Hotlink Protection Do Not Block Google, Bing or Yahoo

[jenni101]

Thanks for all your help on this – unfortunately the 3rd party software developer doesn’t want me to add in any hotlink protection code into the software’s .htaccess file as he thinks it might break something in it, so I’ve tried adding in the ‘allow’ code in my root wp site .htaccess via BPS custome code, as it sorted out the problem completely for my addon domain previously.

The code i added was this:

# CUSTOM CODE WP REWRITE LOOP START
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# To NOT apply rules to other CHILD websites or ADDON DOMAINS and
# to not log errors for these child sites
# and the RewriteRule for Custom Apps outside of WP
RewriteRule ^my-addondomain.co.nz/ - [L]
RewriteRule ^my-addondomain.com/ - [L]
RewriteRule ^my-stocklibrary/ - [L]

with the last line being the one for the subfolder with the image library software in. Unfortunately it hasn’t worked, so the images from the stock image library can’t be seen in any emails/invoices again (this was sorted when I commented out the hotlink protection code before).

Have I written the code correctly? as I’ve tried it with and without the trailing’/’ but still no joy.

Or as I previously mentioned, can’t I add in the ‘my-stocklibrary’ subfolder onto the whitelist? Just not sure of how to code it for a subfolder though – is it like this?…

SetEnvIfNoCase Referer "^(http|https)://www\.mydomain\.com.*$" whitelist
SetEnvIfNoCase Referer "^(http|https)://www\.mydomain\.com/my-stocklibrary.*$" whitelist
SetEnvIfNoCase Referer "^(http|https)://.*my-stocklibrary.*" whitelist

Thanks.

[AITpro Admin]

images from the stock image library can’t be seen in any emails/invoices again

I don’t understand what this means. Is there a security log entry in your BPS Security Log for what is being blocked?  If so, post that log entry.

FYI – whether you control what happens to images with htaccess code/files from another site (if that is even possible in this case depending on the parent/child folder structure relationship) or the 3rd party image application site’s folder directly, the same end result will occur. Hotlink protection rules and whitelist rules will be applied to the 3rd party image application site. So where that code is added does not really matter in regards to this statement – “unfortunately the 3rd party software developer doesn’t want me to add in any hotlink protection code into the software’s .htaccess file as he thinks it might break something in it”.

[jenni101]

Hi again,

re; the invoice images not showing in the emailed invoices:- the stock image library generates an invoice based on a template from thesite user registration form. This invoice includes a thumbnail of the purchased image, which is based on the image filename. When the user looks in his account he can see/print a copy of each invoice, which also shows the image thumbnail (as it’s all still within our system as they’re logged in). Also on image purchase this invoice is automatically emailed to to the user/purchaser, and with Hotlink protection OFF in BPS the thumbnails show in this invoice too – but with the Hotlink Protection ON, all that shows is the file ref. ID number and no thumbnail.

The only way for me to test this (before it goes live) is for me to sign-in as a customer/registered user and ‘purchase’ an image. And when the hotlink protection code is ON, none of the images are displayed in the invoices sent to my email account – but they all reappear in these same emailed invoices when I comment out the hotlink protection again in my root worpress site in BPS custom code.

I’ve checked all the error logs and can’t find anything related to the image library, either in the BPS logs or in my cPanel error logs or in the image library software error logs – so no other info to show you I’m afraid.

So as you say above… Hotlink protection rules and whitelist rules will be applied to the 3rd party image application site.

…I’d like to try adding my image library subfolder to my whitelist to see if this helps, but need to check how to code it for a domain/subfolder. Please could you check my suggested code below to see if it’s correct for this purpose?

SetEnvIfNoCase Referer "^(http|https)://www\.mydomain\.com/my-stocklibrary.*$" whitelist 
SetEnvIfNoCase Referer "^(http|https)://.*my-stocklibrary.*" whitelist

And perhaps adding the Rewrite rule in again but coded differently, as the current code doesn't work.:

RewriteRule ^my-stocklibrary/ - [L]

Many thanks -and I’ll let you know the outcome.

[AITpro Admin]

What and where is the invoice?  I need the technical specific details from a Developer/Coder perspective and not an end user perspective.  Or in other words, I need exact specific technical details.  So far I still do not know what the exact problem/issue is. Before you can fix a problem you need to know what the problem is. Obviously the hotlink protection code is causing a problem for the 3rd party app, but I still do not have enough information to know why that problem is occurring.

Examples of technical specific details would be:  the folder structure is /blah/fubar/.  The URL’s are X, Y and Z.  Query strings involved are:  ?blah.  etc etc etc.

[jenni101]

Oh OK – I’m not able to give you that info as am only a newbie trying to tame the beast of security and general website style and development.

So don’t worry about this issue anymore – So FYI what I’ve ended up with is NO Hotlink protection code in the BPS custom code in my root site and just enabled the cPanel Hotlink protection tool (as you said that it’s now updated so should have some effect anyway) – and now all the thumbnails show up again in my emailed invoices!

And again very many thanks for all your time and help. Cheers.

[AITpro Admin]

Yeah I understand, but without being able to see how things are connected/interconnected/related to each other technically and the actual URL’s involved then I could offer guesses, but I prefer not to offer random guesses.

I probably should have mentioned very early on that hotlink protection is not a security measure in any way.  I don’t personally use hotlink protection on any of my sites.  If I had a site that had stock images for sale then I would definitely use hotlink protection.  These days the amount of bandwidth that comes with a basic/standard hosting account is more than you will ever use per day/week/month so the old logic of keeping shady people from using up your bandwidth is really no longer a valid reason to use hotlink protection.

[Darko]

[Topic has been merged into this relevant Topic]

Hello,

how can I prevent https sites from image stealing? Now, for example http://pravoslavnisvet.blogspot.com/2014/08/360-y.html hotlinking protection work, but for https://edukativnisajt.wordpress.com/2014/02/24/anonimnost-na-mrezi/ doesn’t

Hotlink protection code is:

RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://([^.]+.)?mydomain. [NC]
RewriteCond %{HTTP_REFERER} !google. [NC]
RewriteCond %{HTTP_REFERER} !search?q=cache [NC]
RewriteCond %{HTTP_REFERER} !msn. [NC]
RewriteCond %{HTTP_REFERER} !yahoo. [NC]
RewriteRule .(jpg|png)$ https://lh5.googleusercontent.com/-4Du834Eq4QE/VH5D2rR32qI/AAAAAAAAAQs/Sj6mfHUGFB8/w622-h398-no/Kompjuteras.png [NC,L]

[AITpro Admin]

@ Darko – you can use the HotLink Protection code that you will find at the beginning of this Topic.

[Darko]

No, it still doesn’t block https sites from hotlinking. Code which I use is:

# CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
SetEnvIfNoCase Referer "^(http|https)://www\.kompjuteras\.com.*$" whitelist
SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist

<FilesMatch "\.(gif|jpg|jpeg|png|bmp)$">
Order Allow,Deny
Allow from env=whitelist
# Add Your Server IP Address
# Note: A Server IP address May be Required for
# everything to work depending on your Host Server
Allow from 194.106.162.118
</FilesMatch>

[AITpro Admin]

hmm interesting.  As far as a I know there would not be any difference between http and https schemes, but I will experiment with that and see if I find anything unusual.

[AITpro Admin]

What is interesting when I look at the Source Code for this site:  https://edukativnisajt.wordpress.com/2014/02/24/anonimnost-na-mrezi/ this site is getting your image file from here: https://i0.wp.com/kompjuteras.com/wp-content/uploads/2014/01/tor01.png and NOT your website.

<p>
<a href="http://kompjuteras.com/wp-content/uploads/2014/01/tor01.png" rel="post_1291">
<img alt="tor01" src="https://i0.wp.com/kompjuteras.com/wp-content/uploads/2014/01/tor01.png" width="306" height="280" /></a>
</p>

This site: http://pravoslavnisvet.blogspot.com/2014/08/360-y.html is doing typical hotlinking to your site and getting the image file from your website.

[AITpro Admin]

That site https://edukativnisajt.wordpress.com/2014/02/24/anonimnost-na-mrezi/ has the Jetpack plugin installed and it does something with other websites image files.

https://wordpress.org/support/topic/tiled-gallery-thumbnails-missing?replies=16

I’ve responded to you by email. i0.wp.com, i2.wp.com, etc are part of our CDN (content delivery network). When the Photon Jetpack module is active, your images get served by our CDN.

Means your image file has been copied and is now stored on the CDN by the Photon Jetpack module. I guess you would have to contact whoever runs that CDN and ask them to delete your image file from their server.

[Darko]

Strange, it was linked to my site, maybe it has changed somehow in the meantime 🙁

Thanks!

[AITpro Admin]

Well since the site has copied your image file then it is a moot point.  ie they now own your image file.  And of course the only way to protect any public image files from being copied would be to add a watermark in the image file.  And of course anyone with halfway decent Photoshop skills can remove that watermark.  Anything publicly displayed can be stolen.

[Darko]

Hello,

is there somehow possible to use code which you provide on comment http://forum.ait-pro.com/forums/topic/hotlink-protection-do-not-block-google-bing-or-yahoo/#post-8502 but instead of blocking to make redirection to other picture so hosts which are not whitelisted will have other picture on pages?

[Author]

Posts