
Geek On The Mountain




Stopping Hotlinking

Hotlinking is a nasty thing to do to someone. Hotlinking is when you link directly to someone else’s file and display it on your site. Usually this gets done with images, though technically you could do it with any file (including HTML files). The effect is that whenever someone loads your page, it pulls up an image (or whatever) from someone else’s site, using their bandwidth. In effect, this is stealing their bandwidth.

On a small scale, it amounts to just being rude. On a large scale, it is not only rude but costly (the site being hotlinked pays extra for the excess bandwidth), and it can bring a server to its knees as too many requests come in. The latter happened to Moonbatty earlier this week. That incident is what gave me the idea to write this. If you’re interested in not having something like this happen to you, then read on! It’s fairly easy to completely stop any kind of hotlinking.

Of course, on top of being rude and a form of stealing, it’s also a privacy issue for the hotlinking site. This is because all of that site’s traffic will end up contacting the hotlinked site. This then allows the hotlinked site to compile a list of visitors to the hotlinking site if they choose to do so. This isn’t a huge deal really, but it’s not necessarily desirable either.

It can be noted as well that sometimes a site will purposefully allow people to hotlink. Frequently, this happens when they’re giving away banners or icons that link back to their site. A good example is the Firefox buttons page. If you look at the img tag that you’re supposed to copy and paste, you’ll see that the images are actually located on Mozilla’s servers. In this case, they’re saying it’s OK to hotlink these images.

Fortunately, it’s really easy to stop people from hotlinking your images or any other files. There are, I’m sure, lots of pages out there on stopping hotlinking. I’m sure many of them are better than what I’m about to write so I’d encourage you to search around and see what information you can find in addition to this, which is probably sound advice for most things. I’ll refer to hotlinking of images from here on out, though what I say about images can apply to any file type.

First of all, you might wonder how you can tell if you’ve been hotlinked. You’d have to look at your web server log stats to find out. There are all kinds of different programs that output stats based on your logs. I use AWStats, and I’ll tell you what to look for there and you’ll have to find an equivalent measure in your software. AWStats will list the entry pages, that is, what URL was accessed when someone first came to your site. You shouldn’t see any images high up on this list (or perhaps on it at all). Also, it will list file types and the number of loads for each. Obviously, if images are unusually high on this list that’s another indicator.
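As an added example (my own code, not from the post and not part of AWStats), here is a small Python script that does the same kind of check directly against raw Apache access logs in the combined log format: it counts successful image requests by referring host, ignores requests from your own domains and requests with no referer, and totals the bytes each external host caused you to serve. The log lines and the domain slaad.com are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not taken from any real log).
SAMPLE_LOG = """\
203.0.113.5 - - [28/May/2005:17:11:02 -0500] "GET /images/banner.png HTTP/1.1" 200 4512 "http://forum.example.net/thread/42" "Mozilla/5.0"
203.0.113.6 - - [28/May/2005:17:11:03 -0500] "GET /images/banner.png HTTP/1.1" 200 4512 "http://forum.example.net/thread/42" "Mozilla/5.0"
198.51.100.9 - - [28/May/2005:17:12:10 -0500] "GET /index.html HTTP/1.1" 200 8201 "-" "Mozilla/5.0"
198.51.100.9 - - [28/May/2005:17:12:11 -0500] "GET /images/logo.gif HTTP/1.1" 200 1203 "http://www.slaad.com/index.html" "Mozilla/5.0"
192.0.2.77 - - [28/May/2005:17:13:00 -0500] "GET /images/banner.png HTTP/1.1" 200 4512 "http://blog.example.org/post/1" "Mozilla/5.0"
192.0.2.78 - - [28/May/2005:17:13:05 -0500] "GET /images/photo.jpg HTTP/1.1" 200 99001 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Same extensions the post's RewriteRule protects.
IMAGE_RE = re.compile(r'\.(jpe?g|png|gif|bmp)$', re.IGNORECASE)


def parse_log(text):
    """Yield one dict per parsable log line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def hotlink_report(text, own_hosts):
    """Count successful image loads per external referring host.

    own_hosts -- set of your own domains; any subdomain of them counts as your own site.
    Returns (hits_by_host, bytes_by_host).
    """
    hits = Counter()
    bytes_out = Counter()
    for rec in parse_log(text):
        path = rec['path'].split('?')[0]
        if rec['status'] != '200' or not IMAGE_RE.search(path):
            continue
        referer = rec['referer']
        if referer in ('', '-'):
            continue  # typed in or bookmarked: no referer, not a hotlink
        host = urlsplit(referer).hostname or ''
        if host in own_hosts or any(host.endswith('.' + h) for h in own_hosts):
            continue  # your own pages loading your own images
        hits[host] += 1
        if rec['bytes'] != '-':
            bytes_out[host] += int(rec['bytes'])
    return hits, bytes_out


if __name__ == '__main__':
    hits, bytes_out = hotlink_report(SAMPLE_LOG, {'slaad.com'})
    for host, n in hits.most_common():
        print(f'{host:25} {n:5} image loads  {bytes_out[host]:9} bytes')
```

Run it against a real log with `hotlink_report(open('access_log').read(), {'yourdomain.example'})`; any host high in the list is the equivalent of the image-heavy entry pages the post tells you to look for in AWStats.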

If you’re anything like me, then you’re paranoid about security and you won’t care whether it’s happening or not; you’re going to make sure it can’t happen. I’ll explain how to stop it using Apache’s mod_rewrite, a very powerful module that can rewrite URLs. If your host isn’t running Apache (most of them do, though… virtually all hosts running any form of Unix or Linux use it), then you might as well turn to Google for help right now. I’m sure there are ways it can be done, I just have no clue off the top of my head. :) If you’re not sure, then read on for a moment. You might also want to check out the mod_rewrite docs (you’ll want the links under “configuration directives”). They explain exactly how everything works and what all the flags do.

You’ll need to edit a file called “.htaccess” in order to do this. This is a “hidden” file, so you might need to reconfigure your FTP program to show hidden files in order to see it. It should be in your root HTML directory (usually “public_html”). The file doesn’t need to exist in order for Apache to function, so it might not be there. On the other hand, if it’s not there it might also mean that you’re not running Apache! If you’re still not sure what server you’re running, then contact your host. The .htaccess file is a configuration file for Apache. There’s all kinds of stuff you can put in there to make it do all kinds of fun things. Each directory can actually contain its own .htaccess to configure that individual folder, but the one in your root directory will set the behavior of everything.

Before doing anything, make a backup copy of .htaccess. It’s a very touchy file and if you so much as put a space in the wrong place you might just get an internal server error when you try to access any part of your site. Better safe than sorry.

You’ll want to add code something like this into your .htaccess file in your root dir:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^.*\.slaad.com/.*$ [NC]
RewriteRule .*\.(jpe?g|png|gif|bmp) - [NC,F,L]

The first line just turns on the rewrite engine (big surprise?). You don’t have to do this if you don’t want to, but, well, have you ever tried mowing your lawn without pulling that cord (or turning the key if you’re the fancy type…) first? Yeah, that’s what it would be like if you skipped the first line…

The next two lines are conditions to match. In this case we’re actually negating what we’re matching, so the net effect is that these sites will be excluded from our stopping of hotlinking. Once again, this is purely optional as long as you’re willing to live with your own site not being able to load its own images… :) Obviously, I’ve copied this from my own .htaccess and you would change my domain name to yours. The part that says %{HTTP_REFERER} tells it to look at the referrer variable. This should contain the URL of the page the user came from. For those inclined to spell things correctly, yes, the variable is spelled wrong. Referer isn’t a word, but it is the correct name for the variable. :)

The text after the variable on the second line is !^$. On the third line it’s a bit longer. These are regular expressions, or regexes. Regular expressions are pretty simple, but confusing as hell if you don’t know the syntax. If you’re at all interested, I’d recommend this site for some good information on regexes. They’re actually very powerful and you can do some nifty things with them if you know what you’re doing. If you don’t care that much, then I’ll give a quick explanation right here. (Or you could just copy and paste the code and not care at all… :) )

The ‘!’ is a negation operator: instead of matching this string, don’t match this string. In effect, we create a condition where ANY referer that doesn’t match either of the two strings we’re specifying gets the RewriteRule applied to it, which we’ll get to in a minute. The ‘^’ and ‘$’ basically denote the start and end of the string. They’re really a bit more complicated than that, but that’s the effect they have here. The second line matches the case when there is no referrer. This allows people to type in the URL of the image or bookmark it and still load it.

The third line is more complicated. Once again, it’s negated and we start the string with the ‘^’. After that it gets a bit odd: “.*\.” looks strange. In a regex, some characters have special meaning while others just match themselves (typing an ‘a’ will always match an ‘a’). The ‘.’ character will match ANY character. The ‘*’ character means 0 or more of the previous character. Since the previous character is any character, “.*” means 0 or more of any character. This is there to match subdomains and protocols. Your site could use http or https or the subdomain of www, xxx, blog, illegalfirearms, or even nothing at all. Any letters will match. The “\.” will match just a plain old ‘.’. The ‘\’ is called an escape and it’s used to tell the regex engine that the character following it should be interpreted literally and not using its special meaning. The “slaad.com/” obviously matches the domain name. Lastly we have another “.*” to tell it to match any file or subdirectory. We finish with the end character “$” again.

Enclosed in brackets is “NC”. This is called a flag and this particular one means “no case”. In other words, ignore the case and match everything whether it’s uppercase or lowercase or whatever mix is needed. As I mentioned earlier, the docs explain all the different flags.

The last line is the RewriteRule. Any requests that matched the conditions have this rule applied. If there was no match, then the rule does nothing. Of course, once again, in this case, we negated our conditions, so you can think of it as the rule being applied to everything that DOESN’T match the conditions that we listed. Once again we see the string “.*\.” and it means the same thing. After that there is “(jpe?g|png|gif|bmp)”. This is a grouping. Within the grouping, the ‘|’ character has the effect of an OR, and the ‘?’ makes the ‘e’ before it optional. What this is saying is to match any file with an extension of jpg (or jpeg), png, gif, or bmp: image files. When it finds something that matches this regex, it will rewrite the ENTIRE URL to whatever you put in the next argument. In this example, it is the character ‘-’. This isn’t a regex, but it is a special string that the rewrite engine recognizes as meaning “nothing” (no substitution). So when it finds an image being requested by someone who didn’t come from your site, it doesn’t redirect them at all. This may seem kind of odd until you look at the flags. We already know what NC does. F will return a forbidden error (403). This is why I have the “-” back there: it just returns a 403 error. Finally, the flag L just tells it that it’s the last RewriteRule to apply.

Of course, if there are more domains you want to allow to hotlink, just add them in the same format before the RewriteRule.
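To make the three lines concrete, here is an added Python model of the decision they encode (my code, not the post’s; Python’s re module stands in for Apache’s PCRE, which behaves the same for these patterns). It applies the post’s own patterns to a few constructed (path, referer) pairs and reports whether the request would get the 403. It also carries a tighter referer pattern of my own (TIGHT_REFERER) that is anchored to the scheme and host, escapes the dot in the domain, and makes the subdomain optional. Running both side by side shows two things worth checking in your own rule: the post’s pattern needs a literal dot in front of slaad.com, so a referer of http://slaad.com/ with no subdomain at all is treated as foreign, and because the pattern is not tied to the host part of the URL, any referer that merely contains “.slaad.com/” somewhere in its path is treated as your own site.

```python
import re

# The conditions and rule from the post, transcribed literally. Apache evaluates
# RewriteCond/RewriteRule patterns with search semantics (no implicit anchoring).
PAGE_REFERER = re.compile(r'^.*\.slaad.com/.*$', re.IGNORECASE)
IMAGE_RULE = re.compile(r'.*\.(jpe?g|png|gif|bmp)', re.IGNORECASE)

# Tighter pattern (my suggestion, not from the post): anchored to the URL scheme and
# host, optional subdomains, escaped dot, optional port, and the host must end at '/'.
TIGHT_REFERER = re.compile(r'^https?://([a-z0-9-]+\.)*slaad\.com(:\d+)?/', re.IGNORECASE)


def hotlink_blocked(path, referer, own_site=PAGE_REFERER):
    """Return True if the post's rules would answer 403 to this request.

    path    -- the request path as mod_rewrite sees it in .htaccess (e.g. 'images/a.png')
    referer -- the Referer header, '' when the browser sent none
    """
    # RewriteCond %{HTTP_REFERER} !^$ : an empty referer fails the condition, rule skipped
    if referer == '':
        return False
    # RewriteCond %{HTTP_REFERER} !<own site> : a matching referer fails it, rule skipped
    if own_site.search(referer):
        return False
    # RewriteRule .*\.(jpe?g|png|gif|bmp) - [NC,F,L] : fires only for image paths
    return bool(IMAGE_RULE.search(path))


def compare(path, referer):
    """Verdicts under the post's pattern and the tighter one, as (page_blocks, tight_blocks)."""
    return (hotlink_blocked(path, referer, PAGE_REFERER),
            hotlink_blocked(path, referer, TIGHT_REFERER))


if __name__ == '__main__':
    # Constructed requests; none of these referers are real pages.
    cases = [
        ('images/logo.gif', 'http://www.slaad.com/index.html'),    # own site, with subdomain
        ('images/logo.gif', ''),                                   # typed in / bookmarked
        ('images/logo.gif', 'http://forum.example.net/thread/1'),  # foreign site
        ('index.html',      'http://forum.example.net/thread/1'),  # not an image: never blocked
        ('images/logo.gif', 'http://slaad.com/'),                  # own site, no subdomain
        ('images/logo.gif', 'http://other.example/.slaad.com/'),   # domain string inside the path
    ]
    for path, referer in cases:
        page, tight = compare(path, referer)
        print(f'{path:16} referer={referer or "(none)":40} page:{page!s:5} tight:{tight}')
```

To use the tighter pattern in .htaccess, the third line becomes `RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*slaad\.com(:[0-9]+)?/ [NC]`. One further caveat for the substitute-image variants later in the post: in a per-directory .htaccess the rewritten request is run through the rules again, so a rule that rewrites every foreign-referer image to /images/virus.png will match its own substitution; exempt that file with a `RewriteCond %{REQUEST_URI} !^/images/virus\.png$` placed before the rule, or use the R flag to send a real redirect instead.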

You can be more fancy if you want to. You can supply a URL to redirect to for instance. That would look like this:

RewriteRule .*\.(jpe?g|png|gif|bmp) /thievingbastards.html [NC,L]

In this case a file is specified to redirect to and the F flag is now gone since we’re not going to throw a 403 error.

Of course, you can always replace the image with some other image. You’ll probably want it to be something small and humorous to save on bandwidth and simultaneously lift your spirit. Something like:

RewriteRule .*\.(jpe?g|png|gif|bmp) /images/virus.png [NC,L]

This is the course of action that Moonbatty took…
This is another good reason not to hotlink. The images could change to any old thing at any time…

There are really a million and a half other things you can do with mod_rewrite, both in terms of hotlink protection and in terms of other things as well. There are other variables that you can match besides just the referrer. Want to cut all IE users off from your site (and probably 80% of your traffic…)? You can! The world is your oyster… You can get a lot more specific and allow some directories to hold images that may be hotlinked, and do other things to make this shotgun approach into more of a scalpel.

But how do you know it’s working? The first thing you should do is go to your site. If you get an internal server error then you’ve typed something wrong, and your entire site is down and totally inaccessible until you fix it. Fun, eh? After confirming that your site isn’t broken and will actually serve you the files you want to check, you have a couple of options at your disposal. You can always create a link from some other site, which would set the referrer to something other than what you want, but that would just be a pain in the butt, IMHO. Another option is to delete those ‘!’s for the time being. You can then test the configuration by blocking your own site. Once you’ve seen that your own site can’t load its images, all you have to do is go back and put the ‘!’s back in and you should be good to go. Another option is to use a referrer spoofer. This way, you can set your referrer to whatever you want to test the configuration out.

Be warned though, if you use this method (it may occur with some of the aforementioned methods as well), that you’ll need to clear out your browser’s cache. If it loads the image properly even once, it might just load it from cache even if the server tries to redirect or throw a 403. An easy alternative to all of these is to go to a site that offers a link checker for hotlinking. I would recommend checking it too. I can’t overemphasize how dumb of an idea it is to create or fix something and then not bother to test it. That’s a sure path to failure.

Finally, you can protect other extensions for other types of images or any type of file (perhaps you’d like to protect movie or sound files as well). Of course, if you protect certain types of files, like html or php for instance, you might just stop anyone (including search engines…) from being able to link to you at all. Then again, if you’re creative, you can redirect all links to some splash screen or something that you want people to see, which then automatically redirects them to the page they were looking for in the first place. The sky’s the limit!




Comments

  1. May 28th, 2005 | 5:11 pm

    It’s more fun to have the last line read this instead:
    RewriteRule \.(jpe?g|gif|bmp|png)$ largeimageofgapinganuscompletewithpoo.jpg [L]

    Naturally, this will only discourage people from hotlinking. If they already have, or if the problem is that they’re causing TONS of hits to your site, then the rewrite to a 404 (Lucas’ example) will only result in your bandwidth being eaten up like mad.

  2. Lucas
    May 28th, 2005 | 6:12 pm

    I’m guessing that you were thinking of gotse.cx (I won’t link to an actual mirror….) when you thought up your picture…

    As I think about it more and more it seems like I should rewrite with some stupid picture. It must be much more confusing to try to link to something and get the wrong picture than it is to link and get nothing… :)

    Come to think of it as well, another funny way to fight back, you could redirect back to an image hosted by the hotlinker.

    But ultimately, yeah, you’re right, if you really want to get someone to stop, some weird image that they don’t want is the best way to go. You’re better off throwing a 403 before you get someone hotlinking since they probably won’t bother with the hotlink if it doesn’t work in the first place.

  3. KC
    September 23rd, 2006 | 8:25 pm

    For you guys that run a Windows IIS server, you have a much better tool.
    ISAPI/Rewrite http://www.isapirewrite.com/

    I own my own Win2K server and really depend on it to protect my bandwidth from thieves, be it rogue sites hotlinking or direct URL entry of a file into the browser’s address line.

    Picture hotlinks, sure, not cool, but pffff.
    Try protecting tens of thousands of giant (average size 20MB, but many over 100MB) files you limit with a member based daily download count.

    Years ago when most users were on dialup it wasn’t an issue.
    With most everyone on my sites now on broadband, cheating can do some really serious financial damage to an already high bandwidth bill.

    This program is free and pretty easy to set the “rules”.
    I think my text based config file is only like 12 lines, but it sure does a lot.

    Hot linked images are replaced with a tiny (2K I think) 2 color “image thief” pic.
    The important thing for me of course is not letting people get the huge .zip files (which are free, but only so many a day) if they don’t jump through the hoops, and the main one being logged on and using my download pop-up page, and my check is via referer.

    If their referer tag does not match the exact URL for it plus a special tag, no file is sent, they get sent on a journey via a redirect at the server level via ISAPI/Rewrite that… well…
    let’s just say the harder they try to rob me, the nastier the road gets until it ends up they get totally IP banned from the server via global.asp code, which redirects on its own to a nice little nastygram page ;-}

    What concerns me is what I’m seeing about “referer spoofing” ability mods for Firefox.
    I have no concern with a guy masking his users’ referrer, he won’t get the file legit or not; what concerns me is the possibility that it might now be possible for Firefox guys to actually fake the required referer tag for my site to send him the file and bypass everything if he has the file name and path right from the browser address line.

    I’ll explore that, I just thought I’d give you Win2K server guys a good tip.

    KC

  4. December 18th, 2006 | 9:52 pm

    I am a newbie webmaster, and the first thing I learned while making a website was about hotlinking. I found out that a lot of people are linking directly to other people’s files NOT knowing that it is wrong.
    So I thought that it could be a good idea to explain to people why not to do it and how to do it. It is actually important that we educate people about it, as 100% protection against hotlinking does not exist yet.

    I have just learned how to use basic HTML and tutorials/advice like the one above is a Russian village for me - I do not understand how to do that although I am pretty sure that it is good advice. BTW, English is not my primary language so…
    So, what to do? A beginner as I am can only rename images from time to time (it takes 100 years to do it!) so hotlinkers get crosses and broken links instead of each stolen image.

    Or I can continue explaining to people why it is wrong to do it. Actually about 75% of hotlinkers do not know that they are doing anything wrong. When they right-click on an image, they can normally choose “copy” and “paste” - so why not?!

    I have seen websites where hotlinkers have been called some very bad names and put on some “black lists” etc. That is wrong. Sometimes people are called hotlinkers because they host their images on Photobucket/ImageShack and “prof” webmasters who do not know these services think that they are hotlinking without permission - stealing.

    It is a great idea to share advice on how to protect files from hotlinking - although not everybody can understand these procedures and finally they are not 100% secure.
    It could also be very useful to explain to people, whenever it is possible, what hotlinking is, why to avoid it and how to host images and other files. As told, a lot of hotlinkers are stealing other people’s bandwidth without knowing that they are doing something very bad.
    Therefore, every webmaster should have a little explanation about hotlinking on his/her site.
    Cheers!

  5. February 28th, 2007 | 4:35 am

    Thank you for this tutorial, it’s very educational. And I really need to kick hotlinkers off my sites :)

  6. December 7th, 2007 | 10:23 pm

    I run a site on my own server using WinXP Pro/SP2 and Apache Server 2.2 and I also have had trouble with hotlinking of images to various forums that do not allow the poster to delete or change his/her post once it is made.

    I have tried various substitute images (using mod-rewrite in htaccess) but the one I find most satisfying to me is one that rapidly alternates black-white and says NO HOTLINKS in red-blue. This could induce a seizure if viewed for a time. Check out this forum (message with the hotlink to an image at my site is down a ways). If you are prone to seizures, please ignore this link.

    http://www.freerepublic.com/focus/f-news/1936364/posts?q=1&page=251

    Depending on the topic of the message, substituting hard porn can be a real comic relief for the webmaster whose image is being linked.

