Advanced Hotlink Protection
Many of you may be using cPanel hosting software for your
website, and may already have hotlink protection configured from
within that. However, if you are finding that the set-up is
limited, or indeed if you don't run cPanel or other software
which will do it for you automatically, this article is for you.
I intend to talk about how to enable hotlink protection through
the use of a .htaccess file, and in particular the special
tricks you can perform with it.
A brief introduction first. The file is not named htaccess with
some extension; its entire name is .htaccess, a dot followed by
the word. So in order to create the file you must create a blank
text file, let's say new.txt, and simply rename it to .htaccess
(on Windows, save it as ".htaccess" with the quotes, or the editor
may tack .txt back on). As long as your server is running Apache
(which most are), with mod_rewrite loaded and AllowOverride set to
permit it for your directory, this neat little file will allow you
to set up custom error pages, block certain IP addresses and
sites, put 301 redirects in place and, most importantly, stop
hotlinking. Two things to check with your host before going live:
if the account is configured with AllowOverride None the file is
silently ignored, and if mod_rewrite is not loaded the
RewriteEngine line below produces a 500 error for every request.
Hotlinking is close to a swear word in web developer circles.
Also known as bandwidth theft, it means linking directly to
files and images on somebody else's server. The victim of
hotlinking loses the bandwidth that the files consume, loses the
visitors who no longer need to visit the site to get the
resources they want, and in turn loses money. Images are the most
commonly hotlinked files, shown in blog posts, on forums and on
unscrupulous webmasters' own pages.
The best way to stop this, in my experience, is to use the
rewrite rules that a .htaccess file lets you define. Take a look
at the code extract below:
RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?shock-therapy\. [NC]
RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?site1\. [NC]
RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?site2\. [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteCond %{REQUEST_URI} !^/stophotlink\.gif$
RewriteRule \.(gif|jpg|png)$ /stophotlink.gif [NC,L]
Now, let's go through this in order. The first line switches
mod_rewrite on for the directory the .htaccess lives in and
everything below it, so every request into that tree is run
through the conditions that follow (provided AllowOverride
permits it). Bear in mind what those conditions key on: the
Referer header the browser chooses to send. A browser, or anyone
with curl, can send any Referer or none at all, so this stops
honest browsers on other people's pages from eating your
bandwidth; it is not access control, and anyone who really wants
a file can still fetch it directly.
The line:
RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?shock-therapy\. [NC]
is important as it allows the images (in this case) to be viewed
from within the site itself. Obviously you don't want to set it
up so you can't see your own images! The leading ! negates the
pattern, so this condition holds (and the blocking goes ahead)
only when the referer does NOT match it; the ^ anchors the match
to the start of the header, so only referers beginning with that
text count. The ([^.]+\.)? in place of the typical www is a
wildcard for one optional label, so www.shock-therapy,
forum.shock-therapy and bare shock-therapy all pass (a two-level
name such as a.b.shock-therapy would not, since [^.]+ cannot
contain a dot). This helps with canonical issues, as well as if
you wish to allow a certain forum (which may use forum.site1.com,
for example) access to the files. Two caveats with the pattern as
written: it only recognises http://, so once your own pages are
served over https the referer begins https:// and your own site
is blocked; and nothing anchors the end of the name, so any
referer starting http://shock-therapy.<anything> is let through,
including a domain somebody else registers under that name.
Anchoring on the full hostname (assuming the site is
shock-therapy.com) closes both gaps:
RewriteCond %{HTTP_REFERER} !^https?://([^/]*\.)?shock-therapy\.com(/|:|$) [NC]
The other HTTP_REFERER lines list the sites other than your own
that are allowed direct links, in this case site1 and site2.
The very first condition, %{HTTP_REFERER} ., simply requires the
header to be non-empty (the . matches any single character), so a
request with no Referer at all, which is what a bookmark, a typed
address or a privacy-conscious browser produces, is served the
real image. Blocking those would shut out legitimate visitors.
OK then, time for the first of the more advanced features. These
two lines of code here:
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
let Google Image Search and the Google cache show your images.
After all, it'll annoy people who are looking for images if all
they get is either an error or a custom image (I'll get onto that
soon). Note that neither pattern is anchored, so each matches its
text anywhere in the header: any page whose URL merely contains
google. or search?q=cache, say http://somesite.example/?ref=google.,
is treated as Google and allowed through. If you want the
exception, tie it to the host instead, for example
RewriteCond %{HTTP_REFERER} !^https?://([^/]*\.)?google\.(com|co\.[a-z]{2}|[a-z]{2})(/|:|$) [NC]
Of course, some people don't like the idea of Google letting
people access their copyright images, in which case these lines
should not be included.
Now we come to the most essential part of it all. The next two
lines specify which file types you want blocked and can even be
used to serve a custom image in place of the one requested (with
advantages which will become apparent):
RewriteCond %{REQUEST_URI} !^/stophotlink\.gif$
RewriteRule \.(gif|jpg|png)$ /stophotlink.gif [NC,L]
The RewriteRule line is what blocks direct links to gif, jpg and
png files. Any other extensions you wish to cover can be added to
the bracketed list, though which ones you add depends on whether
you want hotlinkers to receive a substitute image or something
else (see below). The second half of that line, /stophotlink.gif,
is the substitution. Because there is no R flag this is an
internal rewrite, not a redirect: the server quietly serves
stophotlink.gif with a normal 200 status under the URL the
hotlinker asked for, and the L flag stops any further rules from
running. The great thing about this is that it replaces the image
your server shows with a custom one! So you may want to post a
rude picture, or maybe a brief injunction to stop nicking your
bandwidth. Either way, that image is shown on the site linking to
you, rather than the originally intended image.
Even better, as the owner of the hotlinking site often still has
the original image in their browser cache, they don't even
realise there's been a switch. So while visitors to their site
look upon your free advertising (or otherwise), the owner is
blissfully unaware that anything is wrong. Until they refresh the
page, at least.
The RewriteCond on %{REQUEST_URI} in that example is essential,
by the way. It specifically excludes stophotlink.gif itself from
the hotlink protection. Without it, the rewritten request for
/stophotlink.gif is run back through the same rules, matches
\.gif$ again and is rewritten to itself over and over, until
Apache hits its internal redirect limit and answers with a 500
error instead of ever serving the image. You wouldn't want that,
now, would you?
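To see exactly what the chain above lets through and what it does not, here is an added example, a small Python model of the rule chain. It is my own code, not part of the article and not Apache: each RewriteCond becomes an unanchored, case-insensitive regex search, ! negates, the conditions are ANDed, and the RewriteRule fires only when all of them hold. It runs the article's own patterns and, beside them, a tightened set that anchors on scheme and host; those tightened patterns assume the site is shock-therapy.com and the partner sites are site1.com and site2.com, which the article never states. The sample Referer values, including the host evil.example, are constructed for the demonstration.

```python
import re

# Added example, not from the article and not Apache code: a Python model of
# the article's RewriteCond/RewriteRule chain, so the allow/deny decision can
# be checked against constructed Referer values without a running server.
# mod_rewrite semantics mirrored here: RewriteCond is an unanchored regex
# search over the variable, a leading "!" negates, [NC] means case-insensitive,
# consecutive conditions are ANDed, and the RewriteRule fires only if all hold.

# Sites the article's RewriteCond lines allow (taken from its example).
ALLOWED_SITES = ["shock-therapy", "site1", "site2"]
IMAGE_RULE = re.compile(r"\.(gif|jpg|png)$", re.IGNORECASE)  # RewriteRule pattern, [NC]
REPLACEMENT = "/stophotlink.gif"


def cond(regex, value, negate=False, nocase=True):
    """One RewriteCond: regex search over value, with optional "!" and [NC]."""
    hit = re.search(regex, value, re.IGNORECASE if nocase else 0) is not None
    return hit != negate


def article_target(request_uri, referer):
    """Path Apache would serve under the article's rules, given the Referer header."""
    conds = [cond(r".", referer)]  # RewriteCond %{HTTP_REFERER} .   (header non-empty)
    for site in ALLOWED_SITES:     # RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?site\. [NC]
        conds.append(cond(r"^http://([^.]+\.)?" + re.escape(site) + r"\.", referer, negate=True))
    conds.append(cond(r"google\.", referer, negate=True))          # !google\. [NC]
    conds.append(cond(r"search\?q=cache", referer, negate=True))   # !search\?q=cache [NC]
    conds.append(cond(r"^/stophotlink\.gif$", request_uri, negate=True, nocase=False))
    if all(conds) and IMAGE_RULE.search(request_uri):
        return REPLACEMENT
    return request_uri


# Assumed tightened patterns (mine, not the article's). Assumptions: the site
# is shock-therapy.com and the partner sites are site1.com and site2.com.
# Scheme may be https, the host is anchored and must end right after the
# domain (next char "/", ":" or end of string), and "[^/]*" cannot run past
# the first "/" into the path or query string.
HARDENED_ALLOW = [
    r"^https?://([^/]*\.)?shock-therapy\.com(/|:|$)",
    r"^https?://([^/]*\.)?site1\.com(/|:|$)",
    r"^https?://([^/]*\.)?site2\.com(/|:|$)",
    # Google Image Search exception. The two-letter wildcard TLD still trusts
    # any google.<cc> name; drop or narrow this line if that is too loose.
    r"^https?://([^/]*\.)?google\.(com|co\.[a-z]{2}|[a-z]{2})(/|:|$)",
]


def hardened_target(request_uri, referer):
    """Same decision with the anchored patterns; an empty Referer is still allowed."""
    if referer == "" or request_uri == REPLACEMENT or not IMAGE_RULE.search(request_uri):
        return request_uri
    if any(cond(pattern, referer) for pattern in HARDENED_ALLOW):
        return request_uri
    return REPLACEMENT


# Constructed sample requests: (REQUEST_URI, Referer). evil.example is made up.
SAMPLES = [
    ("/photos/cat.jpg", "http://www.shock-therapy.com/gallery"),   # own site
    ("/photos/cat.jpg", "https://www.shock-therapy.com/gallery"),  # own site over https
    ("/photos/cat.jpg", "http://forum.site1.com/t/1"),             # allowed partner subdomain
    ("/photos/cat.jpg", ""),                                       # no Referer at all
    ("/photos/cat.jpg", "http://evil.example/post.html"),          # plain hotlink
    ("/photos/cat.jpg", "http://shock-therapy.evil.example/"),     # unanchored-name bypass
    ("/photos/cat.jpg", "http://evil.example/?ref=google."),       # "google." in the query
    ("/photos/cat.jpg", "http://shock-therapy.com@evil.example/"), # userinfo trick
    ("/photos/cat.jpg", "https://images.google.co.uk/imgres?q=1"), # image search
    ("/stophotlink.gif", "http://evil.example/"),                  # the substitute itself
    ("/files/notes.txt", "http://evil.example/"),                  # extension not covered
]


def decision_table():
    """(uri, referer, article result, hardened result) for every sample."""
    return [(u, r, article_target(u, r), hardened_target(u, r)) for u, r in SAMPLES]


if __name__ == "__main__":
    print(f"{'referer':48} {'article':18} {'hardened':18}")
    for uri, ref, art, hard in decision_table():
        print(f"{(ref or '(none)'):48} {art:18} {hard:18}")
```

Run it and compare the two columns: the article's patterns wave through http://shock-therapy.evil.example/, the userinfo form http://shock-therapy.com@evil.example/ and any URL containing google., while blocking your own pages once they are served over https; the anchored patterns do none of those. On a live server the same check is one curl call per case, for example curl -sI -H 'Referer: http://evil.example/' https://www.mysite.org/photos/cat.jpg, and the Content-Length tells you whether the real image or stophotlink.gif came back.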
This same technique can be used to serve people a specific HTML
page as well. Say in the case of files:
RewriteRule \.(avi|mpg|zip|exe)$ /forbidden.html [NC,L]
This will serve a page called forbidden.html for any zip, exe,
mpg or avi request. Remember that RewriteCond lines only apply to
the single RewriteRule immediately after them, so if you put this
rule next to the image rule you must repeat the referer
conditions (and add an exclusion for /forbidden.html) above it,
otherwise it shuts out your own visitors too. If you would rather
hand out a genuine 403 than a look-alike, replace the target with
a dash and use the F flag:
RewriteRule \.(avi|mpg|zip|exe)$ - [NC,F]
Apache then returns 403 Forbidden, along with your ErrorDocument
403 page if you have one. A substitution beginning with a slash,
such as /forbidden.html, is resolved against the document root of
the site, so rules in the top-level .htaccess cover its
subfolders as well (unless a subfolder has its own RewriteEngine
on, which replaces them). A sub domain served from a different
document root needs its own copy of the file, or a full URL such
as http://www.mysite.org/forbidden.html; bear in mind that
mod_rewrite treats a substitution starting with http:// as an
external redirect, so the browser is sent a 302 to that page
rather than having it served in place.
Well, I hope that brief rundown of hotlink protection was
useful to you. Using this method personally I am saving myself
approximately 400MB of bandwidth a month, however I have a
fairly small user base. A large website could save possibly
hundreds of gigabytes of bandwidth this way, especially if it
deals with large files. And if you can cut your bandwidth bill
without compromising the services you provide to your readers,
what could be better?