How to enable Hotlink Protection in cPanel to protect images and bandwidth

Category: cPanel

Hotlink Protection helps stop other sites from embedding your images or files and spending your hosting bandwidth. Use it when you see unusual transfer usage, images loaded from outside domains, or copies of your content that point directly to your files.

Before you start

  • Write down every domain and subdomain that needs permission to show site images.
  • Include legitimate external services, such as a CDN or staging domain, if you use them.
  • Define which extensions you want to protect, for example jpg, jpeg, png, gif, webp, and svg.
  • Keep one test image ready to confirm that your site still loads correctly after the change.

Steps

  1. Log in to cPanel and search for Hotlink Protection from the tool search field. It is usually inside the security group.
  2. Click Enable if protection still appears disabled. cPanel confirms with Hotlink Protection Enabled! and shows the allowed referrers and protected extensions.
  3. Return to Hotlink Protection to review the configuration. In URLs to allow access, add your allowed domains with http:// and https:// when needed. Include the main domain, www, and subdomains that load legitimate images.
  4. In Block direct access for the following extensions (comma-separated), review the file extensions you want to protect. Keep only types that your site actually serves to avoid unexpected blocks.
  5. Decide if you will enable Allow direct requests. The full checkbox label is Allow direct requests (for example, when you enter the URL of an image in a browser). Keep it enabled if you want someone to open an image by pasting the direct URL in the browser; turn it off if you need to block direct access too.
  6. If you want to send blocked requests to another page, type the full URL in Redirect the request to the following URL. If you do not need a redirect, leave that field empty.
  7. Save with Submit and test the site again in a private window. Check a page with images and one direct image URL to confirm the expected behavior.

Final verification

  • Images from your own site load on the main domain and on www.
  • An external test page can no longer embed your protected images.
  • The allowed domain list includes your legitimate subdomains or CDN.
  • Bandwidth usage stops rising from unauthorized external referrers.

Common errors

  • Your images disappear on the site → you missed a domain variation, such as https://www.yourdomain.com → add that URL to the allowed list and save again.
  • The CDN stops showing images → you did not allow the CDN domain → add the CDN hostname in URLs to allow access.
  • A direct image still opens in the browser → Allow direct requests is enabled → turn that option off if you also want to block direct URLs.

Still need help?

If this guide didn’t solve your issue, our team can help you via ticket.

Open ticket Go to my account