Configuring Website Image Hotlink Protection Properly

I was working with a client the other day (Memorial Day) who had trouble posting links to Facebook: they were never able to select images for the posts when they shared their blog link.  I did some thorough investigation and found the site was locked down with a security feature called “Hotlink Protection”.


Now, this is a feature of some hosting providers but some WordPress plugins can also make the same changes to your .htaccess file.  These changes involve locking down your website so that no other site can source or call the images from your site unless they are the originating site hosting the image.

This means nobody can poach or embed your images in their own site: an image will not display on another site that tries to load it from your site (think of an img src attribute whose URL points to your site instead of the site displaying the image).

The problem is that Facebook and other social media platforms often have to load your image so that they can display the thumbnail.  So by enabling Hotlink Protection you are also blocking social media sites like Google Plus, Facebook, etc. from setting a thumbnail based on any images in your article.

Now, if you want, you can configure your hotlink protection to let social media access your images but not other sites. This is easier done through your hosting provider's cPanel or with a good WordPress plugin that lets you specify custom URLs which can access your images.


The only problem is that the sourcing site is often not obvious: Facebook, for example, has many alias DNS names, and you may have to experiment and add a variety of DNS names to make sure you have it working properly.

In doing some research, I found that just adding these 2 DNS names to your “URL’s to allow access” should solve the image hotlink posting to Facebook problem for image thumbnails.

Now, if you find that other sites poach or duplicate your content, image hotlink protection can at least prevent them from calling images and resources on your site, but you have to remember the potential unintended side effects of configuring hotlink protection.

Manually Configure Hotlink Protection

If you want to manually create hotlink protection lines for your .htaccess file, then this online tool is the BEST one I have found.  Just remember to add Facebook and any other social media URLs to the allowed URLs and add the lines to your .htaccess file manually when you generate the file.

This will produce output lines like this for your .htaccess file  (note use your own domain, not

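RewriteEngine on
# Allow requests that send no Referer header at all
RewriteCond %{HTTP_REFERER} !^$
# Placeholder domains: replace them with your own domain and with each
# site you allow to load your images
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?your-domain\.example [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?allowed-site-1\.example [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?allowed-site-2\.example [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?allowed-site-3\.example [NC]
# Answer 403 Forbidden to image requests from any other referrer
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]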
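
To check an allow list before it goes into .htaccess, here is an added example (not the output of the online tool and not code from the original post) that generates the lines and then evaluates them against sample referrers. The domains mysite.example and social.example and the function names are constructed for this example; it goes beyond the pattern shown above by accepting any subdomain and by ending the host match at "/", ":" or end of string.

```python
import re

def build_htaccess(allowed_domains, extensions=("jpg", "jpeg", "png", "gif")):
    """Return hotlink-protection lines that admit only the listed referrer domains."""
    lines = [
        "RewriteEngine on",
        # Requests that carry no Referer header are let through.
        "RewriteCond %{HTTP_REFERER} !^$",
    ]
    for domain in allowed_domains:
        host = domain.replace(".", "\\.")  # a bare "." would match any character
        # Any subdomain is accepted (assumption of this example), and the host
        # must end at "/", ":" or end of string, so a referrer on
        # "mysite.example.other.test" does not count as "mysite.example".
        lines.append("RewriteCond %{HTTP_REFERER} "
                     "!^https?://([a-z0-9-]+\\.)*" + host + "([/:]|$) [NC]")
    # "-" means no substitution; F answers 403 Forbidden.
    lines.append("RewriteRule \\.(" + "|".join(extensions) + ")$ - [NC,F,L]")
    return "\n".join(lines)

def is_blocked(htaccess, path, referer):
    """Evaluate the generated lines the way mod_rewrite chains them:
    the rule pattern must match the path and every RewriteCond must hold."""
    conds = re.findall(r"^RewriteCond %\{HTTP_REFERER\} !(\S+)( \[NC\])?$",
                       htaccess, re.M)
    rule = re.search(r"^RewriteRule (\S+) - \[NC,F,L\]$", htaccess, re.M).group(1)
    if not re.search(rule, path, re.I):
        return False  # not an image request, so the rule does not apply
    return all(not re.search(pat, referer, re.I if nc else 0) for pat, nc in conds)

if __name__ == "__main__":
    # Constructed placeholder domains and referrers, not values from the post.
    rules = build_htaccess(["mysite.example", "social.example"])
    print(rules)
    for ref in ["", "https://www.mysite.example/post",
                "https://m.social.example/share",
                "https://scraper.test/page",
                "https://mysite.example.scraper.test/"]:
        verdict = "403" if is_blocked(rules, "/uploads/photo.jpg", ref) else "ok"
        print(f"{verdict:>3}  Referer: {ref or '(none)'}")
```

Run it with your own domain and the social media domains you allow, then paste the printed lines into .htaccess once every referrer you care about gets the verdict you expect.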

Who is using hotlink protection to help secure the images on their websites?

Hotlink Protection WordPress Plugin

If you don’t want to manually create the lines and edit your .htaccess file, you can always use a WordPress plugin to perform hotlink protection.  This plugin I found should do the trick, but I tend to prefer doing things manually over a plugin if I can.

-Dragon Blogger
