Aussie Bloggers Forum
Author Topic: Tutorial: How to prevent hotlinking and bandwidth theft  (Read 2326 times)
swollenpickles
« on: January 04, 2008, 11:41:27 am »

I've been asked to knock together a post on hotlinking, and how you can prevent it from happening, and potentially even have a little fun with it along the way. I should mention up front, that I'm no expert on any of this. I did a bit of research on the subject when I found out someone had ripped off a nice chunk of my content, words and pictures, and wouldn't remove it after I'd asked them to nicely. Let's get into it.

What is hotlinking?

Hotlinking is when someone links directly to an image or file on your website. For example, if I were to use the following image tag and place it on my site, I'd be hotlinking the image from http://www.aussiebloggers.com.au so in effect, aussiebloggers.com.au would be paying for the data transfer of that image even though it would be being displayed on http://www.swollenpickles.com
Code:
<img src="http://www.aussiebloggers.com.au/forum/tp-images/Image/absml.jpg" />

Hotlinking and bandwidth theft are sometimes used interchangeably, but they are really two different things. Hotlinking is the process, and bandwidth theft is the result. Bandwidth theft is hard to describe.

One of the best ways I've heard it described is, imagine if you have electricity or gas connected to your home. You pay the bill for your usage monthly. Now imagine that your next door neighbour decides to start plugging his appliances into your electricity sockets. Now you'll be paying for your own usage plus your neighbour's. Now imagine what would happen to your bill if everyone in your state started plugging stuff into your sockets? Get the picture?

To put it another way, imagine that you had an image that was 100kb in size. Now imagine what would happen to your bandwidth if a high traffic site hotlinked that image on their homepage. Depending on your hosting plan, it could potentially eat up your bandwidth very quickly.

How did I discover someone was hotlinking my images?

In my case I discovered that someone was hotlinking my images because I received a pingback from the offending blog. When I visited that blog I discovered the owner had been busy doing a lot of cut and pasting. In other cases though, it may be possible for you to detect via reviewing your stats. Google Analytics is useful for this. If an image file is receiving a lot of views in comparison to your average pages, take a look to see where that traffic is coming from. Follow it back that way. If you know anything about server logs, that may be worth a look as well; unfortunately I know nothing!

How did I stop it?


In my case the first step was to request that the blog owner remove the image (as well as the rest of the content he/she had pinched). Obviously step one wasn't successful.

Step two. I decided to look at some alternatives, which is how I found it was possible to prevent hotlinking. Hotlinking can be prevented quite easily through modifying your .htaccess file. As with modifying anything, I'd highly recommend that you make a back up copy of your .htaccess file before you touch anything. .htaccess is a crucial file for your site, and amongst other things can be used for redirects, and rewrites, so stuffing it up is bad news.

When it comes to preventing hotlinking, there are a few ways to do it. I'll give examples of my two personal favourites.

The 403 Forbidden Error

Using this method, anyone attempting to hotlink your images will receive a 403 Forbidden Error instead. Here's the code (obviously replace 'yoursite' with your actual domain name.)

Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yoursite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]

Basically, what that is doing is opening the Rewrite Rule, and then says display the 403 error if the image request comes from anywhere other than yoursite.com.

The Swap Over method

This is my personal favourite, and the method I employed initially to get my message across to the bandwidth thief. This method can also be entertaining. Using this method, anyone attempting to hotlink to your images will be served a different image, of your choice, instead. Obviously what you serve up is only limited by your imagination, and perhaps, your sense of good taste.

Here's the code:

Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yoursite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/copthis.jpe [L]

Basically what this is doing is saying, if a site other than yoursite.com is attempting to access an image, the requested image will be replaced by copthis.jpe. Make sure you use the *.jpe extension and not *.jpeg because otherwise you'll block your replacement image as well. Another thing you need to be careful of is that if there are other sites you want to allow access to your images (eg. you might run three different blogs and want to hotlink between them or you might want the images to turn up in your feed) then you'll need to add these to the exception list. This is a mistake I made first up, before I found out I was serving a number of pictures of bull testicles to all my feed readers (all 3 of them).

Here's an example of how you add an additional site to the exception list.
Code:
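RewriteEngine On
# Allowed referers. Each test is negated (!), so the conditions are joined by
# mod_rewrite's default AND, with no OR flag: the swap applies only when the
# referer matches neither site and is not empty.
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yoursite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yoursecondsite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/copthis.jpe [L]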

Basically here, all you do is add ",OR" after the "NC" on each site you want to exclude besides the last site in the list (which you only need to keep the "NC"). So essentially you're saying allow yoursite OR yoursecondsite to access the images, but for anyone else, swap their request with copthis.jpe.

Like I said earlier, I had some fun replacing images of Audis etc. with things like this:


After a week or so, the content came down and I switched from the Swap Over method to the 403. I'd suggest that the Swap Over method is only useful if you want to have some fun with the thief, or make a point, and if you only intend to do it for a short period, because you are still serving them an image, so they are also still taking some bandwidth.

If you want to follow my three post bandwidth battle saga, here they are in chronological order:
Dealing with Bandwidth Theft
Turning up the heat on the bandwidth thief
How I stopped a bandwidth thief

The altlab website http://altlab.com/hotlinking.html was an invaluable resource! I highly recommend checking it out if you want a more intelligent description of hotlinking. They also have a tool you can use to check if people are able to hotlink your images. You can find that here:
http://altlab.com/htaccess_tutorial.html#hotlinkcheck

I apologise if there are any mistakes here. If you pick up a mistake please post it here so someone can fix it. Hope it helps someone.
Cheers
« Last Edit: January 04, 2008, 11:43:52 am by swollenpickles » Logged
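The post mentions server logs as a place to look for hotlinking. As an added example (not part of the original post), this Python sketch tallies image requests whose referer is an off-site host from Apache combined-format log lines; the log lines and the yoursite.example, scraper.example and forum.example hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"')
IMAGE = re.compile(r"\.(?:jpe?g|gif|bmp|png)$", re.IGNORECASE)  # same types as the rules

def is_own(host, own_domains):
    """True for one of our own domains or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in own_domains)

def hotlink_report(lines, own_domains):
    """Return [(referring_host, image_path, hits, bytes)], heaviest first."""
    totals = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a GET/HEAD entry in combined format
        path = m["path"].split("?", 1)[0]
        host = urlsplit(m["referer"]).hostname  # None for "-" or an empty referer
        if not IMAGE.search(path) or host is None or is_own(host, own_domains):
            continue
        hits, size = totals.get((host, path), (0, 0))
        sent = 0 if m["size"] == "-" else int(m["size"])  # "-" means no body sent
        totals[(host, path)] = (hits + 1, size + sent)
    rows = [(h, p, n, b) for (h, p), (n, b) in totals.items()]
    return sorted(rows, key=lambda r: (-r[3], -r[2], r[0], r[1]))

# Constructed sample log lines (addresses are documentation ranges).
T = "[04/Jan/2008:11:00:00 +1100]"
SAMPLE_LOG = [
    f'203.0.113.5 - - {T} "GET /images/audi.jpg HTTP/1.1" 200 102400 "http://www.yoursite.example/post-1/" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET /images/audi.jpg HTTP/1.1" 200 102400 "http://scraper.example/copied-post/" "Mozilla/5.0"',
    f'198.51.100.8 - - {T} "GET /images/audi.jpg HTTP/1.1" 200 102400 "http://scraper.example/copied-post/" "Mozilla/5.0"',
    f'198.51.100.9 - - {T} "GET /images/logo.png HTTP/1.1" 304 - "http://forum.example/thread/9" "Mozilla/5.0"',
    f'192.0.2.10 - - {T} "GET /images/audi.jpg HTTP/1.1" 200 102400 "-" "FeedReader/1.0"',
    f'192.0.2.11 - - {T} "GET /about/ HTTP/1.1" 200 5120 "http://scraper.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, path, hits, size in hotlink_report(SAMPLE_LOG, ["yoursite.example"]):
        print(f"{host:20} {path:20} hits={hits} bytes={size}")
```

Requests with no referer are left out of the report because they cannot be attributed to a site.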

macgirvin
« Reply #1 on: January 04, 2008, 12:05:52 pm »

This is a great technique, but you may wish to read the following caveats:

Be advised that preventing hotlinking as described here will also block images in your RSS/Atom feeds from showing correctly in a feedreader. Some blog platforms allow the option of providing only text excerpts or summaries in the feeds and/or turning them off entirely - so you should probably check these settings. Besides the standard feedreaders, many social sites these days import your latest entries from feeds and you may find that it isn't just the bandwidth thieves who see your replacement image.

You also may shock or offend privacy-minded individuals and millions of Symantec users who visit your site where HTTP_REFERER is blocked for personal/privacy reasons.

Electronic Communications Technologist

Mike Macgirvin - Macgirvin.com
Need a name? - NameThingy.com

Code is not poetry. Get over it.
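How the tutorial's referer conditions treat the visitors named in the caveats above, as an added example that is not part of the thread: a simplified Python model of mod_rewrite's condition chaining (conditions are ANDed by default, and an OR flag joins a condition to the next one). The referer values and the feedreader.example and scraper.example hosts are constructed.

```python
import re

OWN = r"^http://(.+\.)?yoursite\.com/"
SECOND = r"^http://(.+\.)?yoursecondsite\.com/"
EMPTY = r"^$"

# Each condition is (pattern, negated, or_next); all are negated and [NC] here.
AND_CHAIN = [(OWN, True, False), (SECOND, True, False), (EMPTY, True, False)]
OR_CHAIN = [(OWN, True, True), (SECOND, True, False), (EMPTY, True, False)]

def rule_fires(conds, referer):
    """True when the RewriteRule would apply, i.e. the image is swapped."""
    i = 0
    while i < len(conds):
        pattern, negated, or_next = conds[i]
        matched = re.search(pattern, referer, re.IGNORECASE) is not None
        ok = matched != negated
        if ok:
            # A satisfied condition also satisfies the rest of its OR group.
            while i < len(conds) - 1 and conds[i][2]:
                i += 1
            i += 1
        elif or_next:
            i += 1          # failed, but the next condition may still save it
        else:
            return False    # failed condition in an AND position
    return True

# Constructed referers: empty (stripped for privacy), own sites, a web-based
# feed reader, and a site hotlinking the image.
REFERERS = [
    "",
    "http://www.yoursite.com/post/",
    "http://yoursecondsite.com/",
    "http://feedreader.example/view",
    "http://scraper.example/copied/",
]

def decide(conds):
    """Map each sample referer to 'swap' or 'serve'."""
    return {r: "swap" if rule_fires(conds, r) else "serve" for r in REFERERS}

if __name__ == "__main__":
    for name, chain in (("AND", AND_CHAIN), ("OR on first", OR_CHAIN)):
        print(name)
        for referer, action in decide(chain).items():
            print(f"  {referer or '(empty)':35} {action}")
```

With the conditions ANDed, both own sites and empty referers are served and only the feed reader and the hotlinking site get the replacement; with an OR flag on the first negated condition, every non-empty referer gets the replacement, the site's own pages included.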
Snoskred
« Reply #2 on: January 04, 2008, 12:31:28 pm »

Thanks for putting that together, Swollen Pickles. That is some great info for people. Love your work!

Of course the other thing you can do (and the slightly simpler version for those of us scared of editing htaccess files) is simply rename the image they are hotlinking to on your space to something else, update the link on your blog to point to the new location of the image and then replace the image that they are hotlinking to with an "I'm a dirty bandwidth thief" type image. Then, when you're sick of showing the world that they are a Loser with a Capital L, you can simply delete the image from your server so they can't access it anymore.

Hotlinking is really frowned on in terms of netiquette so *never* **EVER** do it.

~ Snoskred - Life In The Country ~
~ Snoskred provides Wordpress Blog Hosting ~
~ Check out my big shiny RSS Subscribe Icons - free for all to download! ~
swollenpickles
« Reply #3 on: January 04, 2008, 01:09:46 pm »

Quote from Snoskred: "Thanks for putting that together, Swollen Pickles. That is some great info for people. Love your work!"

No worries.

Quote from Snoskred: "Hotlinking is really frowned on in terms of netiquette so *never* **EVER** do it."

A lot of people use hotlinking in forums to display images etc. which can be a problem. I've heard of people that have found out forum users had decided to use a hotlinked image as their avatar! Cheeky!

macgirvin
« Reply #4 on: January 04, 2008, 01:33:37 pm »

I recalled yet another anti-hotlinking tip I came up with a few years back but never implemented - It's a guerrilla technique more for amusement than practicality. Basically, use mod_rewrite to dynamically change the URLs of all your images from something.JPG to something-NewVirus8.0.7.EXE

While this does nothing at all to automatically stop hotlinking, no fool in his right mind is going to link to an arbitrary EXE file with the word 'virus' in the title, especially one with such a high version number. 