Advanced Hotlink Protection

Many of you may be using cPanel hosting software for your website, and may already have hotlink protection configured from within that. However, if you are finding that the set-up is limited, or indeed if you don't run cPanel or other software which will do it for you automatically, this article is for you. I intend to talk about how to enable hotlink protection through the use of a .htaccess file, and in particular the special tricks you can perform with it.

A brief introduction first. The file is not named htaccess, instead the file extension IS .htaccess. So in order to create the file you must create a blank text file, lets say new.txt, and simply rename it .htaccess. As long as your server is running apache (which most are) this neat little file will allow you to set up custom error pages, block certain IP addresses and sites, put 301 redirects in place and, most importantly, stop hotlinking.

Hot linking is often used as a curse in web developer circles. Also known as bandwidth theft, it means linking directly to files and images on somebody else's server. The victim of hotlinking loses the bandwidth that the files take up, possible visitors to their site that now no longer need to visit to get the resources that they need, and in turn loses money. Most commonly images are hotlinked, to be shown in blog posts, on forums and on unscrupulous webmaster's own pages.

The best way to stop this, in my experience, is to use the redirects present in the .htaccess file. Take a look at this code extract below:

RewriteEngine on
RewriteCond% {HTTP_REFERER}.
RewriteCond% {HTTP_REFERER}! ^ Http: // ([^.] + .)? Shock-therapy . [NC]
RewriteCond% {HTTP_REFERER}! ^ Http: // ([^.] + .)? Site1 . [NC]
RewriteCond% {HTTP_REFERER}! ^ Http: // ([^.] + .)? Site2 . [NC]
RewriteCond% {HTTP_REFERER}! Google . [NC]
RewriteCond% {HTTP_REFERER}! Search ? Q = cache [NC]
RewriteCond% {REQUEST_URI}! ^ / Stophotlink .gif $
RewriteRule . (Gif | jpg | png) $ /stophotlink.gif [NC, L]

Now, lets go through this in order. The first line indicates to the server that you wish to rewrite certain file paths. As the htaccess is consulted before any request that the server processes, there is no way around this rewriting.

The line:

RewriteCond% {HTTP_REFERER}! ^ Http: // ([^.] + .)? Shock-therapy . [NC]

Is important as it allows any of the images (in this case) to be viewed from within the site. Obviously you don't want to set it up so you can't see your own images! The! ^ In this case acts as a 'NOT', meaning that any site prefaced with that will be allowed to link directly to any images. The ([^.] + .)? in place of the typical www acts as a wild card, so that any sub domain can use this. This helps with canonical issues, as well as if you wish to allow a certain forum (which may use, for example) access to the files. Of course, the other HTTP_REFERER lines show which sites other than your own are allowed direct links – in this case site1 and site2.

OK then, time for the first of the more advanced features. These two lines of code here:

RewriteCond% {HTTP_REFERER}! Google . [NC]
RewriteCond% {HTTP_REFERER}! Search ? Q = cache [NC]

These will allow Google image search direct access to your images. After all, it'll annoy people who are looking for images if all they get is either an error or a custom image (I'll get onto that soon). Of course, some people don't like the idea of ​​Google allowing people to access their copyright images, in which case these two lines should not be included.

Related your content:  Psychology Private Practice Marketing: Choosing a Niche Market

Now we come to the most essential part of it all. The next two lines specify which file type you want blocked and can even be used to configure a custom image to be shown (with advantages which will become apparent):

RewriteCond% {REQUEST_URI}! ^ / Stophotlink .gif $
RewriteRule . (Gif | jpg | png) $ /stophotlink.gif [NC, L]

The last line disables direct links to gif, jpg and png file types. Any other types that you wish to block can be added, however it is dependent upon whether you wish to redirect the hotlinkers or not. If you look at the second line again you will see the phrase '$ /stophotlink.gif'. Now the great thing about this is that it actually replaces the image your server will show with a custom one! So you may be want to post a rude picture, or maybe a brief injunction to stop nicking your bandwidth. Either way the image will be shown on the site linking to you, rather than the originally intended image.

Even better, as the original site owner often still has the original image in their cache, they don't even realize there's been a switch. So while visitors to his site look upon your free advertising (or otherwise) he is blissfully un-aware that anything is wrong. Until he refreshes the page at least.

The first line of that example is essential, by the way. It specifically tells the server to exclude the image 'stophotlink.gif' from the hotlink protection. You wouldn't want a nasty infinite loop, now, would you?

This same technique can be used to refer people to a specific HTML page as well. Say in the case of files:

RewriteRule . (Avi | mpg | zip | exe) $ /forbidden.html [NC, L]

This will redirect any zip, exe, mpg or avi requests directly to a page called 'forbidden.html'. If you are using custom error pages, this might even be set up as the same page, giving them what appears to be a 403 error. Just remember that with both of those examples the rewriting will only work in the root folders. It may be more sensible to use a direct link such as '[]' that will then work for all folders and sub domains.

Well, I hope that brief run down of hotlink protection was useful to you. Using this method personally I am saving myself approximately 400MB of bandwidth a month, however I have a fairly small user base. A large website could save possibly hundreds of gigabytes of bandwidth this way, especially if it deals with large files. And if you can cut your bandwidth bill without compromising the services you provide to your readers, what could be better?

Source by Daniel Robson

Share This Post

Post Comment