Hotlinking: What is it & How to Protect Yourself.

Adem Asha

You have worked hard to build a beautiful website and a recognizable brand with a unique domain name. You have also spent time and effort creating eye-catching graphics and designs for your website and social media accounts. But something strange has been happening: that beautiful website of yours has become slow. Why? This could be hotlinking, and you need hotlinking protection.

What is Hotlinking & Why is it Bad?

Hotlinking refers to the practice of displaying an image or other media file on a website by linking directly to that file on another server, rather than hosting the file on the website's own server. This can be done using the HTML img tag or by linking to the file in the website's CSS (cascading style sheets).

There are a few reasons why hotlinking is generally considered to be bad practice:

  1. It can lead to bandwidth theft: When someone hotlinks to a file on a web server, they are effectively using the origin server's resources to serve the file to their own website's visitors. This can put a strain on your server and use up your bandwidth because of high traffic, potentially leading to additional costs for you.
  2. It can cause slow loading times: If the server hosting the hotlinked file is slow or overloaded, it can cause the website that hotlinked to the file to load slowly as well. This can be frustrating for visitors to the website and may lead to a negative user experience.
  3. It can result in broken links: If the image hosting service provider changes the file's location or removes it entirely, the hotlinked image file will no longer be accessible, and the file (image or other media) will not be displayed on the website that hotlinked to it. This can make the website appear broken or incomplete.

Hotlinking itself is not necessarily illegal, but it can potentially be a violation of copyright law if the website owner does not have permission to use the hotlinked file. In general, it is considered good practice to obtain permission from the owner of the file before using it on your website, whether you are hosting the file on your own server or hotlinking to it.

In the United States, copyright law allows for the use of a copyrighted work without permission under certain circumstances, such as for the purpose of criticism, commentary, news reporting, teaching, scholarship, or research. However, these exceptions to copyright law are narrow and do not apply to all situations. In general, it is always a good idea to obtain permission from the copyright owner before using someone else's work, even if you believe you are covered by one of the exceptions to copyright law.

In other countries, copyright law and the rules surrounding hotlinking may vary. It is always a good idea to familiarize yourself with the specific laws and regulations in your own country before using someone else's work on your website.

Why Should you Avoid Hotlinking?

There are several reasons why you may want to avoid hotlinking:

  1. Bandwidth theft: Hotlinking can lead to bandwidth theft, where someone else is using your server's resources to serve the hotlinked file to their own website's visitors. This can put a strain on your server and use up your bandwidth, potentially leading to additional costs for you.
  2. Slow loading times: If the server hosting the hotlinked file is slow or overloaded, it can cause your website to load slowly as well. This can be frustrating for your website's visitors and may lead to a negative user experience.
  3. Broken links: If the server hosting the hotlinked file changes the file's location or removes it entirely, the hotlinked file will no longer be accessible, and the image or other media will not be displayed on your website. This can make your website appear broken or incomplete.
  4. Potential copyright violations: If you do not have permission to use the hotlinked file, or if you do not properly credit the original source, you may be in violation of copyright law. This could lead to legal issues and potential fines.
  5. Lack of control: When you hotlink to a file, you are relying on another server to serve the file to your website's visitors. If that server goes down or has technical issues, it can affect the display of the hotlinked file on your website. By hosting the file on your own server, you have more control over its availability.

Note: Broken links and slow loading times on your web pages can affect your search engine optimization (SEO) score, because Google Images would consider your website a hazard to users and not recommend it.

What is Hotlinking Protection & How to Protect yourself From Hotlinking?

Hotlinking protection is a measure that website owners can take to prevent other websites from hotlinking to their files. There are several ways to protect yourself from hotlinking:

(1) Use a content delivery network (CDN):

A CDN is a network of servers that are distributed around the world and are used to deliver content to users based on their geographic location. By using a CDN, you can reduce the load on your own server and protect yourself from hotlinking.

(2) Block Hotlinking Through your .htaccess File

Use .htaccess: If your website is hosted on an Apache server, you can use the .htaccess file to block hotlinking. You can do this by adding the following code to your .htaccess file:

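RewriteEngine on
# Let through requests that send no Referer header (direct visits, privacy tools)
RewriteCond %{HTTP_REFERER} !^$
# Let through requests referred by your own site (replace example.com with your domain)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
# Any other request for these file types is answered with 403 Forbidden
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]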

This code will block hotlinking to files with certain file extensions (such as .jpg, .png, and .gif). You can customize the list of file extensions to suit your needs.
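
The decision these rewrite rules make can be modelled and tested offline. The Python sketch below is an added example, not part of the original article or of Apache: it compares a Referer pattern written with unescaped dots and `http://` only against an exact host comparison. The hostnames, the shortened extension list and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Shortened extension list for the example (assumption; use your own list).
PROTECTED_EXT = re.compile(r"\.(gif|jpe?g|bmp|png|css|pdf)$", re.IGNORECASE)
ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed site hostnames

# A loosely written pattern: unescaped dots and plain http only.
LOOSE = re.compile(r"^http://(www.)?example.com/.*$", re.IGNORECASE)


def allowed_by_host(referer: str) -> bool:
    """Compare the parsed Referer host exactly instead of regex-matching the URL."""
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS


def decide(path: str, referer: str, strict: bool = True) -> int:
    """Return the HTTP status the rule set would produce: 200 or 403."""
    if not PROTECTED_EXT.search(path):
        return 200  # the rule only applies to the listed extensions
    if referer == "":
        return 200  # first condition: an empty Referer is let through
    ok = allowed_by_host(referer) if strict else bool(LOOSE.match(referer))
    return 200 if ok else 403


# Constructed sample requests: (requested path, Referer header)
SAMPLES = [
    ("/img/logo.png", "https://www.example.com/about"),  # own page over HTTPS
    ("/img/logo.png", "http://other-site.test/post/1"),  # hotlinking site
    ("/img/logo.png", ""),                               # no Referer sent
    ("/img/logo.png", "http://wwwxexample.com/page"),    # lookalike host
    ("/index.html", "http://other-site.test/post/1"),    # unprotected file type
]


def run(strict: bool) -> list:
    """Evaluate every sample request under the loose or the strict check."""
    return [decide(path, referer, strict) for path, referer in SAMPLES]


if __name__ == "__main__":
    for (path, referer), loose, strict in zip(SAMPLES, run(False), run(True)):
        print(f"{path:15} {referer or '(none)':32} loose={loose} strict={strict}")
```

The loose pattern blocks the site's own HTTPS pages and lets the lookalike host through, while the exact host check gets both right. Because the Referer header is supplied by the client and may be absent, this check limits casual hotlinking and bandwidth use rather than controlling access to the files.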

(3) Rename/Remove Hotlinked Files

There are a few different ways to rename or remove hotlinked files:

  1. Rename the file: If you want to keep the file but prevent others from hotlinking to it, you can rename the file on your server. This will break the link that other websites are using to hotlink to the file, and the file will no longer be displayed on those websites.
  2. Remove the file: If you no longer want the file to be available on your server, you can delete it from your server. This will prevent others from hotlinking to the file and will also remove the file from your own website if you are using it.

Renaming or removing hotlinked files can help to protect your website's resources and prevent unauthorized use of your files.

(4) Add Watermarks to your Media Assets

Use watermarks: If you do not want to prevent hotlinking altogether, you can use watermarks to protect your images and other media files. A watermark is a visible mark or logo that is added to an image or other media file to identify the copyright owner. This can help to deter others from using your images without permission.

(5) Disable Right-Click Functionality on WordPress

Disabling right-click functionality does not necessarily protect you against hotlinking, but it helps restrict users' access to some features on your website, like copying text, saving an image, and, most importantly, copying an image and pasting it on their own website. This is a great asset for network security.

(6) Use a WordPress Plugin

There are several security plugins available for WordPress that can help to protect your website from hotlinking. These plugins can make it easy to block hotlinking and customize the settings to suit your needs.

Most of those plugins have tutorials on how to protect yourself and your web hosting against hotlinking.

Getting an all-in-one WP security plugin can go a long way in protecting you from hotlinking.

Hotlinking Frequently Asked Questions

Answers to your frequently asked questions:

Should I disable hotlinking?

Whether or not you should disable hotlinking on your website depends on your specific needs and circumstances. Here are a few things to consider when deciding whether to disable hotlinking:

  1. Bandwidth usage: If you are concerned about conserving bandwidth on your server, you may want to disable hotlinking to prevent others from using your server's resources to serve files to their own website's visitors.
  2. Cost: If you are paying for bandwidth or other server resources, hotlinking may result in additional costs for you if others are using your resources to serve their own files. In this case, you may want to disable hotlinking to reduce these costs.
  3. User experience: If you are concerned about the loading times on your website, you may want to disable hotlinking to prevent slow loading times caused by servers that are hosting the hotlinked files.
  4. Control: By disabling hotlinking, you have more control over which files are displayed on your website and how they are served to your visitors.

Ultimately, the decision to disable hotlinking is up to you and should be based on your specific needs and goals for your website. There are several methods you can use to disable hotlinking, such as .htaccess, a content delivery network (CDN), the "Referer" header, watermarks, or a plugin. These methods can help to prevent unauthorized hotlinking and protect your website's resources.

To disable hotlink protection on a Windows 10 server, you can follow these steps:

  1. Open the Internet Information Services (IIS) Manager: To open the IIS Manager, click the Start button, type "inetmgr" into the search bar, and press Enter.
  2. Select the website that you want to disable hotlink protection for: In the left pane of the IIS Manager, expand the tree view and navigate to the website that you want to modify.
  3. Click on the "URL Rewrite" icon: In the middle pane, under the "IIS" heading, click on the "URL Rewrite" icon.
  4. Click the "Add Rule(s)" button: In the right pane, click the "Add Rule(s)" button in the "Actions" panel.
  5. Select the "Blank rule" template: In the "Add Rule" dialog box, select the "Blank rule" template and click the "OK" button.
  6. Specify the rule name: In the "Name" field, enter a name for the rule.
  7. Specify the matching pattern: In the "Match URL" section, click the "Add" button under the "Conditions" heading. In the "Add Condition" dialog box, select the "HTTP_REFERER" variable in the "Input" dropdown, and enter a pattern in the "Pattern" field that matches the websites that you want to allow to hotlink to your files.
  8. Set the action type: In the "Action" section, select the "Abort request" action type.
  9. Click the "Apply" button: Click the "Apply" button in the "Actions" panel to save the changes.

This will disable hotlink protection for the selected website on your Windows 10 server. You can customize the matching pattern and action type to suit your specific needs.

If you would like to enable hotlinking protection in Windows, you can learn the details here.

To turn off hotlink protection in WordPress, you can use a plugin or modify the .htaccess file on your server. Here's how to turn off hotlink protection using a plugin:

  1. Install and activate the "WP Fastest Cache" plugin: In your WordPress dashboard, go to "Plugins > Add New" and search for "WP Fastest Cache." Install and activate the plugin.
  2. Go to the plugin's settings: In the left menu of your WordPress dashboard, go to "WP Fastest Cache > Settings."
  3. Navigate to the "Prevent Hotlinking" tab: In the plugin's settings, click on the "Prevent Hotlinking" tab.
  4. Select the "Disabled" option: In the "Hotlink Protection" section, select the "Disabled" option.
  5. Click the "Submit" button: Click the "Submit" button to save the changes.

This will turn off hotlink protection for your WordPress website.