What is Hotlinking and How to Prevent it in Joomla - JoomShaper

What is Hotlinking and How to Prevent it in Joomla

18 October 2019

Hotlinking takes place when someone embeds content (mostly images, music, videos, and documents) from your site in another site using the direct file URL. In effect, the other site steals your bandwidth and generates unnecessary hits on your website, consuming your hosting resources. Hotlink protection prevents this by blocking other websites from linking directly to files on your Joomla website.

Why Hotlinking is Bad

Hotlinking is a serious problem for many Joomla sites, especially those that contain a lot of images, including images inside articles. It is a bad practice because:

  • It steals your hosting bandwidth (account resources) and costs the site owner money
  • It may also impact your site’s performance
  • It is unethical and in most cases illegal, unless explicit permission is granted
  • It can be used as a common cyber-attack aimed at exhausting the bandwidth of the targeted website

Fortunately, there are a few methods you can use to prevent this issue. Blocking hotlinked content won’t hurt your site's SEO, but it does need to be set up correctly.

How do I Know if Someone is Hotlinking to My Site?

The best place to check for hotlinking is your web host's web stats page. Have you noticed unusually high bandwidth usage (not traffic) there in the last few days or weeks? If so, this may indicate that someone is stealing your content.

The second method uses the Google image search tool. All you have to do is type url:domain.com -site:domain.com in the search box.

Replace domain.com with your real domain name. This will show you all images that are hosted on your site but also appear on other sites. To be 100% sure, though, you have to investigate and check several image links, because Google shows different results.
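If you have access to the raw access log rather than only the stats page, the same check can be scripted. The following is an added example, not part of the original article: it sums the bytes served for media files per external referrer host. It assumes the Apache/NGINX "combined" log format; the domain, the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_DOMAIN = "yoursite.com"  # assumption: replace with your real domain
MEDIA = re.compile(r"\.(jpg|jpeg|png|gif|svg|mp4|mp3|pdf)$", re.I)
# Apache/NGINX "combined" access log format
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)

def is_own_host(host):
    """True for the site itself and its subdomains, not for look-alike hosts."""
    host = host.lower().rstrip(".")
    return host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN)

def hotlink_bandwidth(lines):
    """Sum bytes served for media files, grouped by external referrer host."""
    totals = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] not in ("200", "206"):
            continue                      # unparsable, blocked or failed request
        if not MEDIA.search(urlsplit(m["path"]).path):
            continue                      # not one of the media file types
        host = urlsplit(m["referer"]).hostname
        if host is None or is_own_host(host):
            continue                      # blank referrer ("-") or your own pages
        totals[host] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return totals

# Constructed sample log lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2019:10:00:01 +0000] "GET /images/photo.jpg HTTP/1.1" 200 512000 "https://forum.example/thread/1" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Oct/2019:10:00:02 +0000] "GET /images/photo.jpg HTTP/1.1" 200 512000 "https://forum.example/thread/1" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Oct/2019:10:00:03 +0000] "GET /images/photo.jpg HTTP/1.1" 200 512000 "https://www.yoursite.com/blog/post" "Mozilla/5.0"',
    '198.51.100.8 - - [18/Oct/2019:10:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [18/Oct/2019:10:00:05 +0000] "GET /media/clip.mp4 HTTP/1.1" 206 1048576 "http://blog.example/page" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2019:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 9000 "https://forum.example/thread/1" "Mozilla/5.0"',
    '192.0.2.44 - - [18/Oct/2019:10:00:07 +0000] "GET /images/photo.jpg?v=2 HTTP/1.1" 200 512000 "https://yoursite.com.blog.example/p" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, size in hotlink_bandwidth(SAMPLE_LOG).most_common():
        print(f"{host:30} {size / 1024:10.1f} KiB")
```

Hosts at the top of the output are the ones worth opening in a browser to confirm that they embed your files.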


How to Prevent Hotlinking in Joomla

Whether or not any of your website's media resources have been hotlinked, you can take preventive measures at any time. Hotlink protection can be a valuable way to keep your content and hosting account safe. Unfortunately, Joomla does not have a built-in option that protects against hotlinking, so use one of the options below.

cPanel - Hotlink Protection Option

If you use cPanel, you can find the Hotlink Protection feature in its Security section. Open it and configure the protection.


To block direct access to files of specific types, add those file extensions to the Block direct access for the following extensions text box. For example, to block all .jpg images, add .jpg to the Block direct access for the following extensions text box.


You can configure Hotlink Protection to allow access from the URLs you choose, so that those URLs can link to your files directly. Additionally, you may redirect all blocked requests to a specific URL, for example, one that serves a warning image.

Notice! When you disable hotlinks, make certain that you allow hotlinks for any necessary domains. For example, your website's subdomains and the URL that you use to access your cPanel account.

Enable Hotlink Protection on Apache

If your Joomla site is running on an Apache server, all you need to do is open the .htaccess file in your site’s root directory (or rename the htaccess.txt file shipped with Joomla to .htaccess first) and add the following lines after RewriteEngine On:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yoursite\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?bing\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yahoo\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif|svg|mp4|mp3|pdf)$ - [NC,F,L]

A brief explanation of the used rules:

  • The 1st line allows blank referrers. You will most likely want to enable this, as some visitors use a firewall or antivirus program that deletes the page referrer information sent by the web browser. If you don’t allow blank referrers, you could disable all of your images for those users.
  • The 2nd line defines the allowed referrer, that is, the site that is allowed to link to the image directly. This should be your website (replace yoursite.com above with your real domain).
  • Lines 3-5 add search engines to the allowed list because you don’t want to block crawlers such as the Google, Yahoo and Bing bots. Blocking them could prevent your images from showing up and being indexed in Google image search. You can also add your local search engine here, such as baidu.com.
  • The last line defines the file extensions you decided to protect.

The code above will produce a 403 Forbidden error instead of the requested image, PDF or video unless the file is requested from yoursite.com.

If you want to, you can serve alternate content when hotlinking is detected. To generate more complex rules, take a look at this htaccess hotlink protection generator.
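Before deploying referrer rules like these, it helps to check which requests they would block. The following is an added example, not part of the original article: it models the RewriteCond chain above in Python and compares an allowed-host pattern that stops right after the domain name with one that is anchored by (/|$). The function names and the sample requests are constructed for illustration.

```python
import re

PROTECTED = re.compile(r"\.(jpg|jpeg|png|gif|svg|mp4|mp3|pdf)$", re.I)
ALLOWED_HOSTS = ["yoursite.com", "google.com", "bing.com", "yahoo.com"]

def allow_patterns(anchored):
    """Build one allow pattern per host, like the negated RewriteCond lines."""
    tail = r"(/|$)" if anchored else ""   # anchored: host must end at "/" or end of string
    return [re.compile(r"^https?://(www\.)?" + re.escape(h) + tail, re.I)
            for h in ALLOWED_HOSTS]

def decide(path, referer, patterns):
    """Return the status the rule set would produce for one request."""
    if not PROTECTED.search(path):
        return 200                        # RewriteRule pattern does not match
    if referer == "":
        return 200                        # "!^$" is false, so the rule is skipped
    if any(p.search(referer) for p in patterns):
        return 200                        # an allowed referrer makes its "!" condition false
    return 403                            # every condition true: [F] applies

# Constructed requests: (path, Referer header value)
CASES = [
    ("/images/a.jpg", ""),
    ("/images/a.jpg", "https://www.yoursite.com/article"),
    ("/images/A.JPG", "https://yoursite.com"),
    ("/images/a.jpg", "https://forum.example/thread/1"),
    ("/images/a.jpg", "https://yoursite.com.forum.example/thread/1"),
    ("/index.php", "https://forum.example/thread/1"),
]

def compare(cases=CASES):
    """Return (path, referer, unanchored_status, anchored_status) per case."""
    loose, strict = allow_patterns(False), allow_patterns(True)
    return [(p, r, decide(p, r, loose), decide(p, r, strict)) for p, r in cases]

if __name__ == "__main__":
    for path, referer, loose, strict in compare():
        print(f"{path:16} {referer or '(blank)':45} unanchored={loose} anchored={strict}")
```

Only the look-alike host differs between the two columns, which is why the allowed-domain pattern should end with (/|$). The Referer header is supplied by the client, so these rules limit casual embedding rather than authenticate requests.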

Prevent Image Hotlinking in NGINX Server

Copy the code snippet below and paste it into your NGINX config file.

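location ~ \.(gif|png|jpeg|jpg|svg)$ {
    # "none" allows a missing Referer header; "blocked" allows one stripped by a firewall or proxy
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yoursite.com *.yoursite.com;
    # $invalid_referer is set when the Referer matches none of the values above
    if ($invalid_referer) {
        return 403;
    }
}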

* yoursite.com must be replaced with your real domain name.

If you use any other webserver, please check their documentation.

Conclusion

Hotlinking is a harmful practice that might cause several problems such as bandwidth and asset theft. Preventing hotlinking is an easy task, and you don't need any Joomla plugin. So there is no reason to postpone this task. Please share your ideas with us in the comments section. And stay with us for more useful tips & tricks! 

Mo Ahmed
4 years ago
That's pretty cool; you can also do it from within Cloudflare if you have it enabled via Scrape Shield:

[img]https://imgur.com/bfgHkCT[/img]
Paul Frankowski
4 years ago
Thanks for the tip.
Dave Bishop
4 years ago
Admin Tools Pro does this. :)
Paul Frankowski
4 years ago
Indeed, but PRO is a commercial version only.
Mark Simon
4 years ago
But I have a question: if I use the Facebook scraper to pull images from my website so that when I type my URL into a post it makes the post image on Facebook a link to my website. If I prevent hotlinking, won't that also block the Facebook scraper and sabotage my attempt to place linkable images into my FB posts?
Paul Frankowski
4 years ago
You can add Facebook to RewriteCond if htaccess is used; about cPanel settings, ask hosting support.
Anyway, just make tests.
parviz Homayun
4 years ago
Hi All...
Hello Dear Paul, Thank you so much for Helpful Article and Great job!.
Hopefully you will learn more about Better security and protection Joomla!.
You and the team of Joomshaper are Number one and the best.
...
All the best...
Paul Frankowski
4 years ago
Thanks. These kinds of tips are for the global Joomla Community, not only our customers. I hope you use at least our Helix template.
parviz Homayun
4 years ago
However, your tips & tutorials are not unrelated to your creative frameworks,
yes of course I'm a newbie in joomshaper and downloaded the Helix Ultimate template and liked it very much... I'm Kurdish and live in the western area of Iran... my language is Kurdish and Persian (RTL Languages Group with fa-IR & ckb-IQ)...
Helix framework is very comfortable and flexible with RTL Languages. Thanks to the JoomShaper Team for the great idea & great framework...
I wish you and your Team more success...
Paul Frankowski
4 years ago
Maybe create a blog in Kurdish and Persian language for your local webmaster's community. Good comes back.
parviz Homayun
4 years ago
I liked it, and I'm ready for any cooperation... Also for translating your templates and other extensions with Sample Data into the Persian & Kurdish languages, if you want...
Frank Maurits
4 years ago
I've already shielded my /administrator url and disabled right-click, but this is a cool supplement to that, thanks for the tip! My site is completely my own work (except the Helix framework and Travelia template of course), so all images, videos and texts are my own. I really want to keep them my own :)

regards, Frank
Paul Frankowski
4 years ago
Big Thanks. Consider using a watermark for selected photos, in most cases, it's a good padlock for photo thieves.
Frank Maurits
4 years ago
Thanks for thinking along with me :) Yes I have considered that but have mixed feelings about it. But I do believe in making it as hard as possible to just have them copied.
John
4 years ago
This is great but how do you switch this on but still allow facebook, LinkedIn, twitter etc and google web crawler or MyBusiness to use images, with hotlink protection enabled you lose the ability for them to crawl your link and get the images from them
Paul Frankowski
4 years ago
crawl =/= steal photo
read the comment above about FB.
Michael Van Gulik
4 years ago
Hi now, as I was reading this article it started to directly correlate with what I was researching, just not in a good way. For example, I couldn't even find some information on why some hotlinks that I would obtain in Google wouldn't load in any other web browser, like for example both Bing and Yahoo.

You see, when I build I learn, I don't just continue on building and not listen to anything that I see and learn, and this directly ties into what I have read on this blog (as I couldn't find any information for why my hot links from Google wouldn't work in both Bing and Yahoo) because although there are 4.3 online they still don't understand affiliate marketing.

So my question here is who are we talking to, prospect bloggers, website owners, or newcomers who don't even know how to write an article, because whoever runs a blog I'm pretty sure isn't going to care about hotlinking just as I don't. The way you said it can ruin "Your Server" I mean if it could do that there would be problems with everyone's website and I'm sure they would be able to stop hotlinking altogether.

Peace be with you
Paul Frankowski
4 years ago
Thanks, I think you should start your own blog.
