If you run a website with images, videos, or downloadable files, you’ve probably noticed bandwidth creeping up even when your actual traffic seems steady. One common culprit: other sites linking directly to your media files. This practice, known as hotlinking, drains your server resources and can slow down your site for legitimate visitors. Fortunately, cPanel’s Hotlink Protection feature makes it easy to stop this cold.
In this guide, you’ll learn exactly what hotlinking is, how to enable Hotlink Protection in cPanel, how to configure allowed domains and file extensions, and what to do if legitimate sites get blocked. By the end, you’ll have a simple but effective line of defense running that saves bandwidth and keeps your content in front of your intended audience.
What Is Hotlinking and Why Should You Block It?
Hotlinking — also called inline linking or leeching — happens when another website embeds an image, video, or other file hosted on your server by linking directly to its URL. The visitor sees the media on the offending site, but the file is served from your server, consuming your bandwidth.
Common Hotlinking Scenarios
- Bloggers copying your infographic and embedding the image URL from your server
- Forums using your product photos in discussion threads
- Aggregator sites pulling your videos to display as their own
- Direct download links to your PDFs or software being shared on third-party pages
Why It’s a Problem
- Wasted bandwidth: Every hotlinked request eats into your monthly hosting allocation. If the hotlinker gets popular, your bill can spike unexpectedly.
- Slow performance: Your server spends resources serving files to people who never visit your site, leaving less capacity for your real audience.
- SEO risk: If Google indexes the hotlinking site’s page with your image, you can lose credit for your original content.
- Loss of control: You can’t update or remove a hotlinked file without breaking other sites — but why should that be your problem?
cPanel’s Hotlink Protection works by checking the HTTP Referer header of each request. If the referrer isn’t on your allowed list, the request is blocked and can optionally redirect to a different image or return a 403 Forbidden response.
How to Enable Hotlink Protection in cPanel
The setup process takes under two minutes and requires only a few decisions about what to protect and who to allow.
Step 1: Log into cPanel
Open your browser and navigate to your cPanel URL (typically https://yourdomain.com/cpanel or https://yourhost:2083). Enter your cPanel username and password.
Step 2: Find Hotlink Protection
In the Security section of the cPanel dashboard, click the Hotlink Protection icon. If you don’t see it immediately, use the search bar at the top of the cPanel interface and type “hotlink.”
Step 3: Configure the Protection Rules
You’ll see a form with several fields. Here’s what each one means and how to fill it out:
URLs to allow access:
List the domains that can embed your files. This should always include your own domain and any subdomains you use.
Example entries:
http://www.yourdomain.com
https://www.yourdomain.com
http://yourdomain.com
https://yourdomain.com
Add any additional domains you trust — for example, partner sites or social media platforms where you intentionally share content and want inline embeds to work.
Block direct access for these extensions:
cPanel pre-populates this with common media file types. The default list covers the essentials:
jpg|jpeg|gif|png|bmp|css|js|ico|webp|svg
If you host downloadable files such as PDFs, ZIP archives, or videos, consider adding their extensions too:
pdf|zip|rar|mp4|webm|mp3|wav|doc|docx
Redirect to this URL: (Optional)
When a hotlinked request is blocked, you can serve an alternative image instead of a broken link. This is useful for adding a “Don’t Steal Our Content” watermark or linking back to your site. If you leave this blank, blocked requests return a 403 Forbidden error.
Allow direct requests:
Check this box if you want visitors who type the file URL directly into their browser to be able to view or download it. Uncheck it if you want to block all direct-access requests and only allow embeds from your listed domains.
Allow empty referrer:
Some browsers and privacy tools (or local file opens) send no Referer header at all. Check this box to let those requests through. If you uncheck it, even legitimate users who open an image in a new tab from within your site may see a blocked result, depending on how the browser handles referrer headers.
Step 4: Enable Protection
Once you’ve filled out the form, click the Enable button. cPanel will confirm with a success message, and the protection goes active immediately — no need to wait or restart Apache.
Understanding How Referrer Checking Works
Hotlink Protection relies on the HTTP Referer header, which tells your server where a request came from. When a site embeds your image, the visitor’s browser sends a request to your server with a referrer value set to the embedding site’s URL.
Limitations to Know
- Spoofable: The Referer header can be faked. Dedicated leechers can set up scripts that send a fake referrer matching your allowed domain. Hotlink Protection is a deterrent for casual hotlinkers, not a full security solution.
- Privacy tools block referrers: Browser extensions, strict privacy modes, and some corporate proxies strip the referrer header. If you disable “Allow empty referrer,” these users will see broken media on your own site.
- CDNs and proxies: If you use a CDN like Cloudflare, the referrer your server sees may be the CDN’s IP rather than the original visitor. Test thoroughly if you have a CDN active.
Testing and Troubleshooting Hotlink Protection
After enabling protection, you should verify it’s working and handle any unexpected issues.
How to Test
- From your own site: Open a page that includes an image. It should load normally.
- From an external site: Create a simple HTML page on a different server (or use a tool like HTTP Referer Test Tools) that embeds your image URL via an <img> tag. The image should fail to load or show your redirect image.
- Direct URL access: Paste the full image URL directly into your browser address bar. The result depends on your “Allow direct requests” setting.
Common Issues and Fixes
Legitimate sites get blocked:
If a partner or client says their images aren’t loading, add their domain to the allowed URLs list and re-enable protection.
Your own images break on your site:
Most likely you forgot to include both https and http versions of your domain (and the www variant). Also check whether you need the “Allow empty referrer” option enabled.
Images load but the redirect isn’t showing:
Double-check the redirect URL you entered. It must be a full, publicly accessible URL pointing to an image file. If the redirect image itself is protected, you’ll see a 403 instead of your custom image.
Bandwidth still high after enabling:
Hotlink Protection only affects the file extensions you listed. If your bandwidth is still high, check for hotlinked files with different extensions (e.g., JSON, XML, or .ttf fonts) that aren’t in your extension list.
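One way to see which external sites and file extensions are still consuming bandwidth is to total the bytes served per referring host from the raw access log. The following is an added example, not a cPanel tool: it assumes Apache's combined log format, the function name is hypothetical, and the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)
OWN_HOSTS = {"yourdomain.com", "www.yourdomain.com"}  # placeholder domain from the page
PROTECTED = {"jpg", "jpeg", "gif", "png", "bmp", "css", "js", "ico", "webp", "svg"}

# Constructed sample lines (documentation IP ranges, made-up hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /img/chart.png HTTP/1.1" 200 48211 "https://www.yourdomain.com/blog/" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:10:00:05 +0000] "GET /img/chart.png HTTP/1.1" 403 199 "https://forum.example.net/t/42" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:10:00:09 +0000] "GET /fonts/brand.ttf HTTP/1.1" 200 91840 "https://forum.example.net/t/42" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:10:00:12 +0000] "GET /fonts/brand.ttf?v=2 HTTP/1.1" 200 91840 "https://shop.example.org/" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2025:10:00:20 +0000] "GET /files/guide.pdf HTTP/1.1" 200 350000 "-" "curl/8.5.0"
"""


def external_bytes(log_text, own_hosts=OWN_HOSTS, protected=PROTECTED):
    """Sum bytes served (2xx) to external referrers, keyed by (host, ext, covered)."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not m["status"].startswith("2") or m["bytes"] == "-":
            continue  # unparsable line, blocked/errored request, or no body
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host in own_hosts:
            continue  # empty or "-" referrer, or one of our own pages
        name = urlsplit(m["path"]).path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        totals[(host, ext, ext in protected)] += int(m["bytes"])
    return totals


if __name__ == "__main__":
    for (host, ext, covered), size in external_bytes(SAMPLE_LOG).most_common():
        print(f"{size:>8} bytes  {host:22} .{ext:5} in_extension_list={covered}")
```

Rows reported with `in_extension_list=False` are extensions to consider adding to the block list; rows with `True` are either allowed partner domains or a sign the rule is not matching.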
Beyond cPanel: Additional Anti-Hotlinking Measures
For stronger protection against persistent leechers, combine cPanel’s built-in feature with these additional methods:
.htaccess Rules
You can add the same referrer-blocking logic directly to your .htaccess file with mod_rewrite rules. This gives you finer-grained control, such as blocking specific domains while allowing all others:
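RewriteEngine on
# Let requests with no Referer header through
RewriteCond %{HTTP_REFERER} !^$
# Let your own pages through; ([/:]|$) ends the host name so longer look-alike hosts don't match
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com([/:]|$) [NC]
# Any other referrer gets 403 Forbidden for these extensions
RewriteRule \.(jpg|jpeg|png|gif|webp)$ - [NC,F,L]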
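The referrer check described in this guide can be modelled in a few lines to compare a pattern that stops right after the domain name with one that terminates the host. This is an added example, not cPanel's or Apache's own code: yourdomain.com is the page's placeholder, and the function names and test cases are constructed for illustration.

```python
import re

# Assumed values mirroring the page's example rule.
PROTECTED = re.compile(r"\.(jpg|jpeg|png|gif|webp)$", re.I)
# Pattern that stops right after the domain name (no terminator).
UNANCHORED = re.compile(r"^http(s)?://(www\.)?yourdomain\.com", re.I)
# Same pattern, but the host must end at "/", ":" (port) or end of string.
ANCHORED = re.compile(r"^https?://(www\.)?yourdomain\.com([/:]|$)", re.I)


def decide(path, referer, allowed, allow_empty=True):
    """Return 'serve' or 'block' the way the referrer rules would."""
    if not PROTECTED.search(path):
        return "serve"  # extension is not in the protected list
    if referer == "":
        return "serve" if allow_empty else "block"
    return "serve" if allowed.search(referer) else "block"


# Constructed test matrix: (request path, Referer header value)
CASES = [
    ("/img/logo.png", "https://www.yourdomain.com/about"),
    ("/img/logo.png", "https://yourdomain.com:8443/shop"),
    ("/img/logo.png", ""),
    ("/img/logo.png", "https://blog.example.net/post/1"),
    ("/img/logo.png", "https://yourdomain.com.example.net/copy"),
    ("/docs/guide.pdf", "https://blog.example.net/post/1"),
]


def run_matrix(pattern, allow_empty=True):
    """Evaluate every constructed case against one allow pattern."""
    return [decide(p, r, pattern, allow_empty) for p, r in CASES]


if __name__ == "__main__":
    rows = zip(CASES, run_matrix(UNANCHORED), run_matrix(ANCHORED))
    for (path, ref), weak, strict in rows:
        print(f"{path:16} {ref or '(empty)':42} unanchored={weak:5} anchored={strict}")
```

The fifth case is served under the unanchored pattern and blocked under the anchored one; the last case is served either way because .pdf is not in the protected extension list.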
CDN-Level Protection
Cloudflare and other CDNs offer their own hotlink protection that blocks requests before they reach your server. Cloudflare’s Scrape Shield includes a Hotlink Protection toggle in the dashboard — it works the same way but at the edge level, saving even more bandwidth.
Image Watermarking
For high-value visual content, consider serving watermarked images through a PHP script or a plugin. Even if someone hotlinks a watermarked image, they get a version that promotes your brand rather than your original asset.
Key Takeaways
- Hotlink Protection in cPanel blocks other websites from embedding your images, videos, and other media files on their pages, saving bandwidth and protecting your content.
- Enable it from the Security section in cPanel — it takes roughly two minutes with no server restarts required.
- Always include all URL variants of your own domain (http/https, www/non-www) in the allowed URLs list.
- The “Allow empty referrer” setting is worth enabling if your visitors use privacy-focused browsers or tools that strip referrer headers.
- For stronger protection, combine cPanel Hotlink Protection with .htaccess rules, a CDN-level scrape shield, or image watermarking.
- Test from both your own site and an external embedding page to confirm the protection is working as expected.