Trying to stop hotlinking


My stats say I’ve got a lot of links to .jpg and I want to stop that. I’ve tried several different methods I found both in the DH wiki and a few other places but no matter what I try, I get a File 500 on my sites.

I would like to block all images except the requests coming from my own sites (including sub domains) and 2-3 other sites I regularly post images on.

The latest attempt is this:

[code]# BEGIN hotlink block
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+.)? [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://( [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://( [NC]
RewriteRule .*.(jpe?g|gif|bmp|png)$ [L]

END hotlink block[/code]

Does it matter where it goes in relation to other stuff in the .htaccess?
The list of places to block is huge so I’d rather allow a few than list all that I know I want to block.

I know the ! means allow
the NC means regardless of case
The replacing image is from one of the sites I got the code from. (

Any advice? I know the simplest way is to change the directory name where I keep my images then just change the URL where I have images. Except I would have to change it for all the images and for one site, that would be quite difficult. I am lazy.


No, it means NOT. But your usage is correct, because it’s a condition that says that the referring URL does not match the pattern you indicate.

The brackets before “(” and “(” are wrong, they don’t close in your example.

I could probably hotlink to your images by tagging to a url. You could make it stricter with something like this (done out of my head - not tested):

but then the problem is that it is so strict that you ban things like translation services from showing the images on your site - and why would you want to prevent someone who wants to read your site in their own language from seeing your images?

You could of course start whitelisting translation services, but then you need to update those when they change and can you really keep track of all of them? I wouldn’t go down this road.

Sometimes people have something else as a referrer than a URL or a blank referrer. At least this used to happen quite a lot, but I haven’t noticed it much recently (only a dozen cases of “blockedReferrer” in over a million pageviews last month). The condition that the referrer not be empty doesn’t cover this, what you want is that the referrer is a URL of a site before you block it. So instead what I’ve used is that the referrer needs to start with http or https for the rewrite to apply (this replaces the not empty referrer condition):

I would not use the image because it accuses the visitor of “stealing bandwidth”. The visitor however has nothing to do with that, he just happened to browse a site that hotlinked an image on yours, he has no control over that and it’s not even remotely his fault. It’s the site that hotlinked not the visitor. Place blame where blame is due.

Overall, unless you are really affected by tons of hotlinking, I don’t think hotlinking is something to worry about too much, but if you do it, tread carefully and don’t make it too strict, it’s better to allow too much than too little.


I didn’t test this but I did look at a few examples here and there. One thing yours was definitely missing was the OR connectors. I’m not sure why the case of blank referer doesn’t need an OR but the example here had it this way.

# BEGIN hotlink block
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?paulaoffutt\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?allowedsite1\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?allowedsite2\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ [L]
# END hotlink block

I also agree that you should find a different replacement image. Maybe a red circle with a line through it and host that yourself, rather than rely on the url to someone elses image to remain fresh.


Good advice.

The missing ) was missing from the original code. I thought it odd there wasn’t one. I found it during a search for allowing some sites while blocking others.

I’ll think this over. I will go ahead and try the code again to see if I get the error message. That way if I don’t, I can keep it on hand for later.[hr]
I saw the OR in the list of how to block sites but it wasn’t with the how to allow sites. But then that was also the one that had the missing ), too.

I thought I had asked about the OR but I see that I didn’t.

I have seen where I could cause a file 403 error but I’m not sure I want to do that. Like the other guy said, it is usually some user in a forum who hotlinks an image that is the idiot, not the forum owner.[hr]
Tried the code you suggested, LakeRat. I did not get the File 500 error like before and a test of it returned the substitute image so that is working.

However, the images were blocked from the two sites I want to allow.

Still doing some research. I am procrastinating working on something else so researching this makes me feel like the procrastination is justified. LOL


OR is wrong because it’s supposed to be a logical AND - each condition must be met for the rewrite to be done: the referrer does NOT match AND it does NOT match AND it does NOT match

With an OR it becomes: the referrer does NOT match OR it does NOT match OR it does NOT match

Since does NOT match the rewrite will apply to “hotlinks” from the site too (and from the other two sites), which is not what you want.


Hey! That worked! I removed the OR and now it is working.

Now I need to replace the image.

But, then, all the hotlinked images would still be hotlinked, just to a different image. So…maybe I can host that image elsewhere.

If it ain’t one darn thing, it’s another.


If you want to do anything, this is what I would start with if I were you, it doesn’t block everything but will prevent any casual hotlinking - that probably is enough to achieve what you want. It will allow translation services and such as long as these place your URL in their query string. (Of course use another image too as was already mentioned).

RewriteCond %{HTTP_REFERER} !(paulaoffut\.com|allowedsite1\.com|allowedsite2\.org) [NC] RewriteCond %{HTTP_REFERER} ^https?:// [NC] RewriteRule .*\.(jpe?g|gif|bmp|png)$ [L]

If for some reason this doesn’t wipe out 99% of hotlinkers you can always make it stricter.[hr]

The point is to make it a smaller image and that deterring hotlinking will prevent it in the first place. Maybe at first it will get a lot of hits on this image but that should diminish as less hotlinking will take place in the future. At least in theory, because people who browsed your site often have the image in cache and then don’t notice that their hotlinked image doesn’t actually work for others…