Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to prevent hotlinking of graphics from a domain?
Answer
Bandwidth theft, or "hotlinking", is the direct linking to a web site's files (images, video, etc.) from another site.
If a WordPress domain needs to be secured from hotlinking, this can be done in WordPress Toolkit starting from version 3.5.0:
- Go to WordPress > example.com > Security status > View and check the Hotlink Protection box in the window that opens.
In Plesk for Windows, enable Hotlink Protection in Domains > example.com > Hotlink Protection. Refer to the Documentation on how to configure the protection settings.
Hotlink protection is yet to be implemented in Plesk for Linux. Take part in product improvement by voting for this feature on the Plesk Uservoice portal.
As a workaround, hotlinking can be prevented with the Apache module mod_rewrite:
- Log in to Plesk;
- Browse to Home > Domains > example.com > Apache & nginx Settings;
- Add the following rewrite rules to the Additional directives for HTTP and Additional directives for HTTPS fields:
Note: In Additional directives for HTTPS, the http:// in the referer condition must be changed to https://.
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com(/)?.*$ [NC]
    RewriteRule \.(gif|jpg|jpeg|png|swf)$ - [NC,F]
If nginx support is enabled on the server, verify that the Serve static files directly by nginx option is disabled on the Home > Domains > example.com > Apache & nginx Settings page.
Then, add the following directives to the Additional nginx directives field:
    location ~ ^/(.*\.(jpe?g|png|gif))$ {
        valid_referers none blocked example.com *.example.com;
        if ($invalid_referer) {
            return 403;
        }
    }
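The following Python, added here and not part of the Plesk article, emulates the decision the Apache rules and the nginx directives above make, so a rule set can be checked against sample referers before it is deployed: it shows the http:// vs https:// point from the note (the Apache pattern rejects HTTPS referers unless changed, while valid_referers is scheme-agnostic), that an empty referer is always allowed, and how an extra owned domain is whitelisted by adding it to valid_referers. The sample referers and the second domain second.example are constructed; note also that the Apache pattern only anchors the prefix, so it accepts any referer host that merely begins with example.com, whereas the nginx host comparison is exact.

```python
import re
from urllib.parse import urlparse

# Referer conditions exactly as in the Apache rules above ([NC] -> IGNORECASE),
# plus the HTTPS variant the note says to use in the HTTPS directives field.
REFERER_HTTP = re.compile(r"^http://(www\.)?example\.com(/)?.*$", re.IGNORECASE)
REFERER_HTTPS = re.compile(r"^https://(www\.)?example\.com(/)?.*$", re.IGNORECASE)
PROTECTED = re.compile(r"\.(gif|jpg|jpeg|png|swf)$", re.IGNORECASE)

def apache_blocks(path, referer, own_site=REFERER_HTTP):
    """True when the mod_rewrite rules answer 403 (the [F] flag): the request
    is for a protected extension, the referer is non-empty, and it does not
    match the own-site pattern. An empty referer is always let through."""
    if not PROTECTED.search(path):
        return False
    if referer == "":           # RewriteCond %{HTTP_REFERER} !^$ is false
        return False
    return own_site.match(referer) is None

def nginx_invalid_referer(referer, valid=("none", "blocked", "example.com", "*.example.com")):
    """Emulate valid_referers / $invalid_referer for the directive above.
    'none' allows a missing referer, 'blocked' allows one that a proxy or
    firewall stripped to a value without a scheme; other entries are compared
    against the referer's host, with '*.' matching subdomains only."""
    if referer == "":
        return "none" not in valid
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" not in valid
    host = (urlparse(referer).hostname or "").lower()
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry.startswith("*."):
            if host.endswith(entry[1:]):
                return False
        elif host == entry:
            return False
    return True

if __name__ == "__main__":
    # Constructed sample referers; the protected site is example.com as on the page.
    for ref in ("", "http://www.example.com/page", "https://example.com/page",
                "https://img.example.com/g", "https://other.test/embed"):
        print(f"{ref or '<no referer>':32} apache(http rule) blocks={apache_blocks('/imgs/a.png', ref)!s:5} "
              f"nginx invalid={nginx_invalid_referer(ref)}")
```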
Comments
Hi, after changing the settings, other people cannot access the image files in my domain?
But I have tried https://domain.name/imgs/facebook.png, and I can still view it even after a hard reload and clearing the cache. I followed the steps for Linux, and I have checked that my domain is using nginx.
Did I do anything wrong? 😔
Hello @Thomas Kim,
Thank you for your question.
I double-checked the provided steps on a test environment and found that images will not be available if nginx is enabled but the Serve static files directly by nginx option is disabled.
So it is highly recommended to double-check that the Serve static files directly by nginx option is enabled on the Home > Domains > example.com > Apache & nginx Settings page.
If the option is enabled and the issue can still be seen, the most probable cause is that the domain has mixed content.
To check it, please follow steps from the next article: The site opens with warning: This content should also be served over HTTPS
If no issues are found there as well, please submit a request to Plesk Technical Support: How to submit a request to Plesk support?
Is it possible to whitelist another domain that I own?
e.g. I want to block hotlinking for everyone else but do want another one of my domains to still be able to serve images from my primary website.
Hello @Patrick Furgerson,
Thank you for your question.
Yes, it can be done using the following rewrite rules for Additional directives for HTTP/Additional directives for HTTPS fields:
If nginx support is enabled on the server, the following directives can be used in Additional nginx directives field:
Hello @...,
Thank you for this description; however, it does not work on my Linux Plesk system. After adding the nginx directives, images are still directly accessible through the corresponding link. I tested both with the "serve static files directly by nginx" option enabled and disabled.
I am running nginx not in proxy mode.
Is there any solution for this so far?
Thanks!
Hello Erich Thienhaus
Please, make sure you've edited the proposed directives with respect to your domain name.
In case this is already done, I suggest submitting a support request for additional investigation.
Hello @Daria Gavrilova
How can I enable all .com .es .fr,
like for all the domains of google (.it .com .co.uk), without writing them one by one?