Hi,
Click on WP Security -> Firewall -> Prevent Hotlinks to activate the option Prevent Image Hotlinking.
Thank you
-
This reply was modified 1 year, 2 months ago by
mbrsolution.
Thank you. I have now installed that an activated the HOTLINK PREVENTION feature.
To test it I copied the URL of an image from https://chronodivers.com (mysite1) and created a new page on mysite2 (https://anotherguitar.co.uk) with an image UR from mysite1.
So this page > https://anotherguitar.co.uk/39183-2/ (on mysite2)
is using an image from mysite1 …
Shouldn’t the HOTLINK PREVENTION stop this happening?
A realworld example of where my images are being inappropriately used is here (beware popups) > https://terpsi.web.app/gwf-d1000b-1jf.html – if you search for “chronodivers” on the page you will see an image hotlinked from mysite1
Thanks for looking in to this
Regards
Tristan
Sorry – bad example… I deleted that image …
Here’s another https://chronodivers.com/wp-content/uploads/2021/03/Oris-Divers-Sixty-Five-Oris-X-Momotaro-Special-Mens-720×380.jpg that when loaded in the HOTLINK checker still manages to LOAD the image ?
Thanks for looking in to this
Cheers
Trista
Hi, is the image from mysite1 hosted in the same server as mysite2?
Regards
Hello. Yes it is – that could be the reason why my test example is not failing ๐ thanks.
However – what about the third party test tools:
https://www.free-webhosts.com/hotlinking-checker.php
https://altlab.com/hotlinkchecker.php
If I enter a random image not previously browsed or in my cache – they succesfully display the image?
eg
https://chronodivers.com/wp-content/uploads/2021/03/OMEGA-SEAMASTER-PROFESSIONAL-300m-FULL-SIZE-41mm.jpg
I have also set up a TEST page on another website – this one has a different server IP addresss
https://baileyelec.co.uk/hotlink-prevention-test/
Thanks again for all your help so far.
Tristan
Hi, I tried testing the image from your test post and adding it to my site. It did not work. Can you check your .htaccess file and make sure the correct entry is added from the hotlink settings as per the following example. Remember that the URL address will be different.
# BEGIN All In One WP Security
#AIOWPS_PREVENT_IMAGE_HOTLINKS_START
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://localhost/tipstricks [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</IfModule>
#AIOWPS_PREVENT_IMAGE_HOTLINKS_END
# END All In One WP Security
Also what type of server is your site hosted in?
Thank you
-
This reply was modified 1 year, 2 months ago by mbrsolution.
Hi
Just to be certain – here is the complete .HTACCESS contents
# BEGIN All In One WP Security
#AIOWPS_BASIC_HTACCESS_RULES_START
<Files .htaccess>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
ServerSignature Off
LimitRequestBody 10485760
<Files wp-config.php>
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
#AIOWPS_BASIC_HTACCESS_RULES_END
#AIOWPS_PREVENT_IMAGE_HOTLINKS_START
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://chronodivers\.com [NC]
RewriteRule \.(gif|jpe?g?|png)$ – [F,NC,L]
</IfModule>
#AIOWPS_PREVENT_IMAGE_HOTLINKS_END
# END All In One WP Security
# HTTPS forced by SG-Optimizer
<IfModule mod_rewrite.c>
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END HTTPS
# BEGIN WordPress
# The directives (lines) between “BEGIN WordPress” and “END WordPress” are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# AMPFORWPLBROWSERCSTART Browser Caching
# END Caching AMPFORWPLBROWSERCEND
AddHandler application/x-httpd-recommended-php .php .php5 .php4 .php3
# SGO Unset Vary
Header unset Vary
# SGO Unset Vary END
Regarding my server – this is what I could determine from a site report
Google LLC 1600 Amphitheatre Parkway Mountain View CA US 94043 35.214.81.164 Linux nginx 14-Mar-2021
Thanks again for your help
Tristan
Hi, the .htaccess file entries look correct to me. This might be a site or server configuration that is causing this issue. You might have to reach out to your host support staff and ask them to help you investigate this issue.
Let me know what they say.
Thank you
Hi again
Thanks for all your help so far. I will definitely reach out to SITEGROUND tech support team and see what they say. Once I have an answer I will of course share it here so you have some answers too.
Best regards
Tristan
FIXED – thanks everyone ๐
This is what SiteGround said (and did)
“For custom .htaccess rules to take effect the NGINX static cache for the website needs to be turned off, I have done this on your behalf and now these rules should take effect.
If the issue persists you would need to get in touch with the support team of the plugin you are using and discuss this further with them.
Contact us if any specific server side changes (which are not related to your application) would need to be performed.”
It is now working on both the test tools I tried and also my TEST page > https://baileyelec.co.uk/hotlink-prevention-test/
THANK YOU very much for all your help.
Stay safe
Tristan
For anyone else on SITEGROUND. Install this PLUGIN, turn PREVENT HOTLINKING on from FIREWALL settings. Then go to your SiteGround admin area and follow these steps:
“Site Tools —> Speed —> Caching —> The button next to the domain name under the NGINX Direct Delivery category
Once the button is greyed out and not blue this means that the NGINX static cache has been disabled – you would need to disable it for each website on that server individually.”
Regards
Tristan
Thank you Tristan for sharing your solution ๐
I am sure this will help others with the same issue as you while hosting their site in SiteGround.
Enjoy the plugin.
Thank you too, Tristan. I was completely stuck.
The images kept showing up even after protection had been implemented successfully. But on SiteGround, using the SG Optimizer plugin to purge the cache was crucial for me to see that it was working.
