To begin with, a hotlink is when someone on an external site links directly to any kind of file on your server. The link can target an image, a video, a PDF document, a zip file, etc. There’s nothing wrong with this, except for two possible reasons:
- You have private files you don’t want to be accessed by everyone
- Your hosting service provides a limited bandwidth (and so you don’t want to become a file hosting service).
The best way to block hotlinking on your site is to edit .htaccess and configure a RewriteCond. The .htaccess file is nothing but a plain text file located in your www folder (and/or a subfolder) which tells your Apache server what access restrictions apply to the files in the folder it is located in. RewriteCond is a directive of mod_rewrite, the Apache module that rewrites the URLs of your site; it is used for a lot more than just blocking hotlinks, for example to hide the .php extension of your web pages or to show the URL as a permalink. It’s php voodoo, as some say.
In order to use RewriteCond, mod_rewrite.so needs to be enabled in your apache2 configuration. In Ubuntu, this module is not loaded by default in a standard repository-based Apache install, and the process to enable it is slightly different from the process (widespread in the first Google results) followed in other Apache installs (older versions, different Linux distros, etc.). Moreover, .htaccess directives are not enabled by default. But let’s not worry too much, all this can be solved in a few steps… let’s get it working.
The first thing to do is get straight to the action: create an .htaccess file and test whether it works. If it works, you can be happy right away; if it doesn’t, you will have to follow step 3 to get it working.
Step 1. Creating the .htaccess file
Open a new text editor and paste this:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com([/:]|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif|zip|rar|docx|xlsx)$ - [NC,F,L]
You should replace “yourdomain.com” with… your domain name, duh (write each dot in it as \. so that it only matches a literal dot), and the file types with the ones you want to block from hotlinking.
Let me explain what these lines mean:
The first line enables the RewriteEngine.
The second line allows blank referers. This is usually enabled because some firewalls block the HTTP_REFERER data, so if someone has a strong antivirus + firewall thing enabled, they might be unable to download a file or see an image even when it’s not a hotlink.
The third line blocks any referrer that is not your own domain, with or without the www, case insensitive ([NC]).
The fourth line blocks all the file types specified inside the parentheses, case insensitive ([NC]), and shows the “403 Forbidden” message ([F]). The [L] means “Last rule”: no more rules will be processed if this one was successful.
There are a lot of sites that will generate all these lines for you, here’s one.
Save this file and name it .htaccess (starting with a dot). The rules in .htaccess apply to the folder it is located in and all its subfolders. So if you want to protect all your sites, you should place .htaccess in your web server root folder (usually /var/www).
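To check a referer pattern before uploading it, the following added example (not part of the original post) emulates the three rule lines in shell with grep -E over constructed referers. It compares a pattern with an unescaped dot and nothing after the domain against one that ends at the host name; the names WEAK, STRICT and hotlink_status and all sample URLs are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: emulates the Step 1 rules for a (referer, path) pair and
# prints the status Apache would answer with: 403 (blocked) or 200 (served).
# WEAK, STRICT, hotlink_status and all URLs below are constructed for this demo.

PROTECTED='\.(jpg|jpeg|png|gif|zip|rar|docx|xlsx)$'
# Unescaped dot and nothing after the domain: a prefix match.
WEAK='^http(s)?://(www\.)?yourdomain.com'
# Literal dot, and the host name must end in "/", ":" or end of string.
STRICT='^https?://(www\.)?yourdomain\.com([/:]|$)'

# hotlink_status PATTERN REFERER PATH
hotlink_status() {
    pattern=$1; referer=$2; path=$3
    # RewriteRule pattern is checked first: other file types are never blocked.
    if ! printf '%s\n' "$path" | grep -Eiq "$PROTECTED"; then
        echo 200; return 0
    fi
    # RewriteCond %{HTTP_REFERER} !^$  -> a blank referer is let through.
    if [ -z "$referer" ]; then
        echo 200; return 0
    fi
    # RewriteCond %{HTTP_REFERER} !PATTERN [NC] -> own-domain referers pass.
    if printf '%s\n' "$referer" | grep -Eiq "$pattern"; then
        echo 200
    else
        echo 403
    fi
}

# Constructed sample referers; "-" stands for a blank referer.
for ref in - \
    http://www.yourdomain.com/gallery.html \
    HTTPS://YourDomain.com \
    http://forum.example.net/thread/42 \
    http://yourdomain.com.example.net/page \
    http://yourdomainxcom.example.net/
do
    r=$ref
    if [ "$ref" = - ]; then r=; fi
    printf '%-42s weak=%s strict=%s\n' "$ref" \
        "$(hotlink_status "$WEAK" "$r" /img/logo.png)" \
        "$(hotlink_status "$STRICT" "$r" /img/logo.png)"
done
```

Because the Referer header is chosen by the client and blank referers are allowed, this rule saves bandwidth but does not keep private files private; those need authentication.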
Step 2. Testing
First of all, load your own site in a browser and see if it works. If you see some “misconfiguration error” thing, rename the .htaccess file you’ve just created to anything else and everything will be back to normal; we’ll get back to it later. This error indicates that you don’t have mod_rewrite enabled in your server, and you have to enable it by following step 3.
On the other hand, if no error is shown, copy any image *location* (right click, copy image location) from your site and send yourself an email with the link. CLEAR YOUR BROWSER’S CACHE and then try to click the link. You should see the 403 forbidden page.
Also, this page has a hotlink testing tool, remember to clear your browser’s cache each time, otherwise the image may show up directly from your computer’s HDD.
If everything worked you are done, you can be happy now, no need to do anything else…
If not, go to step 3.
Step 3. Enable mod_rewrite.so and AllowOverride in Ubuntu (only if step 1 didn’t work)
To enable this module in Ubuntu, first you’ll need to copy
/etc/apache2/mods-available/mod_rewrite.so
to
/etc/apache2/mods-enabled/mod_rewrite.so
Now, in order for the .htaccess policies to apply, you need to edit this file
/etc/apache2/sites-enabled/000-default
And make the proper changes to the sections shown here:
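<Directory />
    Options FollowSymLinks
    # "All" lets .htaccess files override every directive class;
    # the mod_rewrite lines from step 1 only need the FileInfo class.
    AllowOverride All
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order deny,allow
    allow from all
</Directory>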
And finally, restart Apache:
sudo /etc/init.d/apache2 restart
Done! Now go back to step 2 and test that everything works. Remember to rename the .htaccess file back.
Cheers

The Block hotlinks with apache server on ubuntu by Red Mezzanine, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 3.0 Unported License.






