Archive for the '.htaccess' Category

Using .htaccess to redirect hotlinkers to another image

In my last post on using .htaccess to block direct linking of images, I advised simply using the RewriteRule to forbid display of images (i.e. RewriteRule \.(gif|png|jpg|jpeg?)$ - [NC,F]). This is a nice simple rule which works a treat to block display of your images on remote sites.

However, if you want to take this a step further, you can re-direct requests for images from remote webpages to an image of choice on your website. I have created an image, called stolenimage.jpg, which simply says “This image is stolen”. Anyone trying to link directly to images on my site is, therefore, inadvertently serving that image on their pages.

The code to put in .htaccess to achieve this is:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?tomrafteryit.net [NC]
RewriteRule \.(png|gif|jpe?g)$ stolenimage.$1 [NC,L]

This is the same code as is in my previous post except for the RewriteRule.

It is a very good idea not to redirect a browser from one file type to another. The cleanest approach is to make a separate version of the stolenimage.jpg file in each format that you use on your site – for example I have one in gif format, one in jpg format, one in jpeg format, and one in png format. Then redirect each hot-linked image to the matching filetype.

In the RewriteRule above, the “$1” in the last line refers back to the contents of the parentheses in the same line. That is, a request for a .jpg file will be redirected to http://www.tomrafteryit.net/stolenimage.jpg, and a request for a .gif file will be redirected to http://www.tomrafteryit.net/stolenimage.gif, etc.

The L in the square brackets is the “last rule” – it stops the rewriting process here and tells the .htaccess file not to apply any more rewriting rules. See the Apache mod_rewrite URL Rewriting Engine page for more.

Obviously, if you are feeling a bit mischievous, you can serve other images to people hotlinking your images – “Free shipping worldwide – we ship anywhere for free”, “Order one, get three free” or “This site supports the Taliban’s policy on Feminism” are some possibilities! You are only limited by your imagination.

Many thanks to all the contributors to the WebmasterWorld forums, from where I gleaned most of the information in these posts.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Using .htaccess to stop remote image linking (hotlinking) and bandwidth theft

Hotlinking (also called remote image linking or direct image linking) is when a remote website embeds images from your site on its webpage(s). The image is then served from your website to anyone browsing their site, so they are robbing your bandwidth.

How can you stop this? Well, using an .htaccess file in your images folder(s), there are a number of options.

The most straightforward is to simply create an .htaccess file with the following code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?tomrafteryit.net [NC]
RewriteRule \.(png|gif|jpe?g)$ - [NC,F]

The first line here turns on mod_rewrite, a rule-based rewriting engine (based on a regular-expression parser) that rewrites requested URLs on the fly. It only needs to be done once per .htaccess file.
The next line is needed to allow your site to be viewed through proxy caches. If you take it out, then anyone without a referer won’t be able to view your site. Many proxy caches, for instance, block referers… and that looks the same as a directly-entered URL.
The third line tells the .htaccess file where to allow image files to be served from – in this case it will allow images to be served from http://tomrafteryit.net and http://www.tomrafteryit.net (remember to update this for your own domain!).
The final line is case insensitive (the NC) and instructs the .htaccess file what file types to restrict the serving of. You could just as easily use this to protect .mp3s, .pdfs or any other file type by substituting the file type in this line. The F in the square brackets forces the current URL to be forbidden.
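
An added example (not code from the original posts): a small Python model of the forbid rule set above and of the stolenimage rewrite from the later post, showing which requests are served, forbidden or swapped. The STRICT_HOST pattern and the sample requests are assumptions introduced here for comparison.

```python
import re

# Host pattern as printed in both rule sets on this page (unescaped dot, no end anchor).
PAGE_HOST = re.compile(r"^http://(www\.)?tomrafteryit.net", re.I)
# Added variant, an assumption not from the posts: escaped dot, https allowed,
# and the host name must end at '/', ':' or end of string.
STRICT_HOST = re.compile(r"^https?://(www\.)?tomrafteryit\.net(?=[:/]|$)", re.I)
IMAGE = re.compile(r"\.(png|gif|jpe?g)$", re.I)


def decide(path, referer, host_re=PAGE_HOST, mode="forbid"):
    """Model the RewriteRule/RewriteCond chain for one request.

    Returns "serve", "403", or the substituted file name.
    """
    m = IMAGE.search(path)
    if m is None:
        return "serve"  # RewriteRule pattern does not match this file type
    if referer == "":
        return "serve"  # condition !^$ fails: requests with no Referer pass
    if host_re.search(referer):
        return "serve"  # second condition fails: Referer is the site itself
    if mode == "forbid":
        return "403"  # the [F] flag
    # $1 is the extension exactly as requested, including its letter case.
    return "stolenimage." + m.group(1)


# Constructed sample requests: (requested path, Referer header value)
SAMPLES = [
    ("photo.jpg", ""),
    ("photo.jpg", "http://www.tomrafteryit.net/blog/"),
    ("photo.gif", "http://other.example/page.html"),
    ("photo.PNG", "http://other.example/page.html"),
    ("photo.jpg", "http://tomrafteryit.net.other.example/"),
    ("notes.html", "http://other.example/page.html"),
]


def report(host_re, mode):
    return [decide(p, r, host_re, mode) for p, r in SAMPLES]


if __name__ == "__main__":
    for (p, r), a, b in zip(SAMPLES, report(PAGE_HOST, "redirect"), report(STRICT_HOST, "redirect")):
        print(f"{p:11} {r or '(none)':42} page={a:16} strict={b}")
```

Because a request with no Referer is always served, these rules limit casual embedding and bandwidth use rather than controlling access to the files. With [NC], a request for photo.PNG is rewritten to stolenimage.PNG, so on a case-sensitive file system that name has to exist as well.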

For more information on this see the Apache mod_rewrite URL Rewriting Engine page.

There are more things you can do via .htaccess to stop people hotlinking to your images that I’ll cover in my next post.

Warning – The .htaccess file is very powerful (it can potentially take your entire site offline) and sensitive to typos – always test your site after making changes and be sure you have a plan to revert in the event of a problem arising.


How to create an .htaccess file

The .htaccess file is a very powerful tool – amongst other things, it allows you to password protect folders, redirect users automatically, use custom error pages, change your file extensions, ban users by IP address, only allow users with certain IP addresses, stop directory listings and use an alternate index file.

Creating the file is easy: you just need to enter the appropriate code into a text editor (like notepad). You may run into problems with saving the file because .htaccess is a strange file name (the file actually has no name but an 8 letter file extension). You may need to name it something else (e.g. htaccess.txt) and then upload it to the server using an ftp client program (.htaccess files must be uploaded in ASCII mode, not BINARY). Once you have uploaded the file you can then rename it using your FTP program.

You may need to CHMOD the .htaccess file to 644 (RW-R--R--). This makes the file usable by the server, but prevents it from being read by a browser, which could seriously compromise your security.

For more information on .htaccess files see the Comprehensive guide to .htaccess.

In my next post I’ll be going through some cool things you can do with the .htaccess file.
