Find Hotlinks with Google and Block them with .htaccess
Tue, 05/24/2011 - 16:16 — Sean Carney
Next up on bandwidth reduction week / stupid .htaccess tricks week - how to identify and block hotlinked images.
How to Find Hotlinked Images
You can find hotlinked images on your server with the following Google Image search:
inurl:seancarney.ca -site:seancarney.ca
This will bring up all the images which have your website in their URL, but appear in pages not hosted on your domain. This trick isn't guaranteed to find all the images, but it will find some of them. Searching using my domain, I have a handful of hotlinked images most of which are appearing on various spam websites.
How to Block Hotlinking with .htaccess
This isn't anything new, but it flows with the topic so I think it's worthwhile discussing.
Blocking hotlinks is simple at a high level. Each request for an image is checked to ensure that the referring domain is in a list of allowed sites, and if it is not, an 'error' image is shown.
The trick to blocking hotlinks is to distinguish between the 'good' and the 'bad' referrers. Image search engines tend to use hotlinks which I want to allow, while I want to block any spam and attack sites. To ensure search engines can link to images, the rule is written so that all sites are blocked with the exception of:
- My website
- Search engines
- Unknown sites which are requesting my 'no hotlinking image'
Below is the finished rule I added to my .htaccess file:
# Prevent hotlinking
# Only apply to image requests
RewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.*png$ [NC]
# Allow requests that send no referrer at all
RewriteCond %{HTTP_REFERER} !^$
# Allow my website
RewriteCond %{HTTP_REFERER} !seancarney\.ca [NC]
# Allow search engines
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteCond %{HTTP_REFERER} !msn\. [NC]
RewriteCond %{HTTP_REFERER} !yahoo\. [NC]
# Allow requests for the 'no hotlinking' image itself
RewriteCond %{REQUEST_URI} !/sites/default/files/2011/05/22/hotlink.jpg$
# Everything else is redirected to the 'no hotlinking' image
RewriteRule (.*) /sites/default/files/2011/05/22/hotlink.jpg [R=302,L]
...and voila! Now any sites which link directly to my images will sport a lovely image informing them that I frown upon hotlinking.
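To see which requests the rule above lets through, here is an added example (not code from the original post) that models its chain of conditions in Python and runs it over constructed requests. The function names, the sample requests and the STRICT_HOSTS allowlist are assumptions made for illustration; host_allows is a stricter variant that compares only the referrer's hostname.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the page's rule. mod_rewrite applies each RewriteCond
# pattern as a regex search, so a pattern without ^ matches anywhere in the value.
IMAGE = re.compile(r".*jpg$|.*gif$|.*png$", re.I)
HOTLINK = re.compile(r"/sites/default/files/2011/05/22/hotlink.jpg$")
ALLOWED = [r"seancarney\.ca", r"google\.", r"search\?q=cache", r"msn\.", r"yahoo\."]
# Assumption: a host allowlist for the stricter variant (not from the page).
STRICT_HOSTS = ("seancarney.ca", "google.com", "msn.com", "yahoo.com")


def page_allows(referer):
    """Referer test as written on the page: regex search anywhere in the header."""
    return any(re.search(p, referer, re.I) for p in ALLOWED)


def host_allows(referer):
    """Stricter variant: compare only the parsed hostname against the allowlist."""
    host = (urlsplit(referer).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in STRICT_HOSTS)


def decide(uri, referer, allows=page_allows):
    """Follow the rule's chain of conditions; return 'serve' or 'redirect'."""
    if not IMAGE.search(uri):
        return "serve"      # not a jpg/gif/png request, the rule does not apply
    if referer == "":
        return "serve"      # !^$ lets requests with no Referer through
    if allows(referer):
        return "serve"      # own site or an allowed search engine
    if HOTLINK.search(uri):
        return "serve"      # the error image itself, so the 302 cannot loop
    return "redirect"       # 302 to the no-hotlinking image


# Constructed sample requests: (request URI, Referer header)
SAMPLES = [
    ("/files/cat.jpg", ""),
    ("/files/cat.jpg", "http://seancarney.ca/blog"),
    ("/files/cat.jpg", "http://images.google.com/imgres?q=cat"),
    ("/files/cat.jpg", "http://spam.example/page.html"),
    ("/sites/default/files/2011/05/22/hotlink.jpg", "http://spam.example/page.html"),
    ("/files/cat.jpg", "http://spam.example/google.html"),
]

if __name__ == "__main__":
    for uri, ref in SAMPLES:
        print(f"{decide(uri, ref):8} {decide(uri, ref, host_allows):8} {uri} <- {ref!r}")
```

The two columns differ only on the last sample: the page's `google\.` pattern matches anywhere in the referrer, including its path, while the hostname comparison does not.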

Comments
Hi Sean, thanks for this
Hi Sean, thanks for this amazing and very informative article. What I wanna ask you is: Is there any chance to block just one or a few sites from hotlinking my images, because I recently found one guy who is just copy/pasting all my articles, and after that just to add other sites who start to hotlink my images, or do I have to go through this procedure, to block all sites, and then to allow some sites to use my images?
Thanks in advance, Dalibor
Blocking Only One Domain
It's easy to block only one domain using an .htaccess file.
Above, the example blocks all domains with a few exceptions but that is because we used an exclamation mark (!) in front of the allowed sites. An exclamation mark is interpreted to be a logical 'not', so I blocked all sites except the listed ones. If you want to block only one domain, just use that domain as the only HTTP_REFERER rule and don't put an exclamation mark in front of it. Here is an example:
# Prevent hotlinking from one domain
RewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.*png$ [NC]
RewriteCond %{HTTP_REFERER} baddomain\.com [NC]
RewriteCond %{REQUEST_URI} !/sites/default/files/2011/05/22/hotlink.jpg$
RewriteRule (.*) /sites/default/files/2011/05/22/hotlink.jpg [R=302,L]
Hope this helps.
basic question
I have what is a very basic question. I have other things in my .htaccess besides this, like a Wordpress module and some deny IP allows.
Should the "RewriteEngine On" text only be in the file once, or before the different rewrite blocks? (This and the ifmodule from WordPress)
Thanks in advance!
Basic Answer
Hi Lori;
You only need to have "RewriteEngine On" once in your .htaccess file, before any of your rule blocks.