Save 25% on Wizard’s SQL for WP w/ code: WIZARDSQL
Web Dev + WordPress + Security

Major Problem with cPanel Hotlink Protection and htaccess

There is a major problem with the “Hotlink Protection” feature of cPanel. To summarize the issue, allow me to quote a recent email sent to a completely unresponsive tech support department:

…The problem is that if I try to include any rewrite rules for permalinks, hotlinking, or blocking spambots, cPanel automatically enables its “Hotlink Protection” feature. And, even worse, it automatically adds every URL from every rewrite rule (even the ones for blocking spambots) to its “auto-discovered” list of URL’s for which image access is allowed.

This means that every spammer that I am trying to block now has access to my images! If I try to remove the spammers directly from the “allow-image-access” list, the associated rewrite rules are automatically removed from my htaccess file, thus giving spammers full access to my entire site (instead of just access to images).

So, it is indeed the case that I can’t add any rewrite rules to my site’s root htaccess file without cPanel automatically assuming that every URL on the page is related to hotlinking and subsequently adding them all to the “allow-image-access” list…

[ Image: Train Wreck ] In other words, cPanel screws up htaccess rewrite rules via its “Hotlink Protection” feature. More specifically, spammers and robots that are denied site access via root-htaccess rewrite rules are automatically listed in the “allow access to images” field of the Hotlink Protection panel. Not good. Even worse, disabling Hotlink Protection automatically removes every rewrite rule from the htaccess file. Such bizarre functionality forces the user to choose between complete hotlink protection and other essential features such as pretty permalinks or spam blocking. Pretty sucky if you ask us. Nonetheless, here is a concise summary of the problem with the cPanel Hotlink Protection (cHP) feature:

  1. cHP enables itself when any rewrite rules are added to root .htaccess
  2. cHP includes every URL associated with such rewrite rules in its list of allowed sites
  3. cHP removes all rewrite rules from .htaccess when it’s manually disabled
  4. cHP deletes rewrite rules associated with any URL that is selectively removed from its whitelist

Therefore, based on the automatically perpetuated behavior of cHP, it appears impossible to enjoy htaccess hotlink protection along with any other rewrite-rule functionality. For example, you could employ hotlink protection but not WordPress permalinks. Likewise, to block spammers and scrapers, you would have to sacrifice hotlink protection. With cHP, it’s one or the other — you simply can’t have both. Very frustrating!

Jeff Starr
About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.
Banhammer: Protect your WordPress site against threats.

16 responses to “Major Problem with cPanel Hotlink Protection and htaccess”

  1. Avatar photo

    Yes i’m having a lot of issues with hotlink protection, i disabled it and contnue having problems.

    The feature is poor from my point of view, anyways i could make my php proxy run after some headaches.

    Honestly cPanel developers have to improve this hotlink feature.

  2. This problem happened to me today (files screwed up after disabling cHP manually). I’m not an expert at all. Only my add-on domain did experience problems and none of the images were shown after disabling cHP manually.

    After restoring a Full CPanel back-up I like to edit my .htaccess file adding a manual code for Hotlink Protection (with some permitted sites).
    What do I need to do with the cHP-option? Keep it enabled or disabling it again with the risk that the files are going to be screwed up again? Does cHP adept itself to the lines of code you add manually to the .htaccess file?

    Thanks a lot for your help.

  3. Avatar photo
    Jeff Starr 2011/07/17 1:29 pm

    I’ve long-since moved away from cpanel, but if I recall, the trick was setting .htaccess manually and then just NEVER visit anything in cpanel that has anything to do with it.

    Another trick is knowing when the .htaccess file contains your code exactly and not the screwed-up stuff that cpanel does. So make the changes, view the file from the cpanel File Manager, and if it looks good, just never go back into any of those cpanel option areas.

    If I recall, it was actually visiting/accessing those pages that caused cpanel to fudge up your .htaccess files. So configure .htaccess manually and stay away from cpanel’s hotlinking/htaccess pages.

    Good luck.

  4. UbuntuLinuxHelp 2011/07/17 7:11 pm

    This has been fixed is subsequent updates.

    It turned out that cPanel was detecting the changes in the .htaccess file (even if they were manually created NOT using cPanel).

    The fix was to update WHM (which also updates Panel for each client on the server).

    SSH into your server and run the update command as:


    This will cause the update scripting to run, and fix the issue.

    I hope this helps some of you out there.

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Digging Into WordPress: Take your WordPress skills to the next level.
DIY: Monitor File Changes via Cron working perfectly for over a decade.
Mastodon social is a trip. Glad I found it.
As a strict rule, I never use cache plugins on any of my sites. They cause more problems than they solve, imho. Just not worth it.
Currently on a posting spree :)
6 must come before 7.
My top three favorite-to-write coding languages: CSS, PHP, JavaScript.
If you’re not 100% sure that you can trust something, you can’t.
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.