Fall Sale! Code FALL2024 takes 25% OFF our Pro Plugins & Books »
Web Dev + WordPress + Security

Major Problem with cPanel Hotlink Protection and htaccess

There is a major problem with the “Hotlink Protection” feature of cPanel. To summarize the issue, allow me to quote a recent email sent to a completely unresponsive tech support department:

…The problem is that if I try to include any rewrite rules for permalinks, hotlinking, or blocking spambots, cPanel automatically enables its “Hotlink Protection” feature. And, even worse, it automatically adds every URL from every rewrite rule (even the ones for blocking spambots) to its “auto-discovered” list of URL’s for which image access is allowed.

This means that every spammer that I am trying to block now has access to my images! If I try to remove the spammers directly from the “allow-image-access” list, the associated rewrite rules are automatically removed from my htaccess file, thus giving spammers full access to my entire site (instead of just access to images).

So, it is indeed the case that I can’t add any rewrite rules to my site’s root htaccess file without cPanel automatically assuming that every URL on the page is related to hotlinking and subsequently adding them all to the “allow-image-access” list…

[ Image: Train Wreck ] In other words, cPanel screws up htaccess rewrite rules via its “Hotlink Protection” feature. More specifically, spammers and robots that are denied site access via root-htaccess rewrite rules are automatically listed in the “allow access to images” field of the Hotlink Protection panel. Not good. Even worse, disabling Hotlink Protection automatically removes every rewrite rule from the htaccess file. Such bizarre functionality forces the user to choose between complete hotlink protection and other essential features such as pretty permalinks or spam blocking. Pretty sucky if you ask us. Nonetheless, here is a concise summary of the problem with the cPanel Hotlink Protection (cHP) feature:

  1. cHP enables itself when any rewrite rules are added to root .htaccess
  2. cHP includes every URL associated with such rewrite rules in its list of allowed sites
  3. cHP removes all rewrite rules from .htaccess when it’s manually disabled
  4. cHP deletes rewrite rules associated with any URL that is selectively removed from its whitelist

Therefore, based on the automatically perpetuated behavior of cHP, it appears impossible to enjoy htaccess hotlink protection along with any other rewrite-rule functionality. For example, you could employ hotlink protection but not WordPress permalinks. Likewise, to block spammers and scrapers, you would have to sacrifice hotlink protection. With cHP, it’s one or the other — you simply can’t have both. Very frustrating!

About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.
The Tao of WordPress: Master the art of WordPress.

16 responses to “Major Problem with cPanel Hotlink Protection and htaccess”

  1. Yes i’m having a lot of issues with hotlink protection, i disabled it and contnue having problems.

    The feature is poor from my point of view, anyways i could make my php proxy http://www.proxy2surf.com run after some headaches.

    Honestly cPanel developers have to improve this hotlink feature.

  2. This problem happened to me today (files screwed up after disabling cHP manually). I’m not an expert at all. Only my add-on domain did experience problems and none of the images were shown after disabling cHP manually.

    After restoring a Full CPanel back-up I like to edit my .htaccess file adding a manual code for Hotlink Protection (with some permitted sites).
    What do I need to do with the cHP-option? Keep it enabled or disabling it again with the risk that the files are going to be screwed up again? Does cHP adept itself to the lines of code you add manually to the .htaccess file?

    Thanks a lot for your help.

  3. Jeff Starr 2011/07/17 1:29 pm

    I’ve long-since moved away from cpanel, but if I recall, the trick was setting .htaccess manually and then just NEVER visit anything in cpanel that has anything to do with it.

    Another trick is knowing when the .htaccess file contains your code exactly and not the screwed-up stuff that cpanel does. So make the changes, view the file from the cpanel File Manager, and if it looks good, just never go back into any of those cpanel option areas.

    If I recall, it was actually visiting/accessing those pages that caused cpanel to fudge up your .htaccess files. So configure .htaccess manually and stay away from cpanel’s hotlinking/htaccess pages.

    Good luck.

  4. UbuntuLinuxHelp 2011/07/17 7:11 pm

    This has been fixed is subsequent updates.

    It turned out that cPanel was detecting the changes in the .htaccess file (even if they were manually created NOT using cPanel).

    The fix was to update WHM (which also updates Panel for each client on the server).

    SSH into your server and run the update command as:

    /scripts/upcp

    This will cause the update scripting to run, and fix the issue.

    I hope this helps some of you out there.

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
WP Themes In Depth: Build and sell awesome WordPress themes.
Thoughts
I disabled AI in Google search results. It was making me lazy.
Went out walking today and soaked up some sunshine. It felt good.
I have an original box/packaging for 2010 iMac if anyone wants it free let me know.
Always ask AI to cite its sources. Also: “The Web” is not a valid answer.
All free plugins updated and ready for WP 6.6 dropping next week. Pro plugin updates in the works also complete :)
99% of video thumbnail/previews are pure cringe. Goofy faces = Clickbait.
RIP ICQ
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.