
How to Prevent Hotlinking and Protect Your Website Media

Updated on December 24, 2025


Key Takeaways

  • Hotlinking lets other sites use your images or videos directly from your server, which can increase bandwidth usage, slow down your site, and raise hosting costs.
  • You can prevent hotlinking using server-level rules like .htaccess, CDNs such as Cloudflare Enterprise, or WordPress plugins that restrict access to media files.
  • Regularly monitoring your site’s access logs and running reverse image searches helps you identify hotlinking and take action, including sending DMCA takedown notices when necessary.

Hotlinking is basically a resource leak that happens behind your back. It is when someone else takes an image or video from your site and embeds it right onto theirs. Their page loads, but your server does the work. You pay for the bandwidth while they get the content for free. This can spike your costs and lag your site out.

You can stop it, though. A few quick changes can protect your files and keep your bandwidth for your own visitors. You can do this with server rules, plugins, or a CDN. It just depends on what you’re running.

In this guide, we’ll take you step by step through how to prevent hotlinking on any website, show solutions tailored for WordPress users, and finally dive into how Cloudways makes it easy to secure your media at the server level.

Let’s get into it…

What Hotlinking Is, How It Works, and Why It’s a Problem

Hotlinking is a headache for anyone running a site. It happens when another person points to a file on your server instead of hosting it themselves.

Instead of uploading your image to their own host, they just stick your URL in their HTML. It looks like this:

<img src="https://yourwebsite.com/images/photo.jpg">

When a visitor hits their page, your server delivers the file. It doesn’t matter if that person never visits your site. Your server still does the heavy lifting.

By default, your server doesn’t check where a request comes from, so it just sends the file. That is how your bills start to climb. Every request uses data. Data is never free.

Check the math. A 250KB image viewed 2,000 times a day on someone else’s site eats 15GB of your bandwidth every month. That is just one file. If you are on a small plan, that extra load can get your account throttled or shut down.

Some reports show that hotlinking can account for 20% of a site’s total traffic. That is a lot of wasted data.

Here is why this matters:

  • Hosting bills go up: Most plans have a data cap. Hotlinked files eat that cap and lead to overage fees.
  • Your site gets slow: Too many requests put stress on your server, making your site load slowly. Your actual users end up waiting longer for pages to load.
  • You lose control: You can’t control how your images look on other sites. If you move the file, their site breaks, but it still looks bad on you.
  • SEO hits: Slower speeds can hurt your Google rankings and overall SEO. Plus, your files are scattered on sites you don’t even like.

Hotlinking is more than just rude. When your server is busy serving files to sites you don’t even own, it’s a massive drain. It hits your wallet and your speed. You have to step in and block it.


How to Prevent Hotlinking on Your Website

There isn’t just one “perfect” way to stop hotlinking. The best path depends on your server and where your images actually live. Some methods are much easier to keep up with than others.

If you already use a CDN, start there. It is the most efficient. If you don’t, you’ll need to write some rules at the server level to get the job done.

1. Use Your CDN for Automatic Blocking

If your images and static files are served through a CDN, enabling hotlink protection there is the cleanest solution.

A CDN stops unauthorized requests before they ever reach your origin server. This keeps your bandwidth and CPU power available for your actual visitors.

Cloudflare: Cloudflare makes this incredibly easy. You don’t even need code.

  • Log into your dashboard.
  • Select the domain you want to work on.
  • On the left-hand sidebar, click on Scrape Shield.


  • Toggle Hotlink Protection to ON. This stops other sites from showing your images but still lets Google and Bing crawl them for SEO.

KeyCDN: KeyCDN uses something called “Zone Referrers.”

  • Go to your Zone settings.
  • Find the Referrers section.


  • Add your own domain (like yourwebsite.com). Once you save this, the CDN will only serve images if the request comes directly from your site. Everything else gets a 403 Forbidden error.


2. Lock Down Apache with .htaccess

If you don’t have a CDN and your site runs on Apache, you need to edit your .htaccess file. This file usually sits in your root folder.

Add this code to the file:

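RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]

In my case, I’ll modify the code like so:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?whichserversize\.net(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]

What this code actually does:

  • RewriteEngine on: Turns on Apache’s rewrite engine (mod_rewrite) so the rules below are evaluated.
  • !^$: Allows “empty” referrers. You need this so people can still see images when they type your URL directly or open an image in a new tab. Because the Referer header is supplied by the visitor’s browser and may be missing, treat this rule as a bandwidth control, not as access control for private files.
  • yourwebsite\.com(/|$): This is your “allow” list. Change this to your actual domain. The escaped dots and the trailing (/|$) make the pattern match only your exact host name, not a longer host name that merely begins with it.
  • [F]: This stands for “Forbidden.” It kills the request.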

3. Block Hotlinking on Nginx

If your site runs on Nginx, you don’t have a .htaccess file. Instead, you have to add a specific “location block” to your main server configuration file. This tells the server exactly what to do when someone tries to load your images from an outside site.

Open your Nginx config file and add this block:

location ~ \.(jpg|jpeg|png|gif)$ {
    valid_referers none blocked whichserversize.net *.whichserversize.net;

    if ($invalid_referer) {
        return 403;
    }
}

How this works for your site:

  • The File Types: The first line tells Nginx to look for requests ending in common image formats like .jpg or .png.
  • The Allowed List: The valid_referers line is your whitelist. I included whichserversize.net and *.whichserversize.net so your own site (and any subdomains) can still show your images.
  • The “None” and “Blocked” terms: These are important. “none” matches requests that carry no Referer header at all, and “blocked” matches requests where a firewall or proxy has stripped the header’s value. Together they make sure your images still show up for people who type your URL directly or use a browser that hides referrer data for privacy.
  • The 403 Error: If a request comes from a site that isn’t on your list, Nginx refuses it and sends back a “403 Forbidden” error.

Once you add this code, you have to restart Nginx for it to take effect. You can usually do that with this command:

sudo systemctl restart nginx

4. Use Watermarks for Visual Protection

Watermarking doesn’t stop a server request, but it makes hotlinking useless for the other guy. If they steal your image, your logo is still right in the middle of it.

If you use WordPress, plugins like Easy Watermark can do this automatically when you upload new files. For infographics or original photography, this is a must. Even if they “steal” the bandwidth, they are just giving you free advertising.

5. Watch Your Logs for Spikes

No setup is done until you verify it works. Check your hosting dashboard for bandwidth spikes. If you see one image getting 5,000 hits from a random domain, your rules might have a leak.

I suggest checking your “Access Logs” once a month. Look for high-volume requests where the “Referer” isn’t your site. If you see a specific domain popping up, you can add them to a manual block list.

How to find your logs:

If you’re a Cloudways customer, you can easily view access and error logs right from the platform.


If you’re not a Cloudways customer, you can typically find them here on your server:

  • Apache: /var/log/apache2/access.log
  • Nginx: /var/log/nginx/access.log

You can just use an FTP client like FileZilla to download the log file and open it in a basic text editor. If you are okay using the terminal, run this command to see the latest activity:

tail -n 100 /var/log/nginx/access.log

When you look at the text, look for the quoted URL that follows the request, the status code, and the response size. That is the Referer field. If you see a domain there that isn’t yours, that’s your hotlinker.
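The monthly log check described above can be automated. The following is an added example, not code from Cloudways: it assumes the default "combined" access log format, uses yourwebsite.com as a placeholder for your own host names, and runs on constructed sample lines. It separates external referrers that were actually served media (a leak in your rules) from those that already receive a 403.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: replace with the host names your own pages are served from.
OWN_HOSTS = {"yourwebsite.com", "www.yourwebsite.com"}
MEDIA_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp")

# Combined format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)"'
)

# Constructed sample lines (documentation IPs and example domains).
SAMPLE_LOG = [
    '198.51.100.10 - - [12/Mar/2025:10:01:22 +0000] "GET /images/photo.jpg HTTP/1.1" 200 256000 "https://yourwebsite.com/blog/" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:01:25 +0000] "GET /images/photo.jpg HTTP/1.1" 200 256000 "https://forum.example.net/thread/42" "Mozilla/5.0"',
    '203.0.113.8 - - [12/Mar/2025:10:01:31 +0000] "GET /images/photo.jpg?v=2 HTTP/1.1" 200 256000 "https://forum.example.net/thread/42" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2025:10:02:02 +0000] "GET /images/banner.PNG HTTP/1.1" 403 153 "http://scraper.example.org/" "Mozilla/5.0"',
    '198.51.100.11 - - [12/Mar/2025:10:02:40 +0000] "GET /images/photo.jpg HTTP/1.1" 200 256000 "-" "Mozilla/5.0"',
    '198.51.100.12 - - [12/Mar/2025:10:03:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "https://forum.example.net/thread/42" "Mozilla/5.0"',
]

def external_media_hits(lines, own_hosts=OWN_HOSTS):
    """Return {referer_host: {"served", "blocked", "bytes"}} for media
    requests whose Referer names a host that is not one of ours."""
    report = defaultdict(lambda: {"served": 0, "blocked": 0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Drop the query string and ignore case before checking the extension.
        if not urlsplit(m["path"]).path.lower().endswith(MEDIA_EXT):
            continue
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # empty referer ("-") or one of our own pages
        status = m["status"]
        if status == "403":
            report[host]["blocked"] += 1  # the hotlink rule is working
        elif status in ("200", "206", "304"):
            report[host]["served"] += 1   # the rule did not apply: a leak
            if m["size"] != "-":
                report[host]["bytes"] += int(m["size"])
    return dict(report)

def leaking_hosts(report):
    """Hosts that were actually served media, largest byte count first."""
    leaks = [h for h, e in report.items() if e["served"] > 0]
    return sorted(leaks, key=lambda h: report[h]["bytes"], reverse=True)

if __name__ == "__main__":
    result = external_media_hits(SAMPLE_LOG)
    for host in leaking_hosts(result):
        print(host, result[host])
```

To use it on a real server, pass the open log file in place of SAMPLE_LOG; a host that shows up under "served" after your rules are in place means a file type or path is not covered by them.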

How to Prevent Hotlinking on a WordPress Site

WordPress actually gives you plenty of ways to protect your images without making you touch a server config file or use SSH. These are the best options if you want to stay inside the WordPress dashboard and keep it simple.

1. Use WordPress Plugins for Hotlink Protection

Using a plugin is the fastest way to get this done. These tools work by checking the “referrer” of anyone trying to view your images. If the request isn’t coming from your site, the plugin shuts it down.

We looked at how to do this with KeyCDN earlier in this guide. If you prefer a CDN-level fix, you can absolutely go with that option instead. It works just as well.

But if you want to stick with a plugin, a very basic tool you can use is Prevent Direct Access (PDA).


How to do it: Once you install it, you can protect individual files or your whole library. You can set the rules so that only logged-in users or people visiting from your domain can actually see the images.

Why use this: This is perfect if you have premium content, like infographics or PDFs, that you only want your members to see. It stops outsiders from grabbing the file entirely.

2. Disable Right-Click on Your WordPress Site

Another simple step to discourage hotlinking is to disable right-click on your images. This won’t stop determined users, but it prevents most casual visitors from copying your files and embedding them elsewhere.

A solid option for this is the WP Content Copy Protection & No Right Click plugin.


It not only blocks right clicking on images but also stops text selection and simple drag‑and‑drop or keyboard shortcuts that could be used to copy content.

Here’s how to set it up:

  • Once activated, go to the plugin’s settings from the dashboard sidebar.
  • Enable protection options like Block Right‑Click, Disable Text Selection, and Block Image Dragging.


Once enabled, visitors who try to right‑click or select images will be blocked by the plugin. You can even customize the message they see when they attempt these actions.


This approach won’t stop every possible hotlink attempt. That’s why server or CDN rules are essential. But it adds another layer that stops most casual copying. If someone has to jump through a few extra hoops just to copy your images, they are much less likely to take the time.

3. Rename Files to Break Old Links

If you find that a specific image is already being stolen and eating your bandwidth, the damage is already done. Blocking them might show a broken icon, but they are still hitting your server. A great way to fix this is to just change the “address” of the image.

How to do it safely: If you just rename a file in your file manager, every post on your own site will show a broken image. To avoid this, use a plugin called Media File Renamer.


  • Go to your Media Library.
  • Find the image that is being hotlinked.
  • Change the name (for example, change header-image.jpg to header-2025.jpg).


  • The plugin will automatically find every post on your site and update the link. The other person’s site will still be looking for the old filename. They will get a 404 error, and your bandwidth drain stops instantly.

After you use any of the plugins we covered, you need to check your own site. Sometimes, these rules are so strict that they block your own images if you use a “WWW” version of your URL but didn’t list it in the settings. Always open your site in an Incognito window to make sure everything looks right for your visitors.

How to Prevent Hotlinking on Cloudways

While WordPress plugins are great for ease of use, Cloudways users can achieve better performance by blocking hotlinking at the server level or through the Cloudflare Enterprise add-on. This stops the “leak” before it ever reaches your application.

Since Cloudways manages your servers in a Platform-as-a-Service setup, you have control over your application configurations without needing to worry about full server maintenance.

Here’s how to tackle it:

1. Server-Level Rules via .htaccess

Because Cloudways uses a powerful hybrid stack (Nginx as a reverse proxy with Apache), the most direct and effective way to manage media requests is through your application’s .htaccess file. This is the safest method for most users as it doesn’t require root-level access.

Steps to block hotlinking:

  • Connect to your server using SFTP (like FileZilla) or use the Cloudways File Manager add-on.
  • Navigate to your application’s root folder (usually /public_html/).
  • Open the .htaccess file and add the following code to block external requests:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif|webp)$ - [F]

2. Using Cloudways Cloudflare Enterprise (Edge Protection)

If you are using the Cloudways Cloudflare Enterprise add-on, you can enable protection with one click without leaving your dashboard.

Simply navigate to Applications → Your Application → Cloudflare and toggle on the Scrape Shield settings.


This saves 100% of the bandwidth and CPU that would have been used to process the request.

This is the recommended “zero-impact” solution, as it offloads the security work to Cloudflare’s global network.

By combining .htaccess rules with our integrated Cloudflare Enterprise tools, you can ensure that your server resources are preserved for your legitimate visitors and that your media remains your own.

What to Do if Your Content is Hotlinked

Sometimes, despite your best efforts, people will still steal your images. If you find a site that is eating up your bandwidth and refusing to stop, you have to take action.

1. Find the Thief

You can’t stop them if you don’t know who they are. You need to run a reverse image search to see exactly where your files are popping up.

  • TinEye: This is often better than Google for exact matches. Upload your original image, and it will show you every other site using that exact file.
  • Google Images: Click the little camera icon in the search bar. It will show you visually similar images, which helps spot people who might have cropped your watermark out.

2. Send a DMCA Takedown Notice

If they are hotlinking your content, they are technically stealing your bandwidth and infringing on your copyright. You can force them to take it down.

The important part: Don’t just email the site owner. They will likely ignore you. You need to email their hosting provider.

  • Find the Host: Go to a site like WhoIs.com, IPlocation.io or HostingChecker and type in the thief’s domain. Look for the “Registrar” or “Name Server” info.
  • Find the Abuse Email: In that same report, look for an email address listed under “Abuse Contact.”
  • Send the Notice: Write a formal email stating you own the content. Include the URL where they are stealing it and the URL of your original.

Most hosting companies take these notices very seriously because they don’t want legal trouble. They will often take the content down for you within 24 hours.

3. Keep an Eye on Things

Just because you stopped one person doesn’t mean you are safe forever. You need to check in every now and then.

  • Run a search once a month: Upload your most popular images to TinEye just to see if any new sites have popped up.
  • Watch your bandwidth: If you see your data usage spike on a Tuesday for no reason, check your access logs immediately. It is usually a sign that someone new has linked to your files.

Conclusion

Hotlinking is more than just an annoyance. It can quietly drain your server resources, slow down your site, and inflate your hosting costs.

In this guide, we’ve looked at what hotlinking is and the practical ways to stop it across any website. From CDN-level protection and server rules to WordPress-specific plugins and visual deterrents like watermarks, there are multiple strategies to keep your content secure.

Of all these options, if you’re hosting on Cloudways, you can seamlessly prevent hotlinking at both the application and edge levels. With the combination of Apache .htaccess rules and the Cloudflare Enterprise integration, your media is shielded before it even reaches your server. This saves bandwidth, improves performance, and keeps your content fully under your control.

If you have any questions, let me know in the comments below.

Frequently Asked Questions

Q1. What does no hotlinking mean?

No hotlinking means your server is configured to block other websites from loading your files. Only requests coming from your own domain, approved sources, or search engines are allowed. Any unauthorized request is denied, usually with a 403 error or a broken image placeholder.

Q2. What is a hotlink?

A hotlink is a direct link to a file hosted on another website, most commonly an image. Instead of copying the file and uploading it, the site owner embeds the original URL. This causes the original server to handle all file requests, even though the content appears on a different site.

Q3. How do you avoid hotlinking?

You can avoid hotlinking by setting up server rules, enabling hotlink protection through a CDN, or using WordPress tools that restrict file access. The most effective approach is stopping requests before they reach your server, either at the CDN level or through properly configured .htaccess rules.


Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
