Hotlinking happens when another website embeds your images, videos, or other files directly from your server using your file URL rather than hosting those files themselves. To a visitor on the other site, the image looks like it belongs to that page. But every time that image loads, the request comes back to your server - consuming your bandwidth and your hosting resources, with no benefit to you.
For most small sites, hotlinking is a minor nuisance. For sites that host large image libraries, audio files, or downloads, it can meaningfully inflate bandwidth usage and slow down your site for your own visitors.
Why It Matters
Bandwidth costs. Shared hosting plans typically include a generous bandwidth allocation, but heavy hotlinking can push you toward overages. If a popular forum or social media post embeds your images and drives thousands of requests, you bear the cost.
Server load. Every hotlinked file request is a request your server handles - including any processing overhead. High-traffic hotlinking can slow page load times for your legitimate visitors.
Control over your content. Hotlinking lets other sites use your work without your permission. Even if the bandwidth cost is minimal, you may simply not want your images appearing on sites you have not approved.
Enabling Hotlink Protection in cPanel
cPanel includes a built-in Hotlink Protection tool that handles this with minimal configuration.
- Log into cPanel and search for "Hotlink Protection" in the search bar, or find it under the Security section
- Click Enable if it is not already active
- In the URLs to Allow Access section, add all the domains that should be permitted to load your files. At minimum include:
  - http://yourdomain.ca
  - https://yourdomain.ca
  - http://www.yourdomain.ca
  - https://www.yourdomain.ca
  - Any subdomains you run (e.g., https://shop.yourdomain.ca)
- In the Block direct access for the following extensions field, list the file types you want to protect. The defaults typically include jpg, jpeg, gif, png, bmp. Add mp3, mp4, pdf, or other file types you want to protect.
- Optionally, set a Redirect URL - when someone tries to hotlink your image, they see this URL instead. You can set it to a watermarked version of the image, a page explaining why the image is not available, or even a competitor's site if you are feeling mischievous.
- Click Submit
cPanel writes the appropriate .htaccess rules automatically.
The .htaccess Approach
If you prefer to configure this manually or need more control, you can add hotlink protection rules directly to your .htaccess file in public_html. This approach is useful if you need exceptions that the cPanel tool does not easily accommodate.
A basic .htaccess hotlink protection block looks like this:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.ca/ [NC]
RewriteRule \.(jpg|jpeg|png|gif|webp|pdf|mp3)$ - [F,L]
This allows requests with no referer (which includes most direct access and some aggregators), allows requests from your own domain, and returns a 403 Forbidden response for anything else trying to load those file types.
Important Exceptions to Allow
Social media crawlers typically do not send a referer header when fetching images for link previews, so they will usually pass through hotlink protection without issue. But some platforms do send referers - if you notice your link previews stop working after enabling hotlink protection, you may need to add those platform domains to your allowlist.
Your own subdomains. If you have staging.yourdomain.ca or shop.yourdomain.ca, add those to the allowed URLs list. Forgetting this is a common mistake that breaks images on your own subsites.
CDN domains. If you use a CDN like Cloudflare, ensure the CDN's domain or IP ranges are not blocked. Cloudflare proxies requests so the referer behaviour may differ from direct traffic.
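A small Python model of the basic .htaccess block and of the subdomain exception described above, added here as an illustration and not part of the original article or of cPanel: it evaluates the two RewriteCond lines and the RewriteRule against constructed requests and returns the status each would receive. The subdomain pattern, the function name and the sample referers are assumptions made for the example.

```python
import re

# The page's rule, transcribed: (negated?, pattern, flags) for each RewriteCond.
BASIC_CONDS = [
    (True, r"^$", 0),
    (True, r"^https?://(www\.)?yourdomain\.ca/", re.I),  # [NC]
]
# Assumed variant: also accept the subdomains named on the page.
SUBDOMAIN_CONDS = [
    (True, r"^$", 0),
    (True, r"^https?://((www|shop|staging)\.)?yourdomain\.ca/", re.I),
]
# RewriteRule pattern; the page's rule carries no [NC], so it is case-sensitive.
PROTECTED = re.compile(r"\.(jpg|jpeg|png|gif|webp|pdf|mp3)$")


def status(path, referer, conds=BASIC_CONDS):
    """Return 403 if the rule would fire, else 200 (file assumed to exist)."""
    # mod_rewrite tests the RewriteRule pattern first, then the conditions.
    if not PROTECTED.search(path):
        return 200
    for negated, pattern, flags in conds:
        matched = re.search(pattern, referer or "", flags) is not None
        if matched == negated:      # condition false -> rule does not apply
            return 200
    return 403                      # all conditions true -> [F]


# Constructed sample requests: (path, Referer header or None).
SAMPLES = [
    ("img/a.jpg", None),
    ("img/a.jpg", "https://www.yourdomain.ca/post"),
    ("img/a.jpg", "https://forum.example/thread/1"),
    ("img/a.jpg", "https://yourdomain.ca.forum.example/"),
    ("img/a.jpg", "https://shop.yourdomain.ca/item"),
    ("img/A.JPG", "https://forum.example/thread/1"),
]

if __name__ == "__main__":
    for path, ref in SAMPLES:
        print(f"{path:10} {str(ref):40} basic={status(path, ref)} "
              f"subdomains={status(path, ref, SUBDOMAIN_CONDS)}")
```

The last sample passes because the RewriteRule has no [NC] flag, so upper-case extensions such as .JPG are not covered unless NC is added to the rule's flags. Because the Referer header is set by the client, these rules limit casual embedding and bandwidth use rather than controlling access to private files.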
Hotlink protection is a set-it-and-forget-it configuration for most sites. Five minutes in cPanel is all it takes.

