Stop Hotlinking with htaccess in WordPress

I didn’t store any images on my site before, because I didn’t want to see any of my bandwidth consumed by others hotlinking my files. Even when I started to use magazine-style themes, which require a lot of images, I didn’t upload images here.

Everything changed when I found a script called timthumb by Darren Hoyt. You can use this script to display a custom-field image at whatever size you want. The only constraint of the script is that you have to upload your own images or it won’t work. It is so convenient that I decided to obey the rule.

Then the hotlinking protection problem came into sight. Most online articles explain how to add some rewrite rules to your .htaccess file to stop hotlinking, but they don’t take WordPress into account, nor do they explain what the rules mean. Since WordPress also uses the .htaccess file to make permalinks work, if you don’t put those rules in the proper order, either the protection doesn’t function or the permalinks are not reachable.

So, if you happen to run into the same problem as I did, let’s figure it out now. Here’s how: simply put the lines below into your .htaccess file and everything is under control. I’ll explain the rules afterwards.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?ralphdunn\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress


  1. The line “RewriteCond %{HTTP_REFERER} !^$” means allow empty referrers, that is, an image can still be shown by opening its link directly in the address bar.
  2. The line “RewriteCond %{HTTP_REFERER} !^http://(.+\.)?ralphdunn\.com/ [NC]” matches any request whose referrer is not a URL on your own site (a subdomain of your site counts as your own). Just replace “ralphdunn” with your own domain name.
  3. The line “RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]” matches any file ending with the extension jpeg, jpg, gif, bmp, or png. When the two conditions above hold, a 403 Forbidden error code is returned instead of the image.
  4. The rest of the lines are what makes permalinks work.
  5. “NC” in square brackets means Not Case-sensitive, while “F” means 403 Forbidden.
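To see what the block above actually does to a request, here is a small simulation of the rule evaluation, added here as an example and not part of the original post or of WordPress. It applies the two RewriteConds and the image RewriteRule first, then the WordPress catch-all, exactly in the order given, to a handful of constructed requests. The file and directory lists are constructed stand-ins for the web root; the referrer regex is copied from the .htaccess line, and the domain ralphdunn.com is the one used on this page.

```python
import re

# Constructed stand-in for the web root: only these paths "exist" (the -f / -d checks).
EXISTING_FILES = {
    "/wp-content/uploads/photo.jpg",
    "/wp-content/uploads/photo.JPG",
    "/robots.txt",
}
EXISTING_DIRS = {"/wp-content", "/wp-content/uploads"}

# RewriteCond %{HTTP_REFERER} !^http://(.+\.)?ralphdunn\.com/ [NC]  ([NC] -> IGNORECASE)
OWN_REFERER = re.compile(r"^http://(.+\.)?ralphdunn\.com/", re.IGNORECASE)

# RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]   (no [NC], so this one is case-sensitive)
IMAGE_RULE = re.compile(r".*\.(jpe?g|gif|bmp|png)$")


def apply_rules(path, referer, files=EXISTING_FILES, dirs=EXISTING_DIRS):
    """Return what the .htaccess block does with one request.

    'forbidden' -> the hotlink rule answered 403
    'index.php' -> the WordPress catch-all handed the request to index.php
    'serve'     -> no rule matched, the file is served as-is
    """
    # Rule 1 (hotlink protection). RewriteConds are ANDed and apply only to the
    # RewriteRule directly after them: referrer present, referrer not our own
    # site, and the path ends in an image extension -> [F].
    if referer != "" and not OWN_REFERER.match(referer) and IMAGE_RULE.match(path):
        return "forbidden"

    # Rule 2 (WordPress permalinks). Only a path that is neither an existing
    # file (-f) nor an existing directory (-d) is rewritten to /index.php; [L]
    # stops further rewriting.
    if path not in files and path not in dirs:
        return "index.php"

    return "serve"


if __name__ == "__main__":
    # Constructed sample requests: (path, Referer header).
    samples = [
        ("/wp-content/uploads/photo.jpg", ""),                                 # typed into address bar
        ("/wp-content/uploads/photo.jpg", "http://www.ralphdunn.com/a-post/"),  # our own page
        ("/wp-content/uploads/photo.jpg", "http://WWW.RALPHDUNN.COM/a-post/"),  # same, odd case ([NC])
        ("/wp-content/uploads/photo.jpg", "http://other.example/page.html"),   # someone else's page
        ("/wp-content/uploads/photo.jpg", "http://ralphdunn.com.other.example/"),  # lookalike host
        ("/wp-content/uploads/photo.JPG", "http://other.example/page.html"),   # uppercase extension
        ("/wp-content/uploads/photo.jpg", "https://ralphdunn.com/a-post/"),    # our own site over HTTPS
        ("/2008/some-post/", "http://other.example/page.html"),               # a permalink
    ]
    for path, referer in samples:
        print(f"{apply_rules(path, referer):10s} {path}  referer={referer!r}")
```

Two of the sample results are worth a look before copying the block into a live site. The RewriteRule has no [NC], so a file named photo.JPG is not covered, which is why the simulation serves it to a foreign referrer; add [NC] to that rule (or make the pattern [Jj][Pp][Ee]?[Gg] style) if your uploads have mixed-case extensions. And because the referrer condition is anchored to http://, a referrer of https://ralphdunn.com/ is treated as foreign and the image is blocked, so a site served over HTTPS needs https?:// in that line.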


  • For detailed information and alternatives, visit altlab. There is also a good hotlinking testing tool located at coldlink.


Image by delunita via Flickr

  1. Hotlinking protection works by checking the HTTP_REFERER header sent by your browser, and if you’re using Firefox, you can simply change some settings in about:config or install a certain plugin to get around it. Because that is well outside the current topic, I won’t discuss it further here. Google it yourself and you’ll find it’s easy.
  2. The cryptic-looking codes are regular expressions. If you plan to get an in-depth understanding of them, here’s a book you may refer to: Mastering Regular Expressions.
  3. For those who have finished reading this long post, the photo is your reward. ^^

Author: Keefe Dunn

a dreamer, a learner, a lawful beginner.