Book Sale! Save 20% on WordPress books with discount code: SAVE20
Web Dev + WordPress + Security

Three Ways to Allow Hotlinking in Specific Directories

After implementing any of the hotlink-prevention techniques described in our previous article, you may find it necessary to disable hotlink-protection for a specific directory. By default, htaccess rules apply to the directory in which it is located, as well as all subdirectories contained therein. There are (at least) three ways to enable selective hotlinking:

Place hotlink images in an alternate directory

This method works great if your hotlink-protection rules are located in a directory other than the site root. Simply create another directory outside of the directory containing the htaccess rules and place your hotlink-allowed images into that directory.

Create a pseudo-rewrite rule for the target directory

If your images are located within the influence of your hotlink-protection rules, and you need to enable hotlinking for a specific directory, it is possible to circumvent the anti-hotlink rewriting for that directory. In the htaccess file for the target directory, add the following, pseudo-rewrite rules:

# disable hotlink protection
RewriteEngine on
RewriteRule ^.*$ -

Turn off the rewrite engine in the target directory

Ahh, the joys of simplicity. If neither of the previous methods seem appealing to you, perhaps the simple elegance of this effective method will inspire you: turn off the rewrite engine in the directory that houses your hotlink images. That’s it. Simply add the following line to your target directory’s htaccess file and enjoy immediate results:

# disable hotlink protection
RewriteEngine off

Any one of these methods works fine, but disabling the RewriteEngine in the target directory is by far the most elegant solution.


An alternate way of disabling mod_rewrite is to flag the last RewriteRule with the [END] flag. For example:

RewriteRule /(some-other-rule)/ [END]

What about enabling hotlink-protection in a specific directory? Read on, my friend..

Selectively protect files in a specific directory

Protecting the contents of a specific directory (as opposed to all directories) requires a simple addition to any of the anti-hotlinking measures presented in our previous article. If, say, you wanted to protect all files located in a directory called “private,” you would modify the RewriteRule as follows:

# protect all content in private directory and return a forbidden error
RewriteRule protected/(.*)$ - [F,NC,L]

..or, alternatively:

# protect all content in private directory and return a nasty image
RewriteRule protected/(.*)$ http://domain.tld/hotlink.jpg [R,NC,L]

In other words, prepend the name of the target directory to the list of protected file types, which in this example is all files, as represented by the wildcard expression ((.*)).

Jeff Starr
About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
USP Pro: Unlimited front-end forms for user-submitted posts and more.

9 responses to “Three Ways to Allow Hotlinking in Specific Directories”

  1. Hi.

    It’s there anyway to HotLink Protect my hole site, and just only allow one folder for hotlink. I like to use one folder that i store all my avatars and sigs to other forums.
    It’s that possible?


  2. Jeff Starr
    Perishable 2008/01/21 8:09 am


    Um, yes, allowing hotlinking in a specific directory is exactly what this article is about. After implementing hotlink-protection sitewide (see link in first paragraph), return to this post and employ any of the three methods to disable protection for the folder of your choice. (Sorry for the redundancy — I just wanted to be clear:)


  3. Great tutorial man… thanks for your help…… bookmarking this page…

  4. I just did some more testing and it isn’t stopping any hotlinks at all. I deleted her renamed the most problematic files first and that is what is giving people the 403 error. I just tried commenting the symnlinks line too.. Maybe I should have tried a simpler solution first…

    # ultimate hotlink protection #
    # disable directory browsing
    # uncomment this option to protect access to directories
    # Options -Indexes
    # enable the following of symlinks
    # uncomment this option if hotlink protection fails to work
    Options +FollowSymLinks
    # verify presence of mod rewrite
    # enable the rewrite engine
    RewriteEngine on
    # check that file exists
    RewriteCond %{REQUEST_FILENAME} -f
    # check for requested file types
    # include additional file types here
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    # allow blank referrer requests
    RewriteCond %{HTTP_REFERER} !^$
    # allow all requests from your domain
    # edit the domain to match your own
    RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?muschamp\. [NC]
    # additional site access
    # include additional sites here replace domain names and or 
    # remove unnecessary lines or add new lines for more sites
    # RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain_01\. [NC]
    # RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain_02\. [NC]
    # RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain_03\. [NC]
    # search engine access
    # include or remove search engines feed readers and other sites
    RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
    RewriteCond %{HTTP_REFERER} !google\. [NC]
    RewriteCond %{HTTP_REFERER} !slurp\. [NC]
    RewriteCond %{HTTP_REFERER} !mmcrawler\. [NC]
    RewriteCond %{HTTP_REFERER} !msnbot\. [NC]
    RewriteCond %{HTTP_REFERER} !sandcrawler\. [NC]
    RewriteCond %{HTTP_REFERER} !msrbot\. [NC]
    RewriteCond %{HTTP_REFERER} !teoma\. [NC]
    RewriteCond %{HTTP_REFERER} !jeeves\. [NC]
    # allow access to all requests for your anti hotlink image
    # to serve an image instead of delivering a 403 error
    # uncomment the next line and edit the path and file name
    RewriteCond %{REQUEST_URI} [NC]
    # deliver the hotlink image for all requests for the listed files
    # protect additional file types by editing the list below
    # if you are serving a file instead of a 403 
    # uncomment the next line and edit the path and file name
    RewriteRule \.(gif|jpe?g?|png)$ [R,NC,L]
    # return a 403 error when any of the following file types is requested
    # you can protect additional file types by editing the list below
    # RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
  5. hi,

    Is there any way to disable hotlinking only in specific folders in lighttpd and not on whole site?
    Note :-i am talking about lighttpd not apache

  6. Thanks for this great post. Fixed my problem in minutes !

  7. Is this supposed to show me how to maintain just ONE .htaccess file for my entire hosted space? I don’t want multiple .htaccess files since I am constantly editing this one to block bots and crawlers. I purchased the guide but so far I have not found such a solution in it.

    • Jeff Starr
      Jeff Starr 2012/12/18 1:49 pm

      It’s completely up to you.. some sites may use only .htaccess file, others may use multiple files.. it all depends on your goals and the structure of your site. Most cases one .htaccess in the root directory is all that’s needed.

  8. Pali Madra 2013/03/02 10:11 am

    Thanks this helped a lot was stuck with one of the site of a client which was not loading properly because hotlinking was disabled.

    @jeff I wanted to know if the .htaccess file follows some inheritance rules or not?

    Thanks again.

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
Blackhole Pro: Trap bad bots in a virtual black hole.
Our neighbor just lets their little rat dog bark incessantly 24/7. Endless barking for the whole neighborhood.
Loving Waterfox, my new favorite browser for general surfing and playing on teh Web.
Avoiding Amazon until they stop forcing 2-factor authentication. Frustrating waste of time. Make it optional imbeciles.
Today my trusty scanner died. Not going to replace it. And when my printer finally dies, I'm not going to replace that either.
Spent about a week or so away from screens and media as much as possible. Helps to regain perspective.
Celebrating 8 years providing premium WordPress plugins at Plugin Planet!
Power is *not* relying on a 3rd-party service to handle your email.
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.