Title: Hotlinking protection custom code – not working
Last modified: August 21, 2016

---

# Hotlinking protection custom code – not working

 *  Resolved [James](https://wordpress.org/support/users/en7jos/)
 * (@en7jos)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/)
 * Hi,
 * Just trying to get image hotlinking protection enabled on my website and came
   across the custom code on your main BPS website here:
    [http://forum.ait-pro.com/forums/topic/hotlink-protection-do-not-block-google-bing-or-yahoo/](http://forum.ait-pro.com/forums/topic/hotlink-protection-do-not-block-google-bing-or-yahoo/)
 * I’ve added the following code to the bottom box in the root htaccess custom code
   page entitled “CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/
   BLOCK IP/REDIRECT CODE: Add miscellaneous code here”.
 *     ```
       # Prevent hotlinking of images (but allow search engines)
       SetEnvIfNoCase Referer "^(http|https)://.*mywebsite.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite1.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite2.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite3.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist
       # SetEnvIf Server_Addr "^123\.123\.123\.1$" whitelist
   
       <FilesMatch "\.(gif|jpg|jpeg|png|bmp)$">
       Order Allow,Deny
       Allow from env=whitelist
       </FilesMatch>
       ```
   
 * However this does not seem to be working – any ideas why this is please?
 * I have the server address line commented out at the moment as I’m not sure whether
   the final part of the numeric server address should just be the first digit (
   is the $ a wildcard) or whether it should be the full 3 digit number.
 * I used the above format for the first ‘mywebsite’ address line as I have 
   both .com and .co.uk versions of the same domain so wanted to allow both. Is 
   that the correct way to do it?
 * [http://wordpress.org/plugins/bulletproof-security/](http://wordpress.org/plugins/bulletproof-security/)

Viewing 15 replies - 1 through 15 (of 29 total)


 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305843)
 * The Server Address is critical and the code will not work if it is commented 
   out. Your Server/Website IP address is static and will not change, unless you
   moved to another Server.
 * In this particular case/usage the caret ^ means the start of the condition/rule
   and the dollar sign $ means the end of the condition/rule.
 * If you wanted to, you could use Regular Expressions code to match any number from
   0 to 9 with 1 to 3 characters in the 4th octet of the IP address, but this is
   not necessary to do because your Server IP address is static and will not change.
 * `SetEnvIf Server_Addr "^99\.88\.77\.[0-9]{1,3}$" whitelist`
 * If both the .com and .co.uk websites are sharing image files then using Regular
   Expressions code .* match anything – works fine. If the sites are not sharing
   image files then you would not need to do this.
 * `SetEnvIfNoCase Referer "^(http|https)://.*mydomain.*" whitelist`
 *  Thread Starter [James](https://wordpress.org/support/users/en7jos/)
 * (@en7jos)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305872)
 * Hi. Many thanks for the explanation, think I understand better now. I have corrected
   and updated the custom code entry in my .htaccess file through BPS, but the hotlinking
   protection still does not seem to be working. Here’s what I have now:
 *     ```
       # Prevent hotlinking of images (but allow search engines)
       SetEnvIfNoCase Referer "^(http|https)://.*mywebsite.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite1.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite2.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite3.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist
       SetEnvIf Server_Addr "^123\.123\.123\.191$" whitelist
   
       <FilesMatch "\.(gif|jpg|jpeg|png|bmp)$">
       Order Allow,Deny
       Allow from env=whitelist
       </FilesMatch>
       ```
   
 * Interestingly, when I checked this morning before updating the htaccess code 
   I found that some of the websites hotlinking to my images were showing broken
   links. But strangely not all of them and some were still hotlinking my pictures.
 * After updating the htaccess file to include the server address line the hotlinking
   protection seems to have completely stopped working again, and all of the websites
   are showing my images again.
 * Should hotlinking protection using the above htaccess code take effect immediately,
   or could there be a time lag? I have cleared my browser cache and also the website
   caches (W3TC and Cloudflare) several times.
 * Any further thoughts as to what I am doing wrong please? Many thanks,
    James
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305874)
 * Are you adding the Server IP address from the BPS System Info page? Does it say
   something along the lines of “Proxy or X-Forwarded-for”? What probably needs 
   to happen is you will need to add additional IP addresses for CloudFlare, which
   are X-Forwarded-for, similar to what needs to be done when using the Brute Force
   Login Protection code in the link below.
 * Scroll down in that Forum Topic until you get to the CloudFlare, Proxy, CDN, 
   VPN help section.
 *     ```
       SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
       SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
       SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
       ```
   
 * [http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/](http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/)
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305875)
 * The other thing about CloudFlare is copies of your content are stored on CloudFlare
   Servers so I wonder if maybe you cannot use HotLink Protection? I do not use 
   any Cloud services so I only know the basic concepts about what Cloud services
   do. Maybe check with the CloudFlare folks regarding something like this.
 *  Thread Starter [James](https://wordpress.org/support/users/en7jos/)
 * (@en7jos)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305879)
 * Many thanks,
 * I have been experimenting with the htaccess code for the past few hours this 
   morning with Cloudflare turned off and have a working solution as follows:
 *     ```
       # The main domain\.tld for the website
       SetEnvIfNoCase Referer "^http://(www\.)?mywebsite\.com(/|$)" whitelist
       SetEnvIfNoCase Referer "^http://(www\.)?mywebsite\.co.uk(/|$)" whitelist
   
       # Allow empty referrers
       # SetEnvIf Referer "^$" whitelist
   
       # List of any other domains that should be able to access the files
       SetEnvIfNoCase Referer "^http://(www\.)?friendswebsite\.com(/|$)" whitelist
       SetEnvIfNoCase Referer "^http://(www\.)?friendswebsite\.net(/|$)" whitelist
       SetEnvIfNoCase Referer "^http://(www\.)?friendswebsite\.co.uk(/|$)" whitelist
   
       # Allow search engines to access images
       SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist
   
       # Specify image file types to protect from hotlinking
       <FilesMatch "\.(gif|jpg|jpeg|png|bmp)$">
       Order Allow,Deny
       Allow from env=whitelist
       </FilesMatch>
       ```
   
 * Any comments or corrections relating to the above code? I’ve left out the server
   address so far as I have started from a basic code and built up to try and narrow
   down the problem. Why exactly is this required if the website addresses are given?
   I’ll add this back in later, if needed:
 *     ```
       # My server address
       SetEnvIf Server_Addr "^123\.123\.123\.191$" whitelist
       ```
   
 * The website address is as per the BPS System Info tab and there is no mention
   of a proxy or X-forwarded, so I don’t think that is the issue.
 * This seems to be working fine, although how would you be able to test that Google
   etc can still get to your images? It is allowing access from ‘mywebsite’ and ‘
   friendswebsites’, but blocking fine for anywhere else.
 * Now your comment about CloudFlare just got me thinking… Maybe that is the problem
   so I’ll now try turning it back on and see what happens. Of course if the other
   websites are using images served by CloudFlare then bandwidth usage is not an
   issue, which just leaves the copyright concern.
 * I’ll let you know how I get on once CloudFlare is active again.
 * James 🙂
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305881)
 * Empty Referers usually mean Spammers and typically you would block empty referers
   and not whitelist them/Spammers.
 *     ```
       # The main domain\.tld for the website
       SetEnvIfNoCase Referer "^http://(www\.)?mywebsite\.com(/|$)" whitelist
       SetEnvIfNoCase Referer "^http://(www\.)?mywebsite\.co.uk(/|$)" whitelist
       ```
   
 * The $ sign is used incorrectly above. I think you are trying to allow for either
   a forward slash or no forward slash. .* means match anything so it would match
   a forward slash or no forward slash.
 * You need to whitelist your Server to allow the Server to do things with image
   files on both the frontend of the site and more importantly in the backend admin/
   Dashboard of the site.
 *  Thread Starter [James](https://wordpress.org/support/users/en7jos/)
 * (@en7jos)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305882)
 * Ok, so I’ve turned Cloudflare back on and the above code still seems to be working.
   CloudFlare does have its own image hotlinking protection function, but there is
   no option to allow friendly websites to hotlink (other than having a separate
   folder where hotlinkable images are stored) so I have this turned off.
 * I have now added in the server’s numerical address and tweaked the ‘mywebsite’
   using .* rather than the $ as you suggested. I guess the .co.uk and .com addresses
   could be combined, but having them on separate lines seems to be working so I
   think I’ll leave it at that. So I now have:
 *     ```
       # The main domain\.tld for the website
       SetEnvIfNoCase Referer "^http://(www\.)?mywebsite\.com.*" whitelist
       SetEnvIfNoCase Referer "^http://(www\.)?mywebsite\.co.uk.*" whitelist
   
       # My server address
       SetEnvIf Server_Addr "^123\.123\.123\.191$" whitelist
   
       # Allow empty referrers
       # SetEnvIf Referer "^$" whitelist
   
       # List of any other domains that should be able to access the files
       SetEnvIfNoCase Referer "^http://(www\.)?friendswebsite\.com.*" whitelist
       SetEnvIfNoCase Referer "^http://(www\.)?friendswebsite\.net.*" whitelist
       SetEnvIfNoCase Referer "^http://(www\.)?friendswebsite\.co.uk.*" whitelist
   
       # Allow search engines to access images
       SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
       SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist
   
       # Specify image file types to protect from hotlinking
       <FilesMatch "\.(gif|jpg|jpeg|png|bmp)$">
       Order Allow,Deny
       Allow from env=whitelist
       </FilesMatch>
       ```
   
 * Final test now to double check that this hasn’t broken anything!
 *  Thread Starter [James](https://wordpress.org/support/users/en7jos/)
 * (@en7jos)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305883)
 * Ok, so I think I have finally cracked it! There is definitely a problem with 
   the numerical server address line:
 *     ```
       # My server address
       SetEnvIf Server_Addr "^123\.123\.123\.191$" whitelist
       ```
   
 * I have the custom code exactly as pasted directly above in my htaccess, but it
   only works if the server address line is commented out. If this line is active
   then the hotlinking protection doesn’t work and my images show up on all of the
   unauthorised websites I’ve found. But if I comment this one line out then it 
   all works just fine and the images are only shown on ‘mywebsite’ and ‘friendswebsite’.
 * I have turned this line on and off several times and the images appear or are
   blocked from the unauthorised websites accordingly, so this line is 100% definitely
   the problem! Images on authorised websites seem to appear fine either way.
 * Without this line the code seems to work perfectly, so what could be the issue
   do you think?
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305884)
 * Then that means that the Server IP address is not correct because whatever your
   real Server IP address is, it is being blocked since it is not really being whitelisted.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305885)
 * By commenting out the incorrect Server IP address this would work on the frontend
   of your website and you do not even need to whitelist your Server IP address 
   on the frontend of your website. The problem will occur on the backend of your
   website – you will not be able to see image files in the WordPress Media library
   and will see Red X’s instead of image files if you do not whitelist your correct
   Server IP address.
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305886)
 * If your Server has a Proxy Server then maybe you are not seeing an additional
   IP address that needs to be whitelisted or maybe there are additional CloudFlare
   IP addresses that need to be whitelisted.
 *  Thread Starter [James](https://wordpress.org/support/users/en7jos/)
 * (@en7jos)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305887)
 * The example on [this webpage](http://serverfault.com/questions/290159/how-do-i-setenv-only-for-a-specific-ip-in-apache)
   seems to suggest that the speech marks around the server address are not required:
 *     ```
       # My server address
       SetEnvIf Server_Addr ^123\.123\.123\.191$
       ```
   
 * Does that make sense?
 * No wait, what’s this I’ve just read:
 * > See the SetEnvIf directive, which defines environment variables based on attributes
   > of the request, such as Remote_Addr (the IP address of the client making the
   > request) or Server_Addr (the IP address of the server on which the request 
   > was received)..
 * **So why are we using Server_Addr on this line, shouldn’t we be using Remote_Addr
   instead?**
 * If Server_Addr is the address of the server on which the request was received,
   then we are whitelisting every request that is **received** by our server! Surely
   we only want to whitelist requests that are **made** by our server in this instance.
 * Is this the problem and should the line actually read:
 *     ```
       # My server address
       SetEnvIf Remote_Addr ^123\.123\.123\.191$
       ```
   
 * James
 *  Thread Starter [James](https://wordpress.org/support/users/en7jos/)
 * (@en7jos)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305888)
 * > By commenting out the incorrect Server IP address this would work on the frontend
   > of your website and you do not even need to whitelist your Server IP address
   > on the frontend of your website. The problem will occur on the backend of your
   > website – you will not be able to see image files in the WordPress Media library
   > and will see Red X’s instead of image files if you do not whitelist your correct
   > Server IP address.
 * None of this happens for me with the above line commented out. I have checked
   through the backend, media library, even add images in a post and all the images
   are displaying just fine, no red X’s anywhere! But wouldn’t all such backend 
   requests still have the domain name as the referrer and be covered by the ‘mywebsite’
   lines anyway?
 *  Plugin Author [AITpro](https://wordpress.org/support/users/aitpro/)
 * (@aitpro)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305891)
 * You can choose not to use the double quotes and the rule will still work, but
   to be 100% code correct in a technical sense then you would use the double quotes.
 * Server_Addr = the IP address of the server under which the current script is
   executing.
 * Remote_Addr = the IP address from which the user is viewing the current page.
 * Server_Addr is correct and Remote_Addr is incorrect. You are whitelisting your
   Server so that your Server can perform tasks that it needs to perform.
 * I assume that there is some DNS issue on this site that is not obvious so use
   this online DNS checking tool and check the advanced tab after you have run the
   tool for your domain.
    [http://dnscheck.pingdom.com/](http://dnscheck.pingdom.com/)
 *  Thread Starter [James](https://wordpress.org/support/users/en7jos/)
 * (@en7jos)
 * [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/#post-4305897)
 * I’ve just run the DNS test as you suggested, thanks for that tip. Probably easier
   to just show you the results than try to explain them:
    [http://dnscheck.pingdom.com/?domain=matchlessclueless.com&timestamp=1384248972&view=1](http://dnscheck.pingdom.com/?domain=matchlessclueless.com&timestamp=1384248972&view=1)
 * All 6 sections under the basic view tab say: “Everything is fine. All tests successful
   in this part, no errors or warnings.”
 * Under the ‘Delegation’ section in the advanced view there are a few lines that
   say: “DNS lookup error (SERVFAIL).”
 * Not exactly sure what this means, so you think this could be the problem perhaps?
   I ran the test both with and without CloudFlare active and this doesn’t make 
   any difference. I’m guessing there is some problem with how the CloudFlare DNS
   records are setup, but not sure exactly what so I’ve raised a support ticket 
   and will wait to hear what they say.
 * Hope to be getting to the bottom of this shortly. Thanks for your help, much appreciated!
   🙂
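
Added example (not code from the thread, the linked forum or BulletProof Security): a small Python model of how the `SetEnvIf` lines and the `Order Allow,Deny` / `Allow from env=whitelist` block discussed above combine, using the definitions quoted in the thread (Server_Addr is the address the request was received on, Remote_Addr is the client). It shows what each variant of the whitelist does to a hotlinked image request and what the `.*google.*` pattern accepts. The IP addresses, domains and the tightened search-engine pattern are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    referer: str      # Referer header sent by the visitor's browser
    remote_addr: str  # IP address of the client making the request
    server_addr: str  # IP address of the server that received the request

SERVER_IP = "203.0.113.191"  # constructed value (documentation address range)

def rule(attr, pattern, nocase=False):
    """One SetEnvIf / SetEnvIfNoCase line that sets the 'whitelist' variable."""
    return attr, re.compile(pattern, re.IGNORECASE if nocase else 0)

REFERER_RULES = [
    rule("referer", r"^http://(www\.)?mywebsite\.com.*", nocase=True),
    rule("referer", r"^http://(www\.)?friendswebsite\.com.*", nocase=True),
]
LOOSE_GOOGLE = rule("referer", r"^(http|https)://.*google.*", nocase=True)
# Assumption: one way to anchor the pattern to the host part of the URL.
TIGHT_GOOGLE = rule(
    "referer", r"^https?://([a-z0-9-]+\.)*google\.(com|co\.uk)(/|$)", nocase=True
)
SERVER_ADDR = rule("server_addr", r"^203\.0\.113\.191$")
REMOTE_ADDR = rule("remote_addr", r"^203\.0\.113\.191$")

def image_status(req, rules):
    """Order Allow,Deny + Allow from env=whitelist: 200 if any rule matched, else 403."""
    whitelisted = any(rx.search(getattr(req, attr)) for attr, rx in rules)
    return 200 if whitelisted else 403

def make_request(referer, client="198.51.100.7"):
    # Every request that reaches this site carries the same Server_Addr.
    return Request(referer, client, SERVER_IP)

# Constructed sample requests for an image file.
OWN_PAGE = make_request("http://www.mywebsite.com/a-post/")
HOTLINK = make_request("http://unrelated.example/gallery.html")
LOOKALIKE = make_request("http://unrelated.example/google-pics.html")
SEARCH = make_request("https://www.google.com/search?q=example")

def demo():
    with_server = REFERER_RULES + [LOOSE_GOOGLE, SERVER_ADDR]
    with_remote = REFERER_RULES + [LOOSE_GOOGLE, REMOTE_ADDR]
    no_ip_rule = REFERER_RULES + [LOOSE_GOOGLE]
    tightened = REFERER_RULES + [TIGHT_GOOGLE]
    return {
        "hotlink / Server_Addr rule": image_status(HOTLINK, with_server),
        "hotlink / Remote_Addr rule": image_status(HOTLINK, with_remote),
        "hotlink / no IP rule": image_status(HOTLINK, no_ip_rule),
        "own page / no IP rule": image_status(OWN_PAGE, no_ip_rule),
        "lookalike / loose pattern": image_status(LOOKALIKE, no_ip_rule),
        "lookalike / tight pattern": image_status(LOOKALIKE, tightened),
        "search / tight pattern": image_status(SEARCH, tightened),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:28} -> {status}")
```

The Referer header is supplied by the client, so this kind of rule reduces casual hotlinking and bandwidth use rather than acting as access control.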


The topic ‘Hotlinking protection custom code – not working’ is closed to new replies.


 * 29 replies
 * 2 participants
 * Last reply from: [AITpro](https://wordpress.org/support/users/aitpro/)
 * Last activity: [12 years, 5 months ago](https://wordpress.org/support/topic/hotlinking-protection-custom-code-not-working/page/2/#post-4305973)
 * Status: resolved