
Protect your Website from Leeching with htaccess

Update 3:

They're back online with a new domain name. This time they moved the images and CSS to their own server. Something needs to be done to take them offline again:

Update 2:

Within less than 24 hours the domain registrar canceled and the leechers deleted all the files from their hosting. 403 victory! It is a somewhat hollow victory. I was hoping they wouldn't find out about it for at least a few days. Anyhow, I did take before and after screenshots for posterity.

[Screenshots: before and after]

Update 1:

After "adjusting" the header image being displayed on the leecher's site, the domain they were using to forward to the hosting account on their school's server no longer works. Looks like the domain registrar shut down their account. But you can still access their site directly for the time being: I just wish I could have a hidden camera to see the reaction when they load the adjusted site for the first time.

Somebody ripped off the new Themebot layout!

As you may have read earlier, the layout for Themebot was updated recently. I was checking my Google analytics this evening and saw a noticeable amount of traffic coming from a site I didn't recognize. The referring URL is: Free iPods eh? Decided to pay them a visit. Hmm, something looks familiar.

It is interesting that the site redirects to this other URL:

Do you want a free iPod? Are you ready to sell your soul? Are you ready to get ripped off? It never ceases to amaze me how many ways people think of to rip other people off on the internet. This idiot is trying to rip people off with the lure of a free iPod while stealing Themebot's bandwidth and design. They used HTTrack Website Copier to scrape the content from the server. All of the images for the layout as well as the favicon and CSS are being leeched directly from the server. Even the Google tracking code for Themebot is being used!

Anyways, before I turn on the hotlink protection, I thought I'd write an article about this since it is kind of amusing. I took some screen shots to add to the article for after I turn the tap off. If you are able to add hotlink protection on your server, it is a good idea. Somebody might be stealing your bandwidth and you don't even know it. I'm glad my good friend in Nauru was stupid enough to leave the Google tracking code in, otherwise nothing would have shown up in the analytics. (Actually, as more content appears on the site, this is clearly a student in the UK who chose a .nr domain and is forwarding the domain to his hosting at school. Brilliant choice of domain suffix!) I wonder how many other sites have been leeching?

What is annoying is that they were too lazy to even move the files to their own server and are stealing bandwidth. I'll let it ride for a little while and take it as a compliment that the new layout was good enough to leech.

How to hotlink protect your site and prevent leeching

If you have a *nix server (Linux, Unix, etc.) you can use your .htaccess file to prevent other web sites from leeching images, files and bandwidth from your server. Some hosting providers have a function in the control panel to turn on "hotlink protection". If your web host does not have this feature, it is fairly simple to do it yourself by manually adding some code to the .htaccess file. Regardless, make sure to create a backup of your existing .htaccess file before making any changes in your host control panel or manually.

The first thing to check in your .htaccess file is that RewriteEngine is on. Then, add the rules to prevent the leeching. Here is an example of the code:

RewriteEngine on
# example.com is a placeholder for your own domain
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteRule .*\.(.*)$ http://www.example.com/ [R,NC]

Obviously you would change the references to example.com (a placeholder here) to whatever your domain is. Also, you want to take into account whether your site is using www or not for the URLs. If you aren't redirecting to either with www or without www, that is a whole other article.

So now that you have added the code to your .htaccess file, it will prevent other sites from stealing your files and bandwidth. Hotlinked images will simply be broken, will not appear, or can be replaced. Also, the code can redirect people from the leeching site back to your site if they have been using the links for your file downloads.

Try it out.
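An added example (not part of the original article): a small Python model of the two RewriteCond lines and the RewriteRule, run over constructed Referer values to show which requests the rule set serves and which it redirects. The domain example.com, the leecher hostnames and the unanchored LOOSE pattern are assumptions made for illustration; LOOSE is there only to show why the `^` anchor and the trailing slash matter.

```python
import re

# Placeholder domain: substitute your own site for example.com.
STRICT = r"^https?://(www\.)?example\.com/.*$"
LOOSE = r"example\.com"          # hypothetical unanchored variant, for contrast
TARGET = "http://www.example.com/"


def decide(path, referer, own_site=STRICT):
    """Model the rule set: return 'serve' or 'redirect -> URL' for one request."""
    # The RewriteRule pattern is tested first, against the requested path.
    if not re.search(r".*\.(.*)$", path, re.I):
        return "serve"
    # Both RewriteCond lines are negated and ANDed: redirect only when the
    # Referer is neither one of the site's own pages nor empty. [NC] = ignore case.
    from_own_site = re.search(own_site, referer, re.I) is not None
    no_referer = referer == ""
    if from_own_site or no_referer:
        return "serve"
    return "redirect -> " + TARGET


# Constructed sample requests: (description, Referer header value)
SAMPLES = [
    ("own page", "https://www.example.com/index.html"),
    ("own page, upper case", "HTTP://EXAMPLE.COM/about.html"),
    ("leeching page", "http://leecher.example.net/ipod.html"),
    ("lookalike host", "http://example.com.leecher.example.net/"),
    ("own URL in query string", "http://leecher.example.net/?r=http://example.com/"),
    ("no Referer (direct fetch, stripped header)", ""),
    ("forged Referer sent by a script", "http://www.example.com/"),
]


def report(own_site=STRICT):
    """Verdict for each sample when it requests a layout image."""
    return {name: decide("images/header.png", ref, own_site) for name, ref in SAMPLES}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:45} {verdict}")
```

The last two samples are served because the Referer header is supplied by the client: the rule limits embedding by other sites' pages, not access to the file itself.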

Alternative hotlink elimination methods

There is more than one way to choke a leech. The following screen shots demonstrate what is known as the FBM technique. This is a surefire way to get hotlinking leechers to shut their site down quick. Warning, the screen shots are graphic in nature and may contain images not suitable for younger viewers.

[Screenshots: before and after]

If you have used any creative techniques to deal with hotlink leechers and have screen shots to share, please post a comment.


I would like to prevent downloading/recording of mp3 files that are streamed.

The proposed lines in .htaccess, will they do the job?

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteRule .*\.(.*)$ http://www.example.com/ [R,NC]

Thanks in advance.


- posted 15 years 4 months ago by: rooman

The .htaccess rules in this article are for preventing other sites from hotlinking to the files on your site. Even if you implement these rules, people will still be able to download the mp3 files directly from your site if they are hosted in a public directory and the visitor knows the URL that leads to the files.

Are you wanting to prevent visitors from downloading the mp3 files on your site altogether so that they can only be listened to in streaming format?

- posted 15 years 4 months ago by: Themebot

Exactly, streaming but not downloadable.
I know that it's possible to use specific leeching software, but expensive dedicated streaming servers are a little too expensive and also overkill for the amount of data concerned.
The problem concerns an orchestra who will authorise streaming of pieces recorded with personal collaboration, but only if download is not possible.

You are probably going to ask how much time and money can be spent to counter leeching? I reply, what is possible and at what expense?

If a simple solution that blocks 80% of users is possible, then for me that's probably okay. There is no commercial risk value involved here.

- posted 15 years 4 months ago by: rooman

Probably the simplest way to do this is to use a Content Management System for the site with a module that streams audio. You would need to do some research to find a module that allows you to place the audio files in a private directory (only accessible to the server) and then have the module stream from that directory. I think Drupal, Joomla and WordPress offer modules / plugins with this capability and I'm sure there are other CMS that can do this. Of course, there is a learning curve with any CMS. If you are already familiar with one, check around for some modules or plugins that can do this. Best of luck!

- posted 15 years 4 months ago by: Themebot

At the bottom of the code for the .htaccess file there is this line which redirects hotlinked files and images:

RewriteRule .*\.(.*)$ http://www.example.com/ [R,NC]

If you are feeling creative, the URL can be adjusted to replace all hotlinked images with another image of your choice. First, you would need to set up another domain in your hosting or use an existing domain that does not have hotlink protection active. Then replace the URL with the URL to the image. For example:

RewriteRule .*\.(.*)$ http://other-domain.example/replacement-image.jpg [R,NC]

You could have a lot of fun with this one :D

- posted 15 years 7 months ago by: Themebot


© 2006-2023 überbytes LLC