Hotlink protection prevents other websites from directly embedding your images, videos, or other files on their pages. Without protection, other sites can link directly to your files, consuming your bandwidth without your permission.
Please note: Screens and options may vary slightly depending on your cPanel version and hosting plan.
When You Would Use This
Enable this if you notice other sites linking directly to your images or files, or as a preventive measure to protect your bandwidth allocation.
Enabling Hotlink Protection
- Log in to your cPanel account.
- In the Security section, click Hotlink Protection.
- Click Enable.
- Configure the settings:
  - URLs to allow access — Add your own domain(s) and any other sites you want to permit (e.g. search engines). Your domain is pre-filled.
  - Block direct access for the following extensions — Enter the file extensions to protect (e.g. jpg, jpeg, gif, png, bmp, webp).
  - Allow direct requests — If ticked, visitors who type the file URL directly into their browser can still access it. If unticked, the file is only accessible when linked from an allowed URL.
  - Redirect the request to the following URL — Optionally redirect hotlink attempts to a specific image or page (e.g. a "hotlinking not permitted" image).
- Click Submit.
How It Works
Hotlink protection uses .htaccess rules to check the HTTP Referer header. If a request for a protected file comes from a domain not on your allowed list, it's either blocked or redirected.
Tips
- Add www.yourdomain.com and yourdomain.com separately to the allowed list — they're treated as different referrers.
- Consider allowing search engine crawlers (Google, Bing) by adding their domains to the allowed list, so your images still appear in image search results.
- Hotlink protection relies on the Referer header, which can be spoofed. It's a deterrent, not absolute protection.
- If images suddenly stop displaying on your own site after enabling hotlink protection, check that all your domains and subdomains are in the allowed list.
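The Referer check described under How It Works, together with the allowed-list tips above, modelled as an added Python example (this is not cPanel's code or the rules it writes to .htaccess). The function names, the exact-host comparison and the example.com / other.example values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def hotlink_decision(path, referer, allowed_urls, extensions,
                     allow_direct=True, redirect_url=None):
    """Return 'serve', 'block' or 'redirect:<url>' for one request."""
    protected = {e.lower().lstrip(".") for e in extensions}
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext not in protected:
        return "serve"                      # extension is not protected
    if not referer:
        # No Referer: typed URL, bookmark, or a client that strips the header.
        if allow_direct:
            return "serve"
    elif _host(referer) in {_host(u) for u in allowed_urls}:
        # Exact host match (assumption): www and bare domain are distinct.
        # The value is whatever the client sent; it is not authenticated.
        return "serve"
    return f"redirect:{redirect_url}" if redirect_url else "block"

# Constructed sample settings and requests (not from any real site).
ALLOWED = ["https://example.com"]           # www.example.com left out on purpose
EXTENSIONS = ["jpg", "jpeg", "gif", "png", "bmp", "webp"]
REQUESTS = [
    ("/img/logo.png", "https://example.com/index.html"),
    ("/img/logo.png", "https://www.example.com/index.html"),
    ("/img/logo.png", "https://other.example/post/1"),
    ("/img/logo.png", ""),
    ("/css/site.css", "https://other.example/post/1"),
]

def run_samples(allow_direct):
    """Decisions for every sample request with the given 'Allow direct requests' setting."""
    return [hotlink_decision(p, r, ALLOWED, EXTENSIONS, allow_direct)
            for p, r in REQUESTS]

if __name__ == "__main__":
    for flag in (True, False):
        print(f"allow_direct={flag}:")
        for (p, r), d in zip(REQUESTS, run_samples(flag)):
            print(f"  {d:6} {p}  Referer={r or '(none)'}")
```

The second sample request shows the symptom from the last tip: pages served from www.example.com lose their images until that host is added to the allowed list.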
What Next?
- Setting Up Leech Protection — Protect password-protected areas from credential sharing.
- Blocking IP Addresses — Block specific visitors entirely.