Fall Sale! Code FALL2024 takes 25% OFF our Pro Plugins & Books »
Web Dev + WordPress + Security

Major Problem with cPanel Hotlink Protection and htaccess

There is a major problem with the “Hotlink Protection” feature of cPanel. To summarize the issue, allow me to quote a recent email sent to a completely unresponsive tech support department:

…The problem is that if I try to include any rewrite rules for permalinks, hotlinking, or blocking spambots, cPanel automatically enables its “Hotlink Protection” feature. And, even worse, it automatically adds every URL from every rewrite rule (even the ones for blocking spambots) to its “auto-discovered” list of URL’s for which image access is allowed.

This means that every spammer that I am trying to block now has access to my images! If I try to remove the spammers directly from the “allow-image-access” list, the associated rewrite rules are automatically removed from my htaccess file, thus giving spammers full access to my entire site (instead of just access to images).

So, it is indeed the case that I can’t add any rewrite rules to my site’s root htaccess file without cPanel automatically assuming that every URL on the page is related to hotlinking and subsequently adding them all to the “allow-image-access” list…

[ Image: Train Wreck ] In other words, cPanel screws up htaccess rewrite rules via its “Hotlink Protection” feature. More specifically, spammers and robots that are denied site access via root-htaccess rewrite rules are automatically listed in the “allow access to images” field of the Hotlink Protection panel. Not good. Even worse, disabling Hotlink Protection automatically removes every rewrite rule from the htaccess file. Such bizarre functionality forces the user to choose between complete hotlink protection and other essential features such as pretty permalinks or spam blocking. Pretty sucky if you ask us. Nonetheless, here is a concise summary of the problem with the cPanel Hotlink Protection (cHP) feature:

  1. cHP enables itself when any rewrite rules are added to root .htaccess
  2. cHP includes every URL associated with such rewrite rules in its list of allowed sites
  3. cHP removes all rewrite rules from .htaccess when it’s manually disabled
  4. cHP deletes rewrite rules associated with any URL that is selectively removed from its whitelist

Therefore, based on the automatically perpetuated behavior of cHP, it appears impossible to enjoy htaccess hotlink protection along with any other rewrite-rule functionality. For example, you could employ hotlink protection but not WordPress permalinks. Likewise, to block spammers and scrapers, you would have to sacrifice hotlink protection. With cHP, it’s one or the other — you simply can’t have both. Very frustrating!

About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.
Wizard’s SQL for WordPress: Over 300+ recipes! Check the Demo »

16 responses to “Major Problem with cPanel Hotlink Protection and htaccess”

  1. I just went through HELL with this, it’s more problems than you describe, now i have to probably change host, because of the shitty cpanel and get a host who uses less sucky server manager software.

  2. Jeff Starr 2008/10/26 8:07 am

    I feel your pain, Jim! Good luck! :)

  3. David Grega 2008/11/19 7:39 am

    The behavior you describe of any RewriteRule in .htaccess automatically enabling Hotlink Protection is abnormal. I have a website myself that uses very many RewriteRules as well as Hotlink Protection without issue. I recommend you have your hosting provider contact us directly regarding this issue so we can determine what is causing this behavior on the servers on which your website is hosted and take corrective action.

  4. Hi David, I disagree entirely that the issue described in the article is anything at all abnormal. I have developed many sites that use cPanel and have never seen the anti-hotlinking feature work correctly. The behavior carefully documented in the article is seen on a variety of hosts and for a variety of configurations.

    The workaround that I have been using successfully now for over a year is to simply ignore/avoid any cPanel features that involve anything to do with rewrite rules, redirects, or anything else that may affect/modify my local htaccess files. In my opinion, the user should be able to completely disable/enable any of the available cPanel features according to their needs.

  5. I enabled Hotlink Protection in cPanel but it didn’t work, so I disabled it. After that I couldn’t access any of my sites! Come to find out, cPanel had rewritten my .htaccess files and screwed them ALL up. It took me the better part of a day to fix them all. cPanel never even warns you when it is about to change your .htaccess files. cPanel is the worst!

  6. UbuntuLinuxHelp 2010/01/12 6:35 am

    Further to the comment here:

    I spoke with cPanel (a lot) after reading this post and the issues I saw. They were able to duplicate the issue both on the server (experiencing the issue) as well as on their test servers – That is actually good news, meaning they didn’t “deep-six” the issue as trivial.

    As a result, they’ve created an internal bug report and forwarded to their developers (internal report ID is FB#36768). I asked if there was a way to track this, but they said it was internal and there was no way to (externally) subscribe to the thread. They said I should monitor the RSS for: http://changelog.cpanel.net/

    Either way, I hope they are able to fix it sooner than later, as not everyone is in a position to ssh into a server and use tools like nano to edit the .htaccess file.

    I hope more people read your post and start contacting cPanel about this, I’m sure it would speed things up (especially since this has been an issue for a least over two years; based on your original post date).

  7. I hope cPanel does decide to do something about this. I was surprised at the utter lack of concern two years ago when I tried getting some help. I even got some “deniers” such as David Grega (in comment #3 above), who claimed my finding was “abnormal” and that the issue resulted from my server configuration and not cPanel.

    The simplest solution I found was to upload the htaccess file content that you would like to use and then stay the heck away from any of cPanel’s “automatic” hotlink, www, or redirect settings. As in, don’t even open any of those pages in cPanel. This has worked fine for the past two years.

    In any case, I am grateful that you took the time to “bug” cPanel about this, and for sharing your findings with us here at Perishable Press.

  8. UbuntuLinuxHelp 2010/01/13 2:38 pm

    Well I do hope they get it fixed sooner than later. The guy I was talking to confirmed that the issue happens (now) simply by uploading am htaccess file – Aaaargh! (Which makes it worse than a couple years ago).

    Note: The tech used two different FTP servers on both the test and the “problem” server; and had the same results.

    I guess I’ll have to keep pushing (and if I see more news, I’ll let the readers here know too).

    Cheers!

  9. UbuntuLinuxHelp 2010/01/30 8:42 am

    I just followed up again (Jan. 29, 2010) and here’s the brief transcript:

    Me:

    “…I’ve been closely watching http://changelog.cpanel.net/ to see if the .htaccess vs. cPanel Hotlink issue (FB#36768) has a fix yet.

    Is there any more information or news about this?
    Any updates?…”

    cPanel:

    “…There is currently no new updates on this bug. Our QA and Development teams are hard working on everything and should be getting to this sometime in the near future. Unfortunately, we can not provide an ETA but feel free to contact us again for an update in the future if needed…”

  10. Jeff Starr 2010/02/01 9:52 am

    Thanks for the followup. It almost sounds like they are trying to ignore the issue..? I certainly hope not. I have always thought of cPanel as one of the best, hopefully they’ll take a few moments and at least look into it. I can’t imagine it would be too difficult to fix, assuming they had the desire to do so.

    In any case, thanks for keeping the pressure on ‘em and for keeping us in the loop.

  11. UbuntuLinuxHelp 2010/02/25 10:47 am

    Another update today after ticket follow up (2 updates actually).

    1st, a Technical Analyst III was able to duplicate the issue as well (which adds further importance, I assume):

    “…I too am able to replicate this matter. I am investigating this and filing a case immediately. I apologize for the wait and I want to assure you that my aim is to expedite and resolve this issue as soon as possible…”

    2nd, a follow up after viewing code and the issue at hand, etc.:

    “…I do apologize, but this was something beyond my ability to correct for you and will need to be addressed by Development. I did go ahead and file a case so you can refer back to this inquiry, 554717, to get further updates on the progress if I have not yet notified you….”

    The good thing, I think, is that it’s moving up the chain towards resolution; instead of being relegated to trivial status.

    Looks like it’s past the report stage and is at the case stage.

    It’s nice to see that cPanel personnel are following up and forwarding to the best people for the job, the developers, so it appears.

  12. That is great news — looking forward to seeing this finally resolved. It’s good to know that cPanel is still keeping it real and striving to improve their product. There may be a happy ending to this yet.

    Thanks again for staying on top of this and keeping us updated.

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
.htaccess made easy: Improve site performance and security.
Thoughts
I disabled AI in Google search results. It was making me lazy.
Went out walking today and soaked up some sunshine. It felt good.
I have an original box/packaging for 2010 iMac if anyone wants it free let me know.
Always ask AI to cite its sources. Also: “The Web” is not a valid answer.
All free plugins updated and ready for WP 6.6 dropping next week. Pro plugin updates in the works also complete :)
99% of video thumbnail/previews are pure cringe. Goofy faces = Clickbait.
RIP ICQ
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.