Fall Sale! Code FALL2024 takes 25% OFF our Pro Plugins & Books »
Web Dev + WordPress + Security

Allow Feedburner Access to Hotlink-Protected Images

[ Image: Feedburner Icon ] Recently, we installed and configured the excellent WordPress Feedburner plugin by the venerable Steve Smith. The plugin basically redirects our various WordPress-powered content feeds to Feedburner, which then delivers them to subscribers. This method enables us to take advantage of Feedburner’s excellent statistical tools. Further, all of the action happens silently, beneath the surface, and without the subscriber even realizing it.

After a few weeks running the plugin with great success, we began hearing reports of broken and missing images messing up our feeds. After some investigating, we realized that our tried-and-true anti-hotlinking strategy was doing its job a little too well — blocking everyone outside our domain from accessing our image content — including Feedburner.

As far as I am concerned, delivering high-quality feeds is a critical component of any successful website. While some people prefer not to clutter their feeds with all sorts of images, it is always nice to display an official logo or other site graphic for branding purposes, recognition, etc. Feedburner even promotes such customization with its excellent feature, Feed Image Burner. In any case, to enable images to display in our feeds, we need to enable Feedburner to bypass our stringent hotlink-prevention rules.

Hotlink Protection via htaccess

As many savvy bloggers know, hotlink protection via htaccess is an excellent method for preventing unauthorized use of your site’s content. Unfortunately, the commonly implemented ruleset stops Feedburner — as well as every other feed-delivery service — from displaying your images in feeds. For example, the following htaccess code will protect your images from bandwidth theft and is pretty much standard-issue htaccess hotlink-protection:

# Hotlink Protection
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com/.*$ [NC]
RewriteRule .*\.(gif|jpg|jpeg|png|bmp)$ - [F,NC,L]

Let’s examine this typical hotlink-protection htaccess code. After initiating mod_rewrite in the first line, the code checks the referring URL against the predefined strings in the following five lines. In this case, we are allowing all no-referrer requests as well as any referrer that is from our own domain, example.com (both www and non-www versions). Everything else is denied access to the file types listed in the last line, namely popular image files.

To use this code on your own site, simply replace all instances of example.com and edit (if necessary) the list of file types that you would like to protect. Also note that you may protect any file type with this htaccess ruleset by simply adding it to the list. For example, if we wanted to add some other commonly used file types to the list:

gif|jpg|jpeg|png|bmp|js|css|zip|mp3|avi|wmv|mpg|mpeg|swf

That could be added to the RewriteRule, replacing the current lineup of allowed file types.

Allow Feedburner Access

Given the htaccess hotlink-protection rules described above, it is relatively simple to allow Feedburner access to your images. Here are the additional htaccess rules:

# Allow Feedburner Access
RewriteCond %{HTTP_REFERER} !^http://www.feedburner.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://feeds.feedburner.com/example-feed$ [NC]
RewriteCond %{HTTP_REFERER} !^http://feeds.feedburner.com/example-feed-comments$ [NC]

In the previous code, we are matching anything coming from the feedburner.com domain, while also matching our two example feeds (http://feeds.feedburner.com/example-feed and http://feeds.feedburner.com/example-feed-comments) specifically. To allow Feedburner access to your feeds, simply replace the two specific feed URLs with those of your own.

All Together Now

After editing the previously discussed ruleset to suit your specific needs, simply splice it into your hotlink-protection code like so:

# Hotlink Protection with Feedburner Access
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.feedburner.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://feeds.feedburner.com/example-feed$ [NC]
RewriteCond %{HTTP_REFERER} !^http://feeds.feedburner.com/example-feed-comments$ [NC]
RewriteRule .*\.(gif|jpg|jpeg|png|bmp)$ - [F,NC,L]

Our finished product instructs Apache to deny access for any image request that is not from feedburner.com, our example domain, or either of our example feeds. Simply copy and paste the entire ruleset into your site’s root htaccess file. And with that, Feedburner will have access to your images, and your subscribers will enjoy a richer user experience with your feed.

Update: In July of 2007, the WordPress Feedburner plugin was acquired by Feedburner and renamed “FeedSmith”. As if that weren’t enough, the Feedburner company itself was soon thereafter acquired by Google.

About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.
Banhammer: Protect your WordPress site against threats.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
WP Themes In Depth: Build and sell awesome WordPress themes.
Thoughts
I disabled AI in Google search results. It was making me lazy.
Went out walking today and soaked up some sunshine. It felt good.
I have an original box/packaging for 2010 iMac if anyone wants it free let me know.
Always ask AI to cite its sources. Also: “The Web” is not a valid answer.
All free plugins updated and ready for WP 6.6 dropping next week. Pro plugin updates in the works also complete :)
99% of video thumbnail/previews are pure cringe. Goofy faces = Clickbait.
RIP ICQ
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.