BulletProof Security
[resolved] hotlinking prevention code (6 posts)

  1. definitio
    Member
    Posted 1 year ago #

    Hello, thank you very much for this great plugin.

    I've decided to enable the part of the secure htaccess file code that prevents hotlinking of images by other domains.
    In the comment section of that code you point to a webpage for hotlink testing. In that page the hotlinking prevention code has one difference from the one you have included in your htaccess file.

    The suggested code in that page is (talking about this one line)
    RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
    While your code is
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mysite\.com [NC]

    I wanted to ask about that final slash "/" in the first instance, which is missing from the second.
    I've tried both, with and without the slash, and both seem to work effectively.
    Does that slash make any difference in any scenario? Only asking because you pointed to that website in your code.

    Thank you.

    http://wordpress.org/extend/plugins/bulletproof-security/

  2. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Nope the slash does not make a difference in this case - it is an assumed slash after .com (or .net, .org, etc) if it does not exist.

  3. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Hmm the question mark before "mysite" does not need to be there. ;) And if you have some subdomains you could do something like this.

    RewriteCond %{HTTP_REFERER} !^https?://(www\.|subdomain1\.|subdomain2\.)mysite\.com [NC]
    
    Or
    
    RewriteCond %{HTTP_REFERER} !^https?://(www|subdomain1|subdomain2)+\.mysite\.com [NC]
  4. definitio
    Member
    Posted 1 year ago #

    Thank you very much for your response.

    "Nope the slash does not make a difference in this case - it is an assumed slash after .com (or .net, .org, etc) if it does not exist."
    I probably don't understand and I certainly have no knowledge on this, but aren't all files that need hotlink protection after that slash (e.g. h**p://mysite.com/wp-content/uploads/2013/01/myimage.jpg) ?
    But that's just a novice rationalization, so you can ignore me.

    I don't have any subdomains and the code works for me. Of course if it can be improved for all, under your criteria, that's also great. Would happily update to the new version.

  5. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    The condition is based on your domain name and not individual files or file types. So what this rule says is if the Referrer is NOT your website domain then forbid/block that Referrer.

    When a visitor visits your website then your website is the Referrer so the visitor will see all of your image files. When another website tries to hotlink to your image files then they are trying to serve those image files on their website domain and their website would be the Referrer/referring website. Since the image files are on your website then the site that is trying to hotlink your images needs to connect to your website to get/display your image files. When they do connect then this .htaccess rule blocks the images from loading/being hotlinked on the website that is trying to hotlink your image files. That is how this rule works.

    And the RewriteRule has a .* which means match anything (full path to the image file/name of the image file) and then of course you specify what file types by file extension that are Forbidden/blocked.

    RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]
  6. AITpro
    Member
    Plugin Author

    Posted 1 year ago #

    Question was answered - resolving thread.
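
Added example (not part of the thread and not the plugin's own code): a small Python harness for checking which Referer values each RewriteCond pattern quoted above lets through before the rule is deployed. Assumptions: [NC] is modelled with re.IGNORECASE, the Referer values and the "bounded_host" variant are constructed for this test, and only this one condition is evaluated, not the rest of a hotlink ruleset.

```python
import re

# RewriteCond patterns quoted in the thread. mod_rewrite does an unanchored
# regex search unless the pattern anchors itself, hence re.search below.
PATTERNS = {
    "tutorial_slash": r"^http://(.+\.)?mysite\.com/",
    "plugin_no_slash": r"^https?://(www\.)?mysite\.com",
    "subdomain_list": r"^https?://(www\.|subdomain1\.|subdomain2\.)mysite\.com",
    # Assumption: tightened variant added for comparison, not from the thread.
    # The host must end right after "mysite.com" (path, port, or end of string).
    "bounded_host": r"^https?://(www\.)?mysite\.com(/|:|$)",
}

# Constructed Referer values; the hosts are hypothetical.
REFERERS = [
    "http://mysite.com/page",
    "https://www.mysite.com/gallery/",
    "http://subdomain1.mysite.com/",
    "http://othersite.example/post",
    "http://mysite.com.othersite.example/post",  # host only starts with the site name
]


def allowed(pattern_name, referer):
    """True if the Referer matches the pattern.

    The RewriteCond is negated with '!', so a match means the condition is
    false, the [F] rule is skipped, and the image is served.
    """
    return re.search(PATTERNS[pattern_name], referer, re.IGNORECASE) is not None


def report():
    """Map each pattern name to the list of Referers it lets through."""
    return {name: [r for r in REFERERS if allowed(name, r)] for name in PATTERNS}


if __name__ == "__main__":
    for name, passed in report().items():
        print(name)
        for ref in REFERERS:
            print("   ", "allow" if ref in passed else "block", ref)
```

Run it with your own domain substituted for mysite.com and add the Referer values you expect to see in your access log.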

Topic Closed

This topic has been closed to new replies.