
Three Ways to Allow Hotlinking in Specific Directories

After implementing any of the hotlink-prevention techniques described in our previous article, you may find it necessary to disable hotlink-protection for a specific directory. By default, htaccess rules apply to the directory in which they are located, as well as all subdirectories contained therein. There are (at least) three ways to enable selective hotlinking:

Place hotlink images in an alternate directory

This method works great if your hotlink-protection rules are located in a directory other than the site root. Simply create another directory outside of the directory containing the htaccess rules and place your hotlink-allowed images into that directory.

Create a pseudo-rewrite rule for the target directory

If your images are located within the influence of your hotlink-protection rules, and you need to enable hotlinking for a specific directory, it is possible to circumvent the anti-hotlink rewriting for that directory. In the htaccess file for the target directory, add the following pseudo-rewrite rules:

# disable hotlink protection
RewriteEngine on
RewriteRule ^.*$ -

Turn off the rewrite engine in the target directory

Ahh, the joys of simplicity. If neither of the previous methods seems appealing to you, perhaps the simple elegance of this effective method will inspire you: turn off the rewrite engine in the directory that houses your hotlink images. That’s it. Simply add the following line to your target directory’s htaccess file and enjoy immediate results:

# disable hotlink protection
RewriteEngine off

While any of the above-described methods works fine, disabling mod_rewrite in the target directory is by far the simplest, most elegant solution.

Update

An alternate way of disabling mod_rewrite is to flag the last RewriteRule with the [END] flag. For example:

RewriteRule /(some-other-rule)/ https://perishablepress.com/ [END]

What about enabling hotlink-protection in a specific directory? Read on, my friend..

Selectively protect files in a specific directory

Protecting the contents of a specific directory (as opposed to all directories) requires a simple addition to any of the anti-hotlinking measures presented in our previous article. If, say, you wanted to protect all files located in a directory called “private,” you would modify the RewriteRule as follows:

# protect all content in private directory and return a forbidden error
RewriteRule private/(.*)$ - [F,NC,L]

..or, alternatively:

# protect all content in private directory and return a nasty image
RewriteRule private/(.*)$ http://domain.tld/hotlink.jpg [R,NC,L]

In other words, prepend the name of the target directory to the list of protected file types, which in this example is all files, as represented by the wildcard expression (.*).
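The two ideas above (exempting one directory, and protecting every file in another) can also be combined in a single root-level htaccess file. The following is an added example, not code from the original article; `example.com`, `hotlink-ok/` and `private/` are placeholder names.

```apache
# /.htaccess in the site root (constructed example)
# placeholders: example.com, hotlink-ok/, private/

RewriteEngine on

# 1. Exempt one directory from hotlink protection.
#    "-" means no substitution and [L] ends rule processing for this
#    request, so the protection rule below is never reached for
#    anything under hotlink-ok/.
RewriteRule ^hotlink-ok/ - [L]

# 2. Protect everything else.
#    The conditions are ANDed: the file must exist, the referrer must
#    be non-blank, and the referrer must not be this site.
#    (/|$) ends the host name, so a referrer such as
#    "example.com.other.tld" is not treated as this site.
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?example\.com(/|$) [NC]

#    The pattern matches either any file under private/ or an image
#    type anywhere else. In htaccess context the pattern is tested
#    against the path relative to this directory, without a leading
#    slash, so ^private/ only matches the top-level private directory.
RewriteRule (^private/|\.(gif|jpe?g|png)$) - [F,NC]
```

If `hotlink-ok/` contains its own htaccess file with mod_rewrite directives, those replace the rules above for that directory, because per-directory rewrite rules are not inherited unless `RewriteOptions Inherit` is set.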

About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.

9 responses to “Three Ways to Allow Hotlinking in Specific Directories”

  1. Hi.

    Is there any way to hotlink-protect my whole site, and allow just one folder for hotlinking? I'd like to use one folder where I store all my avatars and sigs for other forums.
    Is that possible?

    Thanks.

  2. Perishable 2008/01/21 8:09 am

    Proximuz,

    Um, yes, allowing hotlinking in a specific directory is exactly what this article is about. After implementing hotlink-protection sitewide (see link in first paragraph), return to this post and employ any of the three methods to disable protection for the folder of your choice. (Sorry for the redundancy — I just wanted to be clear:)

    Regards,
    Jeff

  3. Great tutorial man… thanks for your help…… bookmarking this page…

  4. I just did some more testing and it isn’t stopping any hotlinks at all. I deleted or renamed the most problematic files first and that is what is giving people the 403 error. I just tried commenting the symlinks line too.. Maybe I should have tried a simpler solution first…

    ###############################
    # ultimate hotlink protection #
    ###############################
    
    # disable directory browsing
    # uncomment this option to protect access to directories
    # Options -Indexes
    
    # enable the following of symlinks
    # uncomment this option if hotlink protection fails to work
    Options +FollowSymLinks
    
    # verify presence of mod rewrite
    
    # enable the rewrite engine
    RewriteEngine on
    
    # check that file exists
    RewriteCond %{REQUEST_FILENAME} -f
    
    # check for requested file types
    # include additional file types here
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    
    # allow blank referrer requests
    RewriteCond %{HTTP_REFERER} !^$
    
    # allow all requests from your domain
    # edit the domain to match your own
    RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?muschamp\. [NC]
    
    # additional site access
    # include additional sites here replace domain names and or 
    # remove unnecessary lines or add new lines for more sites
    # RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain_01\. [NC]
    # RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain_02\. [NC]
    # RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain_03\. [NC]
    
    # search engine access
    # include or remove search engines feed readers and other sites
    RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
    RewriteCond %{HTTP_REFERER} !google\. [NC]
    RewriteCond %{HTTP_REFERER} !slurp\. [NC]
    RewriteCond %{HTTP_REFERER} !mmcrawler\. [NC]
    RewriteCond %{HTTP_REFERER} !msnbot\. [NC]
    RewriteCond %{HTTP_REFERER} !sandcrawler\. [NC]
    RewriteCond %{HTTP_REFERER} !msrbot\. [NC]
    RewriteCond %{HTTP_REFERER} !teoma\. [NC]
    RewriteCond %{HTTP_REFERER} !jeeves\. [NC]
    
    # allow access to all requests for your anti hotlink image
    # to serve an image instead of delivering a 403 error
    # uncomment the next line and edit the path and file name
    RewriteCond %{REQUEST_URI} http://muschamp.ca/CommonImages/doNotHotLink.jpg [NC]
    
    # deliver the hotlink image for all requests for the listed files
    # protect additional file types by editing the list below
    # if you are serving a file instead of a 403 
    # uncomment the next line and edit the path and file name
    RewriteRule \.(gif|jpe?g?|png)$ http://muschamp.ca/CommonImages/doNotHotLink.jpg [R,NC,L]
    
    # return a 403 error when any of the following file types is requested
    # you can protect additional file types by editing the list below
    # RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
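
Why the configuration posted in the comment above never redirects anything, shown as an added example (not part of the comment or of the original article): `%{REQUEST_URI}` holds only the URL path, so the guard condition as posted is false for every request. The corrected guard is one way to write it, reusing the paths from the comment; the search-engine conditions are left out for brevity.

```apache
RewriteEngine on

# only act on existing image files requested with a foreign,
# non-blank referrer
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?muschamp\. [NC]

# AS POSTED (kept here commented out): RewriteCond lines are ANDed,
# and REQUEST_URI looks like "/CommonImages/doNotHotLink.jpg" with no
# scheme or host. A pattern that starts with "http://" can never match
# it, so the chain is always false and the RewriteRule is never applied.
# RewriteCond %{REQUEST_URI} http://muschamp.ca/CommonImages/doNotHotLink.jpg [NC]

# CORRECTED: compare against the path only, and negate the test so
# that every request except the replacement image is redirected.
# Without this guard the redirect target, itself a .jpg, would be
# redirected again on the follow-up request.
RewriteCond %{REQUEST_URI} !^/CommonImages/doNotHotLink\.jpg$ [NC]

RewriteRule \.(gif|jpe?g?|png)$ http://muschamp.ca/CommonImages/doNotHotLink.jpg [R,NC,L]
```

With the corrected guard, a request for a protected image that carries a foreign Referer header should receive a 302 to the replacement image, while the same request with no Referer should receive the image itself.
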
  5. hi,

    Is there any way to disable hotlinking only in specific folders in lighttpd, and not on the whole site?
    Note: I am talking about lighttpd, not Apache.

  6. Thanks for this great post. Fixed my problem in minutes !

  7. Is this supposed to show me how to maintain just ONE .htaccess file for my entire hosted space? I don’t want multiple .htaccess files since I am constantly editing this one to block bots and crawlers. I purchased the guide but so far I have not found such a solution in it.

    • Jeff Starr 2012/12/18 1:49 pm

      It’s completely up to you.. some sites may use only one .htaccess file, others may use multiple files.. it all depends on your goals and the structure of your site. In most cases one .htaccess in the root directory is all that’s needed.

  8. Pali Madra 2013/03/02 10:11 am

    Thanks, this helped a lot. I was stuck with one of the sites of a client, which was not loading properly because hotlinking was disabled.

    @jeff I wanted to know if the .htaccess file follows some inheritance rules or not?

    Thanks again.
