The internet can resemble the wild west out there sometimes and, let’s be honest, that’s part of the reason we love it. The freedom that people have online gives us all kinds of neat things from videos of cats that are terrified of cucumbers to Amazon delivering my son’s birthday presents inside of 48 hours. There’s a lot of cool to be found all over the place.
The same freedom that fosters a lot of the things we really love also brings some not-so-ok stuff in the balance, though. Bandwidth is one of the precious commodities of any website, and also a resource that some will try to leech off of you if you’re not wary. A common form that this leeching takes is hotlinking. Let’s take a look at how we can prevent hotlinking in WordPress.
What is Hotlinking?
Hotlinking, also referred to as inline or direct linking, is linking directly from one site to the file(s) of another site. The files linked to most commonly are image files. Say someone is looking for an image for their blog. They find an image they like on your website. Instead of saving the image and uploading it to their site for display, they instead just link directly to the image on your website from their blog.
An image linked properly from your site should look something like this:
An image that is hotlinked would look something like so:
Why is Hotlinking Bad?
Hotlinking amounts to theft of bandwidth. Bandwidth is the amount of data transferred from a website to an individual’s computer. The vast majority of people have a limited amount of bandwidth on their hosting plan. Go over this allotment and you’re looking at extra fees.
Devin hotlinks to an image on Kenny’s website. Now anytime someone visits Devin’s website, it takes bandwidth from Kenny to serve the hotlinked file. Devin is a jerk. Don’t be Devin. (Devin is actually one of our support ninjas, and he does not hotlink things. Sorry Devin, you’re cool but it made a great example).
How Can I Prevent Hotlinking in WordPress?
You’re going to have to do some light editing to the .htaccess file in your WordPress installation, but don’t let that turn you away. It’s really simple and we’ll walk you through it. You just need an FTP solution like FileZilla or Cyberduck to log into your server to see the files.
1) Navigate to and open your .htaccess file. It’s in the main WordPress directory folder (the following screenshot was taken from my local machine, so it will look different than when you log into your server via FTP. You can use the screenshot as reference for what other files you’ll see when you’re in the correct spot though).
2) In your .htaccess, paste the following lines of code to prevent hotlinking. Be absolutely certain that you at least read “Line 4” in the text below and adjust accordingly after you do this!
Let’s break down what each of these lines means:
- Line 1: Non-functional (commented out) text letting us know what this block of code is for.
- Line 2: Enables the hotlink prevention or redirection process.
- Line 3: Some visitors will not have an HTTP referrer for a variety of legitimate reasons. This allows those users to still view your images.
- Line 4: Allows people from your site to view the images. You need to replace the text yourwebsite.com here with your actual domain name.
- Line 5: Allows Google to still be able to display your images when needed.
- Line 6: This line is optional. You’ll see it’s written the same way as lines 4 and 5. If another website has your permission to hotlink to your images, you can grant them permission by replacing otherapprovedwebsite.com with their domain name here. Likewise, you can keep inserting copies of this line in succession to grant permission to additional sites.
- Line 7: This line creates a failed request or broken image any time a hotlink to your site is attempted.
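The seven lines described above, written out as an added example (not the original post's own code). The `(/|$)` at the end of each allowed domain is an addition that stops a lookalike host such as yourwebsite.com.example.net from matching, and the file name hotlink-placeholder.png in the commented alternative is hypothetical.

```apache
# Prevent image hotlinking (added example; the domains below are the page's placeholders)
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?otherapprovedwebsite\.com(/|$) [NC]
RewriteRule \.(jpe?g|png|gif)$ - [NC,F,L]

# Alternative to line 7: serve a replacement image instead of a 403.
# The extra RewriteCond excludes the replacement image itself; without it the
# redirected request would match the rule again and loop.
# hotlink-placeholder.png is a hypothetical file name.
# RewriteCond %{REQUEST_URI} !/hotlink-placeholder\.png$ [NC]
# RewriteRule \.(jpe?g|png|gif)$ https://yourwebsite.com/hotlink-placeholder.png [NC,R=302,L]
```

The Referer header is supplied by the client and can be omitted or forged, so these rules save bandwidth but are not access control for private files.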
Alternately, you could replace the image that they are targeting with one of your own choosing if you wanted to pull a switcharoo and shame the would-be hotlinkers. Be aware that this will still eat your bandwidth, but it’s much more fun! Just replace line 7 with the following code. You need to change it to use your own domain and image file name, of course:
That’s all there is to it. With these edits in place, you will now prevent hotlinking in WordPress. Congratulations! If you decided to go the shaming route, give them a bunny with a pancake on its head for me. Have fun, rest secure, and happy blogging!