Preventing people viewing images directly

Forum Rules

Helios_Multi TPoxygen11final

[swollenpickles]

I'm using wordpress and I'm wondering how I can stop people accessing my uploads folder (and its contents) directly. I was looking at my analytics and noticed a large number of people viewing an image in my uploads folder directly (must have got stumbled). How can I block that and/or redirect people requesting files from my uploads folder to my homepage?

eg. Currently people can view images directly by typing in a url like this: http://www.url.com/uploads/08/image.jpg

When anyone does that, I want them to be redirected to http://www.url.com

[amyjoanna]

I have the same problem too - for some reason people keep googling for a certain nineteenth century painting of Queen Elizabeth I and an image I've used previously is the number one search result in google images. 

As far as stopping the initial problem of people linking to and visiting your image rather than your website, I have no idea - I'd be interested to see what advice everyone else has too!

[Lani]

They could be finding the images via an image search.  Perhaps it is possible to change the folder permissions so that doesn't happen?  But I don't really understand folder permissions.

[admin]

Hrm, this is something I should have done before but never occurred to actually find a way.

Well after a quick search I find a couple of possible answers..

From an apache tutorial I got an example using the good old .htaccess file:

Here’s how I do it. First, we slap that regex down on the incoming HTTP request to gauge whether it’s a hotlinked image.
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !underscorebleach\.net [NC]
RewriteCond %{HTTP_REFERER} !bloglines\.com [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteRule (.*) /view_image.shtml?/$1 [R,NC,L]

Lines 2 through 6 allow hotlinking from my site, Bloglines, Google, and cached items. I also allow requests with a null HTTP_REFERER value to obtain the image; this occurs in the case of bookmarks, some proxies, some browser settings, some third-party privacy plugins, etc. If you try to get tricky and force users to have a referrer from your own domain, you’re likely to get yourself in trouble. Trust me.

The last line redirects users to an SHTML page. Notice that I pass the value of the REQUEST_URI as a parameter in the URL to view_image.shtml. In the source, I then use a simple SSI directive to output the image. Here is the source of view_image.shtml. (file has .txt extension but put it on your website as .shtml) [updated 9/14/05 for clarity]

A quick note about this redirection technique: You do need to actually redirect, that is, use the “R” flag on the RewriteRule. If you don’t, you’re going to feed the browser an HTML page when it’s expecting an image, and it’s liable to get confuzzled.

And voila! Now, when users link to your images, they get the image, but they also get an unavoidable little advertising pitch from you, the webmaster and payer of bandwidth bills.

There's a note in there that out-right denial can cause issues with some clients esp in the case if they're using a proxy etc.

Also from a reference manual there's also this one, but it's more for people with direct access to Apache config files.

As far as a simpler "all files in this dir need a referrer" well it's on that track but I'll see if I (or anyone else?) can refine it better.

Edit: In case you missed the first tutorial reffered to in the first link I gave, read on it here, possibly more relevant to what we're looking for here.

Here’s my anti-hotlinking .htaccess instructions:

RewriteEngine    on
RewriteCond    %{HTTP_REFERER} !^$
RewriteCond    %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?dorkytutorial\.com [NC]
RewriteRule    \.(gif|jpe?g|png)$ - [F,NC,L]

Lines 2 and 3 establish the conditions for blocking an image from being rewritten. Line 2 says, to block client loading of the image, “the referrer must be not null.” Line 3 says, to block client loading of the image, “the referrer must not come from any domain of dorkytutorial.com”—and the “NC” part makes that check not case sensitive.

Line 4 checks that the filetype is a GIF, JPEG, JPG, or PNG, and if so, sends an HTTP 403 response of FORBIDDEN to the client (that’s the “F” part on the end). Also, the “L” flag means that this is the last rule to process, so that if an HTTP request matches this rule, don’t bother stepping through any further rewrite rules in the .htaccess. This one is mostly for effiency’s sake.

[kathiemt]

Can't you just upload a blank index.htm to the uploads folder or set up a redirection order in cpanel for that folder?

[swollenpickles]

Can't you just upload a blank index.htm to the uploads folder or set up a redirection order in cpanel for that folder?

I've tried the blank index.html and it didn't seem to work. Would you need to put it in each of the sub folders of the uploads folder? For example, wordpress creates a new folder under uploads each month.

[Snoskred]

That's optional, the monthly new folder thing. You can change it if you wanted to by ticking a box in the miscellaneous screen..

In fact none of the blogs I host should be using monthly folders because it causes issues with folder permissions.

[swollenpickles]

That's optional, the monthly new folder thing. You can change it if you wanted to by ticking a box in the miscellaneous screen..

In fact none of the blogs I host should be using monthly folders because it causes issues with folder permissions.

There you go, learn something new every day. If i ticked that box now would it screw things up?

[Snoskred]

No, not as long as you leave all the images where they currently are.

I think it will start putting images in the main folder area as soon as you untick it, might be best to try it and make sure.

[swollenpickles]

No, not as long as you leave all the images where they currently are.

I think it will start putting images in the main folder area as soon as you untick it, might be best to try it and make sure.

I might trial that on one of my old crappy wordpress blogs first.
So rather than a blank html index file, could I use that file to redirect to the homepage?

[Snoskred]

Possibly. Note I am no expert on this like the Admin is. 

[MarkSBurgunder]

If your blog is hosted on a server with cPanel, than have a look in the Security Section for "Hotlink Protection". That should let you set this type of redirection up without to many hassles.

Regards
Mark

[swollenpickles]

If your blog is hosted on a server with cPanel, than have a look in the Security Section for "Hotlink Protection". That should let you set this type of redirection up without to many hassles.

Regards
Mark

Ive handled hotlink protection by editing my htaccess file. When I use the cpanel i end up getting 403 errors for some reason.

[MarkSBurgunder]

When I use the cpanel i end up getting 403 errors for some reason.

Hmm.. I just tried it on one of my own sites using cPanel and it worked without any problem.
I suggest you let your hosting provider know as they may have a misconfiguration somewhere.

You never know this might also stop you form using other features of cPanel in the future when you need them.

[swollenpickles]

I've placed blank "index.htm" files in the relevant folders and its still possible to access the images directly. Here's what my htaccess file looks like. Any more ideas?

Code:

Options +FollowSymlinks
RewriteEngine On
RewriteBase /

#here the www rule
RewriteCond %{HTTP_HOST} !^www\.swollenpickles\.com$ [NC]
RewriteRule ^(.*)$ http://www.swollenpickles.com/$1 [R=301,L]

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?swollenpickles\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

[Lani]

No ideas from me.  touching the htaccess file freaks me out.

[Anonymum]

Just looking at that file makes me break out in a sweat, so I'm not much good either I'm afraid...

[MarkSBurgunder]

Following is what cPanel has put into the .htaccess file where I have set-up Hotlink Protection:

Code:

RewriteCond %{HTTP_REFERER} !^http://3blacketst.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://3blacketst.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.3blacketst.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.3blacketst.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|JPG|JPEG|GIF|PNG|BMP)$ http://3blacketst.com [R,NC]

This actually redirects a browser to the homepage is someone is going straight to an image file.

URL for an image to try if you want:
http://3blacketst.com/IMG_0903.JPG

PS: That house is actually for sale...

[swollenpickles]

Following is what cPanel has put into the .htaccess file where I have set-up Hotlink Protection:

Code:

RewriteCond %{HTTP_REFERER} !^http://3blacketst.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://3blacketst.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.3blacketst.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.3blacketst.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|JPG|JPEG|GIF|PNG|BMP)$ http://3blacketst.com [R,NC]

Thanks Mark. I've given that code a go, so in theory, clicking this image should redirect to my homepage;
http://www.swollenpickles.com/wp-content/uploads/2007/11/logono1.jpg

so this is what i have now:

Code:

Options +FollowSymlinks
RewriteEngine On
RewriteBase /

#here the www rule
RewriteCond %{HTTP_HOST} !^www\.swollenpickles\.com$ [NC]
RewriteRule ^(.*)$ http://www.swollenpickles.com/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} !^http://swollenpickles.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://swollenpickles.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.swollenpickles.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.swollenpickles.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|JPG|JPEG|GIF|PNG|BMP)$ http://www.swollenpickles.com [R,NC]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

[MarkSBurgunder]

Hmm... That should work ...

Do you know what version of Apache is used by your web host?

[swollenpickles]

Hmm... That should work ...

Do you know what version of Apache is used by your web host?

Not sure to be honest. I'm with Hostgator right now.

So if you click this link what do you see?
http://www.swollenpickles.com/wp-content/uploads/2007/11/logono1.jpg

edit: this is bizarre, the image above no longer appears in the post. I'm buggered if I know what's happening. See if this logo displays.

http://www.swollenpickles.com/wp-content/uploads/2007/11/logono2.jpg

[swollenpickles]

Ok, had a disaster last night. Enabled hotlink protection via cpanel, and all my sites went to crap at the same time (they are hosted as "add on domains"). Not pretty. Long story short, I've gone back to what I had originally (thankfully I backed up everything on my server at the end of Jan).