WordPress Security / 6 min read
WordPress hotlinking: what it is and 5 ways to avoid it.
WordPress hotlinking, and hotlinking in general, is almost universally despised for various reasons. It is probably one of the few things all website owners hate, even if they’re not aware of it yet.
This article will explore what hotlinking is in the WordPress environment, why people detest it, its unintended consequences, how to tell if one of your files is being hotlinked, and how to protect your site.
What is WordPress hotlinking?
Hotlinking (also called inline linking or piggybacking) is when a web page on one site embeds a resource, usually an image, that is hosted on another site by linking directly to its URL. The “hotlink” is that embedded URL: the visitor’s browser fetches the file from the server that hosts it, not from the server of the page being viewed.
It means that instead of downloading the image (assuming they have permission or the image is copyright-free) and hosting it on their own server, the hotlinker displays an image on their site that is actually served by an external server.
To load and view the image, website visitors consume bandwidth and computing resources from that external server instead of from the server hosting the website they are currently browsing.
What are the consequences of WordPress hotlinking?
Hotlinking is very convenient for hotlinkers. It allows them to display media files (which tend to be much heavier than text) without using their server’s resources.
However, the original server hosting the image will do all the heavy lifting, often without the hotlinker providing a source for the image. That’s just lazy and bad etiquette all around.
These are the common consequences of hotlinking.
Hotlinking costs money and website resources.
Self-hosted WordPress (WordPress.org) sites run on hosting that the owner pays for. A sudden surge in requests for a specific file on the web server can push the site past its hosting plan’s bandwidth quota and trigger overage charges.
If the surge is large enough to saturate the server’s bandwidth or connection limit, the site effectively suffers a denial of service, slowing down or failing until the spike subsides. Hotlinking can therefore cost the original website owner money and server resources without driving a single visitor to their site.
Hotlinking is sometimes illegal.
Depending on the image’s licensing specifications, hotlinkers may inadvertently break copyright laws. If the image is copyrighted and you have no license to display it, the owner may technically be able to send you a cease and desist and potentially sue you if you ignore it.
Other consequences of hotlinking
- It makes the hotlinker seem lazy, ethically questionable, and unprofessional.
- If the original owner changes the contents of the embedded link, it will reflect in the hotlinker’s webpage, potentially leading to out-of-context images.
- Malicious actors use hotlinks to a trusted site in phishing and cross-site scripting (XSS) campaigns: a phishing page that hotlinks the real logo and stylesheets of the brand it impersonates looks more authentic, and the victim brand’s server is what delivers the assets.
- When visitors load a hotlinked image, their browser requests it from the original server. That request usually carries an HTTP Referer header, which unintentionally leaks to the original server which pages the visitor is browsing on the hotlinker’s site.
- If the hotlinker embeds a JavaScript file instead of a media file, the owner of that file can change it at any time, including adding malware such as keyloggers that then runs on the hotlinker’s pages. Subresource Integrity (SRI) hashes on script tags let the browser refuse a file that no longer matches, but only if the hotlinker bothers to add them.
How to know if images from your WordPress site are being hotlinked?
You can use a Google Images search to get a first idea of who might be hotlinking images from your site. Open Google Images and search for the following, filling in your own domain name:
inurl:yourwebsite.com -site:yourwebsite.com
Example:
inurl:wcanvas.com -site:wcanvas.com
The “inurl:” operator restricts results to those whose URL contains your domain name (for image results, that includes the image file’s own URL), while “-site:” excludes pages hosted on your domain. You are looking for pages on other domains that display images whose URL points at your server.
If you get no results, Google has not indexed any hotlinked copies, which is not proof that none exist. If you do get results, it does not immediately mean the images are hotlinked either: the page may have re-uploaded a copy, or the match may be in a link rather than an image. Inspect the source code of every hit before drawing conclusions. The authoritative source is your web server’s access log: requests for your image files whose Referer header points at another domain are hotlinks.
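The access-log check described above, as an added example that is not part of the original article: this Python script parses lines in the Apache/Nginx “combined” log format and counts image requests whose Referer header belongs to a domain other than your own or an allow-listed search engine. The log lines, the domain yourdomain.com and the hostnames forum.example.net and google.com are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/uploads/2023/10/hero.jpg HTTP/1.1" 200 51234 "https://yourdomain.com/blog/post/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-content/uploads/2023/10/hero.jpg HTTP/1.1" 200 51234 "https://forum.example.net/thread/42" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-content/uploads/2023/10/hero.jpg HTTP/1.1" 200 51234 "https://forum.example.net/thread/42" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/uploads/2023/10/logo.png HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-content/uploads/2023/10/logo.png HTTP/1.1" 200 8120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:56:11 +0000] "GET /about/ HTTP/1.1" 200 2048 "https://forum.example.net/thread/42" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IMAGE_RE = re.compile(r"\.(?:gif|png|jpe?g|svg|webp)$", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname from the Referer field; None when the header was absent ("-" or empty)."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def host_matches(host, domain):
    """True for the domain itself and any of its subdomains."""
    return host == domain or host.endswith("." + domain)


def find_hotlinks(log_text, own_domain, allowed_domains=()):
    """Count (referer_host, path) pairs for image GETs whose Referer is neither
    empty, nor our own domain, nor one of the allowed domains (search engines)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        path = urlsplit(rec["path"]).path  # drop query strings such as ?v=2
        if not IMAGE_RE.search(path):
            continue
        host = referer_host(rec["referer"])
        if host is None or host_matches(host, own_domain):
            continue
        if any(host_matches(host, d) for d in allowed_domains):
            continue
        hits[(host, path)] += 1
    return hits


def report(hits):
    """Human-readable summary, busiest hotlinker first."""
    return [f"{n:6d}  {host}  {path}" for (host, path), n in hits.most_common()]


if __name__ == "__main__":
    found = find_hotlinks(SAMPLE_LOG, "yourdomain.com",
                          allowed_domains=("google.com", "bing.com", "yahoo.com"))
    print("\n".join(report(found)))
```

Run it against a real log with `find_hotlinks(open("access.log").read(), "yourdomain.com", ...)`. Requests with no Referer are deliberately skipped: they are direct visits, privacy-conscious browsers, or hotlinkers who strip the header, and the log alone cannot tell them apart.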
How to prevent others from hotlinking images from your WordPress site? 5 ways to do it.
Add instructions to your Nginx server
If your site is served by Nginx, add the following snippet inside the server block of your site’s Nginx configuration and reload Nginx:
location ~* \.(gif|png|jpe?g|svg)$ {
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}
Where it says “yourdomain.com”, substitute it with your domain name.
This block tells Nginx the following: “if you are serving a .gif, .png, .jpeg, .jpg, or .svg file, look at the request’s Referer header. Allow it if there is no Referer at all (none), if a proxy or firewall stripped it (blocked), if it comes from Google, Bing or Yahoo, or if it comes from my own domain or one of its subdomains. Otherwise return 403 Forbidden.” The dots in the regular expressions are escaped so that they only match literal dots, and the ~* makes the extension check case-insensitive so that HERO.JPG is covered too.
Note that the Referer header is supplied by the visitor’s browser, so it can be spoofed or simply omitted: a hotlinker who serves their page with a no-referrer policy will pass the none check. Treat this rule as a bandwidth-saving measure, not as access control for private files.
You’re allowing popular search engines because traffic from search engines is good since they’re directing traffic to you rather than leeching off your server’s bandwidth.
Add instructions to your Apache server
If your site is hosted on an Apache server with mod_rewrite enabled, edit or create the .htaccess file in your WordPress root directory and add the following snippet:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*bing\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*yahoo\.com(/|$) [NC]
RewriteRule \.(jpe?g|png|gif|svg)$ - [NC,F]
Where it says “yourdomain.com”, substitute it with your domain name. These directives do the same as the Nginx rule: the first condition lets through requests with no Referer, the next four allow your own domain and the search engines, and the final rule returns 403 Forbidden for any image request that fails all of them. The (/|$) at the end of each pattern matters: without it, a Referer such as https://yourdomain.com.attacker.example/ would also match the allow pattern, and an unescaped dot would match any character.
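Both the Nginx and the Apache rules above boil down to one decision: given the Referer header and the requested path, allow or return 403. The following Python block, added here and not part of the original article, emulates that decision so you can test it offline. It contrasts a loose pattern (unescaped dot, no end anchor) with an anchored one, and then implements the more robust approach of parsing the Referer URL and comparing hostnames. The domains yourdomain.com, forum.example.net and yourdomain.com.evil.example are constructed for the example.

```python
import re
from urllib.parse import urlsplit

IMAGE_RE = re.compile(r"\.(?:gif|png|jpe?g|svg)$", re.IGNORECASE)

# Loose pattern: this is what a rule written as
#   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
# actually matches: the dot is a wildcard and nothing anchors the end of the host.
LOOSE_OWN = re.compile(r"^https?://(www\.)?yourdomain.com", re.IGNORECASE)

# Anchored pattern: literal dots, and the host must end right after the domain.
STRICT_OWN = re.compile(r"^https?://(www\.)?yourdomain\.com(/|$)", re.IGNORECASE)


def regex_allows(referer, pattern):
    """Emulates a regex-based Referer check. An empty Referer is allowed,
    mirroring nginx 'none' / Apache's `RewriteCond %{HTTP_REFERER} !^$`."""
    if not referer:
        return True
    return pattern.match(referer) is not None


def host_allows(referer, own_domain,
                allowed_domains=("google.com", "bing.com", "yahoo.com")):
    """Host-based check: parse the Referer as a URL and compare the hostname,
    so neither look-alike hosts nor path tricks can match the allow list."""
    if not referer:
        return True  # no Referer: direct visit, privacy setting, or stripped header
    host = urlsplit(referer).hostname
    if host is None:
        return False  # malformed Referer: treat as a hotlink
    for domain in (own_domain, *allowed_domains):
        if host == domain or host.endswith("." + domain):
            return True
    return False


def respond(path, referer, own_domain="yourdomain.com"):
    """HTTP status the server would return for `path` under the host-based rule."""
    if not IMAGE_RE.search(urlsplit(path).path):
        return 200  # the rule only covers image extensions
    return 200 if host_allows(referer, own_domain) else 403


if __name__ == "__main__":
    evil = "https://yourdomain.com.evil.example/page"
    print("loose pattern allows look-alike host:", regex_allows(evil, LOOSE_OWN))
    print("anchored pattern allows it:          ", regex_allows(evil, STRICT_OWN))
    print("host check allows it:                ", host_allows(evil, "yourdomain.com"))
    print(respond("/wp-content/uploads/a.png", "https://forum.example.net/t/1"))
```

The same `none`-is-allowed behaviour that keeps direct visitors working also means a hotlinker who sends no Referer gets through; that is a property of the technique, not of any particular configuration.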
Use a plugin
You’ll find a few hotlink blockers if you search “hotlink” in WordPress.org’s plugin library. However, most are not very popular or updated frequently. You can use one of them, but it may be better to use a security plugin with hotlinking-blocking features.
One popular plugin with this feature is All-In-One Security (AIOS) – Security and Firewall. Go to WP Security > Firewall > Prevent Hotlinks to prevent image hotlinking. Then check, “Check this if you want to prevent hotlinking to images on your site.”
We still recommend editing the server configuration directly, since it lets you explicitly allow search engines and any other domains you choose.
Disable right-clicking on your WordPress site
Disabling right-clicking makes it slightly harder for casual visitors to copy text, view the page source, or save images. It does not stop hotlinking, though: a hotlinker only needs the image URL, which is visible in the page source, in the browser’s developer tools and network log, and to anyone who turns JavaScript off. Treat it as a deterrent, not a control.
The easiest way to do this is using a plugin like Disable Right Click For WP. Install it, then go to Disable Right Click for WP from your dashboard. Simply check “Yes” on Show messages on Disable Events and click on Save Settings.
Change the name of your images
If you don’t have other protections against hotlinking and find that one of your images suddenly gets high traffic, you can simply rename the image or move it to a different location and update your own posts to point at the new URL. The old URL stops resolving, the image no longer displays on the hotlinker’s website, and the traffic stream is interrupted.
It works best for specific images in small sites that don’t get much traffic. Larger websites with more visitors should use the solutions mentioned above.
Conclusion
Hotlinking is considered bad etiquette because it can increase hosting costs for the original file’s owner and even temporarily bring down their site if the traffic spike is high enough.
Sometimes, it may even be a security risk for the hotlinker website’s visitors if the embedded file can run code, like when embedding JavaScript scripts.
Now you know what hotlinking is and how to protect your site from it moving forward.
If you found this article helpful, read our blog for more WordPress guides, tips, and tricks.