How to Set Up Hotlink Protection in cPanel

Overview

cPanel hotlink protection stops other websites from directly embedding your files — images, videos, PDFs, audio files — using your server’s bandwidth without your permission. When a site hotlinks to one of your files, every time someone loads that page, your server delivers the file and absorbs the transfer cost. You pay for their traffic.

This is a common problem on shared hosting plans where bandwidth limits are tighter, but it hits VPS and dedicated server users too, especially if a viral post links directly to a large asset on your site. I’ve seen image-heavy WordPress sites burn through gigabytes in a weekend because a forum post embedded their product photos.

This article walks through enabling hotlink protection via cPanel’s built-in tool, customising which file types are protected, and what to do when the protection breaks something it shouldn’t.

Prerequisites

  • Active cPanel account (cPanel version 96 or later — the UI layout described here applies to Paper Lantern and Jupiter themes)
  • At least one domain or subdomain hosted on the account
  • Files publicly accessible via HTTP/HTTPS (hotlink protection works at the web server level, so the files must be served by Apache or LiteSpeed)
  • If you’re on a managed WordPress plan or a server with a custom firewall, confirm that .htaccess overrides are enabled — hotlink protection writes rules to .htaccess and won’t work if AllowOverride is set to None

Step-by-Step: Enabling Hotlink Protection in cPanel

  1. Log in to cPanel. Your login URL is typically https://yourdomain.com:2083 or https://yourdomain.com/cpanel. Enter your cPanel username and password.
  2. Open Hotlink Protection. In the cPanel dashboard, scroll to the Security section and click Hotlink Protection. If you’re faster with search, type “hotlink” in the top search bar — it’ll surface immediately.
  3. Enable the feature. If hotlink protection is currently off, you’ll see an Enable button at the top of the page. Click it. The page will reload and show the configuration form.
  4. Review the URLs allowed to access your files. The URLs to Allow Access field lists domains that are permitted to embed your files. By default, cPanel pre-populates this with your own domain and www variant. For example:

    http://yourdomain.com
    https://yourdomain.com
    http://www.yourdomain.com
    https://www.yourdomain.com

    Add any other domains that legitimately link to your assets — CDN origins, staging domains, partner sites. Put each URL on a separate line.

    📝 Note: If you use a CDN like Cloudflare or BunnyCDN, add the CDN’s pull domain here, not just your main domain. If you don’t, the CDN’s origin fetch will get blocked and your cached assets will break.

  5. Set the file extensions to protect. The Block direct access for the following extensions field controls which file types are covered. The default list is usually:

    jpg,jpeg,gif,png,bmp,mp3,mp4,avi,mov,mpg,mpeg,doc,docx,pdf

    Add or remove extensions based on what you’re actually serving. If you host downloadable ZIPs or SVG icons that you don’t want embedded elsewhere, add zip,svg to the list. If you don’t serve MP4s, leaving it in doesn’t hurt.

    ⚠ Warning: Don’t add html, htm, php, or js to this list. Blocking those extensions will almost certainly break your site for legitimate visitors because browsers and scripts make direct requests to those files constantly.

  6. Configure what blocked requests see. Under Redirect the request to the following URL, you can either leave it blank (which returns a 403 Forbidden error) or point it to a replacement image. A common approach is to create a small “bandwidth thief” placeholder image and put its URL here:

    https://yourdomain.com/hotlink-blocked.png

    This way, any page hotlinking your images will show your placeholder instead of a broken image icon. I’d recommend this over a bare 403 — it’s more visible to the person who set up the hotlink, and it doesn’t look broken to their visitors.

  7. Allow direct requests (optional but useful). The checkbox labelled Allow direct requests controls whether someone can access your files by typing the URL directly into a browser address bar. Leave this checked unless you specifically need to prevent direct downloads. Unchecking it means even you’ll get blocked if you try to open an image URL directly.
  8. Save the configuration. Click Submit. cPanel writes the hotlink protection rules directly to the .htaccess file in your public web root (public_html/.htaccess).

What cPanel actually writes to .htaccess

It’s worth knowing what’s happening under the hood. After you save, open public_html/.htaccess and you’ll see a block like this:

    ## Hotlink protection
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
    RewriteRule \.(jpg|jpeg|gif|png|bmp|mp3|mp4)$ https://yourdomain.com/hotlink-blocked.png [R,L]
    ## End hotlink protection

If you’re comfortable with Apache’s mod_rewrite, you can edit this block manually instead of using the cPanel UI. Just keep the comment markers intact — cPanel uses them to identify and update the block next time you save through the interface.

📝 Note: Our Shared Hosting plans all run Apache with AllowOverride All enabled, so .htaccess rules like these work out of the box without any server-level config changes.

Common Issues & Troubleshooting

My own site’s images are broken after enabling hotlink protection

This almost always means your site is loading assets from a URL that isn’t in the allowed list. Common culprits: a www vs non-www mismatch, an HTTPS URL when you only added HTTP (or vice versa), or a subdomain like cdn.yourdomain.com that wasn’t included. Go back to Hotlink Protection in cPanel, add the missing URL variant, and save again.

Hotlink protection is enabled but images are still loading on other sites

Check whether the external site is actually hotlinking or has downloaded and re-uploaded your image. Hotlink protection can only block requests that send a Referer header pointing to the offending site. If they’ve copied the file to their own server, there’s nothing to block. Also check that your .htaccess file is being read — on some configurations, especially Nginx-only stacks, .htaccess isn’t parsed at all. This is rare on cPanel servers (which use Apache), but worth confirming with your host if you’re on a custom VPS setup.

The redirect URL is showing a broken image icon instead of my placeholder

If you set a redirect URL and it’s still showing broken, the placeholder image itself is probably getting caught by the hotlink rule. This is a classic circular reference problem. The fix: make sure the placeholder image’s URL is either on a different domain or that direct requests are allowed (the Allow direct requests checkbox is ticked). Alternatively, return a 403 instead of redirecting — remove the redirect URL entirely and let the server return a proper error code.
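The .htaccess block shown earlier and the placeholder loop described here can be checked offline with a small model of the rule. This is an added example, not cPanel's code: the sample requests are constructed, STRICT_ALLOW and skip_placeholder are hypothetical adjustments, and the model assumes the client re-sends the same Referer when it follows the redirect.

```python
import re
from urllib.parse import urlsplit

EXTS = "jpg|jpeg|gif|png|bmp|mp3|mp4"            # extensions in the page's .htaccess block
PLACEHOLDER = "https://yourdomain.com/hotlink-blocked.png"
PAGE_ALLOW = r"^https?://(www\.)?yourdomain\.com"   # Referer pattern from that block
# Assumption (added here): same pattern, but the host must end at "/", ":" or end of string.
STRICT_ALLOW = PAGE_ALLOW + r"([/:]|$)"


def evaluate(path, referer, allow=PAGE_ALLOW, skip_placeholder=False):
    """Return 'serve' or 'redirect' for one request, in mod_rewrite's order."""
    # The RewriteRule pattern is tested first (case-sensitive, no [NC] on the rule).
    if not re.search(rf"\.({EXTS})$", path):
        return "serve"
    # Hypothetical extra condition: never rewrite the placeholder itself.
    if skip_placeholder and path == urlsplit(PLACEHOLDER).path:
        return "serve"
    # RewriteCond %{HTTP_REFERER} !^$  -> an empty Referer is let through.
    if referer == "":
        return "serve"
    # RewriteCond %{HTTP_REFERER} !<allow> [NC]
    if re.search(allow, referer, re.IGNORECASE):
        return "serve"
    return "redirect"


def follow(path, referer, max_hops=5, **rule):
    """Follow redirects to PLACEHOLDER, assuming the client re-sends the same Referer."""
    for hop in range(max_hops):
        if evaluate(path, referer, **rule) == "serve":
            return ("served", path, hop)
        path = urlsplit(PLACEHOLDER).path
    return ("loop", path, max_hops)


# Constructed sample requests: (path, Referer header)
SAMPLES = [
    ("/img/a.jpg", "https://www.yourdomain.com/shop"),      # own site
    ("/img/a.jpg", ""),                                     # direct request
    ("/img/a.jpg", "https://cdn.yourdomain.com/page"),      # subdomain not in the pattern
    ("/img/a.jpg", "https://forum.example/thread/1"),       # third-party embed
    ("/img/a.jpg", "https://yourdomain.com.example.net/"),  # host only starts with the name
]

if __name__ == "__main__":
    for path, ref in SAMPLES:
        as_written = follow(path, ref)
        adjusted = follow(path, ref, allow=STRICT_ALLOW, skip_placeholder=True)
        print(f"{ref or '(empty)':40} as written: {as_written}  adjusted: {adjusted}")
```

In .htaccess terms, skip_placeholder corresponds to an extra RewriteCond on %{REQUEST_URI} that excludes the placeholder file, and STRICT_ALLOW to ending the Referer pattern with ([/:]|$).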

WordPress media library images stopped loading in the admin panel

The WordPress admin loads images using requests that may not send a Referer header matching your domain, especially if you’re accessing the admin over HTTPS while the allowed URL list only has HTTP entries. Add both HTTP and HTTPS versions of your domain (and www and non-www) to the allowed list. If the problem persists after that, check whether a page builder or plugin is loading media from a different subdomain.

Changes aren’t taking effect after clicking Submit

cPanel writes the rules to public_html/.htaccess. If that file has restricted permissions or is owned by a different system user, the write may silently fail. Check the file’s permissions via File Manager — it should be 644. Also check whether another plugin or tool (like a WordPress security plugin) has locked the .htaccess file. Some plugins mark it read-only to prevent tampering, which also prevents cPanel from updating it.

FAQ

Does cPanel hotlink protection affect SEO or Google image indexing?

It can. Googlebot’s image crawler doesn’t always send a Referer header, which means if direct requests are blocked, Google may not be able to index your images. Keep the ‘Allow direct requests’ checkbox enabled to avoid this. Hotlink protection targets embeds from other websites, not direct URL access, so with that box ticked your SEO should be unaffected.

Will hotlink protection block images loaded through a CDN?

Yes, if you don’t add the CDN’s domain to the allowed list. When a CDN fetches your origin files, the request may come from the CDN’s servers with a Referer that doesn’t match your domain. Add your CDN’s pull zone domain to the ‘URLs to Allow Access’ field. Exactly which URL to add depends on your CDN provider — check their documentation for the origin pull domain.

Can I set up hotlink protection without cPanel by editing .htaccess directly?

Yes. The rules cPanel generates are standard Apache mod_rewrite directives and you can write them manually. The main reason to use the cPanel UI is convenience — it handles escaping and syntax for you. If you do edit .htaccess directly, keep the cPanel comment markers if you want to manage it through the UI later; otherwise cPanel will add a second block instead of updating the existing one.

Does hotlink protection work on Nginx servers?

Not through cPanel’s Hotlink Protection tool, which only writes Apache .htaccess rules. If your server uses Nginx (or LiteSpeed in pure Nginx mode), those rules are ignored. You’d need to configure hotlink protection at the Nginx config level using the valid_referers directive, which requires server-level access. On a Host & Tech VPS, that’s something you’d configure directly in your Nginx site config.

Does hotlink protection stop someone from downloading my files?

No. Hotlink protection only blocks requests that include a Referer header from an unauthorised domain. Anyone who pastes your file URL directly into a browser (or uses a download manager that strips Referer headers) can still access the file. If you need to restrict downloads to logged-in users or paying customers, you’ll need an application-level solution — a WordPress membership plugin, token-based URLs, or server-side authentication.
