[HOW-TO] Prevent Hotlink in Drupal 6 + Apache

Category:

As far as I can remember, to prevent hotlink in Drupal is not that easy. If you search website to look for prevent hotlink, you will find a lot of them to use with .htaccess file. But those are not for Drupal. You can't just use it in Drupal .htaccess file, that won't work. However, I have a set of code that work great. Actually, I have this code long time ago but I can't remember where I got it from. Thanks for the guy that provide it. Too bad that I didn't save link at that time.

So, now, here is what we have to do :

Create .htaccess file under "files" directory : (Here, I use old Drupal structure. So, my files directory is just one level down from root web folder.)

nano -w /home/admin/public_html/files/.htaccess

Paste code below into it.

.htaccess file under files directory

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
# Prevent Hotlink
SetEnvIfNoCase Referer "^$"  local_ref=1
# Next authorized domains
SetEnvIfNoCase Referer "^http://(www\.)?bing\.com" local_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?google\.com" local_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?facebook\.com" local_ref=1
# File extensions that you want to protect
<FilesMatch "\.(bmp|jpe?g|gif|png)">
 Order Allow,Deny
 Allow from env=local_ref
</FilesMatch>

You can allow some websites to do hotlink to your website. Example above, I allow bing.com, google.com and facebook.com to be able to hotlink from my website.

Comments

Tried using this for my drupal and testing here >> http://www.free-webhosts.com/hotlinking-checker.php if it's working, but the images are still displaying. Hence this code is not working.

This is what I have:

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
# Prevent Hotlink
SetEnvIfNoCase Referer "^$" local_ref=1
# Next authorized domains
SetEnvIfNoCase Referer "^http://(www\.)?gallery.speedymirror\.com" local_ref=1
SetEnvIfNoCase Referer "^http://(www\.)?gallery.goldlilys-media\.com" local_ref=1
# File extensions that you want to protect
<FilesMatch "\.(bmp|jpe?g|gif|png)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>

Is this wrong?

I'm not sure what is wrong but it's working for me. I just tested it with the link you provided. No image shows.



One thing though, My "files" directory is located at "/public_html/files" but with newer Drupal, that "files" directory location is changed to "/public_html/sites/default/files". With that path, I never tried if it work or not.

Just tested with another website with the path "/public_html/sites/default/files". It is working as it should be. What I did is just copied the code I provided and paste them into .htaccess file. (Drupal 6.21) So, my question now is if you put that .htaccess file in the correct location?

Because of the input format, the filematch tags are disappearing but that's part of the code, exactly same as yours

Tested it again. Actually if you visit that exact image from your site and it's cache on the browser then test it out, it shows up. I cleared all my cache and when I tested again, it works. Sorry about the trouble. I was getting impatient because I looked at the other threads for preventing hotlinking on drupal and each one breaks imagecache. Yours was the only one that didn't. Thank you so much. FYI: you should really disable the preview on comments, have to fill in captcha each time and kind of long winded.

Glad it works for you :) Also, I just set Preview as an optional per your suggestion. Thanks :)

Hi, I tried your code for ppt and pdf files in my files directory. It had the effect of letting anonymous users still hotlink to the file, but authenticated users could not download file attachments. This is the opposite of what I was trying to achieve. Any ideas?

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.