Prevent Image Hotlink and Leeching using PHP and Apache

1 August, 2014   |   Apache, PHP

Image hotlinking is a process where someone else directly links to your hosted images without your permission or consent. By hotlinking images in this way the hotlinker will use your images to their profit at the cost of your bandwidth, because for each image viewed in this way it will increase your bandwidth usage and ultimately your hosting bills. So many a times this type of usage is also called bandwidth theft.

Now there are several ways to stop image hotlink that involves Apache .htaccess and a PHP script for watermarking.

Solution 1 : Prevent Direct Hotlinking

First, We will show you how to disallow everyone else except your own domain to link to your images. For this, you will need to create a file called .htaccess in your root folder that is most probably located at /home/username/public_html/ for shared hosting accounts. Moreover, if you are not comfortable creating this file then just open Notepad in Windows and save the file as “.htaccess”, yes including the quotation marks. Read more on Apache Tutorial .htaccess files.

Code for .htaccess file:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?domain\.com/ [NC]
 RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler) [NC]
 RewriteRule \.(bmp|gif|jpe?g|png)$ - [NC,F]

Replace with your own domain name and extension. By implementing this code on your website, you will prevent almost all the direct image hotlinking with a forbidden response message. That means the hotlinked image on all other websites will just show a small red cross instead of the original image. We have intentionally excluded the major image search engines form the disallowed rule so that they can easily crawl your images and show them on image searches. If you want you can remove that line from the above code or add more image crawler user agent to it.

Solution 2 : Send Replacement Image

If you want to show the end users that this image has been hot linked from your website domain then you can send a hotlink replacement image in place of the original requested image. In this case, any hotlink request will be served with the replacement image that will be shown to the end users. For this to work properly, you will need to create a replacement image and you can add any custom message in it.

Code for .htaccess file:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?domain\.com/ [NC]
 RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler) [NC]
 RewriteCond %{REQUEST_URI} !^/hotlink\.png$
 RewriteRule \.(bmp|gif|jpe?g|png)$ /hotlink.png [L]

Replace with your own domain name and extension. The replacement image should be in root folder (public_html) with the file name “hotlink.png”. You can customize the file name and file path of the replacement image but do remember to change it accordingly in the above given hotlink protection code.

Solution 3 : Send Watermarked Image

Now if you only want to inform the end users that the hotlink image belongs to you then you can simply watermark your images. For this, we will route all the incoming hotlink image requests to a PHP watermarking script that will watermark that image on the fly and will send it back to the end user via browser. You will need to create a custom watermark image that will be used for watermarking and a PHP script that will handle all the image requests. Read more on Digital Watermarking.

Code for .htaccess file:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?domain\.com/ [NC]
 RewriteCond %{HTTP_USER_AGENT} !(googlebot-image|msnbot|psbot|yahoo-mmcrawler) [NC]
 RewriteRule (^.*\.(bmp|gif|jpe?g|png)$) /watermark.php?src=$1 [L]

Code for watermark.php PHP file:


 header('content-type: image/jpeg');
 $image = imagecreatefromjpeg($_GET['src']);
 $watermark = imagecreatefrompng('watermark.png');
 $watermark_width = imagesx($watermark);
 $watermark_height = imagesy($watermark);
 $dest_x = imagesx($image) - $watermark_width;
 $dest_y = imagesy($image) - $watermark_height;
 imagecopymerge($image, $watermark, $dest_x - 5, 5, 0, 0, $watermark_width, $watermark_height, 80);
 imagejpeg($image, NULL, 85);


Replace with your own domain name and extension. The PHP script and the watermark image should be placed in root folder (public_html) with file name “watermark.php” and “watermark.png” respectively.

This basic configuration will watermark your images on the top right side of the original image and will be semi transparent. If you want to play around with these settings then please refer to Image Processing and GD Functions on PHP website, especiall imagecopymerge function which handles actual merging of original and watermak image.

You can test image hotlink protection and see whether it is effective or not.

Now with all this preventive measures for hotlink images in place you will be sure saving your bandwidth or advertising your domain with your digital images.



Ulugbek 27 January, 2015

Thank you for your post. Very useful. But it would be much better if you could inform how can we achieve making watermark image size automatically sized as image itself.

Petra 26 July, 2015

Hi there!

Thank you very much for your article. I was looking for my wordpress site for a solution without overloading with too many plugins.

Question: I’ve just done the .php version, moved it to the root folder and checked in Google images.
As my website is brandnew (I indexed it only yesterday and put the link today in Google Webmaster Tools), I don’t know yet if it’s working correctly already.
Only one image is appearing right now (in Google images), when I click on it the following “Fowarding remark” is appearing:

1. Is it a matter of time until it arrives with watermarked image (so I’ve to be more patient ;-))? Or
2. has Google updated their handling for thoses cases in between with the above mentioned message?
3. If so, can I enter in your code a “text” part where I write some an explaination… that user will not get irritated by Googles message?

I would be VERY happy if you can give me answers :-)!!

Many thanks again for your article and kind regards from sunny Germany,

Milan Kaneria 27 July, 2015


If you want to check if hotlink prevention script is working or not then verify it here

Regarding Google, the htaccess code in “Solution 3 : Send Watermarked Image” already takes care of the Google Images bot and serves the original image. So that means you will always see original image in Google Images and the other white listed bots (googlebot-image|msnbot|psbot|yahoo-mmcrawler).

Leave a Comment