Support » Plugin: All In One WP Security & Firewall » How do I activate DISABLE HOTLINKING of images

  • Resolved tristanhaskins

    (@tristanhaskins)


    Hi. My website is regularly used for image hotlinking to SPAM sites etc. I read this plugin can resolve that “Ability to prevent image hotlinking. Use this to prevent others from hotlinking your images.” but I cannot find it in any settings?

    Thanks in advance for any help
    Tristan

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    Click on WP Security -> Firewall -> Prevent Hotlinks to activate the option Prevent Image Hotlinking.

    Thank you

    Thread Starter tristanhaskins

    (@tristanhaskins)

    Thank you. I have now installed that and activated the HOTLINK PREVENTION feature.

    To test it I copied the URL of an image from https://chronodivers.com (mysite1) and created a new page on mysite2 (https://anotherguitar.co.uk) with an image URL from mysite1.

    So this page > https://anotherguitar.co.uk/39183-2/ (on mysite2)

    is using an image from mysite1 …

    Shouldn’t the HOTLINK PREVENTION stop this happening?

    A real-world example of where my images are being inappropriately used is here (beware popups) > https://terpsi.web.app/gwf-d1000b-1jf.html – if you search for “chronodivers” on the page you will see an image hotlinked from mysite1

    Thanks for looking into this

    Regards

    Tristan

    Thread Starter tristanhaskins

    (@tristanhaskins)

    PS – I also tested the functionality here https://altlab.com/hotlinkchecker.php with a test image https://chronodivers.com/wp-content/uploads/2021/03/40mm-BLIGER-sterile-white-dial-GMT-sapphire-glass-720×380.jpg

    The image WAS hotlinked?

    Thanks for your time

    Tristan

    Thread Starter tristanhaskins

    (@tristanhaskins)

    Sorry – bad example… I deleted that image …

    Here’s another https://chronodivers.com/wp-content/uploads/2021/03/Oris-Divers-Sixty-Five-Oris-X-Momotaro-Special-Mens-720×380.jpg that when loaded in the HOTLINK checker still manages to LOAD the image?

    Thanks for looking into this

    Cheers

    Tristan

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, is the image from mysite1 hosted in the same server as mysite2?

    Regards

    Thread Starter tristanhaskins

    (@tristanhaskins)

    Hello. Yes it is – that could be the reason why my test example is not failing 🙂 thanks.

    However – what about the third party test tools:

    https://www.free-webhosts.com/hotlinking-checker.php
    https://altlab.com/hotlinkchecker.php

    If I enter a random image not previously browsed or in my cache – they successfully display the image?

    eg

    https://chronodivers.com/wp-content/uploads/2021/03/OMEGA-SEAMASTER-PROFESSIONAL-300m-FULL-SIZE-41mm.jpg

    I have also set up a TEST page on another website – this one has a different server IP address

    https://baileyelec.co.uk/hotlink-prevention-test/

    Thanks again for all your help so far.

    Tristan

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I tried testing the image from your test post and adding it to my site. It did not work. Can you check your .htaccess file and make sure the correct entry is added from the hotlink settings as per the following example. Remember that the URL address will be different.

    # BEGIN All In One WP Security
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://localhost/tipstricks [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
    </IfModule>
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_END
    # END All In One WP Security

    Also what type of server is your site hosted in?

    Thank you

    Thread Starter tristanhaskins

    (@tristanhaskins)

    Hi

    Just to be certain – here is the complete .HTACCESS contents

    # BEGIN All In One WP Security
    #AIOWPS_BASIC_HTACCESS_RULES_START
    <Files .htaccess>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    ServerSignature Off
    LimitRequestBody 10485760
    <Files wp-config.php>
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    </IfModule>
    </Files>
    #AIOWPS_BASIC_HTACCESS_RULES_END
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_START
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://chronodivers\.com [NC]
    RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
    </IfModule>
    #AIOWPS_PREVENT_IMAGE_HOTLINKS_END
    # END All In One WP Security

    # HTTPS forced by SG-Optimizer
    <IfModule mod_rewrite.c>

    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </IfModule>
    # END HTTPS

    # BEGIN WordPress
    # The directives (lines) between "BEGIN WordPress" and "END WordPress" are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    # AMPFORWPLBROWSERCSTART Browser Caching

    # END Caching AMPFORWPLBROWSERCEND
    AddHandler application/x-httpd-recommended-php .php .php5 .php4 .php3

    # SGO Unset Vary
    Header unset Vary
    # SGO Unset Vary END

    Regarding my server – this is what I could determine from a site report

    Google LLC 1600 Amphitheatre Parkway Mountain View CA US 94043 35.214.81.164 Linux nginx 14-Mar-2021

    Thanks again for your help

    Tristan

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, the .htaccess file entries look correct to me. This might be a site or server configuration that is causing this issue. You might have to reach out to your host support staff and ask them to help you investigate this issue.

    Let me know what they say.

    Thank you
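
The hotlink rule block posted above can be traced by hand: its conditions are ANDed, so a request is refused only when it carries a non-empty Referer that does not start with the site's own URL. The sketch below is an added example, not code from the plugin or from either poster; it models that logic in Python over constructed Referer values, and `OWN_SITE_STRICT` is a hypothetical tighter pattern, not something the plugin writes.

```python
import re

# Patterns copied from the rule block posted in the thread; [NC] maps to re.IGNORECASE.
IMAGE_EXT = re.compile(r"\.(gif|jpe?g?|png)$", re.IGNORECASE)
OWN_SITE = re.compile(r"^http(s)?://chronodivers\.com", re.IGNORECASE)
# Assumption, not plugin output: a stricter pattern that also ends the host name.
OWN_SITE_STRICT = re.compile(r"^https?://chronodivers\.com(/|$)", re.IGNORECASE)

IMG = "/wp-content/uploads/2021/03/sample.jpg"  # constructed path


def is_blocked(path, referer, file_exists=True, own_site=OWN_SITE):
    """True when the RewriteRule's [F] flag would answer 403 Forbidden.

    Models the RewriteRule pattern plus the four RewriteCond lines, which
    mod_rewrite ANDs together. file_exists stands in for the '-f' test.
    """
    if not IMAGE_EXT.search(path):           # RewriteRule pattern and extension condition
        return False
    if referer == "":                        # RewriteCond %{HTTP_REFERER} !^$
        return False
    if not file_exists:                      # RewriteCond %{REQUEST_FILENAME} -f
        return False
    return own_site.search(referer) is None  # RewriteCond %{HTTP_REFERER} !^http(s)?://...


# Constructed sample Referer values (the test page URL is the one from the thread).
SAMPLES = [
    "",                                                   # no Referer header sent
    "https://chronodivers.com/a-post/",                   # the site's own page
    "https://baileyelec.co.uk/hotlink-prevention-test/",  # third-party page
    "https://www.chronodivers.com/a-post/",               # own site via www
    "https://chronodivers.com.example.net/",              # different host, same prefix
]


def evaluate(own_site=OWN_SITE):
    """Map each sample Referer to the rule's verdict for an existing image."""
    return {ref: is_blocked(IMG, ref, own_site=own_site) for ref in SAMPLES}


if __name__ == "__main__":
    strict = evaluate(OWN_SITE_STRICT)
    for ref, blocked in evaluate().items():
        print(f"{ref or '(empty)':52} posted={blocked!s:5} strict={strict[ref]}")
```

The model only describes requests that actually reach Apache; as the rest of the thread shows, files answered by SiteGround's NGINX static cache never pass through these rules.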

    Thread Starter tristanhaskins

    (@tristanhaskins)

    Hi again

    Thanks for all your help so far. I will definitely reach out to SITEGROUND tech support team and see what they say. Once I have an answer I will of course share it here so you have some answers too.

    Best regards

    Tristan

    Thread Starter tristanhaskins

    (@tristanhaskins)

    FIXED – thanks everyone 🙂

    This is what SiteGround said (and did)

    “For custom .htaccess rules to take effect the NGINX static cache for the website needs to be turned off, I have done this on your behalf and now these rules should take effect.

    If the issue persists you would need to get in touch with the support team of the plugin you are using and discuss this further with them.

    Contact us if any specific server side changes (which are not related to your application) would need to be performed.”

    It is now working on both the test tools I tried and also my TEST page > https://baileyelec.co.uk/hotlink-prevention-test/

    THANK YOU very much for all your help.

    Stay safe

    Tristan

    Thread Starter tristanhaskins

    (@tristanhaskins)

    For anyone else on SITEGROUND. Install this PLUGIN, turn PREVENT HOTLINKING on from FIREWALL settings. Then go to your SiteGround admin area and follow these steps:

    “Site Tools —> Speed —> Caching —> The button next to the domain name under the NGINX Direct Delivery category

    Once the button is greyed out and not blue this means that the NGINX static cache has been disabled – you would need to disable it for each website on that server individually.”

    Regards

    Tristan

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you Tristan for sharing your solution 🙂

    I am sure this will help others with the same issue as you while hosting their site in SiteGround.

    Enjoy the plugin.

    Thank you too, Tristan. I was completely stuck.

    The images kept showing up even after protection had been implemented successfully. But on SiteGround, using the SG Optimizer plugin to purge the cache was crucial for me to see that it was working.

  • The topic ‘How do I activate DISABLE HOTLINKING of images’ is closed to new replies.