriteEngine On
    # Referer is not a page under example.com/dir/ (http or https) and is not empty
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/dir/ [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [L]

Block specific domains
The following code will cause the remote server to display no_hotlink.jpg instead of the requested image, but only when the image has been requested by badsite.net or badsite.com:

    RewriteEngine On
    # Referer is badsite.net or badsite.com, over http or https
    RewriteCond %{HTTP_REFERER} ^https?://(www\.)?badsite\.net(/.*)*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^https?://(www\.)?badsite\.com(/.*)*$ [NC]
    RewriteRule \.(jpe?g|gif|png)$ images/no_hotlink.jpg [L]