
.htaccess - Blocking hotlinking from a single domain/referrer

Recently we had a problem with someone 'hotlinking'¹ to a single 66kb image from the site. As he was using the image for his 'logo' on a forum, every post he added caused more hits. Then we had an adult site link to an image of a house and cause a HUGE bandwidth hit.

The image was pulling around 100 impressions per day from the forum and was being, irritatingly, squashed into a 50px square - annoying bandwidth leeching from us and probably extremely annoying for anyone trying to read the forum on a slow connection. A mail we sent him asking that he stop using the image was ignored, and so we had to find another solution.

A little searching pointed to the .htaccess file available on Apache servers as the solution: one of the many things you can do with .htaccess is redirect or block file requests. All of the examples that I found on how to stop bandwidth leeching and hotlinking provided example code to block all externally referred images and explicitly allow permitted sites. This doesn't quite suit our needs - images are fairly frequently linked to from forum postings or included in emails etc. We didn't want to block those for a few reasons: it's great to see people enjoying the images; the postings cause a spike in requests but taper to almost nothing 3-4 days after the posting; and sometimes we learn things from the postings.

Hotlinking is in many ways a useful feature of the web, and it would be a shame to kill it entirely. To help anyone else in the same situation with the same opinion, the code below will block requests referred from a single domain.

Paste the code below into the .htaccess file in either your root directory or the directory with the hotlinking problem:

	RewriteEngine on
	# Match http or https referrers from the one problem site (dots escaped so they match literally)
	RewriteCond %{HTTP_REFERER} ^https?://www\.evil-hotlinking-domain\.com/ [NC]
	# Answer any .jpg request from that referrer with 403 Forbidden
	RewriteRule .*\.jpg$ - [F]

and then change www.evil-hotlinking-domain.com to whatever the problem referrer is.

Brief explanation - The RewriteCond line checks whether the referrer begins with 'http://www.evil-hotlinking-domain.com/' or its https equivalent (the ^ anchors the match to the start of the referrer and the [NC] makes the comparison case insensitive). The RewriteRule line answers any jpg request from the above referrer with 403 Forbidden.

This code will send a '403 Forbidden' code back to the requesting client. It is possible to redirect the request to a different image instead, but that is not something we have done yet. However, 3 weeks after putting the block in place the requests from the forum are still coming in and being sent away with a 403. It's a pain to see them all in the log files, and sending the 403 still uses bandwidth - though not nearly so much. I just hope that some day soon the offender clears his cache and notices the black square with the red cross in it on all of his posts...

Here is the redirecting code:

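	RewriteEngine on
	RewriteCond %{HTTP_REFERER} ^https?://www\.evil-hotlinking-domain\.com/ [NC]
	# Skip the replacement image itself, otherwise the redirect loops
	RewriteCond %{REQUEST_URI} !/goaway\.jpg$ [NC]
	RewriteRule \.jpg$ http://www.your-domain-name.com/goaway.jpg [R,L]

In this case you need to replace www.evil-hotlinking-domain.com with the offending referrer and www.your-domain-name.com/goaway.jpg with your website address and the path to the replacement image. The extra RewriteCond excludes the replacement image from the rule: the browser's follow-up request for goaway.jpg still carries the offending referrer, so without the exclusion it would be redirected to itself over and over. This solution will use bandwidth at a higher rate than returning the 403, no matter how small you make the image you redirect to (unless you have a huge custom 403). Could be a lot more fun though }-)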

NOTE: you need to check with your own hosting provider to see what level of .htaccess support they provide - sometimes it is limited to only ErrorDocuments or is disallowed entirely.
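
One way to find the problem referrer and to see what it costs before and after the block, as an added example that is not part of the original article: this Python script tallies image hits, bytes sent and 403 responses per external referrer host. It assumes the server writes Apache's "combined" log format; the sample log lines, forum.example.org and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$')
IMAGE_RE = re.compile(r'\.(?:jpe?g|png|gif)(?:\?.*)?$', re.IGNORECASE)

# Constructed sample log lines (not taken from a real server)
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /trips/house.jpg HTTP/1.1" 200 67584 "http://www.evil-hotlinking-domain.com/forum/thread/12" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /trips/house.jpg HTTP/1.1" 200 67584 "http://WWW.Evil-Hotlinking-Domain.com/forum/thread/15" "Mozilla/5.0"
203.0.113.9 - - [02/Jan/2024:09:12:44 +0000] "GET /trips/house.jpg HTTP/1.1" 403 512 "http://www.evil-hotlinking-domain.com/forum/thread/15" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2024:09:15:02 +0000] "GET /trips/house.jpg HTTP/1.1" 200 67584 "http://forum.example.org/post/88" "Mozilla/5.0"
198.51.100.8 - - [02/Jan/2024:09:16:30 +0000] "GET /trips/house.jpg HTTP/1.1" 200 67584 "http://www.your-domain-name.com/trips/" "Mozilla/5.0"
198.51.100.8 - - [02/Jan/2024:09:17:10 +0000] "GET /trips/house.jpg HTTP/1.1" 200 67584 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2024:09:18:55 +0000] "GET /trips/index.html HTTP/1.1" 200 4096 "http://www.evil-hotlinking-domain.com/forum/thread/12" "Mozilla/5.0"
"""

def hotlink_report(lines, own_hosts):
    """Return {referrer_host: {"hits", "bytes", "blocked"}} for externally referred images."""
    own = {h.lower() for h in own_hosts}
    report = defaultdict(lambda: {"hits": 0, "bytes": 0, "blocked": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not IMAGE_RE.search(m["path"]):
            continue  # unparseable line or not an image request
        try:
            host = (urlsplit(m["referer"]).hostname or "").lower()
        except ValueError:
            continue  # malformed referrer; the header is client-controlled
        if not host or host in own:
            continue  # no referrer (email, direct visit) or one of our own pages
        row = report[host]
        row["hits"] += 1
        row["bytes"] += 0 if m["bytes"] == "-" else int(m["bytes"])
        if m["status"] == "403":
            row["blocked"] += 1  # request already rejected by the .htaccess rule
    return dict(report)

def worst_offenders(report):
    """Referrer hosts sorted by bytes served, largest first."""
    return sorted(report.items(), key=lambda kv: kv[1]["bytes"], reverse=True)

if __name__ == "__main__":
    found = hotlink_report(SAMPLE_LOG.splitlines(), {"www.your-domain-name.com"})
    for host, row in worst_offenders(found):
        print(host, row)
```

To run it against a real log, pass the open log file in place of `SAMPLE_LOG.splitlines()` and list every hostname your own site answers to in `own_hosts`.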

¹Hotlinking
An external site inserting images/text inline from your site, normally without permission or attribution. This uses your bandwidth ('bandwidth leeching') and steals your work.

Useful external links: