
WordPress Security / 6 min read

WordPress hotlinking: what it is and 5 ways to avoid it.

WordPress hotlinking, and hotlinking in general, is almost universally despised for various reasons. It is probably one of the few things all website owners hate, even if they’re not aware of it yet.

This article will explore what hotlinking is in the WordPress environment, why people detest it, its unintended consequences, how to tell if one of your files is being hotlinked, and how to protect your site.

What is WordPress hotlinking?


Hotlinking, inline linking, or piggybacking is when a webpage on one site embeds a resource, generally an image, from another location by linking to it directly. A “hotlink” is a link embedded in one site that points to a media file hosted on the site being linked to.

It means that instead of downloading the image (assuming they have permission or the image is copyright-free) and hosting it on their own server, the hotlinker shows an image on their site that is actually provided by an external server.

To load and view the image, website visitors consume bandwidth and computing resources from the external server instead of from the server hosting the website they are currently browsing.

What are the consequences of WordPress hotlinking?

Hotlinking is very convenient for hotlinkers. It allows them to display media files (which tend to be much heavier than text) without using their server’s resources.

However, the original server hosting the image does all the heavy lifting, often without the hotlinker even crediting the source of the image. That’s just lazy and bad etiquette all around.

These are the common consequences of hotlinking.

Hotlinking costs money and website resources.


WordPress.org requires website owners to self-host their sites, meaning they must pay for a web hosting service to keep it online. A sudden surge in traffic to a specific resource on the web server can lead to the web host charging more to the website owner.

If the traffic is high enough to match or exceed the server’s bandwidth limit, the site effectively suffers a denial of service, slowing down until the spike subsides. Hotlinking can therefore cost the original website owner money and server resources without even driving traffic to their site.

Hotlinking is sometimes illegal.

Depending on the image’s licensing specifications, hotlinkers may inadvertently break copyright laws. If the image is copyrighted and you have no license to display it, the owner may technically be able to send you a cease and desist and potentially sue you if you ignore it.

Other consequences of hotlinking

  • It makes the hotlinker seem lazy, ethically questionable, and unprofessional.
  • If the original owner changes the contents of the embedded link, it will reflect in the hotlinker’s webpage, potentially leading to out-of-context images.
  • Malicious actors may use hotlinks to a trusted site during cross-site scripting (XSS) and phishing attacks.
  • When web visitors load a hotlinked image, their browser requests it from the original server. These requests usually carry an HTTP Referer header, which unintentionally leaks information about the pages being browsed to the original server.
  • If the hotlinker embeds a JavaScript file instead of a media file, the owner of the file can modify it to include malware such as keyloggers.

How to know if images from your WordPress site are being hotlinked?

You can use a Google Images search to get an idea of who might be hotlinking images from your site. First, navigate to Google Images and paste the following, filling in your domain name:

inurl:yourwebsite.com -site:yourwebsite.com

Example:

inurl:wcanvas.com -site:wcanvas.com

The “inurl:” operator filters for images whose URL contains your domain, while “-site:” excludes pages on your own domain from the results. You are looking for images hosted on your website that appear on pages in other domains.

If you don’t get any results, none of your images are being hotlinked. But if you do get results, it doesn’t immediately mean the images are being hotlinked. Inspect the source code for every image before drawing conclusions.

How to prevent others from hotlinking images from your WordPress site? 5 ways to do it.

Add instructions to your Nginx server

If your site is hosted on an Nginx server, open the server block in your Nginx configuration file and add the following snippet:

# Matches image files; ~* makes the extension match case-insensitive
location ~* \.(gif|png|jpe?g|svg)$ {
    # Allowed referrers: none (direct visit), blocked (Referer stripped by a proxy or firewall),
    # the major search engines (~ introduces a regular expression), and your own domain and its subdomains
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}

Where it says “yourdomain.com”, substitute it with your domain name.

This block essentially tells your server the following: “if you are serving a .gif, .png, .jpeg, .jpg, or .svg file, serve it only when the request has no Referer (a direct visit), the Referer was stripped by a proxy or firewall, or the Referer is Google, Bing, Yahoo, or my own domain. If the request comes from anywhere else, return a 403 Forbidden error.”

You allow the popular search engines because traffic from them is good: they direct visitors to your site rather than leeching off your server’s bandwidth.

Add instructions to your Apache server

If your site is hosted on an Apache server, you need to edit or create the .htaccess file to include the following snippet:

# Requires mod_rewrite to be enabled
RewriteEngine on
# Allow requests with no Referer (direct visits, privacy-conscious browsers)
RewriteCond %{HTTP_REFERER} !^$
# Allow your own domain; the trailing (/|$) stops lookalikes such as yourdomain.com.example
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
# Allow the major search engines
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?bing\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yahoo\.com(/|$) [NC]
# Everything else requesting an image file gets 403 Forbidden
RewriteRule \.(jpe?g|png|gif|svg)$ - [NC,F]

Where it says “yourdomain.com”, substitute it with your domain name. These rules do the same as the Nginx snippet: the first condition lets through requests with no Referer, the following ones exempt your own domain and the search engines, and the final rule returns a 403 Forbidden ([F]) for image files requested from anywhere else.
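As an added example (not code from the original article), the following Python script applies the same Referer policy that the Nginx and Apache rules above express to constructed access-log lines, so you can see which image requests would be denied and which sites are hotlinking you; it complements the Google Images check earlier in the article. The domain names, IP addresses and log lines are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache/Nginx "combined" log format; all hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/uploads/hero.jpg HTTP/1.1" 200 51234 "https://yourdomain.com/blog/post/" "Mozilla/5.0"
203.0.113.6 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/uploads/hero.jpg HTTP/1.1" 200 51234 "https://forum.example.net/thread/42" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/uploads/hero.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 9000 "https://www.google.com/search?q=x" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-content/uploads/hero.jpg HTTP/1.1" 200 51234 "https://yourdomain.com.attacker.example/" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "GET /about/ HTTP/1.1" 200 2000 "https://forum.example.net/" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:55:42 +0000] "GET /wp-content/uploads/hero.jpg HTTP/1.1" 200 51234 "https://cdn.yourdomain.com/page" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
IMAGE_RE = re.compile(r"\.(gif|png|jpe?g|svg)$", re.IGNORECASE)
OWN_DOMAIN = "yourdomain.com"          # placeholder, as in the configs above
SEARCH_ENGINES = ("google.com", "bing.com", "yahoo.com")

def referer_host(referer):
    """Lower-cased hostname of a Referer URL, or '' when it has none."""
    return (urlsplit(referer).hostname or "").lower()

def referer_allowed(referer, own=OWN_DOMAIN, engines=SEARCH_ENGINES):
    """Mirror the configs: no Referer is allowed, as are the own domain,
    its subdomains and the listed search engines. Whole labels are compared,
    so a lookalike such as yourdomain.com.attacker.example is rejected."""
    if referer in ("", "-"):
        return True
    host = referer_host(referer)
    for allowed in (own,) + tuple(engines):
        if host == allowed or host.endswith("." + allowed):
            return True
    return False

def find_hotlinks(log_text):
    """Count, per referring host, the image requests the policy would deny."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or not IMAGE_RE.search(m["path"].split("?")[0]):
            continue                       # not an image request: ignore
        if not referer_allowed(m["referer"]):
            hits[referer_host(m["referer"]) or "?"] += 1
    return hits

if __name__ == "__main__":
    for host, n in find_hotlinks(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {host}")
```

Run it against your real access log instead of SAMPLE_LOG before enabling the rules, and any legitimate referrer that shows up (a CDN, a partner site) can be added to the allow list first.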

Use a plugin

You’ll find a few hotlink blockers if you search “hotlink” in WordPress.org’s plugin library. However, most are not very popular or updated frequently. You can use one of them, but it may be better to use a security plugin with hotlinking-blocking features.

One popular plugin with this feature is All-In-One Security (AIOS) – Security and Firewall. Go to WP Security > Firewall > Prevent Hotlinks, then tick the box labelled “Check this if you want to prevent hotlinking to images on your site.”

We still recommend adding the rules directly to your server configuration, since that lets you choose which search engines and other domains to allow.

Disable right-clicking on your WordPress site


Disabling right-clicking on your website prevents others from copy-pasting text, viewing the source code, and saving images through the context menu. Keep in mind that this only deters casual copying: an image URL is still visible in the page source, so it does not by itself stop hotlinking.

The easiest way to do this is using a plugin like Disable Right Click For WP. Install it, then go to Disable Right Click for WP from your dashboard. Simply check “Yes” on Show messages on Disable Events and click on Save Settings.

Change the name of your images

If you don’t have other protections against hotlinking and find that one of your images suddenly gets high traffic, you can simply rename the image and change its location. That way, the image will no longer display on the hotlinker’s website, interrupting the traffic stream.

It works best for specific images in small sites that don’t get much traffic. Larger websites with more visitors should use the solutions mentioned above.

Conclusion

Hotlinking is considered bad etiquette because it can increase hosting costs for the original file’s owner and even temporarily bring down their site if the traffic spike is large enough.

Sometimes, it may even be a security risk for the hotlinking website’s visitors if the embedded file can run code, as when embedding JavaScript files.

Now you know what hotlinking is and how to protect your site from it moving forward.

If you found this article helpful, read our blog for more WordPress guides, tips, and tricks.