2

I am running a WordPress blog and one "gentleman" is stealing my posts. I've decided to make his life difficult and I would like to prevent hotlinking of images from my blog.

I used htaccesstools.com/hotlink-protection/ to generate the .htaccess part for hotlink prevention.

```apache
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?marusiak.pl [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?wojcieh.net [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ https://wojcieh.net/wp-content/uploads/2017/06/fuck-you-stealer.gif [NC,R,L]
```

I created a test blog to see if I can hotlink my images, https://stagingwpblog.wordpress.com/2017/03/13/test-blog-post/, and the image is still being displayed.

What am I doing wrong here?

Jenny D
wojcieh

2 Answers

1

Since you are redirecting to the "alternative image" you need to include an exception so that requests to your "alternative image" are not also redirected, thus creating a redirect loop (which times out and puts an additional strain on your server!).

For example:

```apache
RewriteEngine on
RewriteCond %{REQUEST_URI} !thou-shalt-not-steal\.gif$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?marusiak.pl [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?wojcieh.net [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ https://wojcieh.net/wp-content/uploads/2017/06/thou-shalt-not-steal.gif [NC,R,L]
```

However, if you must return an image (and not simply 403 the request) then it would be preferable to internally rewrite the request, rather than redirecting. This way, your server doesn't get the additional request and the "alternative image" remains incognito (harder to steal!). For example:

```apache
RewriteEngine on
RewriteCond %{REQUEST_URI} !thou-shalt-not-steal\.gif$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?marusiak\.pl [NC]
RewriteCond %{HTTP_REFERER} !^https://wojcieh\.net [NC]
RewriteRule \.(jpe?g|png|gif)$ /wp-content/uploads/2017/06/thou-shalt-not-steal.gif [NC,L]
```

NB: You only need to set a condition for the canonical hosts.


Aside: That tool you used at htaccesstools.com does include an additional note:

> NOTE: Make sure the image is not hotlink protected or your server can go into an endless loop.

...which is what was happening with your code. But they don't provide the necessary code/directive to do this, so the generated code by itself will not work out of the box.

MrWhite
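The redirect loop described in this answer, simulated offline as an added example (not code from the answer or from htaccesstools.com). The rule conditions are re-implemented in Python; the referring page `https://thief.example/post`, the requested image path and the 20-redirect client limit are constructed assumptions.

```python
import re

# Allowed referers and image pattern, mirroring the rules above.
ALLOWED = [re.compile(r"^http(s)?://(www\.)?marusiak\.pl", re.I),
           re.compile(r"^http(s)?://(www\.)?wojcieh\.net", re.I)]
IMAGE = re.compile(r"\.(jpe?g|png|gif)$", re.I)
PLACEHOLDER = "/wp-content/uploads/2017/06/thou-shalt-not-steal.gif"

# Constructed sample request (assumptions, not values from the page).
IMG = "/wp-content/uploads/2016/02/sample-logo.png"
THIEF = "https://thief.example/post"

def rewrite(uri, referer, exempt_placeholder):
    """Return the redirect target, or None when the request is served as is."""
    if exempt_placeholder and uri.endswith("thou-shalt-not-steal.gif"):
        return None           # RewriteCond %{REQUEST_URI} !thou-shalt-not-steal\.gif$
    if referer == "":
        return None           # RewriteCond %{HTTP_REFERER} !^$
    if any(p.search(referer) for p in ALLOWED):
        return None           # referer is one of the site's own hosts
    if IMAGE.search(uri):
        return PLACEHOLDER    # RewriteRule ... [NC,R,L]
    return None

def fetch(uri, referer, exempt_placeholder, max_redirects=20):
    """Follow redirects as a browser does: the Referer of the embedding page
    is sent again on every hop. Returns (final_uri, hops); final_uri is None
    when the client gives up after max_redirects (assumed limit)."""
    for hops in range(max_redirects + 1):
        target = rewrite(uri, referer, exempt_placeholder)
        if target is None:
            return uri, hops
        uri = target
    return None, max_redirects

if __name__ == "__main__":
    cases = [("generated rules, hotlinked", THIEF, False),
             ("with exception, hotlinked", THIEF, True),
             ("with exception, empty Referer", "", True),
             ("with exception, own site", "https://www.wojcieh.net/a-post/", True)]
    for label, referer, exempt in cases:
        print(f"{label:32} -> {fetch(IMG, referer, exempt)}")
```

Without the `REQUEST_URI` exception the placeholder itself matches the image pattern, so every hop redirects again until the client gives up; with it, the hotlinked request settles on the placeholder after one redirect.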
0

It's easy. Your test site downloads the image from https://i1.wp.com/wojcieh.net/wp-content/uploads/2016/02/vcenter-server-6.-upgrade-logo.png, not from your site; that's why your .htaccess is not working.

Alexander Tolkachev
  • Yes you are right. However, real use case. This fcker is stealing my images https://vcenter.ir/%D9%86%D8%AD%D9%88%D9%87-%D8%AA%D8%B9%D9%88%DB%8C%D8%B6-ssl-certificate-%D8%AF%D8%B1-vmware-esxi-6/. Although I enabled this in .htaccess it isn't working. – wojcieh May 23 '17 at 15:13
  • @wojcieh I checked your link, everything is working like it should, see http://imgur.com/a/0KyBq – Alexander Tolkachev May 23 '17 at 15:27
  • What a refreshing war on the blogosphere! Is `hello.jpg` from Christmas Island already out of fashion? – Esa Jokinen May 23 '17 at 19:43
  • @EsaJokinen It is not the first content this guy stole from me and other bloggers. – wojcieh Jun 06 '17 at 14:50