How to Detect and Stop Image Hotlinking on Your Website

While looking at the traffic statistics for my website recently, I noticed that my bandwidth usage had increased quite a bit this month. A further review of the logs indicated that I was getting quite a few visitors from electronic.districsides.com.

My first thought was that someone had linked to one of my posts, but after visiting the site I quickly found out this was not the case. The site had hotlinked to one of my images, which explained why my bandwidth usage had jumped up so suddenly. From what I can tell, the site was entirely built upon stolen content from other sites.

If you're not familiar with hotlinking, altlab.com has a great writeup about it, but basically when someone hotlinks to one of your images they are stealing bandwidth from your site to display images on their own website.

How can you tell if someone is hotlinking to your images?

The access logs for your website will contain many clues if someone is hotlinking to an image on your website, but going through them manually would be a time-consuming task.

I have found AWStats to be a very useful program for analyzing access logs. AWStats analyzes the log files of your website and compiles some very nice charts, graphs, and statistics about your website. Best of all, it's completely free! You may want to check out the online demo of AWStats to see what it offers.

You can use the statistics it generates to see how much bandwidth is going towards image file types such as jpg and png. Another useful feature is the ability to see where traffic to your site is coming from, which can be found in the ‘Connect to site from’ section.
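
The same log review can be scripted when AWStats is not available. This is an added example, not part of the original post: it assumes Apache's combined log format, and the function names, hosts and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ... "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'"(?:GET|HEAD) (?P<path>\S+) [^"]*" \d{3} (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)"'
)
IMAGE_RE = re.compile(r"\.(jpe?g|gif|bmp|png)$", re.IGNORECASE)

def is_own_host(host, own_domain):
    """True for the site itself and any of its subdomains."""
    host = host.lower().rstrip(".")
    return host == own_domain or host.endswith("." + own_domain)

def hotlink_report(lines, own_domain):
    """Return {referring host: [image hits, bytes served]}, largest bandwidth first."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a GET/HEAD request or not combined format
        path = urlsplit(m["path"]).path  # drop any query string
        if not IMAGE_RE.search(path):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            continue  # empty referer: direct visit or privacy setting, not evidence
        host = urlsplit(referer).hostname
        if host is None or is_own_host(host, own_domain.lower()):
            continue
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        totals[host][0] += 1
        totals[host][1] += sent
    return dict(sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True))

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2012:10:00:01 -0600] "GET /images/lan.png HTTP/1.1" 200 48211 "http://scraper.example.net/post1" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2012:10:00:07 -0600] "GET /images/lan.png HTTP/1.1" 200 48211 "http://scraper.example.net/post2" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2012:10:01:00 -0600] "GET /images/lan.png HTTP/1.1" 200 48211 "http://www.yoursitehere.com/a-post/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2012:10:02:00 -0600] "GET /images/rack.JPG?v=2 HTTP/1.1" 304 - "https://forum.example.org/t/9" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Mar/2012:10:03:00 -0600] "GET /images/rack.JPG HTTP/1.1" 200 90000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2012:10:04:00 -0600] "GET /a-post/ HTTP/1.1" 200 5120 "http://scraper.example.net/post1" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(hotlink_report(SAMPLE_LOG, "yoursitehere.com"))
```

Hosts at the top of the report with many image hits and no matching page views are the ones to look at first.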

How can you stop people from stealing your images?

Even if no one is hotlinking to your images today, it could easily happen in the near future unless you take steps to prevent it, which is actually pretty easy to do.

You will need to add the lines below to your .htaccess file.  You should find this file located in the root directory of your website.  Of course you’ll need to replace ‘yoursitehere’ in the second line with the domain name for your own site.

Hostgator’s control panel has a nice feature called File Manager that contains a built-in editor for manually editing files on your website. But as long as you have FTP or some other sort of direct file access to your website, you can make the necessary additions.

Add this to the end of your .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yoursitehere\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]

Let's look at this line by line:

Line #1 – Enables the URL rewrite module which is necessary for this to work

Line #2 – Checks whether the request was referred from your own site. The leading ! negates the match, so the rule only applies to requests that did not come from your site. [NC] is the flag for ‘no case’, making the match case-insensitive.

Line #3 – Allows empty referrers, in case the browser doesn’t send the Referer header.

Line #4 – The [F] flag returns an error 403 Forbidden instead of the hotlinked image.

If you want to display your own custom image instead of the error 403, you can change the last line to something like the one below. Then upload your own custom image and modify the link to it accordingly. Note that you’ll need to change the extension on the image to .jpe so it doesn’t get blocked.

RewriteRule .*\.(jpe?g|gif|bmp|png|jpg)$ /images/nohotlink.jpe [L]

I decided to go with this approach since it never hurts to get your name out there.  Below is the custom image I decided to use, so when someone hotlinks to my images they will see this image instead.

The fact that you can change the image people see when hotlinking is exactly why you should never hotlink to images.

I could have uploaded some malicious image instead but there is always the possibility that someone might hotlink to you on accident without knowing the consequences.

Sam Kear

Sam graduated from the University of Missouri - Kansas City with a bachelor's degree in Information Technology. Currently he works as a network analyst for an algorithmic trading firm. Sam enjoys the challenge of troubleshooting complex problems and is constantly experimenting with new technologies.

3 thoughts to “How to Detect and Stop Image Hotlinking on Your Website”

  1. Great article. My website host provides the AWstats already which is what alerted me to an increase in bandwidth usage. As it happens it all appears to be legitimate, but your article helped me determine that this was the case.

    Thanks again for the guidance.
    Hamish

  2. I’ve tried this and added the lines you mention to my .htaccess.

    I restarted Apache and Varnish, then from another website I have, tried to load one image, and I can still load the image from this other domain.
