Are strange web sites showing up in your referer logs? Are people linking directly to images or movies on your website without your permission? Want to stop them? If so, read on.
People who display your images or movies on their site by linking directly to your site are engaging in “hotlinking” or “bandwidth leeching.”
Is it the end of the world? Probably not. Heck, I’m flattered that anyone might be interested in a photo I have taken. But, this practice can consume your bandwidth and slow down your web server. If it is excessive, you might even end up footing an extra bill from your hosting provider.
One tell-tale sign of hot linking is the appearance of strange web sites in your referer logs. I first became aware that this was happening on my site when I started seeing myspace.com and other similar URLs showing up in my logs. These sites wouldn’t normally be interested in my site, so I knew something was up. Upon visiting some of these pages, I noticed my photos were posted there. And sure enough, they hadn’t made a copy of my photo. They were linking directly to the photo hosted on my web site.
Another sign of hot linking might be a higher than normal amount of bandwidth consumption. Your log analysis tools might even show a higher number of hits for an image than for the page that displays it.
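To turn those two signs into a list of blacklist candidates, here is an added example (not part of the original post) that tallies image and movie requests per foreign referer host. It assumes Apache's "combined" log format; the sample log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumes Apache "combined" format: ... "METHOD path PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$')
MEDIA_RE = re.compile(r'\.(gif|jpg|png|avi)$', re.IGNORECASE)  # extensions from this page

# Constructed sample lines (documentation IP ranges, made-up paths and timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2007:13:55:36 -0700] "GET /photos/max.jpg HTTP/1.1" 200 48213 "http://www.myspace.com/someprofile" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2007:13:56:01 -0700] "GET /photos/max.jpg HTTP/1.1" 200 48213 "http://www.myspace.com/otherprofile" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2007:13:57:10 -0700] "GET /photos/max.jpg HTTP/1.1" 200 48213 "http://yoursite.com/cats.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2007:13:57:09 -0700] "GET /cats.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2007:13:58:30 -0700] "GET /photos/logo.PNG HTTP/1.1" 200 1000 "http://blog.xanga.com/entry/1" "Mozilla/5.0"',
    '192.0.2.50 - - [10/Oct/2007:13:59:02 -0700] "GET /photos/max.jpg HTTP/1.1" 304 - "http://www.myspace.com/someprofile" "Mozilla/5.0"',
]

def _host(url):
    try:
        return (urlsplit(url).hostname or '').lower()
    except ValueError:  # malformed referer value
        return ''

def hotlink_report(lines, own_hosts):
    """Return [(referer_host, hits, bytes_sent)] for media referred by foreign sites."""
    own = {h.lower() for h in own_hosts}
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not MEDIA_RE.search(m['path'].split('?', 1)[0]):
            continue  # malformed line, or not an image/movie request
        host = _host(m['referer'])
        if not host or host in own:
            continue  # empty referer ("-") or a request from our own pages
        totals[host][0] += 1
        totals[host][1] += 0 if m['bytes'] == '-' else int(m['bytes'])
    # Heaviest bandwidth consumers first, host name as tie-breaker.
    return sorted(((h, c, b) for h, (c, b) in totals.items()),
                  key=lambda row: (-row[2], row[0]))

if __name__ == '__main__':
    for host, hits, sent in hotlink_report(SAMPLE_LOG, {'yoursite.com', 'www.yoursite.com'}):
        print(f'{host}\t{hits} hits\t{sent} bytes')
```

Requests with an empty referer are skipped on purpose, since search engines, feed readers and privacy tools often send none.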
The only 100% fool-proof way to stop hot linking is to turn off your web site. But, that’s a little extreme.
One way to slow down hotlinking is to redirect these requests to another image of your choosing. For example, let’s say crazyaboutcats.com is hot linking to your prized photo of your cat Max. By implementing a redirect on your site, crazyaboutcats will now see an image that says, “Please stop hotlinking to my photos” (or something more devious.)
Some people recommend a white list approach. That is, to block all referers except for those that come from sites that you allow. I think that’s a little extreme.
It is hard enough to get people to come to my site. I don’t want to accidentally block legitimate requests from search engines, feed readers, etc.
So we’re going to take a black list approach and block some specific sites that are the worst offenders.
Ask your web hosting provider if you are not sure about any of this.
Create a friendly image that you would like to show to the hotlinkers and upload it to your web server.
Here is the one I’m currently using.

Create a text file called .htaccess that contains the following:
(without the leading line numbers of course)
1. RewriteEngine on
2. # Attempt to stop hot linking from these specific sites
3. RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?xanga\.com/ [NC,OR]
4. RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?livejournal\.com/ [NC,OR]
5. RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?myspace\.com/ [NC]
6. RewriteCond %{REQUEST_URI} !/path/to/your/stop.png
7. RewriteRule .*\.(gif|jpg|png|avi)$ http://yoursite.com/path/to/your/stop.png [NC,L]
Let’s look at what each one of these lines does.
Of course, you should replace lines 3-5 with the sites that you want to block and update lines 6 & 7 with the appropriate paths.
This .htaccess file should go in your web site’s root directory on your web server.
Make sure everything is working properly on your site. Mod_rewrite is very powerful, but one typo and all hell can break loose.
Check out a site that you have blacklisted and see if your stop image is now being shown where your cat Max used to be.
What other approaches have you used for fighting hotlinking and bandwidth leeches?