Stopping bandwidth theft through image hotlinking with .htaccess

These days, even cheap shared web hosting tends to offer unlimited bandwidth so the practice of stealing bandwidth by hotlinking to images isn’t as detrimental as it was in the past, but there’s still the principle involved. In short, having your work stolen is one thing, being forced to host the stolen work while someone else grabs the benefits is something else altogether.

For instance, there are more than 70 different wallpaper images, each available in several different dimensions, at the Aston Villa Wallpaper mini-site. I don’t have any real issue with people taking them and re-distributing them; most won’t go to the trouble of cropping the site identification.

In any case, I can’t be too precious about it since most of the wallpapers are based on photos I don’t own the rights to myself. The main purpose is to share some Aston Villa flavoured creative work with fellow fans; if a small percentage of that work helps promote Aston Villa Central then so much the better, but it’s not something that’s intended to make money.

However, I really do take issue with sites that not only fail to provide a link back to the original site (i.e. me), but also have the barefaced cheek to hotlink to the images. To be clear: hotlinking is the practice of displaying images in a webpage that are hosted on another site to save on server resources and bandwidth.

In my case, a lot of the wallpapers are available as 1920×1200 and are in excess of 1Mb in size. That can soon add up to quite a load on my server and a massive saving for the thieves when multiplied across multiple source sites.

So what can be done about it?

Diverting to a dummy image using a whitelist

Adding the following script to your .htaccess file in the web root will divert calls for images to a specified alternative image – allowing for some fun – except for a specified list of domains:

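RewriteEngine On
# Leave the image alone when the referer is one of your own domains
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?myothersite\.com/ [NC]
# Leave the image alone when no referer is sent at all
RewriteCond %{HTTP_REFERER} !^$
# Every other request for an image gets the substitute
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]

Obviously ‘mysite’ and ‘myothersite’ should be changed to the real domains on which you wish to allow images to appear.

Each domain ‘RewriteCond’ line ends in ‘[NC]’, an instruction to ignore the case (upper or lower) of the domain. Conditions with no other flag are combined with AND, which is what a whitelist needs: the referer must fail to match every allowed domain before the image is swapped. ‘OR’ means “or the next line”; it belongs on positive matches such as a blacklist, and if it is placed between these negated conditions the rule fires for every request that sends a referer, your own pages included.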

This script redirects all calls for images to the following substitute:

Notice that I’ve saved the image file as a .JPE since .JPG and .JPEG files are automatically being redirected.

Depending how mischievous you’re feeling, you could use an image that’s far more to the point, but it should be remembered that not everyone is acting in underhand ways. Some people might not realise they’re stealing at all.

And that kind of leads on to a downside of this method; it’s a bit of a blunt tool that can easily block the use of images in places where you’d actually like them to be displayed such as RSS feeds and in email versions of blog posts.

Now, I believe the majority of RSS subscribers use Google Reader these days so it’s easy enough to allow images to appear in their feeds by including google.com in the whitelist. Bloglines is another popular method, but what client readers choose to use is out of our control and a never-ending list of exceptions is hardly practical.

Email is a bigger problem. Adding google.com to the whitelist seems to work with Gmail, and I’d assume other web-based email applications could be dealt with in the same way, but what about local based clients such as Outlook?

So instead of blocking everything and then adding a whitelist of exceptions, why not just block specific offenders with a blacklist?

Diverting to a dummy image using a blacklist

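It’s basically the same script in the .htaccess file, but with the exclamation marks (‘!’) removed from the domain lines, which are joined with ‘OR’ so that a match on any one of them triggers the rule:

RewriteEngine On
# Positive matches are alternatives, so every domain line except the last ends in [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?badsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?anotherbadsite\.com [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]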
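
To check how the whitelist and blacklist treat different Referer values before uploading a rule set, here is a small Python model of the way mod_rewrite chains RewriteCond lines (an added example, not code from the original post and not Apache itself). The referer values are constructed, the patterns follow the rules above with https? assumed, and the third rule set shows what happens when ‘OR’ is placed on a negated whitelist line.

```python
import re

# Each condition is (pattern, negated, or_next); every pattern is matched as [NC].
# Simplified model of how mod_rewrite chains RewriteCond lines, not Apache itself.
WHITELIST = [
    (r"^https?://(.+\.)?mysite\.com/", True, False),
    (r"^https?://(.+\.)?myothersite\.com/", True, False),
    (r"^$", True, False),
]
# Same whitelist, but with [OR] on the first negated condition.
WHITELIST_WITH_OR = [(WHITELIST[0][0], True, True)] + WHITELIST[1:]
BLACKLIST = [
    (r"^https?://(www\.)?badsite\.com", False, True),
    (r"^https?://(www\.)?anotherbadsite\.com", False, False),
    (r"^$", True, False),
]

SAMPLES = [  # constructed Referer values
    "http://www.mysite.com/wallpapers/",
    "http://myothersite.com/page.html",
    "http://www.badsite.com/gallery.html",
    "http://feedreader.example/view",
    "",  # no Referer header sent
]

def rule_fires(conds, referer):
    """True when every OR-group of conditions holds, i.e. the image is swapped."""
    group = False
    for pattern, negated, or_next in conds:
        hit = re.search(pattern, referer, re.IGNORECASE) is not None
        group = group or (hit != negated)
        if not or_next:          # end of an OR-group; groups are ANDed together
            if not group:
                return False
            group = False
    return True

def decisions(conds):
    """Swap decision for each sample referer, in SAMPLES order."""
    return [rule_fires(conds, r) for r in SAMPLES]

if __name__ == "__main__":
    for name, conds in [("whitelist", WHITELIST),
                        ("whitelist with OR", WHITELIST_WITH_OR),
                        ("blacklist", BLACKLIST)]:
        print(f"{name:18}", decisions(conds))
```
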

Simple enough, but how do you know the sites to blacklist? Well, it can just be a matter of keeping your eyes peeled. I conduct Google searches every now and again just to keep abreast of trends and developments, and I’ve discovered one or two theft sites that way.

I’ve also noticed an incoming link in Google Webmaster Tools and I discovered one today (that prompted writing this post) from my daily Google Alerts email for the term “Aston Villa Central”. It was a simple matter of following the links, confirming that the site is hotlinking, and adding the domain to the blacklist.

It might also be a good idea to keep an eye on bandwidth usage via your control panel stats; sudden spikes should prompt an investigation to see where the traffic is coming from.
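
One way to see where the image traffic is coming from, as an added example rather than anything from the original post: a Python script that reads Apache combined-format access log lines and totals image requests and bytes per external referring host. The log lines are constructed, and OWN_HOSTS and the log format are assumptions to adjust for your own server.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

OWN_HOSTS = {"mysite.com", "www.mysite.com"}  # assumption: your own domains
IMAGE_EXT = re.compile(r"\.(jpe?g|gif|bmp|png)$", re.IGNORECASE)
# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'\d{3} (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines (documentation IP ranges, placeholder domains).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2010:10:01:02 +0000] "GET /wallpapers/villa-1920x1200.jpg HTTP/1.1" 200 1204000 "http://www.badsite.com/gallery.html" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2010:10:01:07 +0000] "GET /wallpapers/villa-1920x1200.jpg HTTP/1.1" 200 1204000 "http://www.badsite.com/gallery.html" "Mozilla/5.0"
198.51.100.2 - - [12/Mar/2010:10:02:11 +0000] "GET /wallpapers/crest.jpg HTTP/1.1" 200 950000 "http://www.mysite.com/wallpapers/" "Mozilla/5.0"
198.51.100.3 - - [12/Mar/2010:10:03:40 +0000] "GET /wallpapers/crest.png HTTP/1.1" 200 300000 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2010:10:04:00 +0000] "GET /images/badge.gif HTTP/1.1" 200 50000 "http://anotherbadsite.com/forum/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2010:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 8000 "http://www.badsite.com/gallery.html" "Mozilla/5.0"
"""

def hotlink_report(log_text, own_hosts=OWN_HOSTS):
    """Return [(referring_host, image_requests, bytes)] sorted by bytes, largest first."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format GET/HEAD line
        path = urlsplit(m["path"]).path
        host = (urlsplit(m["referer"]).hostname or "").lower()
        # Skip non-images, requests without a referer ("-"), and your own pages.
        if not IMAGE_EXT.search(path) or not host or host in own_hosts:
            continue
        totals[host][0] += 1
        totals[host][1] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return sorted(((h, n, b) for h, (n, b) in totals.items()),
                  key=lambda row: (-row[2], row[0]))

if __name__ == "__main__":
    for host, count, size in hotlink_report(SAMPLE_LOG):
        print(f"{host:25} {count:5d} requests {size:12d} bytes")
```
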

In the end, you’ll have to make your own decision whether blacklisting or whitelisting is the way to go. You pays your money and you makes your choice I suppose.