Hotlinking & Hotlink Protection for Webmasters

Summary: In this guide, I offer an in-depth outline of hotlinking and hotlink protection strategies, emphasizing the use of .htaccess on Apache servers to protect your images, documents, and scripts. We’ll discuss the rationale and show how to implement them to better fortify your website.

An in-depth outline of hotlinking and hotlink protection strategies, emphasizing the use of .htaccess on Apache servers to protect your images, documents, and scripts.

Just Give Me the Answer

Add this rule to your .htaccess file. Don’t forget to change “” to your actual domain.


What Is Hotlinking?

Another website can use your files without your permission. In some cases, this is good. In many cases, this is bad, such as spammy, low-authority, or low-value websites using your files such as pictures, videos, PDF, Excel, or any other file type you’re using around your site.

Hotlinking involves embedding a file from one website directly into another website by linking to the file’s URL on the original server. This means that every time the external website is loaded, it uses bandwidth from the server of your website. Essentially, hotlinking allows a website to display content that is hosted on another server without having to host the file on its server.

The Essence of Hotlink Protection

Hotlinking is a prevalent issue where external sites link directly to your server’s files (like images or scripts), sapping your bandwidth and potentially impairing your site’s performance. The primary goal of hotlink protection is to curb this unauthorized resource usage.

Why Guard Your Content?

  • Conserving Bandwidth: Control linking helps prevent others from using your server’s bandwidth, helping to reduce hosting costs and speeding up your site.
  • Safeguarding Intellectual Property: It’s vital to protect unique or copyrighted content from being used without consent.
  • Security: Especially with JavaScript files, external linking can pose significant security risks.
  • Maintaining Control: Guaranteeing that changes to your site don’t affect other sites using your resources.

How Do I Find Hotlinking?

SEMRush‘s Backlink Audit Tool is a powerful tool for webmasters. It allows us to analyze the quality of backlinks and to identify external sites/pages that are directly hotlinking your content. By using the Backlink Audit Tool, we’re able to spot these hotlinks and adjust server settings accordingly.

Methods to Reduce or Prevent Hotlinking

Now that you’ve found these instances of websites backlinking or hotlinking your assets, you could do a few things to help prevent it.

  1. Futile: Contact the site owners to have the links removed. Since most of those sites are spam, reaching someone who will remove the links is a futile endeavor, so we work on this situation from different angles.
  2. Less Impressive: Finding a standalone plugin to handle hotlinking. Typically, it’s better craftsmanship to avoid jamming more plugins into the engine than necessary. Adding bloat to reduce bloat isn’t always net positive. We can handle this strategy directly in the host.
  3. Disavow: Use Google’s Disavow Tool, which allows us to explicitly tell Google which sites not to trust. While I believe it’s still a good strategy (in 2024) to audit and perform once or twice a year, Google continues to get better at discerning quality and spam referral sources.
  4. Write Rules: into your .htaccess files on your server.

If you’re using SiteGround or another host that uses Apache servers, you’ll find the .htaccess file in the File Manager in the public_html folder.

Utilizing .htaccess for Hotlink Protection

The .htaccess file is an Apache server’s cornerstone for implementing various rules, including hotlink protection. Here’s how to leverage it:

Basic Configuration

Start by activating the rewrite engine:


No, you do not need to include RewriteEngine On multiple times in your .htaccess file if it’s already present for another rule. This keeps your .htaccess file clean and efficient, avoiding redundant declarations.

Allowing Specific Domains

It’s crucial to whitelist domains like your own domain and search engines to ensure your content is indexed while blocking unwanted traffic. Search engines like Google, Bing, and Yahoo require access to your content for proper indexing and search visibility. This allows these search engines to crawl and index your site, which is vital for SEO and maintaining your online presence.

For instance:


[NC] stands for “No Case”, or case-insensitive.

Customizing Hotlink Protection for Different File Types

Adapting your protection strategy to different file types ensures good coverage, but it’s wise to consider keeping your list to the file types in use.

Common Media Files

Typically, sites need to protect image formats and documents:


[F] stands for “Forbidden”. When you apply this flag to a RewriteRule, it instructs the server to respond with a 403 Forbidden HTTP status code if the rule’s pattern is matched.

Protecting these file types is crucial as they are often the most hotlinked resources. Images, for instance, can be easily embedded on other sites, consuming your bandwidth. Similarly, documents like PDFs or Word files might contain proprietary information or content you wish to control access to.

Advanced File Types

Expanding protection to formats like 3D models and scripts is also essential:


3D models (GLB files) can be large and bandwidth-intensive. Protecting these ensures that your server resources are reserved for legitimate site visitors. Video and audio files (like MP4 and MP3) are often hotlinked for media content, which can significantly drain bandwidth. CSS and JavaScript files, while seemingly innocuous, are critical for the look and functionality of your site. Unauthorized use can lead to security vulnerabilities, intellectual property theft, and potential website performance issues.

Finetuning Your .htaccess File

The placement of rules in .htaccess is crucial for effectiveness. Ideally, these should be after RewriteEngine On and before specific rewrite rules for site functionality.

Key Practices

  • Regular Backups: Always back up your .htaccess file before modifications.
  • Rigorous Testing: Ensure your site functions correctly post-implementation.
  • Ongoing Updates: Regularly revise your .htaccess file to align with new requirements or challenges.

Deep Dive: Including CSS and JavaScript

Including CSS and JavaScript in hotlink protection isn’t immediately apparent but is significant for several reasons:

  • Security: Protects against potential exploitations and vulnerabilities.
  • Bandwidth Management: Prevents unnecessary server load and resource usage.
  • Intellectual Property Protection: Shields unique designs and functionalities.

Challenges to Anticipate

  • Legitimate Usage: Ensure APIs or widgets you provide aren’t inadvertently blocked.
  • Subdomains and CDNs: Be cautious to not block your content served through these channels.

Hotlink protection is an indispensable part of website management. By using .htaccess rules on Apache servers, you can effectively control access to your content, customizing protection as per your needs. This not only ensures a smooth and secure website operation but also safeguards your intellectual property and conserves server resources. Regular backups, thorough testing, and ongoing maintenance of your .htaccess file are crucial to adapt to evolving web technologies and maintain robust hotlink protection.

Your Final Hotlink Rules To Add Into .htaccess Might Look Something Like This