Muschamp Rd

WordPress Anti-hotlinking Solution

December 5th, 2010

So I’ve had some problems with file leechers. I made fun of them, renamed the most popular images, and implemented the supposed ultimate .htaccess anti-hotlinking solution. Alas it didn’t work for my blog as I use a subdomain and I think my webhost uses some symbolic links to make this ‘magic’ happen. My webhost uses DirectAdmin, there are some anti-hotlinking solutions out there specific to certain webhosts and website control panels…

UPDATE At some point the pictures posted to my blog became vulnerable to hotlinkers on stupid forums again. I didn’t change a thing in my .htaccess so either it never worked or more likely one of my WordPress upgrades busted my hotlinking defence.  I’m not the only person who uses WordPress who has had a problem with hotlinkers.  If you want to test your anti-hotlinking solution someone built a website for that. Now to research a fix…

What is below should still work, but when upgrading your WordPress install it may replace your carefully written .htaccess file with one that doesn’t prevent hotlinking.  I’ve honestly come to think that not updating WordPress is a valid option as so much can break when you do upgrade.  My WordPress install is old and slightly non-standard, of course there wasn’t a standard when I created my blog.

Some question the wisdom of preventing hotlinking, they obviously haven’t had half of their bandwidth taken by thieves. I’m still investigating how to allow the various search engines and feed readers to access the images. I had a more elaborate solution, but like I said it didn’t work with my blog subdomain. It did work on my other subdomains.

The third feature/plan/requirement was to allow me to personally post links to certain images on forums. These images were only used on these forums and I put them in their own subdirectory. This was actually fairly easy to make work.

So what do you need to do to replicate my solution? Well first it takes three .htaccess files. One goes in your root directory where your index file is. On my webhost that directory is called public_html. You also need another .htaccess file to go in the directory you want to allow hotlinking to. Finally I needed to modify the existing .htaccess file in my blog subdomain directory.

All three of these files are called .htaccess and rely on mod_rewrite and probably only work on the Apache web server. So check with your webhost to make sure this solution will work and change the domain from to whatever. I never could get the alternate image replacement stuff to work. I may keep working on it, or I may spend my efforts verifying that feed readers and search engines can get through as I get a lot of traffic from Google Image Search.

Main .htaccess file

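# ultimate hotlink protection
<IfModule mod_rewrite.c>
RewriteEngine on
# Let requests with an empty Referer through (direct visits and clients that send none)
RewriteCond %{HTTP_REFERER} !^$
# Only act on files that actually exist
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
# Let the site itself and any of its subdomains through
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?muschamp\. [NC]
# Every other image request gets 403 Forbidden
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</IfModule>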

Allowing hotlinking to images in a specific directory .htaccess file

# disable hotlink protection
RewriteEngine off

blog WordPress subdomain subdirectory .htaccess file

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Options +FollowSymlinks
# Protect Hotlinking
RewriteEngine On
# Empty Referer is allowed; image requests referred from other sites get 403 Forbidden
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?muschamp\. [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]

Perhaps there should be an if statement around the second batch of rules but it works like this so I decided to document it.


I’ve read that the WordPress rules have to go at the bottom. I’ve used WordPress a long time (since 2005) and I keep my images in a non-standard location, but that shouldn’t affect my .htaccess rule. What definitely happened was after a recent WordPress upgrade the file on my server was changed.  Manually uploading my .htaccess file fixed things.
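
One way to check, after an upgrade, that the rules above are still in the file and still behave as described: the added example here (not the author's code) parses the RewriteCond lines guarding the [F] rule and evaluates them against constructed requests. The function names, the sample paths and the .example hosts are assumptions made for this example; file tests such as -f are assumed to pass and conditions are treated as ANDed.

```python
import re

# Constructed inputs: the page's hotlink rules, and a file reduced to the WordPress block.
PROTECTED = r"""RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?muschamp\. [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]"""
OVERWRITTEN = r"""RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]"""

COND = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+\S+(?:\s+\[([^\]]*)\])?\s*$")

def flag_set(flags):
    return {f.strip().upper() for f in (flags or "").split(",")}

def forbid_conditions(htaccess):
    """Regex RewriteConds guarding the first RewriteRule flagged [F]; [] if none."""
    pending = []
    for line in htaccess.splitlines():
        rule, cond = RULE.match(line), COND.match(line)
        if rule:
            if "F" in flag_set(rule.group(1)):
                return pending
            pending = []  # those conditions belonged to another rule
        elif cond:
            var, pat, flags = cond.groups()
            negated, pat = pat.startswith("!"), pat.lstrip("!")
            if not pat.startswith("-"):  # skip file tests such as -f and -d
                rx = re.compile(pat, re.I if "NC" in flag_set(flags) else 0)
                pending.append((var, negated, rx))
    return []

def is_forbidden(htaccess, path, referer):
    """True if the [F] rule would answer 403 (the file is assumed to exist)."""
    env = {"HTTP_REFERER": referer, "REQUEST_FILENAME": path}
    conds = forbid_conditions(htaccess)
    return bool(conds) and all(
        (rx.search(env.get(var, "")) is not None) != negated
        for var, negated, rx in conds)

if __name__ == "__main__":
    for ref in ("", "http://blog.muschamp.example/", "https://forum.example/t/1"):
        print(repr(ref), is_forbidden(PROTECTED, "/pics/cat.jpg", ref))
```

An empty condition list, as with the file reduced to the WordPress block, means no image request is refused. The referer pattern checks only the site name followed by a dot, so pin the full domain when adapting it.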

Update August 2013

While trying to add featured-image, i.e. thumbnail, support to my WordPress theme install I discovered the image loader didn’t work. All these years using WordPress and I got by without the image loader, so I tried to fix it, which involved suggestions of changes to directory permissions and changes to .htaccess, and the end result was an Internal Server Error number 500. I had backups of my .htaccess but I needed these settings to be changed to get it to work on my webhost.  And by work I mean to get the 500 error to go away and my blog back up, my enthusiasm for using WordPress’s built-in image uploader, I’ll go back to doing things the non-standard way and using my FTP client.



  • This possibly is interfering with Google Image search and some of its friends. I’ll have to do more research, but it definitely works and allows Feed Readers to see the images…

  • Jbvannier

    Really nice, it’s the only one that works for me, thanks a lot

  • I’m glad it helped.  I still get plenty of referrals from Google Image Search, plus Yahoo and Bing image search, but the anti-hotlinking might mess with them a bit.  Feed readers get images, at least mine does, and it seems to confuse people.  It stops Facebook hotlinking too, but if people just link to the story instead of the photo they can get the little preview image in Facebook and most social media.  I have no problems posting my stuff to Facebook and others have posted my stuff too with working preview images.


  • Jbvannier

     It seems my image search in GG disappears too, but it’s not so important for me. Maybe a solution exists… read you later if there is some. Best regards

  • Joe

    Thank you very much for sharing this.  It was the only subdomain-allowing code I found anywhere.

  • No worries.  I’m no .htaccess genius so you must have not Googled as much as me, as I had to get the original idea from somewhere, but I ended up doing a multilevel approach to keep old images I posted to forums still live, while stopping the laziest of bandwidth thieves.  People can still steal your images, they just upload them directly to Facebook or a forum, or photobucket, course you then can go and complain to the owner.  People tend to steal more MS Word and Excel documents from me, they are more valuable intellectual property.

  • Google Image search has a way around this and now it appears a forum is able to take an image from my blog and post it inline.

  • After you upgrade your WordPress install be sure to make sure your anti-hotlinking rules in your .htaccess file haven’t been blown away by WordPress’s installer.

Posts on Muskblog © Andrew "Muskie" McKay comments not necessarily so...