Preventing hotlinking & stealing code


#1

Recently a website has decided to copy my content, and to use the images stored on my server.

I followed Dreamhost’s recommendation: http://wiki.dreamhost.com/Preventing_hotlinking and added the following code to .htaccess:

[quote]RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(www\.)?badsite\.net(/.*)?$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?badsite\.com(/.*)?$ [NC]
RewriteRule \.(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG|mng|MNG)$ - [F][/quote]

The problem is now that I receive loads of 404 error messages referring to the images which are now blocked on this copycat site.

This means that server load has not really been decreased?

What can be done?

Another issue is that these guys have copied absolutely everything, meaning also the scripts in the header which call javascript and css files. Of course, they also copied site verification codes, Analytics codes, etc.

No sense to contact anybody, but I would like to get rid of these 404 errors, and block js and css files too.

Do I need to replace all the verification codes with new codes?

What do I need to do if they keep copying?

Thanks for your advice.


#2

I would just block their IP address:

Order deny,allow
SetEnvIf Request_URI ^/(404\.html|robots\.txt)$ allowall
deny from 1.2.3.4
allow from env=allowall

Note:

  1. Replace the “1.2.3.4” with their actual IP address
  2. As shown in example, you’ll need to allow your 404 page and robots.txt to everyone, including these guys so replace with the actual name you use for 404.
  3. As needed, you can add other IP addresses on the same line by just putting a space between them.

#3

In addition to technical measures like keyplyr is describing, if another site is reusing content that you’ve created without your permission, you should file a DMCA copyright complaint with their web host. As maligned as the law is, this is one of the things it gets right, and does well: it establishes a clear procedure that you can use to require that a hosting provider remove content that you own the copyright to.

A tutorial explaining how to file a DMCA complaint is available at:


#4

[quote]… I receive loads of 404 error messages referring to the images which are now blocked on this copycat site.
This means that server load has not really been decreased?[/quote]

Well first of all, it does not take much “server load” to serve a 404 message. Even if you had thousands per day, it would hardly be noticeable.

But if you wish to stop the 404s, you could create a small image and serve that to hotlinkers instead of the one they are linking to. You can also take a bit of revenge and be creative with what the image displays :)

Put this in your image directory .htaccess instead:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$ 
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your-domain\.com 
RewriteRule \.(jpg|gif)$ /directory/stop-thief\.png [NC,L]

Note:

  1. Change the “your-domain” to your actual domain name.
  2. Create a png image file about 400x400 pixels, low color (for reduced bandwidth) and put a message on it, example: “Stop Thief… this site is attempting to steal images from your-domain.com.” Upload to the specified directory.
  3. The stop-thief.png will be served instead of the image file they are hotlinking to. The “NC” (no case) will take care of upper or lower case spellings, so no need to list both.
  4. The first condition allows requests that do not give a referrer. This is a must since many mobile appliances do not say where they came from. Also, almost all the browsers now have a feature to browse without sending referrer.

#5

[quote=“Andrew_F, post:3, topic:60720”]
In addition to technical measures like keyplyr is describing, if another site is reusing content that you’ve created without your permission, you should file a DMCA copyright complaint with their web host.[/quote]

Thanks Andrew for your recommendation. We will look into this, and try to work out how it works.

The hosting site is Spanish, and funnily enough the home page of a criminal psychologist. The copied content is well hidden in the site, and in Indonesian. So it makes the impression that the site may have been hacked.

Therefore the host may actually really appreciate a complaint.

Hi keyplyr, many thanks for your detailed instructions.

However, unfortunately I am not a programmer, and need a little more clarification please.

  1. I set up a new .htaccess in my image directory?
  2. Do I remove the code from my .htaccess in the root folder which I published in my first post?
  3. We run 2 different domains (languages) from the same WordPress installation, and I also do not want to prevent hotlinking, say from YouTube, or other honest sharing sites. I only want to deny this one malicious site.

Could you please kindly give me an amended code?

Thanks again for all your help so far :)


#6

Yes, you could leave the code in your first post in addition to this code… but that would defeat the purpose. The badsite would just get blocked and not see your stop-thief.png image.

So I would remove that code and only use this in your image directories:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your-domain\.com
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?youtube\.com
RewriteRule \.(jpg|gif)$ /directory/stop-thief\.png [NC,L]

Notice I added youtube.com. For each remote domain you wish to allow hot-linking, you would add another RewriteCond. However, this does not stop other sites from just linking to your site, only from hot-linking to your image files.


#7

So I’m a fan of http://perishablepress.com/creating-the-ultimate-htaccess-anti-hotlinking-strategy/'s method.


# ultimate hotlink protection
<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{HTTP_REFERER}     !^$
 RewriteCond %{REQUEST_FILENAME} -f
 RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$           [NC]
 RewriteCond %{HTTP_REFERER}     !^https?://([^.]+\.)?(domainone|domaintwo|domainthree)\. [NC]
 RewriteRule \.(gif|jpe?g?|png)$                             - [F,NC,L]
</ifModule>

I love it because of the (domainone|domaintwo|domainthree) part, where I can just add in more and more domains, separated by the pipe | and off I go :)

Also I don’t generally use a ‘show them a stop-thief!’ image because that ended up sucking a LOT of bandwidth when some random people in China hotlinked me. In the CSS of their site’s theme.
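As an added example (not part of any post in this thread, and not code from Perishable Press), this Python sketch models the RewriteCond chain quoted in post #7 to show which Referer values end in a 403. The `.example` domains, the stricter allow-list pattern and the sample requests are constructed assumptions.

```python
import re

# Rule pattern and allow-list condition as posted in the thread (post #7).
IMAGE_RE = re.compile(r"\.(gif|jpe?g?|png)$", re.I)
LOOSE_ALLOW = re.compile(
    r"^https?://([^.]+\.)?(domainone|domaintwo|domainthree)\.", re.I)
# Assumption: stricter variant that spells out the whole host name and
# requires the host to end there (optional port, then "/" or end of string).
STRICT_ALLOW = re.compile(
    r"^https?://([^.]+\.)?(domainone\.example|domaintwo\.example)(:\d+)?(/|$)",
    re.I)


def decide(path, referer, allow):
    """Return '403' when every RewriteCond holds, else 'serve'.

    Assumes the requested file exists (the -f condition is true).
    """
    if not IMAGE_RE.search(path):
        return "serve"   # RewriteRule pattern does not match: rule skipped
    if referer == "":
        return "serve"   # condition !^$ fails: no Referer header sent
    if allow.search(referer):
        return "serve"   # negated allow-list condition fails
    return "403"         # [F]


# Constructed sample requests: (path, Referer header value).
SAMPLES = [
    ("/img/a.jpg", ""),
    ("/img/a.jpg", "https://www.domainone.example/post"),
    ("/img/a.PNG", "http://badsite.net/copied.html"),
    ("/img/a.jpg", "http://domainone.badsite.net/copied.html"),
    ("/css/site.css", "http://badsite.net/copied.html"),
]


def audit(allow):
    """Decision for each sample under the given allow-list pattern."""
    return [decide(path, ref, allow) for path, ref in SAMPLES]


if __name__ == "__main__":
    for (path, ref), loose, strict in zip(SAMPLES, audit(LOOSE_ALLOW),
                                          audit(STRICT_ALLOW)):
        print(f"{path:14} {ref or '(none)':42} loose={loose:5} strict={strict}")
```

The fourth sample is served under the posted pattern because that pattern only checks that the host starts with an allowed name; the last sample is served under both because the rule's extension list covers images only, not CSS or JavaScript.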


#8

I would just block their host IP address then.

Some things you control one way, others with another method.

For a while I was blocking all IPs in China; quite a list.


#9

I only use IP blocks when people are attempting to log in via SSH/SFTP to my accounts. For bandwidth/hotlinking it’s really so trivial.