cPanel Hotlink Protection: Stop Bandwidth Theft From Images
If your server's bandwidth graph is spiking but your traffic looks flat, someone else's website might be loading your images directly from your account. That's hotlinking, and cPanel has a built-in tool to stop it in a few clicks.
What Hotlinking Actually Is
Hotlinking happens when another site embeds an <img> tag (or a CSS background, or a downloadable PDF) pointing straight at a file on your server instead of hosting a copy themselves. Every visitor who loads that page pulls the file from your hosting account, using your disk I/O and your bandwidth allocation - not theirs.
It's usually not malicious. A blogger grabs your product photo, a forum post links your infographic, or a scraper republishes your content wholesale and never bothers to re-upload the images. But the effect on you is the same either way: your account does the work, and you get nothing for it.
How to Tell You're Being Hotlinked
A few signs point straight at it:
- Bandwidth usage way above your visitor count. Check cPanel → Metrics → Bandwidth and compare it against Metrics → Visitors. A huge gap between the two is a red flag.
- Unfamiliar referrers in your access logs. In cPanel → Metrics → Raw Access, download a recent log and grep for image requests coming from domains you don't recognize.
- A specific image or PDF getting far more hits than any page on your site. That's usually the file someone else embedded.
Via SSH, this one-liner pulls the top referring domains for image requests from an Apache access log:
awk '{print $11}' access.log | grep -Eo 'https?://[^/]+' | sort | uniq -c | sort -rn | head -20
If a domain you've never heard of shows up dozens or hundreds of times, that's your hotlinker.
The Fix: Turn On Hotlink Protection in cPanel
cPanel's Hotlink Protection tool writes a set of rewrite rules into your .htaccess file that check the Referer header on every image/media request and block anything that isn't coming from your own domain.
- Log in to cPanel and search for Hotlink Protection (under the Security section).
- Under URLs to allow access, list your own domain and any subdomains you actually use, e.g.
yourdomain.comandwww.yourdomain.com. - In Block direct access for the following extensions, add the file types you want protected - typically
jpg,jpeg,png,gif,webp,pdf. Don't addcssorjshere; you'll break your own site if a browser sends no referrer for a stylesheet request. - Decide what happens to blocked requests: either redirect them to a specific "stop hotlinking" image, or just let the request fail with a 403. A redirect to a small "this image is hosted elsewhere" graphic is usually more useful - it tells the hotlinker's audience exactly what happened, which tends to get the embed removed faster than a silent broken image.
- Check Allow direct requests (blank referrer) - this is the setting people skip and then get support tickets over. See the next section for why it matters.
- Click Submit.
cPanel adds a block like this to your public_html/.htaccess:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.* [NC]
RewriteRule \.(jpg|jpeg|png|gif|webp|pdf)$ - [F,NC]
It's plain Apache mod_rewrite, so you can hand-edit it later if you need to add more allowed domains.
What Breaks If You Get This Wrong
Hotlink protection is one of those settings that's simple to turn on and easy to get slightly wrong. Watch for these:
- Blank referrers. Email clients, RSS readers, some mobile apps, and privacy-focused browser extensions strip the
Refererheader entirely. If you leave "Allow direct requests" unchecked, those users see broken images even though they're not hotlinking anyone. Always allow blank referrers. - CDNs and image optimizers. If you run Cloudflare, a page-speed plugin, or an external image CDN in front of your site, requests may arrive with a referrer from the CDN's own domain rather than yours. Add that domain to the allow list too, or the CDN itself gets blocked.
- Your own subdomains. A staging site at
staging.yourdomain.comor a separate blog atblog.yourdomain.comneeds to be listed explicitly - "allow yourdomain.com" doesn't automatically cover every subdomain in cPanel's implementation. - Search engine image previews. Google Images and social share previews (Facebook, Twitter/X, WhatsApp) fetch images with no meaningful referrer or one that won't match your domain. Because you're already allowing blank referrers, most of these work fine - but test a link preview after enabling protection to be sure.
No cPanel? Do It Manually via .htaccess
If you're on a VPS without cPanel, or you just prefer to manage the rule yourself, add this directly to your Apache .htaccess (or the equivalent <Directory> block in your vhost config):
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?cdn\.yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|webp)$ /images/hotlink-blocked.png [L]
For Nginx, the equivalent lives in your server block:
location ~* \.(jpg|jpeg|png|gif|webp)$ {
valid_referers none blocked yourdomain.com *.yourdomain.com;
if ($invalid_referer) {
return 403;
}
}
Reload the config after editing (nginx -t && systemctl reload nginx) and test with a real browser before assuming it works - the Referer header behaves slightly differently across Apache and Nginx test tools.
Prevention: Make It Not Worth Hotlinking You
- Serve images from a CDN with its own hotlink protection. Cloudflare's free tier includes a "Block Hotlinking" toggle under Scrape Shield - it handles the referrer logic at the edge, before the request even reaches your server, which also saves you bandwidth on the blocked requests themselves.
- Watermark high-value images. Product photos and infographics you don't want reused elsewhere are far less attractive to hotlink once they carry a visible watermark.
- Check your Raw Access logs monthly. Catching a new hotlinker within a few weeks, rather than a few months, keeps the bandwidth hit small and gives you time to email the site owner before it becomes a real cost.
- Keep your allow list current. Every time you add a subdomain, CDN, or third-party embed (a review widget, a marketplace integration), add it to the hotlink allow list at the same time - not after something breaks.
Prevention Checklist
| Check | Where | Frequency |
|---|---|---|
| Bandwidth vs. visitor ratio | cPanel → Metrics | Monthly |
| Unfamiliar referrers on image requests | Raw Access logs | Monthly |
| Allow list includes all subdomains + CDN | Hotlink Protection settings | After any DNS/CDN change |
| Blank referrers still allowed | Hotlink Protection settings | Once, verify after enabling |
Frequently asked questions
Will hotlink protection block Google Images or social media previews?
Not if you allow blank referrers, which cPanel's tool lets you do with one checkbox. Most search engine crawlers and social share bots send no referrer or a non-matching one, and blank referrers are always let through. Test a link preview in Facebook or WhatsApp after enabling it to confirm your specific setup works.
Why are images broken on my own site after enabling hotlink protection?
Almost always one of two reasons: you forgot to add a subdomain (like a staging or blog subdomain) to the allow list, or you're running a CDN whose requests arrive with a different referrer than your main domain. Add the CDN's domain to the allow list and the images should come back immediately.
Does hotlink protection stop someone from copying my images entirely?
No - it only stops other sites from loading the file directly off your server. Someone can still right-click and save your image, then upload their own copy elsewhere. For that kind of protection you'd need watermarking or a DMCA takedown, not hotlink protection.
Can I hotlink-protect PDFs and videos, not just images?
Yes. In cPanel's Hotlink Protection tool, just add the extensions you want covered - pdf, mp4, mp3, whatever applies - in the extensions field. The same referrer-check logic applies to any file type you list.