Muschamp Rd

WordPress Anti-hotlinking Solution

December 5th, 2010
WordPress Logo

So I’ve had some problems with file leechers. I made fun of them, renamed the most popular images, and implemented the supposed ultimate .htaccess anti-hotlinking solution. Alas it didn’t work for my blog as I use a subdomain and I think my webhost uses some symbolic links to make this ‘magic’ happen. My webhost uses DirectAdmin, there are some anti-hotlinking solutions out there specific to certain webhosts and website control panels.

UPDATE At some point the pictures posted to my blog became vulnerable to hotlinkers on stupid forums again. I didn’t change a thing in my .htaccess so either it never worked or more likely one of my WordPress upgrades busted my hotlinking defence.  I’m not the only person who uses WordPress who has had a problem with hotlinkers.  If you want to test your anti-hotlinking solution someone built a website for that.

What is below was still working, although I’ve stopped testing it and haven’t since I upgraded to WordPress 5. However, when upgrading your WordPress install it may replace your carefully written .htaccess file with one that doesn’t prevent hotlinking.  I’ve honestly come to think that not updating WordPress is a valid option as so much can break when you do upgrade. Apparently running the latest greatest WordPress is safer but a lot of things can and do break when you upgrade.

Some question the wisdom of preventing hotlinking, they obviously haven’t had half of their bandwidth taken by thieves. I’m still investigating how to allow the various search engines and feed readers to access the images. I had a more elaborate solution, but like I said it didn’t work with my blog subdomain. It did work on my other subdomains.

The third feature/plan/requirement was to allow me to personally post links to certain images on forums. These images were only used on these forums and I put them in their own subdirectory. This was actually fairly easy to make work.

So what do you need to do to replicated my solution? Well first it takes three .htaccess files. One goes in your root directory where your index file is. On my webhost that directory is called public_html. You also need another .htaccess file to go in the directory you want to allow hotlinking to. Finally I needed to modify the existing .htaccess file in my blog subdomain directory.

All three of these files are called .htaccess and rely on mod_rewrite and probably only work on the apache webserver. So check with your webhost to make sure this solution will work and change the domain from to whatever. I never could get the alternate image replacement stuff to work. I may keep working on it, or I may spend my efforts verifying that feed readers and search engines can get through as I get a lot of traffic from Google Image Search.

Main .htaccess file

# ultimate hotlink protection
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?muschamp\. [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]

Allowing hotlinking to images in a specific directory .htaccess file

# disable hotlink protection
RewriteEngine off

blog WordPress subdomain subdirectory .htaccess file

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Options +FollowSymlinks
# Protect Hotlinking
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?muschamp\. [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]

Perhaps there should be an if statement around the second batch of rules but it works like this so I decided to document it.

.htaccess and WordPress

I’ve read that the WordPress rules have to go at the bottom. I’ve used WordPress a long time (since 2005) and I keep my images in a non-standard location, but that shouldn’t affect my .htaccess rule. What definitely happened was after a recent WordPress upgrade the file on my server was changed.  Manually uploading my .htaccess file fixed things.

WordPress Image Uploader

While trying to add featured images ie thumbnail support to my WordPress theme I discovered the image loader didn’t work. All these years using WordPress and I got by without the image loader so I try to fix it which involves suggestions of changes to directory permissions, changes to .htaccess and the end result was an Internal Server Error number 500. I had backups of my .htaccess but I needed these settings to be changed to get it to work on my webhost.  And by work I mean to get the 500 error to go away and my blog backup, my enthusiasm for using WordPress’s built in image uploader, I’ll go back to doing things the non-standard way and using my FTP client.


  • Muskie says:

    Google Image search has a way around this and now it appears a forum, is able to take an image from my blog and post it inline.

  • Joe says:

    Thank you for very much for sharing this.  It was the only subdomain-allowing code I cound anywhere.

    • Muskie says:

      No worries.  I’m no .htaccess genius so you must have not Googled as much as me, as I had to get the original idea from somewhere, but I ended up doing a multilevel approach to keep old images I posted to forums still live, while stopping the laziest of bandwidth thieves.  People can still steal your images, they just upload them directly to Facebook or a forum, or photobucket, course you then can go and complain to the owner.  People tend to steal more MS Word and Excel documents from me, they are more valuable intellectual property.

  • Jbvannier says:

    Really nice, it’s the only one it works for me , thks a lot

    • Muskie says:

      I’m glad it helped.  I still get plenty of referrals from Google Image Search, plus Yahoo and Bing image search, but the anti-hotlinking might mess with them a bit.  Feed readers get images, at least mine does, and it seems to confuse people.  It stops Facebook hotlinking too, but if people just link to the story instead of the photo they can get the little preview image in Facebook and most social media.  I have no problems posting my stuff to Facebook and others have posted my stuff too with working preview images.


  • Muskie says:

    This possibly is interfering with Google Image search and some of it’s friends. I’ll have to do more research, but it definitely works and allows Feed Readers to see the images…

    • Jbvannier says:

       It seems my image search in GG desappears too, but it’s not so important for me. May be exist a solution…read you later if there is some. Best regards

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Posts on Muskblog © Andrew "Muskie" McKay.
CFA Institute does not endorse, promote or warrant the accuracy or quality of Muskblog. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.