How to Prevent Image Hotlinking with .htaccess Rules

Carrie Smaha
Updated on February 18, 2026

Hotlinking drains your server bandwidth when other websites embed your images directly. This guide shows you how to block hotlinked images using Apache .htaccess rewrite rules, protecting your hosting resources without affecting legitimate visitors.

What is Hotlinking?

Hotlinking happens when someone embeds your image on their website by pointing directly to your server URL rather than hosting the file themselves. For example, if another site uses this code:

```html
<img src="https://yoursite.com/images/photo.jpg" />
```

Your server delivers the image every time their page loads. Multiply that across dozens of sites and high-traffic pages, and you’ll see CPU spikes, bandwidth overages, and slower performance for your actual visitors.

Why Hotlink Protection Matters

Hotlinking creates two problems:

- Resource theft. Every hotlinked request consumes your server’s CPU, memory, and bandwidth allocation. On Shared Hosting plans, excessive hotlinking can trigger resource limit warnings or account throttling.
- Content misuse. Your images appear on other websites without attribution or permission, often in contexts you didn’t authorize.

Blocking hotlinks stops both issues while still allowing your images to load normally for your own site visitors.

Block Hotlinking with .htaccess

The most reliable method for preventing hotlinking is adding Apache mod_rewrite rules to your .htaccess file. These rules run at the server level before PHP or WordPress even loads, making them efficient and universally compatible.

Basic Hotlink Protection

This code blocks direct access to common image formats from external domains:

```apache
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?yoursite\.com/.*$ [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp|webp)$ - [F]
```

Replace yoursite.com with your actual domain.
How it works:

- RewriteEngine on enables Apache’s rewrite engine
- RewriteCond %{HTTP_REFERER} !^$ allows requests with no referrer (direct browser access)
- RewriteCond %{HTTP_REFERER} !^https://(www\.)?yoursite\.com/.*$ [NC] allows requests from your own domain
- RewriteRule \.(jpg|jpeg|gif|png|bmp|webp)$ - [F] returns a 403 Forbidden error for blocked image requests

The [NC] flag makes the domain match case-insensitive. The [F] flag sends an HTTP 403 status code.

Allow Multiple Domains

If you manage multiple sites or want to allow specific partner domains:

```apache
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?yoursite\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?partnerdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?anotherdomain\.net/.*$ [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp|webp)$ - [F]
```

Add one RewriteCond line for each domain you want to whitelist.

Redirect to a Warning Image

Instead of showing a broken image, redirect hotlinkers to a replacement image explaining the policy:

```apache
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?yoursite\.com/.*$ [NC]
# Do not rewrite the warning image itself, or the redirect loops
RewriteCond %{REQUEST_URI} !/images/hotlink-warning\.png$ [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp|webp)$ https://yoursite.com/images/hotlink-warning.png [R,L]
```

Create a simple hotlink-warning.png image with text like “This image is hosted at yoursite.com” and upload it to your /images/ directory. The [R,L] flags trigger a redirect and stop processing further rules. The REQUEST_URI condition excludes the warning image from the rule: the browser follows the redirect with the same external referrer, so without the exclusion the request for hotlink-warning.png would match the rule again and redirect to itself.

This approach maintains visual consistency on the offending site while making it clear the image belongs to you.

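The referrer conditions from the rule sets above, emulated in Python as an added example (not code from the original article) to show which requests the 403 rules let through and which they reject. The `decide` function, the `partnerdomain.com` allowlist entry and the sample requests are constructed for illustration.

```python
import re

# Allowlist patterns copied from the RewriteCond lines; [NC] maps to re.IGNORECASE.
ALLOWED_REFERERS = [
    r"^https://(www\.)?yoursite\.com/.*$",
    r"^https://(www\.)?partnerdomain\.com/.*$",
]
# RewriteRule pattern from the article. It carries no [NC], so it is case-sensitive.
PROTECTED = re.compile(r"\.(jpg|jpeg|gif|png|bmp|webp)$")


def decide(path, referer, allowed=ALLOWED_REFERERS):
    """Return the status (200 or 403) the [F] rule set yields for one request."""
    if not PROTECTED.search(path):
        return 200  # RewriteRule pattern does not match, so the rule never fires
    if referer == "":
        return 200  # "!^$" is false for an empty referrer
    if any(re.search(p, referer, re.IGNORECASE) for p in allowed):
        return 200  # a negated allowlist condition is false
    return 403      # all conditions true: [F]


# Constructed requests: (URL path, Referer header, what the case shows).
CASES = [
    ("/images/photo.jpg", "", "direct browser access"),
    ("/images/photo.jpg", "https://yoursite.com/gallery/", "own page"),
    ("/images/photo.jpg", "https://WWW.YourSite.com/", "[NC] ignores case"),
    ("/images/photo.jpg", "https://partnerdomain.com/blog/", "allowlisted partner"),
    ("/images/photo.jpg", "https://other.example/post/", "external embed"),
    ("/images/photo.jpg", "https://yoursite.com.other.example/", "look-alike host"),
    ("/images/photo.jpg", "http://yoursite.com/gallery/", "own page over http"),
    ("/images/photo.jpg", "https://shop.yoursite.com/item/", "own non-www subdomain"),
    ("/images/PHOTO.JPG", "https://other.example/post/", "uppercase extension"),
    ("/downloads/guide.pdf", "https://other.example/post/", "extension not listed"),
]


def run_cases():
    """Evaluate every constructed case and return (path, referer, status) tuples."""
    return [(path, ref, decide(path, ref)) for path, ref, _ in CASES]


if __name__ == "__main__":
    for path, ref, note in CASES:
        print(decide(path, ref), path, ref or "(none)", "-", note)
```

If uploads can carry uppercase extensions, adding NC to the RewriteRule flags ([F,NC]) covers them. Pages served over http:// or from a subdomain other than www need their own RewriteCond pattern, or their images are blocked too.
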
Redirect to a Custom Error Page

For non-image hotlinking attempts (like direct video or PDF access), send users to an HTML page:

```apache
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?yoursite\.com/.*$ [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp|webp|mp4|pdf)$ https://yoursite.com/restricted.html [R,L]
```

Where to Add .htaccess Rules

Your .htaccess file lives in your website’s root directory, typically public_html or www.

To edit via cPanel File Manager:

1. Log in to cPanel.
2. Open File Manager under the Files section.
3. Navigate to your site’s root directory.
4. Right-click .htaccess and select Edit.
5. Add the rewrite rules at the top of the file, before any existing WordPress or application rules.
6. Save changes.

To edit via SSH:

```bash
nano /home/username/public_html/.htaccess
```

Add the rules, then save with Ctrl+O and exit with Ctrl+X.

Directory-Specific Protection

To protect only certain directories (like /wp-content/uploads/ for WordPress sites), create or edit the .htaccess file in that specific folder:

```bash
nano /home/username/public_html/wp-content/uploads/.htaccess
```

This narrows protection to uploaded media files without affecting theme images or other assets.

Testing Your Configuration

After adding rules, verify they work:

1. Test from your own site. Images should load normally when viewing your pages.
2. Test direct browser access. Navigate to an image URL directly (like https://yoursite.com/images/photo.jpg). This should still work because the referrer is empty.
3. Test external embedding. Create a test HTML file on another domain with an <img> tag pointing to your image. The image should either break (with 403 rules) or show your replacement image (with redirect rules).

Check your Apache error logs for any issues. Blocked requests appear with 403 status codes.

Performance Impact

Hotlink protection rules execute before PHP, so they add minimal overhead.
On WordPress Hosting or VPS plans with thousands of images, you’ll actually improve performance by reducing unauthorized bandwidth consumption.

If you notice any slowdown, confirm mod_rewrite is enabled. On InMotion VPS and Dedicated Servers, this module loads by default. On other hosting environments, contact Support if rewrites aren’t processing.

When to Use Hotlink Protection

Implement these rules if:

- Your bandwidth usage suddenly spikes without traffic increases
- Server monitoring shows high I/O for the /images/ or /uploads/ directory
- You discover your images embedded on scraper sites or content farms
- You’re approaching bandwidth limits on Shared Hosting

Skip hotlink protection if:

- Your images are meant to be shared (infographics, charts, public resources)
- You use a CDN that handles delivery separately (the CDN manages this at the edge)
- Your site receives minimal traffic and bandwidth isn’t a concern

For high-traffic sites or ecommerce stores where image delivery affects performance, hotlink protection is a straightforward way to reclaim server resources without impacting your actual customers.

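To check for the symptoms listed under "When to Use Hotlink Protection", and to see blocked requests once the rules are live, the following added example (not part of the original article) totals image requests per external referrer host from an access log. It assumes Apache's combined log format; the log lines, `OWN_HOSTS` and `hotlink_report` are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)"'
)
IMAGE_RE = re.compile(r"\.(jpg|jpeg|gif|png|bmp|webp)$", re.IGNORECASE)
OWN_HOSTS = {"yoursite.com", "www.yoursite.com"}  # assumption: the article's placeholder domain

# Constructed sample lines; the last one shows a request blocked after the rules went live.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2026:10:00:01 +0000] "GET /images/photo.jpg HTTP/1.1" 200 48211 "https://yoursite.com/gallery/" "Mozilla/5.0"
203.0.113.6 - - [18/Feb/2026:10:00:02 +0000] "GET /images/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2026:10:00:03 +0000] "GET /images/photo.jpg HTTP/1.1" 200 48211 "https://scraper.example/post/1" "Mozilla/5.0"
198.51.100.8 - - [18/Feb/2026:10:00:04 +0000] "GET /wp-content/uploads/banner.png HTTP/1.1" 200 120000 "https://scraper.example/post/2" "Mozilla/5.0"
198.51.100.9 - - [18/Feb/2026:10:00:05 +0000] "GET /images/photo.jpg HTTP/1.1" 200 48211 "https://forum.example/thread/9" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2026:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 5000 "https://scraper.example/post/1" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2026:11:30:00 +0000] "GET /images/photo.jpg HTTP/1.1" 403 199 "https://scraper.example/post/1" "Mozilla/5.0"
"""


def hotlink_report(log_text, own_hosts=OWN_HOSTS):
    """Return [(referrer_host, requests, bytes_sent, blocked_403)], largest bytes first."""
    stats = defaultdict(lambda: [0, 0, 0])
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a GET/HEAD line in combined format
        path = urlsplit(m["path"]).path               # drop any query string
        host = urlsplit(m["referer"]).hostname or ""  # "-" (no referrer) gives ""
        if not IMAGE_RE.search(path) or not host or host in own_hosts:
            continue  # not an image, direct access, or one of our own pages
        entry = stats[host]
        entry[0] += 1
        entry[1] += 0 if m["bytes"] == "-" else int(m["bytes"])
        entry[2] += m["status"] == "403"
    return sorted(((h, *v) for h, v in stats.items()), key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for host, requests, sent, blocked in hotlink_report(SAMPLE_LOG):
        print(f"{host:20} requests={requests} bytes={sent} blocked_403={blocked}")
```
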