Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to prevent hotlinking graphics from the domain?
Answer
Hotlink protection prevents other websites (anything other than your own website example.com) from displaying, linking or embedding image files that are served from your website example.com.
This practice is called hotlinking. It can quickly drain your bandwidth and make your website unavailable, only because other websites are using its content within their own code.
For this reason, it is recommended that you enable hotlink protection for the files of your website example.com by using one of the following methods:
For WordPress domains:
If the domain that needs to be secured from hotlinking is a WordPress domain, it can be secured in WP Toolkit starting from version 3.5.0.
1. Log into Plesk
2. Go to WordPress > example.com > Dashboard tab
3. Move the Enable hotlink protection slider to the right
For Plesk on Windows
Enable Hotlink Protection in Domains > example.com > Hotlink Protection. Refer to the Documentation on how to configure protection settings.
For Plesk on Linux
Hotlink protection is yet to be implemented in Plesk for Linux. Take part in our product improvement by voting for this feature on Plesk Uservoice portal.
As a workaround, hotlink protection can be enabled via the Apache module mod_rewrite by following these steps:
1. Log in to Plesk;
2. Browse to Home > Domains > example.com > Apache & nginx Settings;
3. Add the following rewrite rules to the Additional directives for HTTP / Additional directives for HTTPS fields (replace example and .com with your own domain):
Note: In Additional directives for HTTPS, the http:// in the referer pattern of the rules below must be changed to https://.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com(/)?.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|png|swf)$ - [NC,F]
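To check which requests the mod_rewrite rules above let through before deploying them, the following added example (not part of the original article or of Plesk) evaluates the rule logic in Python against constructed requests. The stricter referer pattern and the sample hosts are assumptions introduced for comparison.

```python
import re

# Patterns copied from the page's rules; the [NC] flag maps to re.IGNORECASE.
IMAGE_RE = re.compile(r"\.(gif|jpg|jpeg|png|swf)$", re.IGNORECASE)
PAGE_REFERER_RE = re.compile(r"^http://(www\.)?example\.com(/)?.*$", re.IGNORECASE)
# Assumption (not from the page): a stricter pattern in which the host name
# must be followed by "/" or by the end of the header value.
STRICT_REFERER_RE = re.compile(r"^http://(www\.)?example\.com(/|$)", re.IGNORECASE)


def status(path, referer, referer_re=PAGE_REFERER_RE):
    """Return the status the rule set yields: 403 if forbidden, else 200."""
    if not IMAGE_RE.search(path):
        return 200  # RewriteRule pattern does not match this path
    if referer == "":
        return 200  # "!^$" is false: requests without a Referer pass
    if referer_re.search(referer):
        return 200  # own-site Referer: second condition is false
    return 403      # both conditions true, so [F] applies


# Constructed sample requests: (path, Referer header value)
SAMPLES = [
    ("/img/logo.png", "http://www.example.com/index.html"),
    ("/img/logo.png", "http://other.test/page"),
    ("/img/logo.png", ""),
    ("/img/logo.png", "https://example.com/"),
    ("/img/logo.png", "http://example.com.other.test/"),
    ("/index.html", "http://other.test/page"),
]


def compare(samples=SAMPLES):
    """Return (path, referer, page_status, strict_status) for each sample."""
    return [(p, r, status(p, r), status(p, r, STRICT_REFERER_RE)) for p, r in samples]


if __name__ == "__main__":
    for path, referer, page, strict in compare():
        print(f"{path:15} {referer or '(none)':36} page={page} strict={strict}")
```

The https:// row is rejected by the HTTP pattern, which is why the HTTPS field needs its own scheme, and the fifth row shows that the page's pattern accepts any referer host that merely begins with example.com, while the stricter pattern does not.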
If nginx support is enabled on the server, verify that the Serve static files directly by nginx option is disabled on the Home > Domains > example.com > Apache & nginx Settings page.
Then, add the following directives to the Additional nginx directives field (replace example.com with your own domain):
location ~ ^/(.*\.(jpe?g|png|gif))$ {
    valid_referers none blocked example.com *.example.com;
    if ($invalid_referer) {
        return 403;
    }
}