Hotlink Protection
Hotlinking is when another website embeds your images or files directly, using your server's bandwidth to display their content. Hotlink protection blocks this by only allowing specified domains to load your files.
What is Hotlinking?
When someone hotlinks your images, they use an <img> tag on their website that points directly to a file on your server. Every time someone visits their page, your server delivers the image and uses your bandwidth, not theirs.
For example, if another site uses:
<img src="https://yourdomain.com/images/photo.jpg">
Every visitor to their site downloads that image from your server, consuming your bandwidth and server resources.
Enabling Hotlink Protection
- Log into cPanel.
- Scroll to the Security section.
- Click Hotlink Protection.
- Click Enable to turn on hotlink protection.
- Configure the settings:
  - URLs to allow access: Add the domains that should be allowed to display your files. Your own domain is included by default. Add any other domains you want to permit (e.g., https://www.google.com for Google Image search).
  - Block direct access: Check this if you want to prevent people from typing a file URL directly into their browser. Leave unchecked if you only want to block embedding on other sites.
  - File extensions to protect: Specify which file types to protect. Common choices include jpg, jpeg, gif, png, bmp, webp, svg.
  - Redirect URL: Optionally enter a URL to redirect hotlinked requests to (e.g., a page explaining that hotlinking is not allowed, or a placeholder image).
- Click Submit to save your settings.
Hotlink protection relies on the Referer header sent by browsers. Most browsers send this header, but it can be disabled or blocked by privacy extensions. Requests without a Referer header are typically allowed through.
Recommended Allowed URLs
In addition to your own domain, consider allowing these URLs so your images continue to appear properly:
- https://www.google.com — Google Image search results.
- https://www.bing.com — Bing Image search results.
- Any CDN domains you use (e.g., https://cdn.yourdomain.com).
- Social media platforms if you want your images to display when shared (though most social platforms cache images on their own servers).
How It Works Behind the Scenes
Enabling hotlink protection adds rules to your .htaccess file. The rules look something like this:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|webp)$ - [NC,F,L]
You don't need to add these rules manually — cPanel handles this for you. But if you need more fine-grained control, you can edit the .htaccess file directly.
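If you do edit the rules by hand, it helps to check how they treat different requests before relying on them. The following is an added example, not cPanel's code or output: a small Python model of the three rules above, run over constructed sample requests. STRICT_REFERER is an assumed variant (not from the rules above) that also requires the host name to end right after yourdomain.com; the names decide, report and SAMPLES are made up for this example.

```python
import re

# Patterns copied from the .htaccess rules above; [NC] maps to re.IGNORECASE.
PROTECTED = re.compile(r"\.(jpg|jpeg|png|gif|webp)$", re.IGNORECASE)
PAGE_REFERER = re.compile(r"^http(s)?://(www\.)?yourdomain\.com", re.IGNORECASE)
# Assumption (not on the page): a variant that also requires the host name
# to end right after "yourdomain.com" (optional port, then "/" or end).
STRICT_REFERER = re.compile(
    r"^http(s)?://(www\.)?yourdomain\.com(:\d+)?(/|$)", re.IGNORECASE
)


def decide(path, referer, allowed=PAGE_REFERER):
    """Return the HTTP status the rules would produce: 403 ([F]) or 200."""
    if not PROTECTED.search(path):  # RewriteRule pattern: extension not protected
        return 200
    if not referer:                 # RewriteCond !^$ : no Referer, rule is skipped
        return 200
    if allowed.search(referer):     # second RewriteCond: allowed site, rule is skipped
        return 200
    return 403                      # both conditions held, request is forbidden


# Constructed sample requests: (requested path, Referer header value).
SAMPLES = [
    ("/images/photo.jpg", "https://yourdomain.com/gallery.html"),
    ("/images/photo.jpg", "https://other-site.example/post"),
    ("/images/photo.jpg", ""),  # Referer stripped by browser or extension
    ("/images/PHOTO.JPG", "https://other-site.example/post"),
    ("/docs/manual.pdf", "https://other-site.example/post"),
    ("/images/photo.jpg", "https://yourdomain.com.other-site.example/"),
]


def report(allowed=PAGE_REFERER):
    """Evaluate every sample request against the given allow-list pattern."""
    return [(path, referer or "(none)", decide(path, referer, allowed))
            for path, referer in SAMPLES]


if __name__ == "__main__":
    rows = zip(report(), report(STRICT_REFERER))
    for (path, referer, page), (_, _, strict) in rows:
        print(f"{path:20} {referer:45} page={page} strict={strict}")
```

The last sample shows why the allow-list pattern should end at a host boundary: the pattern as written accepts any Referer that merely starts with your domain name, while the stricter variant does not.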
Disabling Hotlink Protection
- Go to Security → Hotlink Protection in cPanel.
- Click Disable.