CentrioHost Blog

Stories and News from IT Industry, Reviews & Tips | Technology Blog

How to Prevent Hotlinking in WordPress (7 Easy Methods)

  • Category : Website Security
  • Posted on : Aug 23, 2018
  • Views : 1,813
  • By : Kapueo I.

Nothing is worse than someone stealing your images or bandwidth, but this happens fairly regularly as everything is out in the open on the internet for people to easily link to. This can cost you money and is even illegal if the person is linking to stock photos in which you had to acquire a license to use. Today we’ll explain what hotlinking is, why it is bad, and how you can prevent hotlinking on your WordPress website.

  • What is Hotlinking?
  • Why Hotlinking is Bad
  • Does Blocking Hotlinking Hurt Your SEO?
  • How To Prevent Hotlinking
  • How to File a DMCA Takedown Notice

What is Hotlinking?

The concept of hotlinking is very simple. You find an image on the internet somewhere and use the URL of the image directly on your site. This image will be displayed on your website but it will be served from the original location. This is very convenient for the hotlinker but it’s actually theft as it is using the hotlinked site’s resources. It’s like if we were to get in our car and drive away with gas we siphoned off from our neighbor’s car.

Why Hotlinking is Bad

Below are a couple things to be aware of when it comes to hotlinking:

1. Hotlinking Costs the Original Website Owner Money

Someone linking to your images from their website might not seem like a big deal, but it could generate a lot of extra costs for you. The Oatmeal is a great example. The Huffington Post hotlinked a cartoon of his which consisted of multiple images. Since we’re talking about a major publication with a lot of traffic, this incurred a lot of extra costs for The Oatmeal, as thousands of people were being delivered the images. In a classic Oatmeal move Matthew Inman, creator of The Oatmeal, replaced all of the hotlinked files with the following:

He also took care to replace the last image with a drawing of a behind and a pee-pee. Awesome! But as you can see, the costs can add up quite rapidly, especially if a high-traffic site is the one hotlinking your content. Do you want to trust that all writers and bloggers know how to properly use images? Probably not. And that is why hotlink protection exists.

Related article: Content Scraping – Fight Back or Ignore?

2. Hotlinking in Most Cases is Illegal

Hotlinking in a lot of cases is actually illegal. Why? Because many of the photos you see around the web have licensing restrictions attached to them. Here are a couple of common image restrictions on licensing from popular stock photo sites:

  • No commercial use is permitted under any circumstance.”
  • “Publication on a website or blog you own (in articles or news for illustrative purposes only).”

Both of the above restrictions could easily be broken if someone links to your image and uses it on their website. They most likely don’t have permission to do so, as they did not pay for the license. This also goes hand in hand with not linking to it correctly on their site, but also proper attribution to the original creator.

3. Drain of Server Resources

Hotlinking can be a huge drain on resources for the target server. Imagine if you are on a shared WordPress host and Huffington Post suddenly links to your images. You could go from a couple hundred queries an hour on your site to a couple hundred thousand. This could even result in a suspension of your hosting account. This is definitely a reason to not only use a high-performance host (which can handle hiccups like this), but also to enable hotlink protection so this doesn’t happen.

4. Hotlinking is Just Plain Lazy

Do people hotlink simply because they are lazy? Well, a lot of times, people don’t intentionally hotlink to your images and are not aware that this is even an issue. They are usually just busy writing and are simply copy-pasting URLs and files. They might not even know how to properly link to an image. However, this is still not a good excuse. If you write content on the web, it is important to understand best practices for linking to other people’s images, along with proper attribution.

Does Blocking Hotlinking Hurt Your SEO?

Blocking people from hotlinking won’t hurt your SEO, but it does need to be set up correctly. There are crawlers from Google, Bing, Yahoo, etc. that require access to your images to be able to index and properly display them. For example, when you see an image on Google image search, the thumbnail is served up from Google’s image cache. But the original version (if you click on it) is actually serving from your server.

And you want your images in Google image search. As WordStream put it, Google image search traffic is an “easy win” and in fact can drive conversions and leads for your business that you might not have gotten otherwise.

How To Prevent Hotlinking

There a few easy ways to protect your images against hotlinking, let’s take a look at the options we have.

  • CDN
  • Apache
  • WordPress plugins
  • Disable right click in WordPress
  • Rename files
  • cPanel

Utilize a CDN with Hotlink Protection

Most of you serve content around the globe from your websites and in turn use a CDN provider to speed up the delivery of your assets. CDN providers such as KeyCDN and Cloudflare have great hotlink protection already built in for free that you can enable. This is the recommended method as they have very fine-tuned rules for bots and other referrers that actually shouldn’t be blocked. Another benefit from doing it on your CDN is that you don’t have to change anything with your WordPress installation.

If you are using KeyCDN, simply click into Zonereferrers and add the rules. Crawlers will still be able to access and index your images.

They even have a one-click option to allow empty referrers per zone.

This would enable hotlink protection for assets on your CDN, but not your origin server. So if you are very worried about someone hotlinking to your images directly on your server you could also enable hotlink protection on your origin server (see Apache and NGINX rules further below). This is very unlikely though as someone would have to manually remove the CDN URL. But it could happen.

If you are using Cloudflare, you can easily enable hotlink protection under Scrape Shield in your account. Hotlink protection has no impact on crawling, but it will prevent the images from being displayed on sites such as Google images, Pinterest, etc. Since Cloudflare is a fully proxy service you don’t need to worry about enabling hotlink protection on your origin server.

If you are using Amazon S3, you can enable hotlink protection with bucket policies, which is located under “Permissions” on your bucket.

Simply add the following code below:

  "Version": "2008-10-17",
  "Id": "preventHotLinking",
  "Statement": [
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-brand-new-bucket/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [

Enable Hotlink Protection on Apache

If your WordPress site is running on Apache, all you need to do is open the .htaccess file in your site’s root directory (or create it) and add the following:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourdomain.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?bing.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yahoo.com [NC]
RewriteRule .(jpg|jpeg|png|gif|svg)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]

The second line allows blank referrers. You will most likely want to enable this as some visitors use a personal firewall or antivirus program that deletes the page referrer information sent by the web browser. If you don’t allow blank referrers, you could inadvertently disable all of your images for those users.

The third line defines the allowed referrer, the site that is allowed to link to the image directly, this should be your website (update yourdomain.com above with your domain). The fourth, fifth, and sixth lines add search engines to the allowed list, because you don’t want to block crawlers such as Google bot or Bing bot. This could prevent your images from showing and indexing in Google image search.

And the seventh line defines the image you want the visitor to see in place of the hotlink protected image. This not required, but you could give them a friendly warning. If you want to allow multiple sites you can duplicate this row and replace the referrer. If you want to generate some more complex rules, take a look at this htaccess hotlink protection generator.

If you are using the above rules along with a CDN, you might also need to whitelist your CDN subdomain.

Enable Hotlink Protection on NGINX

If you are running on NGINX, all you need to do is open your config file and add the following:

location ~ .(gif|png|jpeg|jpg|svg)$ {
     valid_referers none blocked ~.google. ~.bing. ~.yahoo. yourdomain.com *.yourdomain.com;
     if ($invalid_referer) {
        return   403;

WordPress Plugins

There are a few WordPress plugins related to hotlinking but many of single-use ones aren’t very well maintained or have bad reviews. We don’t recommend using them. We suggest taking a look at the All In One WP Security And Firewall plugin which is an excellent all-around security plugin with the ability to prevent hotlinking built-in. However, it is generally better to enable hotlink protection at the server or CDN level.

All In One WP Security & Firewall currently has over 500,000 active installs with an impressive 5 out of 5-star rating. You can download it from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins.


Disable right click in WordPress

Another option you have to prevent hotlinking in WordPress is to disable the right-click functionality. This by no means is a bulletproof approach but can be a good way to ensure typical users aren’t stealing your images or copying them into other applications and it linking to your source domain.
There is a great free little plugin called Prevent Content Theft which will help stop that. You can download it from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins.  There are no settings, simply install and you’re good to go.

This plugin not only disables right clicking on your images but also the entire page, therefore protecting your content as well. We installed and tested this on our development site and you can see an example below of what happens when a user tries to right click on an image. They are met with a notification box that let’s them know that this function is disabled.

Rename Files

If you suddenly discover a high traffic site or multiple sources hotlinking to a single image a simple method you have at your disposal is to simply rename the file. Change the link on your own site and let the hotlinkers stew in anger as their images become 404 errors. While handy, this method is more of a quick-fix, it’s a bit unwieldy to use against large-scale hotlinking.

cPanel Settings

If you have cPanel or WHM installed for your domain you can use the built-in hotlink protection tool. Take a look at the cPanel documentation for more information, it’s as easy as enabling a setting.

How to File a DMCA Takedown Notice

Another solution is that since they don’t own the image and are using it without your permission, you can always file a DMCA takedown notice. This can be a quick way to ensure that it gets taken down. You would be surprised what a quick “abuse” letter will do. Many website owners will handle the issue right away, as they fear legal action.


If you’re a content aggregator and avid sharer make sure to play nice and link to websites, don’t display images directly. If you’re truly a fan of what you’re showing you’ll be supporting the original author a lot more! If you’re a content creator make sure to protect yourself against theft, hotlinking is one area which is not too difficult to prevent. Any of the methods mentioned above will ensure you save money, time, and bandwidth.


Subscribe Now

10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!

Archive Calendar


Over 20000 Satisfied Customers!

  • web hosting reviewer
    Valerie Quinn
    CTO, Acteon Group

    Centriohost staff were fantastic, I had a concern with a domain and they got back to me very quickly and they helped me to resolve the issue! ~ . . . Read more

  • Joomla hosting reviewer
    Collin Bryan
    Photographer, Allister Freeman

    I'm using centrio for my portfolio since 2006. The transition was seamless, the support was immediate, and everything works perfectly. ~ . . . Read more

  • dedicated server reviewer
    Harry Collett
    Actor, A&J Artists

    Very easy to understand & use even though I am not very technologically minded. No complications whatsoever & I wouldn't hesitate to recommend it to all. ~ . . . Read more

  • vps web hosting reviewer
    Porfirio Santos
    Technician, Diageo PLC

    Centrio support team have been amazingly responsive and helpful to any of my queries, thank you so much to the Centriohost have been amazingly responsive and helpful to any of my queries 👍👍👍 ~ . . . Read more

  • wordpress hosting plans reviewer
    Catherine Auer
    Doctor, SmartClinics

    Anytime I've had a problem I can't solve, I've found Centriohost to be diligent and persistent. They simply won't let an issue go until the client is happy. ~ . . . Read more

  • reseller hosting reviewer
    Effectivo Social
    Freelancer, Fiverr

    Recommend their shared hosting for all my SME web design clients. Their cloud or VME offerings are too great to deal with. Pricing is perfect and suitable for all users (͠≖ ͜ʖ͠≖) 👌 ~ . . . Read more