A Tale of Hotlinking

For the uninitiated, “hotlinking” (also known as inline linking) is where you embed an image in a web page, but instead of that image being on the same server, the page links to an image elsewhere on the web and downloads it from there each time. Great, you might think: I don’t have to worry about storing the image on my server, and I’m not going to have lots of bandwidth problems since it’s not being retrieved from there either! Unfortunately, it doesn’t quite work like that, since it means that the person who is hosting the image has to pay for the bandwidth each time that image is downloaded from your page (i.e. each time that web page is accessed). There is also the risk that the person you’re ripping off can have some fun…

Preventing hotlinking is quite straightforward: for hosting accounts using cPanel it’s as easy as a few clicks. Alternatively, a simple addition to a directory’s .htaccess file does it (replacing yourdomain.com with your own domain):

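RewriteEngine on
# Allow requests that send no Referer at all (direct visits, privacy tools)
RewriteCond %{HTTP_REFERER} !^$
# Allow your own pages; the escaped dot and the trailing (/|$) stop lookalike hosts from matching
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
# Any other site requesting an image gets 403 Forbidden
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]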

In fact there’s a nice little web page that will generate the code for you at htaccesstools.com.

The problem begins when you start messing around with custom access in different directories so that you can share pictures across domains you own, and then forget you’ve done it. Imagine my surprise when my bandwidth had suddenly leapt by an extra gigabyte over what it usually was in the space of a couple of weeks… either I had suddenly become more popular (unlikely) or someone was stealing my bandwidth. A quick check through the access logs and I discover a page full of high resolution antique maps of the world, 60 odd images, each of them embedded by hotlinking to their owners, so that anyone accessing the page would be downloading all of them automatically (they didn’t even use thumbnails with a link). My “contribution” to this was a one and a half megabyte map which had been downloaded an individual 890 times!
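The access-log check described above can be scripted. This is an added example, not the author's own method: it assumes Apache's "combined" log format, and the log lines, addresses and the oldmaps.example and maps.example hosts are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: request line, status, bytes sent, Referer.
LINE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)"'
)
IMAGE = re.compile(r"\.(jpe?g|png|gif)(\?.*)?$", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, example domains).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2014:10:01:02 +0000] "GET /maps/world-1650.jpg HTTP/1.1" 200 1572864 "http://oldmaps.example/gallery.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2014:10:04:40 +0000] "GET /maps/world-1650.jpg HTTP/1.1" 200 1572864 "http://oldmaps.example/gallery.html" "Mozilla/5.0"',
    '192.0.2.14 - - [10/Mar/2014:10:05:11 +0000] "GET /maps/world-1650.jpg HTTP/1.1" 200 1572864 "http://www.yourdomain.com/blog/" "Mozilla/5.0"',
    '192.0.2.33 - - [10/Mar/2014:10:06:00 +0000] "GET /maps/world-1650.jpg HTTP/1.1" 200 1572864 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [10/Mar/2014:10:07:30 +0000] "GET /maps/world-1650.jpg HTTP/1.1" 304 - "http://yourdomain.com.maps.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:10:08:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://oldmaps.example/gallery.html" "Mozilla/5.0"',
]


def hotlink_report(lines, own_domain):
    """Map (referring host, image path) to [hits, bytes sent] for off-site referers."""
    own = {own_domain, "www." + own_domain}
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.match(line)
        if not m or not IMAGE.search(m["path"]):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            continue  # no Referer sent: same case the !^$ condition lets through
        try:
            # Compare the whole host name, so a host that merely starts with
            # the domain (yourdomain.com.maps.example) is still reported.
            host = (urlsplit(referer).hostname or "").rstrip(".")
        except ValueError:
            host = ""  # unparseable Referer, grouped under an empty host
        if host in own:
            continue
        entry = totals[(host, m["path"])]
        entry[0] += 1
        if m["bytes"] != "-":
            entry[1] += int(m["bytes"])
    return dict(totals)


if __name__ == "__main__":
    for (host, path), (hits, size) in sorted(hotlink_report(SAMPLE, "yourdomain.com").items()):
        print(host, path, hits, size)
```

Sorting the result by bytes sent puts the most expensive hotlinkers first.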

So, I could just add the missing code above to the .htaccess file of the directory it lived in and leave it at that, right? Well I could, but I was annoyed. No, I was angry. What a cheek! Fortunately there is the opportunity for a bit of fun, since the page hotlinking is linking to an image address, and who has control over which image resides there? In effect, they have given me complete control over the image that appears on their website (until they notice). A quick Google search reveals some rather unsavoury images that people have substituted, and while tempted, I didn’t fancy having my own website closed down for hosting inappropriate content, so I decided to be a bit more subtle.

So this is the custom image I decided to substitute:

Nice and visible, with my sentiments clearly stated. Actually, I haven’t changed the image stored at that URL since I still wanted to use the original one on my own site, so the .htaccess file substitutes it when accessed from outside the domain. This is done by replacing the relevant line above with the following (the extra condition stops the substitute image itself from being rewritten, and hotlink.jpg is assumed to sit in the site’s document root):

RewriteCond %{REQUEST_URI} !/hotlink\.jpg$
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ /hotlink.jpg [L]

A week later, it’s still on their page, so I decided on a change to something a bit more classy:

I feel a bit bad that I’m probably using a copyrighted image in there, but hey ho. If it’s still being linked to next week, I may have another rethink!

Feel free to copy and upload the images above to your own servers, but please do not hotlink to them… in any case, you know what might happen if you do!


Mathematician at the University of Warwick in the UK with research interests in equivariant bifurcation theory and applications, especially in modelling of insect locomotion. Teaching interests include online learning and innovative teaching methods. Also in a past life has been involved in summer school courses, and online material, for Gifted and Talented. He has been active on the Internet since 1995, initially through his UFO and Michael Schenker website, but now through a multitude of projects.
