How to enable and configure hotlink protection

Call Us 0800 107 7979

Service Status

Back to knowledgebase

10 November 2021

Hotlinking is embedding content from one website on another website. For instance, someone might see a lovely photo on your website and decide to embed it on their website, using the original image URL. In the same way other websites can include videos, fonts or even JavaScript files.

The practice is bad for both your website and the website on which the resource is embedded. If someone embeds an image that is hosted on your server then you are paying for the bandwidth every time the image is downloaded. And the website on which the photo is embedded can’t be sure that the image will continue to be available. If you remove the image then it is also no longer shown on the website that is doing the hotlinking.

You can stop websites hotlinking to your website by adding a rule to your .htaccess file. On cPanel servers you can also enable and configure hotlink protection via the control panel.

Hotlinking example

To illustrate how hotlink protection works, let’s imagine that I own example.com and that another website, penguins-unite.io, has embedded an image on its website that is hosted on my server:

<!DOCTYPE html>
<html lang="en-gb">
  <head>
    <meta charset="utf-8" />
    <title>Penguins Unite!</title>
  </head>

  <body>
    <h1>The online meeting place for all penguins</h1>
    <img src="http://example.com/wp-content/uploads/2021/11/king-penguins.jpg" width="640" height="427" alt="Penguin Unite!" />
  </body>
</html>

As the owner of example.com I can prevent the image is downloaded from my server. In cPanel, you can do so via Security » Hotlink Protection. On the page you can simply click the Enable button to enable hotlink protection. The only other thing to check are the URLs and extensions that should be protected.

Image: blocking image hotlinking in cPanel.

By default, cPanel’s hotlink protection blocks jpg, jpeg, gif, png and bmp files. You might want to tweak the list. For instance, if you host your own video files then you can add extensions such as mp4, ogv and webm to the list. Or, if you use custom fonts then you can add the font extensions as well. It all depends on the content on your website.

When you enable hotlink protection cPanel adds a rule to the .htaccess file for the domains you specified. The default rule looks like this:

# Block hotlinking requests
RewriteCond %{HTTP_REFERER} !^http://example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

The hotlinked image is now no longer showing on the penguins-unite.io website. Instead, it is blocked with an error 403 (“forbidden”).

Image: the hotlink protection in action.

Redirecting URLs

You can also redirect rather than block hotlinking requests. If you do so via cPanel, do not click the “Allow direct requests” checkbox. It will break your hotlinking rule. Just enter the URL (or the path to) the destination.

You can have lots of fun with this feature. For instance, here I redirect hotlinking requests to an image named do-not-hotlink.jpg.

Image: redirecting hotlinking requests.

The rule in the .htaccess file is similar to the previous one. The only difference is that the rewrite rule now redirects to the replacement image.

# Redirect hotlinking requests
RewriteCond %{HTTP_REFERER} !^http://example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ /wp-content/uploads/2021/11/do-not-hotlink.jpg [R,NC]

The replacement image do-not-hotlink.jpg is a photo of a My Little Pony character. So, the penguins-unite.io website now shows an image of a cute little pony rather than a penguin-related image.

Image: redirecting a hotlinking request. Credit: furbymama on pixabay.com.

If you look at the requests for the page you see that the king-penguins.jpg file now has the status code 302, which is a redirect. The redirect goes to the image of the pony.

Hanlon’s razor

Although hotlinking is a nuisance, it is usually done out of ignorance rather than malice. Someone probably used a WYSIWYG editor and simply copied and pasted the URL of an image on your website, without realising that the image will be downloaded from your server. Blocking the requests is easy and should be sufficient. Please don’t use the redirect feature to display offensive content on the website that is hotlinking.

Featured Blogs

Finding the Best Server Solution for a High-Traffic Website

18th April 2023

By catalyst2 Team

High-traffic websites are websites that attract a large volume of visitors. These websites often have large user bases, provide a wide range of services and generate significant revenue. Examples of common high-traffic websites include online retail stores, news websites, social media channels and video-streaming services. When you have a high-traffic website, it’s incredibly important to …

Read Article

What to Look For in a Dedicated Server Hosting Provider

6th April 2023

By catalyst2 Team

Dedicated website servers are the ultimate solution for businesses looking for the highest level of performance and reliability. When compared to shared hosting solutions, they offer more control, flexibility and scalability, and they can be tailored to meet the needs of any website. They provide dedicated resources to ensure that websites run efficiently and securely, …

Read Article

Understanding the Basics of VPS Hosting

29th March 2023

By catalyst2 Team

When you first start designing a website for your business, there is so much to consider. From choosing the right domain name to making colour decisions, designing a website that perfectly reflects your brand and helps you to attract new customers isn’t always easy. Whilst focusing on bringing a new website to life, lots of …

Read Article

Why Businesses Should Use Managed Servers for Their Websites

15th March 2023

By catalyst2 Team

Website servers are the backbone of the internet and they play an essential role in allowing businesses to operate online. Simply put, servers store and process all of the data that is required to keep a website running, and they play an integral role in today’s digital world. Website servers are responsible for hosting websites, …

Read Article

Managed VPS Hosting; A Practical Solution to Keep your Website Online

28th February 2023

By catalyst2 Team

There are many different web servers available; shared, dedicated and cloud hosting, all of which come with their own benefits and drawbacks. But one useful form of hosting which is often overlooked is the managed VPS. VPS stands for virtual private server and it is a versatile system that suits online businesses in several Industries. …

Read Article

Choosing the Right Dedicated Server for Your Business

21st February 2023

By catalyst2 Team

In today’s ever-evolving world of technology, dedicated servers are becoming increasingly popular and they’re now considered to be an essential tool for businesses. Commonly, dedicated servers are used by businesses that need to host a website, however, they can also be used for applications like streaming services and corporate intranets. This advanced solution enables you …

Read Article

Seven Ways we Avoid Server Downtime

5th January 2023

By catalyst2 Team

As a business owner, there’s a lot that you have to think about. And one of the major factors to consider is your online presence. These days most of your customers will find you through the internet rather than more traditional forms of marketing. This means that your business needs to have a high quality …

Read Article

How to Choose the Right Server for Your Website

29th December 2022

By catalyst2 Team

Finding the right server for your business’ website is vitally important. Your server will facilitate your website, allowing your potential customers to access your webpages; they’re a very important part of your online presence. However, there are so many different server options and packages available that it can be difficult to know which would be …

Read Article

Web Servers; An Introduction to Online Hosting

23rd December 2022

By catalyst2 Team

Getting your business online is simultaneously an incredibly simple yet incredibly complicated process. Build-your-own-website services make it super easy for you to build a website specifically for your business, so you can get started quickly and on your own terms. But once you look below the surface of your website, things become a little more …

Read Article

How to Prepare for High Traffic Volume to your Website

13th December 2022

By catalyst2 Team

Website traffic typically means the number of people who visit your website and engage with your online services at any one particular time. The higher your traffic, the better your website is performing, the more chances you have of making sales and generating a profit. When it comes to choosing the right server, the key …

Read Article

What our clients say

catalyst2 support people know their environment and how to manipulate it to the customers advantage.

Mark Hamilton, Filter Solutions

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Always Enabled

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_5562310_11	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
_ashkii	session	No description available.
_wicasa	3 months	No description available.
AnalyticsSyncHistory	1 month	No description
cookid	3 months	No description available.
cookietest	session	No description
crisp-client/domain-detect/1644827320973	session	No description
crisp-client/domain-detect/1644827348275	session	No description
crisp-client/domain-detect/1644827428415	session	No description
crisp-client/domain-detect/1644827479357	session	No description
crisp-client/domain-detect/1644827596454	session	No description
crisp-client/domain-detect/1644827724838	session	No description
crisp-client/domain-detect/1644827824383	session	No description
crisp-client/domain-detect/1644827878659	session	No description
crisp-client/domain-detect/1644828716243	session	No description
crisp-client/domain-detect/1644828846246	session	No description
crisp-client/domain-detect/1644829369013	session	No description
crisp-clientsession30cc6953-ebcf-4bc6-b649-c44eb446409e	6 months	No description
dbmFP	3 months	No description available.
dbmPK	3 months	No description available.
li_gc	2 years	No description