Hotlinking: Damaging Your Trust Factor & Stealing Resources

Hotlinking is the shady dark-web practice of linking directly to resources hosted on your server. Scammers are stealing your bandwidth. Even worse, your resources are used to spread malware, killing your domain’s trust factor!

Google and Bing track your images and other hotlinked resources. Backlinks coming from spammy phishing domains will earn your domain a penalty.

Hotlinked Resources Graph CloudFlare
422 Hotlinked resources blocked using CloudFlare scrape shield.

Here’s how to stop this bad element in its tracks! 😉

As a rule, Google Analytics and even WordPress Jetpack stats will not show which of your resources are being stolen. A good free way to see who’s linked to your domain is Google Search Console, AKA Webmaster Tools.

Sign in to your Google Search Console and select the domain you want to check. Click on Search Traffic > click on Links to Your Site > next click on a domain linking in. Then click on one of your pages to see what URLs are hotlinking to your site.

33arvida Hotlinked Images
Malicious scripts from the disavowed domain 33arvida used to plant pop-ups and malware.

If you’re seeing the above example on your domain, take action immediately. Google allows webmasters to disavow spammy and malicious backlinks, which will prevent a penalty being assessed. If you’re already penalized, disavowing should eventually remove the penalty.

Here is the disavow backlinks process required by Google. Bing / Yahoo both allow disavowing of bad neighbors. Sign in to your Bing webmaster tools account. Select the domain > click on disavow links. Enter the offending domain.

Now let’s block any domains that are hotlinking to our resources and hurting our domain’s SEO trust factor. There are probably more bad domains linking in than we’re seeing in Search Console.

There are two ways to block hotlinking. My preferred method is using CloudFlare to manage my domain’s DNS and security. If you’re already using CloudFlare, sign in to your account. Select the domain to manage > navigate to the far right of the options menu. Click on Scrape Shield and toggle on Hotlink Protection.

If you’re not using CloudFlare (which I highly recommend!), your other option is .htaccess blocking. has a script generator that works well. Be sure to whitelist any domains (Facebook, Twitter, etc.) you’re sharing your articles to. This does not always work out well, as there are subdomains etc. that will need whitelisting.
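As an added illustration (not from the original post or from any generator it mentions), the Python sketch below builds the kind of .htaccess rules described above and replays the same Referer decision offline, so the whitelist, including subdomains, can be checked before deploying. The domain names, file extensions and function names are assumptions made for the example.

```python
import re

# Constructed sample values: replace with your own domain and sharing services.
OWN_DOMAIN = "example.com"
ALLOWED = ["facebook.com", "twitter.com"]
IMAGE_EXT = r"\.(jpe?g|png|gif|webp)$"


def referer_pattern(domain):
    """Regex for http(s) Referers from `domain` or any subdomain of it.

    The trailing (/|$) stops look-alikes such as example.com.badsite.test.
    """
    escaped = domain.replace(".", r"\.")
    return r"^https?://([a-z0-9-]+\.)*" + escaped + r"(:[0-9]+)?(/|$)"


def htaccess_rules(own_domain, allowed):
    """Return mod_rewrite rules that answer 403 to image requests from other sites."""
    lines = [
        "RewriteEngine On",
        "# An empty Referer is let through (direct visits, privacy tools)",
        "RewriteCond %{HTTP_REFERER} !^$",
    ]
    for domain in [own_domain, *allowed]:
        lines.append(f"RewriteCond %{{HTTP_REFERER}} !{referer_pattern(domain)} [NC]")
    lines.append(f"RewriteRule {IMAGE_EXT} - [F,NC,L]")
    return "\n".join(lines)


def is_blocked(path, referer, own_domain, allowed):
    """Replay the decision the generated rules make for one request."""
    if not re.search(IMAGE_EXT, path, re.I):
        return False  # the RewriteRule only covers image paths
    if referer == "":
        return False  # matches the !^$ condition
    return not any(
        re.search(referer_pattern(d), referer, re.I) for d in [own_domain, *allowed]
    )


if __name__ == "__main__":
    print(htaccess_rules(OWN_DOMAIN, ALLOWED))
```

The Referer header is set by the client, so these rules stop casual embedding in other sites' pages rather than a determined scraper.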

CloudFlare already whitelists many popular social networks and sharing services like Hootsuite etc. So in my humble opinion CloudFlare is the best option and is FREE! 🙂

After toggling hotlink protection on in CloudFlare, wait 24 hours and check your domain’s analytics. Chances are you will see a slew of blocked hotlink attempts like my example above.

Give those thieves and scammers the boot! Any questions? Comment below.

Oh well.. As usual.. Just my two cents worth! 😎

I'm a former Auto Dealer and Mechanic born in the 50s. In 1991 Doc's Place Bulletin Board System was born on the Fidonet Network. Since the net went public I've been studying and mastering it becoming a tech-savvy hobbyist webmaster. my opinion about many worthy subjects and maintain a large conservative archive!
