Downloaded from www.biorust.com on Sun Nov 22, 2009 18:06:27
Prevent Hotlinking Tutorial
Author - Man1c M0g (http://forums.biorust.com/member.php?s=&action=getinfo&userid=1)
If you are one of the many thousands of webmasters who pay for your web hosting,
you will no doubt have come across a rather evil practice known as hotlinking.
Quite simply, a hotlinker will use HTML to directly link to objects on your
server, thus allowing him/her to use your bandwidth, but without the
inconvenience of ever having to pay for it. If you own a website with a
lot of images or files on it, for example, this can be very costly as it sucks
away your bandwidth without giving you a single visitor to your actual HTML site in
return. Now, however, you can fight back with a little bit of server-side
wizardry.
To stop hotlinkers in their tracks, all you need is a server
running Apache with .htaccess files enabled, and a little-known module installed
called mod_rewrite.
All of these things are very common in modern web hosting setups, and can be
installed pretty easily if they are not there initially anyway. With
all these pieces in place, simply create a file called .htaccess (if you
use Notepad, make sure it doesn't add a .txt extension onto the end) that contains
the following code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
Be sure to replace yourdomain.com with your own domain name and save the
file. Now upload the file to the main directory of your website, or the
specific subdirectory you want to protect. Remember that the settings in
this file will affect any directory you put it into and all subdirectories
branching off from it, but not any parent directories. Also make sure you
upload this file in ASCII and not binary, and CHMOD it to 644 or you'll run into
problems. If you don't know how to CHMOD, just download a decent FTP program
like CuteFTP, right click on the file, and
select 'change file attributes' or some such - that does the same (essentially it
just allows the file to be readable by the server but not by any Joe Public with
a browser).
The aforementioned code will just display a broken link if
anything but a webpage on your domain refers to it. If you want to be a bit more
evil, however, and display an alternate image of your choice instead, use this
code:
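RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
# Exempt the replacement image itself, otherwise the redirect target matches
# the rule again and the hotlinker's browser loops
RewriteCond %{REQUEST_URI} !/diehotlinker\.jpg$
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/diehotlinker.jpg [R,L]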
Just do the same as before and replace yourdomain.com and
diehotlinker.jpg with your own settings. Now just upload your new evil image
and kiss goodbye to those annoying hotlinkers. Just make sure you
configure it correctly before you do anything too nasty though, or you might
send your own legitimate visitors some unpleasant images. They might never
forgive you for sending them something from
www.goatse.cx... :p
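
The advice to check the configuration before deploying it can be followed offline by modelling the two RewriteCond lines and the RewriteRule pattern and running them over sample requests. The Python script below is an added example, not part of the original tutorial; the sample paths and Referer values are constructed, and `decide` and `report` are hypothetical helper names.

```python
import re

# The page's second RewriteCond pattern, with yourdomain.com as on the page.
# [NC] on the condition corresponds to re.IGNORECASE here.
OWN_SITE = re.compile(r"^http://(www\.)?yourdomain\.com/.*$", re.IGNORECASE)
# The RewriteRule pattern: only .gif and .jpg requests are considered
# (no [NC] on the rule, so the extension match is case-sensitive).
PROTECTED = re.compile(r"\.(gif|jpg)$")


def decide(path, referer, own_site=OWN_SITE):
    """Return 'block' or 'serve' for one request, following the rule set.

    mod_rewrite tests the RewriteRule pattern first, then the RewriteCond
    lines in order; every condition must hold for the rule to fire.
    """
    if not PROTECTED.search(path):
        return "serve"   # rule pattern does not match this file type
    if referer == "":
        return "serve"   # first condition (!^$) fails: empty Referer allowed
    if own_site.search(referer):
        return "serve"   # second condition fails: request came from own pages
    return "block"       # both conditions hold: [F] or the redirect applies


# Constructed sample requests: (requested path, Referer header value).
SAMPLES = [
    ("/img/logo.jpg", "http://www.yourdomain.com/index.html"),
    ("/img/logo.jpg", "http://YourDomain.com/gallery/"),
    ("/img/logo.jpg", ""),
    ("/img/logo.jpg", "http://forum.example.net/thread/42"),
    ("/img/logo.jpg", "http://yourdomain.com.example.net/"),
    ("/img/logo.jpg", "https://www.yourdomain.com/index.html"),
    ("/img/logo.jpg", "http://images.yourdomain.com/page.html"),
    ("/img/LOGO.JPG", "http://forum.example.net/thread/42"),
    ("/docs/file.zip", "http://forum.example.net/thread/42"),
]


def report(samples=SAMPLES):
    """Evaluate every sample and return (path, referer, verdict) tuples."""
    return [(path, ref, decide(path, ref)) for path, ref in samples]


if __name__ == "__main__":
    for path, ref, verdict in report():
        print(f"{verdict:5}  {path:15}  Referer={ref!r}")
```

With the pattern exactly as written on the page, your own pages served over HTTPS or from a subdomain are treated as hotlinkers, while a hotlinked file with an uppercase extension is served; adjust the pattern and rerun until the table matches what you intend.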