Protect Your Website’s Assets: Advanced .htaccess Techniques to Prevent Hotlinking

It never feels good to find images, videos or other media I created being served on someone else's website, draining my bandwidth without giving me any credit.

It's frustrating—especially for a site running on WordPress, where images are often the visual foundation of your content. So I looked for ways to fight back with a few .htaccess rules that lock down assets and prevent hotlinking.

Before starting, I always make a quick backup of my .htaccess file. It's a simple step, but one that can save a lot of headaches down the road if something goes off-script. After that, it's time to put on our rewrite-engineering hats.

The idea is to use Apache’s mod_rewrite to check where requests for your media files are coming from. If they’re requested from your own domain, great—serve them up with a smile. But if someone else tries to embed them, they get turned away, or better yet, served a placeholder image that makes it clear their sneaky approach won’t fly.

Here’s the snippet I’ve used on my own sites:

```apache
<IfModule mod_rewrite.c>
RewriteEngine On

# Replace 'yoursite.com' with your actual domain.
# The trailing (/|$) stops look-alike hosts such as yoursite.com.example
# from passing the check; [NC] makes the comparison case-insensitive.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yoursite\.com(/|$) [NC]

# Requests with no Referer at all (direct visits, privacy settings) are allowed.
RewriteCond %{HTTP_REFERER} !^$

# Any other request for an image file gets 403 Forbidden.
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
</IfModule>
```

Let’s break it down:

  • RewriteEngine On powers up the mod_rewrite module, making it ready to handle conditions and rules.
  • The first RewriteCond ensures that the visitor did not come from your own domain. Replace yoursite.com with the actual domain of your site. If the HTTP_REFERER doesn't match your domain, we proceed to the next condition.
  • The second RewriteCond ensures the Referer field isn't empty (some browsers or privacy-focused users don't send a referer at all, and you don't want to block them).
  • Finally, RewriteRule looks for file requests that end in .jpg, .jpeg, .png, or .gif, and when both conditions above hold, returns a 403 Forbidden response. In other words, no free ride for hotlinkers.

If you want to be extra fancy, you could swap the forbidden response for a redirect to a decoy image that says, "Stop Stealing My Images!" Replace the RewriteRule line with something like this (the extra condition exempts the decoy itself; without it the browser's follow-up request for the decoy carries the same foreign referer and gets redirected again, forever):

```apache
# Don't apply the rule to the decoy, or the redirect loops back on itself.
RewriteCond %{REQUEST_URI} !^/images/nohotlink\.jpg$ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ /images/nohotlink.jpg [NC,R=302,L]
```

Now anyone who attempts hotlinking will be served your custom image instead. It's a slightly snarky, yet effective way to let them (and their visitors) know what's up.
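To see exactly which requests the rules above accept, forbid or redirect, here is the same decision logic written out in Python, as an added example that is not part of the original post. It models both the 403 variant and the decoy-redirect variant, and includes a small client simulation that shows why the decoy must be exempt from its own rule. The domain `yoursite.com`, the decoy path `/images/nohotlink.jpg` and the sample request paths are placeholders taken from or modelled on the post, not real values.

```python
import re

# Placeholder values mirroring the .htaccess snippet (constructed, not a real site).
OWN_DOMAIN = "yoursite.com"
DECOY_PATH = "/images/nohotlink.jpg"

# RewriteRule pattern: only image extensions are protected (case-insensitive, like [NC]).
PROTECTED_EXT = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)

# First RewriteCond, inverted: referers that START with our own origin are allowed.
# The trailing (/|$) is what keeps "https://yoursite.com.evil.example/" from passing.
OWN_REFERER = re.compile(
    r"^https?://(www\.)?" + re.escape(OWN_DOMAIN) + r"(/|$)", re.IGNORECASE
)


def decide(path: str, referer: str, decoy: bool = False, exempt_decoy: bool = True) -> str:
    """Return 'serve', 'forbid' (403) or 'redirect' (302 to the decoy) for one request.

    decoy=False models the [F,L] rule; decoy=True models the R=302 variant.
    exempt_decoy=False reproduces the loop you get without the REQUEST_URI condition.
    """
    if not PROTECTED_EXT.search(path):
        return "serve"          # the RewriteRule pattern does not match, rule never fires
    if referer == "":
        return "serve"          # second RewriteCond: an empty Referer is allowed through
    if OWN_REFERER.match(referer):
        return "serve"          # first RewriteCond: request came from our own pages
    if decoy:
        if exempt_decoy and path == DECOY_PATH:
            return "serve"      # the decoy itself must be served, or nothing ever renders
        return "redirect"
    return "forbid"


def simulate_fetch(path: str, referer: str, exempt_decoy: bool = True, max_hops: int = 5):
    """Follow redirects as a browser embedding the image would, keeping the same Referer.

    Returns (final_outcome, number_of_redirects); 'loop' means the hop limit was hit.
    """
    hops = 0
    current = path
    while True:
        outcome = decide(current, referer, decoy=True, exempt_decoy=exempt_decoy)
        if outcome != "redirect":
            return outcome, hops
        hops += 1
        if hops >= max_hops:
            return "loop", hops
        current = DECOY_PATH    # Location: /images/nohotlink.jpg


if __name__ == "__main__":
    # Constructed sample requests: (path, Referer header value)
    samples = [
        ("/wp-content/uploads/photo.jpg", ""),                               # direct visit
        ("/wp-content/uploads/photo.jpg", "https://www.yoursite.com/post/"),  # own site
        ("/wp-content/uploads/photo.jpg", "https://other.example/page"),     # hotlink
        ("/wp-content/uploads/photo.JPG", "https://other.example/page"),     # upper-case ext
        ("/wp-content/uploads/photo.jpg", "https://yoursite.com.evil.example/"),  # look-alike
        ("/style.css", "https://other.example/page"),                        # not an image
    ]
    for path, ref in samples:
        print(f"{path:34} referer={ref!r:42} -> {decide(path, ref)}")
    print("decoy with exemption:   ", simulate_fetch(samples[2][0], samples[2][1]))
    print("decoy without exemption:", simulate_fetch(samples[2][0], samples[2][1], exempt_decoy=False))
```

Once the rules are live, the same cases can be checked against the real server with curl by supplying a Referer header explicitly, for example `curl -I -H 'Referer: https://other.example/' https://yoursite.com/wp-content/uploads/photo.jpg`, which should return a 403 (or a 302 to the decoy), while the same request without the `-H` option should return 200.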

Once you've added these lines, save your .htaccess file and test it. Try embedding one of your images on another domain if you have one, or request the image with a tool like cURL while sending a foreign Referer header. With a bit of luck, you'll see a "Forbidden" response or your custom image served instead of the original.

Preventing hotlinking may not be the first thing on every WordPress developer’s to-do list, but it’s one of those housekeeping tasks that pays off in the long run. You’ll protect your server’s bandwidth, maintain control of your brand, and keep your carefully curated image library available only where you want it—on your own website. Trust me, once you set this up, you’ll appreciate the peace of mind and the bandwidth savings it brings.
