How to prevent Hotlink bandwidth theft

How to Prevent Hotlinking and Stop Bandwidth Theft? Hotlink protection prevents other websites from embedding or directly linking to images, videos, or media files hosted on your site. When another site hotlinks your files, every visitor to that page causes your server to deliver those assets. That costs you bandwidth, processing power, and sometimes money.

prevent hotlinking bandwidth theft
Hotlink protection warning on screen

This practice is often called bandwidth theft. The remote site looks fast and complete, while your server quietly does the work.
Hotlinking can:

  • Increase server load
  • Slow down your own site
  • Inflate bandwidth usage
  • Cause unexpected hosting costs
  • Let other sites profit from your work

Fortunately, it is easy to stop.

What is Hotlinking?

Hotlinking, also known as inline linking or direct linking, occurs when a website embeds media from another site by pointing directly to the original file URL. Instead of downloading and hosting the image themselves, they use your server as their content delivery system. Their visitors never visit your site, yet your server pays the price.

Hotlink protection blocks this behavior by checking the referring domain. If the request does not originate from your site, the file is denied or replaced.

no hotlink protection

Preventing Hotlinking on Apache (.htaccess)

This method works on Apache based servers and most shared hosting plans.

  1. Download nohotlink.zip.
  2. Extract the files .htaccess and nolink.webp.
  3. Open .htaccess in a text editor and replace YOURWEBSITE.com with your domain.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YOURWEBSITE.com/.*$ [NC]
RewriteRule \.(jpg|jpeg|png|gif|webp|zip|rar)$ /nolink.webp [R,L]

For example:

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?lancelhoff.com/.*$ [NC]
  1. Save the file.
  2. Upload .htaccess to the directory containing the files you want to protect.
  3. Upload nolink.webp to your site root.

Now, when another site attempts to hotlink your images, their visitors will see the replacement image instead.

Preventing Hotlinking on Nginx

Nginx does not use .htaccess. Hotlink protection is configured directly in the server block.

Add the following inside your server block:

location ~* \.(jpg|jpeg|png|gif|webp|zip|rar)$ {
    valid_referers none blocked lancelhoff.com *.lancelhoff.com;
    if ($invalid_referer) {
        return 302 /nolink.webp;
    }
}

Replace lancelhoff.com with your domain.

Then place nolink.webp in your site root and reload Nginx:

sudo nginx -s reload

This accomplishes the same thing as the Apache rule, blocking requests that originate from other domains.

What About CDNs and Caching?

If you use Cloudflare or another CDN, you can often enable hotlink protection from their dashboard. Server side rules still work, but CDN level protection may reduce load even further. Many CDNs also allow you to whitelist domains and return a custom image or error page.

Final Thoughts

Hotlinking is one of those problems you do not notice until it becomes expensive. A single viral image can drain gigabytes of bandwidth overnight.

With one small rule, you can:

  • Protect your resources
  • Preserve performance
  • Control how your media is used
  • Educate others through a replacement image

Whether you run Apache or Nginx, hotlink protection is a simple, smart safeguard that every site owner should consider.

By Lance, Simple Solutions Provider | 3 min read
Similar Windows Help