How to Stop Hotlinking on a WordPress website step-by-step

By Guest Contributor on September 15, 2018

What is hotlinking?

Pirates have long since stopped looking like Johnny Depp on an old-fashioned ship. The internet houses thieves everywhere. Internet image piracy is known as “hotlinking”: it happens when a site unrelated to your own links to an image or other resource on your server without permission, while still letting you host it on the world wide web. Why is this bad? When sites don’t host their own images, your bandwidth is drained by visitors who are not coming to your site.

You can check for hotlinking by looking at the source code in the developer tools on your internet browser.

Blocking the Pirates

Like most WordPress security solutions, all you need is a simple bit of .htaccess code to block outside sources from stealing your images, videos, PDFs, and other files.

First, using an FTP client, navigate to your root folder and open your .htaccess file. (Create one if you do not see an .htaccess file in your root directory.)

Second, copy and paste the below code into the .htaccess file. Make sure it goes above any existing rules or coding.



RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?example\.com [NC]

RewriteRule \.(gif|jpe?g?|png)$ - [NC,F,L]


After pasting the coding, you need to tailor the code to your specific site.

To do that, just replace the example domain with your domain. If your TLD is not .com but something else, make sure to change that. See an example below.


So, what does this code do?

It checks to see if the referrer (the HTTP Referer header) is not empty, and then it determines whether the referrer is from your domain or not.

Finally, it checks to see if there is a request for the file types listed in the code.  In our base code, it checks for gifs, jpegs, and pngs.  This portion of the code can be altered to include any file type you want to protect from outside users. If there is a match for any of the mentioned criteria, the site stealing your resource displays a 403 Forbidden response.
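The three checks described above can be modelled in Python to see which requests the rules would refuse. This is an added example, not code from the original article: the sample requests, the `.test` host names and the stricter `OWN_SITE_STRICT` pattern are constructed assumptions. It shows that a request with no Referer header always passes, and that the article's pattern does not end the host name after `example.com`.

```python
import re

# Patterns copied from the article's .htaccess rules; [NC] maps to re.IGNORECASE.
OWN_SITE = re.compile(r"^http(s)?://([^.]+\.)?example\.com", re.I)
PROTECTED = re.compile(r"\.(gif|jpe?g?|png)$", re.I)

# Assumption (not in the article): a tighter pattern that ends the host name
# right after "example.com", so "example.com.other.test" no longer passes.
OWN_SITE_STRICT = re.compile(
    r"^https?://([^./]+\.)?example\.com(:\d+)?(/|$)", re.I)

# Constructed sample requests: (Referer header, requested path).
SAMPLES = [
    ("", "/wp-content/uploads/logo.png"),                     # no Referer sent
    ("https://www.example.com/post/", "/wp-content/uploads/logo.png"),
    ("https://blog.other.test/", "/wp-content/uploads/logo.PNG"),
    ("https://blog.other.test/", "/downloads/report.zip"),    # type not listed
    ("https://example.com.other.test/", "/wp-content/uploads/logo.png"),
]


def is_blocked(referer, path, own_site=OWN_SITE):
    """Return True when the rule set would answer 403 for this request."""
    if referer == "":                 # RewriteCond %{HTTP_REFERER} !^$ fails
        return False
    if own_site.search(referer):      # second RewriteCond fails: own domain
        return False
    return bool(PROTECTED.search(path))   # RewriteRule pattern on the path


def evaluate(samples, own_site=OWN_SITE):
    """Apply the rules to every sample and return the list of verdicts."""
    return [is_blocked(ref, path, own_site) for ref, path in samples]


if __name__ == "__main__":
    for (ref, path), a, b in zip(SAMPLES, evaluate(SAMPLES),
                                 evaluate(SAMPLES, OWN_SITE_STRICT)):
        print(f"{ref or '(empty)':35} {path:32} page={a} strict={b}")
```

Because the Referer header is supplied by the client and may be absent, these rules reduce casual hotlinking and bandwidth use rather than acting as access control.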

Tailoring to Your Site

There are a few tweaks you need to make to the code we provided to make it work for your site.  As mentioned above, the most important change you need to make is changing the example domain to your domain name and the “top level” of your domain.  The top level is your .com, .net, .biz, etc.

This is also the time to add any file extensions to your code. For example, if you want to protect Zip files as well, you go to line five and add a forward slash followed by “.zip” into the appropriate section of the code. After you have added all of your preferred extensions, save and upload the file to the server.

Checking to see if your new security measures work is easy.  All you have to do is refresh the page of the thieving website, and your browser should display a hotlink protection message.

Further customization

If you want to customize your security even further, there is a snippet of code that allows you to customize the response the pirate’s website provides when you block their hotlink.

To use this code, replace the above provided code you pasted into your .htaccess file with the code below.



RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?example\.com [NC]

RewriteCond %{REQUEST_FILENAME} !hotlink\.gif [NC]

RewriteRule \.(gif|jpe?g?|png)$ /hotlink.gif [NC,R,L]


NOTE: do not paste this under the first code; completely delete the first code and replace it!

You still need to make the same customizations to this second code as you did with the first one. Change your domain name and top-level domain. Change or add to the file extensions to include all types of resources you want to protect. Finally, replace the part of the code that says “hotlink.gif” with the file name you want to use in response to your pirates. Be sure to also include the link path to this file or image on the server.

You can use any image you want; it is a perfect opportunity to get creative, and maybe even redirect those visitors to your site instead!

That is all there is to it.  Choose your preferred code snippet and protect your resources from internet pirates.


Emin is a Los Angeles-based web designer at Amberd Web Design Studio. In his free time he enjoys writing web design related tutorials, reading books and drawing.
