Most people know that stealing is wrong. But when it comes to stealing your web server’s resources and bandwidth, a lot of people either don’t care or simply don’t realize that their actions can have an adverse effect.
Of course, I’m talking about image hotlinking, not breaking into your host’s data center.
Hotlinking is where another site embeds the images hosted on your server. For example, randomblog.com might use images that are hosted on ShoutMeLoud.com.
There are a few negatives from this approach, which is why you might want to disable image hotlinking in WordPress.
In this post, I will share three different methods that you can use to turn off hotlinking on your WordPress site. While these methods will help you turn it off in general, you’ll still be able to let specific sites hotlink your images if desired.
Why You Should Consider Disabling Image Hotlinking In WordPress
When other sites hotlink your images, they drain your server’s resources and might even cost you money (if you have to pay for bandwidth). Especially if you are using a managed WordPress hosting, chances are high that you have limited bandwidth.
Even though the image is appearing on someone else’s site, your web server still needs to process that request and deliver the image to that site. If that site gets a lot of traffic, that’s going to be a lot of requests for your server to process, which might slow down your site.
Beyond that, many hosts charge based on the amount of bandwidth that you use. Hotlinking images use your bandwidth as well, so you might end up paying more so that someone else can use your images!
Some sites don’t mind – for example, some webcomics actually encourage people to hotlink images.
But unless you get some benefit from letting people hotlink your images, you’ll probably want to disable hotlinking on your WordPress site.
How To Tell If People Are Already Hotlinking Your Images
Want to see if people are already hotlinking your images? All you need to do is search for this in Google Images:
Make sure to replace “yoursite.com” with your actual domain name:
You’ll get some false positives – but it will also find locations where people have hotlinked your images.
How To Disable Image Hotlinking In WordPress With .htaccess
If you feel comfortable editing your WordPress site’s .htaccess file, it’s rather simple to disable hotlinking without the need for a plugin. This is the method that I recommend for most bloggers, though I will also cover some other ways in the forthcoming sections.
To follow this method, you’ll need to be able to either:
- Connect to your site via FTP
- Access cPanel File Manager
I will show you how it works using FTP and the free FileZilla FTP program, but the same principles apply no matter how you access your server.
Step 1: Connect To Your Server Via FTP
When you’re connected, browse to the folder for your WordPress site:
Step 2: Generate .htaccess Code Snippet
Next, use the free hotlink protection tool to generate the code snippet that you will need for the next step.
This tool lets you exclude specific sites from being blocked. You should definitely add your domain there. Beyond that, I recommend adding the popular search engines and social networks to ensure they’ll have no issues working with your images.
You can leave the rest of the fields as the defaults:
Once you’re done, click the Generate .htaccess file button at the bottom to generate the relevant code snippet. It should look something like this:
Keep this window open because you will need this code snippet in the next step.
Step 3: Edit .htaccess File And Add Code Snippet
Once you’ve successfully connected to your site, right-click on the .htaccess file in your site’s root folder and edit it. Your root folder is the same folder that contains the wp-admin folder and wp-config.php file:
Add the code snippet from the previous step to your site’s .htaccess file:
Then, make sure to save your .htaccess file and, if necessary, re-upload it to your server.
And that’s it! People will no longer be able to hotlink your images.
If desired, you can use the tool from Step 2 to automatically display a placeholder image whenever someone tries to hotlink your images. If you want to do this, I would recommend hosting that image on Dropbox or Google Drive so that you don’t waste your own server’s resources:
How To Disable Image Hotlinking In WordPress With Plugins
If you don’t want to use the .htaccess method above, some WordPress security plugins include built-in functionality to help you block hotlinking.
Again, I think the .htaccess method above is your best option, but the free All In One WP Security & Firewall plugin can also help you do it.
Once you install and activate the plugin, go to WP Security → Firewall. Then, choose the Prevent Hotlinks tab and check the box to Prevent Image Hotlinking:
How To Disable Image Hotlinking using Cloudflare
If you’re using the popular Cloudflare service as a content delivery network, it includes a built-in dashboard setting that lets you disable hotlinking. It’s called Hotlink Protection.
To enable hotlink protection in Cloudflare, go to your Cloudflare dashboard and navigate to the ScrapeShield tab:
Then, scroll down to the Hotlink Protection setting and turn it on:
If you want to allow hotlinking for certain images, you can create a separate “hotlink-ok” folder and add images that can be hotlinked there (this help article explains it). One common use of this functionality would be to let people hotlink your logo or other marketing assets.
Consider Disabling Image Hotlinking In WordPress Today
While there are some situations where you might want to let people hotlink your images, most blogs don’t get any benefit, and there are real negatives because you’re wasting your server resources powering the images for someone else’s site.
Thankfully, it’s easy to disable image hotlinking in WordPress.
For most WordPress sites, I recommend using the .htaccess method because it’s simple and it lets you allow hotlinking for certain sites (like search engines and social networks).
Otherwise, you can use a WordPress plugin, or take advantage of the built-in hotlink protection from services like Cloudflare.