Hotlink Protection Do Not Block Google, Bing or Yahoo

Viewing 15 posts - 61 through 75 (of 80 total)
  • #22814
    Krzysztof
    Participant

    I don’t think so – I took a random image and tested it here: http://coldlink.com/htm/tool.htm

    The image is still displayed. Something must be wrong with my setup.

    #22819
    AITpro Admin
    Keymaster

    Yes. You are correct.  Hotlink protection is no longer working on your site.  I was able to hotlink to one of your images here:  http://bulletproof-security-pro.com/bpspro/hotlink-protection-test/  I will be updating the very beginning of this forum topic with a list of possible causes for hotlink protection problems and troubleshooting steps to check those possible causes.

    #22820
    AITpro Admin
    Keymaster

    This is dumbed down hotlink protection code that will work on all servers.  This code is Google, Bing and Yahoo safe hotlink protection.  This code and additional help information will be added to the beginning of this forum topic.

    # Hotlink Protection code Dumbed Down to work on all servers:
    # Regex ? character & SetEnv directive do not work on some servers
    # Allow an empty Referer; forbid all other domains from hotlinking to images
    # Except for your domain, google, yahoo or bing domains
    # Replace the ait-pro.com domain name with your website domain name
    RewriteCond %{HTTP_REFERER} !^($|(http|https):\/\/.*(ait-pro\.com|google\.com|yahoo\.com|bing\.com)) [NC]
    RewriteCond %{REQUEST_URI} ^.*\.(jpeg|jpg|gif|bmp|png)$ [NC]
    RewriteRule ^(.*)$ - [F]

    #22829
    AITpro Admin
    Keymaster

    The main forum topic post in this topic has been updated with new Hotlink Protection code and help information.

    #22830
    Krzysztof
    Participant

    I have placed the new code and now I think that it works. (I think that one needs to test it on a clean browser, as the cache code is working and it displays the image – on a clean Opera the image is not displayed.) The bottom line is – today’s situation is another good example of why BPS Pro is absolutely in the first league when it comes to security and why it is worth promoting 🙂

    Thank you very much for your extensive help!

    #22831
    Krzysztof
    Participant

    Hmm my server is not cooperating with us at all 😉 I have tried the test again here: http://coldlink.com/htm/tool.htm and it doesn’t work again.

    #22832
    AITpro Admin
    Keymaster

    Your Hotlink Protection code is working.  Look at this testing site: http://bulletproof-security-pro.com/bpspro/hotlink-protection-test/ where I am trying to hotlink to your image – it is blocked.  The image is not displayed.

    #22837
    AITpro Admin
    Keymaster

    Hmm I just thought of something.  Maybe you are not exactly sure what “hotlinking” means.  A direct link to your website is not a hotlink.  A hotlink to an image is when someone is loading your image file on their website by using code like this below, which as you can see is blocked below since your Hotlink Protection code is working.
    [hotlink example – removed/deleted]

    Or another very common thing that happens all the time is this scenario:  Your image was not originally hotlink protected and another website hotlinked to that image file.  That other site is using an external service like Cloudflare or a CDN, and Cloudflare or the CDN is displaying the image and not the actual website that originally hotlinked your image.  External services like Cloudflare and CDNs literally copy data and images and store and display them from their servers.  Basically this means that your image file has been copied, and if that is the case then you cannot do anything about that.  The image is no longer being retrieved from your website; it is being retrieved from Cloudflare or a CDN that copied your image.

    #22840
    Krzysztof
    Participant

    Hmm – I just did what was written on that site – I have posted a direct link to a picture like in the example: http://www.example.com/picture.jpg and it displayed it there. That is why I thought that it is not working.

    #22841
    AITpro Admin
    Keymaster

    Neither here nor there my friend.  I tried to hotlink to an image file on your website in this forum topic and as you can see the hotlinked image file is not displayed and is being blocked from being hotlinked from your website.

    #22871
    James
    Participant

    Thanks guys for the update.

    I’ve been trying to get the standard hotlinking code to work, but to no avail.  It keeps blocking all access to the images, even from the websites that are whitelisted (including the WP site which hosts the images).  My server does not have LiteSpeed, but it does run with DSO for caching, so I am assuming that this is also not compatible with the code?  Maybe worth mentioning this in the troubleshooting info. The ‘dumbed down’ version of the hotlinking code seems to work just fine though!

    Cheers, James

    #28667
    John
    Participant

    Hi,
    I’m using WPML to run a multilingual site. Each language is structured by subdirectory. With regard to your comment #15381, does this mean I should add .* after the root domain name like this?

    SetEnvIfNoCase Referer "^(http|https)://.*\.domain\.com.*" whitelist

    And do I understand correctly that if each language is structured by subdomain, the code should go like this?

    SetEnvIfNoCase Referer "^(http|https)://.*domain\.com$" whitelist

    Apparently, I’m not really a technical person, so I’d really appreciate it if you could advise me on this.

    Best regards,

    #28672
    AITpro Admin
    Keymaster

    In Regular Expressions (Regex) code the .* characters mean match anything/everything. So this code below would match subdomains and also subdirectories: example.domain.com and/or domain.com/subdirectory/

    SetEnvIfNoCase Referer "^(http|https)://.*\.domain\.com.*" whitelist

    #28686
    John
    Participant

    I tried using this code

    SetEnvIfNoCase Referer "^(http|https)://.*\.domain\.com.*" whitelist

    but some of the thumbnail images on my dashboard were not displayed. So I tried this code instead

    SetEnvIfNoCase Referer "^(http|https)://.*domain\.com.*" whitelist

    and the thumbnail images are properly displayed. Could you please confirm again if this is correctly done?

    Thanks.

    #28696
    AITpro Admin
    Keymaster

    @ John – Yes, that looks correct.
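
The Referer patterns quoted in this thread (the "dumbed down" RewriteCond and the SetEnvIfNoCase variants), run against constructed Referer values; this is an added example, not part of the original posts or of BPS Pro's code. Python's `re.search` stands in for Apache's unanchored, case-insensitive matching, and `other.example`, the sample Referer strings and the `host_anchored` pattern are assumptions added for comparison.

```python
import re

# Patterns quoted from the thread; domain.com and ait-pro.com are the thread's own placeholders.
PATTERNS = {
    "rewritecond": r"^($|(http|https):\/\/.*(ait-pro\.com|google\.com|yahoo\.com|bing\.com))",
    "dot_required": r"^(http|https)://.*\.domain\.com.*",
    "no_dot": r"^(http|https)://.*domain\.com.*",
    "end_anchored": r"^(http|https)://.*domain\.com$",
    # Added for comparison, NOT from the thread: the host is tied to the start of the URL.
    "host_anchored": r"^(http|https)://([a-z0-9-]+\.)*domain\.com(/|$)",
}

# Constructed Referer values (other.example is a stand-in third-party site).
REFERERS = [
    "",                                        # no Referer sent (direct request)
    "http://domain.com/wp-admin/upload.php",   # bare domain, dashboard page
    "https://en.domain.com/page/",             # language as subdomain
    "https://domain.com/fr/page/",             # language as subdirectory
    "https://notdomain.com/",                  # look-alike host
    "https://other.example/?ref=domain.com",   # domain only in the query string
    "https://www.google.com/search?q=x",
]


def whitelisted(name, referer):
    """True if the Referer matches the named pattern.

    re.search + IGNORECASE mirrors an unanchored match with [NC] / SetEnvIfNoCase.
    """
    return re.search(PATTERNS[name], referer, re.IGNORECASE) is not None


def matrix():
    """Map each pattern name to the constructed Referers it whitelists."""
    return {name: [r for r in REFERERS if whitelisted(name, r)] for name in PATTERNS}


if __name__ == "__main__":
    for name, hits in matrix().items():
        print(name)
        for r in hits:
            print("   whitelisted:", repr(r))
```

The `dot_required` pattern does not match a Referer from the bare domain such as `http://domain.com/wp-admin/upload.php`, which is consistent with the missing dashboard thumbnails John reported, while `no_dot` also whitelists any URL that merely contains `domain.com`.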
