<img src="https://yoursite.com/photo.jpg"> into their forum post, every visitor to that forum loads the image from your bandwidth. Hotlink Protection serves them a 403 instead.
Open it from cPanel home → Security → Hotlink Protection.


Turn it on
Review the URLs to allow
cPanel pre-fills the URLs to allow access box with the variants of your own domain (http://, https://, www. and bare). Anything in this list is treated as a same-site referrer; requests with these referrers go through. Add partner sites if you legitimately want them to embed your media. Strip back to just your own domains if you don’t want anyone embedding.
Review the file extensions
The default list covers images, video, and audio (jpg jpeg gif png bmp mp3 wav avi mov mpg mpeg). Add or remove based on what you actually serve. Use lowercase, no leading dot.
Choose what blocked requests get
Two options:
- Allow direct requests (recommended on). Browsers visiting the file URL directly (no referrer) still see the file. Without this, typing the image URL into a browser would also fail.
- Redirect URL. Optional. If you want hotlinkers to land on a specific page (your own logo, a “stop hotlinking” notice, the homepage), put the URL here.
Disable it
The same page has a Disable button. Click it. The .htaccess rules are removed.
What gets blocked, exactly
Apache reads the Referer HTTP header on every request. Hotlink Protection compares the value against your allowlist:
- An empty referer (direct browser visit, image preloader, some tools) is allowed if Allow direct requests is on, blocked otherwise.
- A referer that matches an entry in URLs to allow access is allowed.
- Anything else is blocked or redirected.
Browsers omit the Referer header in some cross-origin contexts (especially with Referrer-Policy: no-referrer). Those requests look like direct visits, and Hotlink Protection can’t tell them apart.
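To make the three rules above concrete, here is an added example (not cPanel’s code, and not the .htaccess it writes) that simulates the decision for one request given the page’s four settings: URLs to allow access, file extensions, Allow direct requests and Redirect URL. The policy, hostnames and request list are constructed, and the way allowlist entries are matched is an assumption stated in the code.

```python
"""Simulate the Hotlink Protection decision for one request.

Added example, not cPanel's code. It models the four settings on the
Hotlink Protection page (URLs to allow access, file extensions, Allow
direct requests, Redirect URL) and the three-way outcome the text
describes. The sample policy and requests are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse


@dataclass
class HotlinkPolicy:
    allowed_urls: List[str]             # "URLs to allow access", may include *.host entries
    extensions: Set[str]                # protected extensions, lowercase, no leading dot
    allow_direct: bool = True           # "Allow direct requests"
    redirect_url: Optional[str] = None  # "Redirect URL" (None means a plain 403)


def referer_allowed(referer: str, allowed_urls: List[str]) -> bool:
    """True if the Referer matches an allowlist entry.

    Assumption: a URL entry matches when the referer is that URL or starts
    with it followed by '/', and a *.host entry matches host itself or any
    subdomain of it. Requiring the '/' boundary stops a lookalike such as
    https://example.com.evil.test from matching an https://example.com entry.
    """
    ref = referer.lower()
    host = urlparse(ref).hostname or ""
    for entry in allowed_urls:
        e = entry.lower().rstrip("/")
        if e.startswith("*."):
            if host == e[2:] or host.endswith(e[1:]):
                return True
        elif ref == e or ref.startswith(e + "/"):
            return True
    return False


def extension_of(path: str) -> str:
    """Lowercase extension of the last path segment, '' if it has none."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def decide(policy: HotlinkPolicy, path: str, referer: str) -> str:
    """Return 'allow', 'block' (a 403) or 'redirect:<url>' for one request."""
    if extension_of(path) not in policy.extensions:
        return "allow"                  # the rule only covers listed file types
    if not referer:
        # Direct visit, preloader, or a browser that dropped the header under
        # Referrer-Policy: no-referrer. The server cannot tell these apart.
        return "allow" if policy.allow_direct else "block"
    if referer_allowed(referer, policy.allowed_urls):
        return "allow"
    if policy.redirect_url:
        return "redirect:" + policy.redirect_url
    return "block"


# Constructed policy: the pre-filled own-domain variants plus one wildcard entry.
SAMPLE_POLICY = HotlinkPolicy(
    allowed_urls=["http://example.com", "https://example.com",
                  "http://www.example.com", "https://www.example.com",
                  "*.google.com"],
    extensions={"jpg", "jpeg", "gif", "png", "mp4"},
)

# Constructed requests: (path, Referer header value; '' means header absent).
SAMPLE_REQUESTS = [
    ("/photo.jpg", "https://www.example.com/gallery"),       # own site
    ("/photo.jpg", "https://forum.example.net/thread/1"),    # hotlinker
    ("/photo.jpg", ""),                                      # direct / no-referrer
    ("/photo.jpg", "https://example.com.evil.test/page"),    # lookalike host
    ("/photo.jpg", "https://images.google.com/search"),      # wildcard entry
    ("/page.html", "https://forum.example.net/thread/1"),    # not a protected type
]


def evaluate_samples(policy: HotlinkPolicy = SAMPLE_POLICY) -> List[str]:
    """Outcome for each constructed request under the given policy."""
    return [decide(policy, path, ref) for path, ref in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (path, ref), outcome in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{path:12} referer={ref or '(none)':40} -> {outcome}")
```

The third request is the one the caveat above is about: with Allow direct requests on it is served, with it off it is blocked, and nothing in the request tells the server whether it was a typed-in URL or a cross-origin page whose browser dropped the header.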
When not to use it
- API or CDN endpoints. If you serve files to a JavaScript app on a different origin or a CDN that fetches without referer, hotlink protection blocks them. Either allowlist the origin, or skip it.
- OG image previews. Slack, Discord, and X scrape OpenGraph images server-side, often without a referer. With Allow direct requests on, this works. Off, your link previews are blank.
- Image search. Google Image Search shows thumbnails and links to the source. With hotlink protection on, the thumbnail still loads (Google caches it) but the link click can fail if Google strips the referer. For SEO-sensitive sites, allowlist *.google.com and *.googleusercontent.com.
Common issues
My own site can't load its own images
Cloudflare or another CDN sits between visitor and origin and forwards a referer that doesn’t match your allowlist. Add the CDN’s domain to URLs to allow access, or add Cloudflare’s *.workers.dev etc. as needed.
Images load fine but PDFs return 403
PDF wasn’t in the extension list when you saved. Add pdf, save again.
Email signature image breaks
Mail clients fetch images server-side, often with no referer or a strange one. Either turn Allow direct requests on, or skip hotlink protection for that one image’s path.
Hotlink protection looks on, but bandwidth still spikes
Hotlinkers may have downloaded the file and re-hosted it on their side, in which case there’s nothing to block. Or the bandwidth is going to legitimate visitors and you’ve just gotten popular. Check raw access logs in Logs.
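The “check raw access logs” step, as an added example that is not part of the page: a small parser for Apache combined-format log lines that totals bytes per referer host for protected file types and counts the 403s, so you can see whether the bandwidth is going to direct or no-referrer fetches, to a third-party referer that is still getting 200s, or to your own pages. The log lines, hostnames and the protected-extension set are constructed.

```python
"""Summarise an Apache combined-format access log by referer host.

Added example for the "bandwidth still spikes" case; not cPanel code.
The log lines are constructed. It answers the question the page sends
you to the raw access logs for: which referers (or direct visits) account
for the bytes on protected file types, and whether the 403s are firing.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional
from urllib.parse import urlparse

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Mirror of the extension list saved in Hotlink Protection (constructed).
PROTECTED = {"jpg", "jpeg", "gif", "png", "mp4", "mp3"}

# Constructed log lines: own-site hit, a blocked hotlinker, two direct fetches
# of a large file, a third-party referer still getting 200, and a non-media hit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /photo.jpg HTTP/1.1" 200 48213 "https://www.example.com/gallery" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:02 +0000] "GET /photo.jpg HTTP/1.1" 403 199 "https://forum.example.net/thread/1" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /clip.mp4 HTTP/1.1" 200 5000000 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:12:00:04 +0000] "GET /clip.mp4 HTTP/1.1" 200 5000000 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Mar/2024:12:00:05 +0000] "GET /clip.mp4 HTTP/1.1" 200 5000000 "https://cdn.example-partner.test/embed" "Mozilla/5.0"
192.0.2.45 - - [10/Mar/2024:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # %b logs "-" for 0
    if rec["referer"] == "-":
        rec["referer_host"] = "(direct)"                               # header absent
    else:
        rec["referer_host"] = urlparse(rec["referer"]).hostname or rec["referer"]
    return rec


def extension_of(path: str) -> str:
    """Lowercase extension of the last path segment, '' if it has none."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def summarize(lines: Iterable[str], protected=PROTECTED) -> Dict[str, dict]:
    """Per referer host: bytes served, hits and 403s, for protected types only.

    Bytes are only counted for non-403 responses, so a host with hits > 0 and
    bytes == 0 is one the rule is successfully blocking. Sorted by bytes, largest first.
    """
    by_host = defaultdict(lambda: {"bytes": 0, "hits": 0, "blocked": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or extension_of(rec["path"]) not in protected:
            continue
        entry = by_host[rec["referer_host"]]
        entry["hits"] += 1
        if rec["status"] == 403:
            entry["blocked"] += 1
        else:
            entry["bytes"] += rec["bytes"]
    return dict(sorted(by_host.items(), key=lambda kv: kv[1]["bytes"], reverse=True))


if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_LOG).items():
        print(f"{host:32} bytes={stats['bytes']:>10} hits={stats['hits']} blocked={stats['blocked']}")
```

Read the output the way the paragraph above suggests: a large “(direct)” bucket is either re-hosted copies, no-referrer fetches, or real popularity, and the rule cannot help with any of those; a third-party host with bytes > 0 is a referer the rule is not catching (check the allowlist); a host with blocked == hits confirms the 403s are firing.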

