How Hotlink Protection Broke My Site

Hotlink protection mistake

Hotlink protection sounds awesome. It stops people linking to your assets without permission and it blocks them from slowing your server down by making unnecessary calls on it.

I thought it sounded great, something every sensible blogger should have. One of those settings techie people knew about but that I hadn’t come across yet.

At least, that’s what I thought before I switched it on. Read on for the story of how hotlink protection broke my site and why you should be careful using this option for your own blog

What are hotlinks?

A hotlink is the link between your server and a file held on someone else’s server. It’s easier to explain with an example. As mostly for blogging we’re talking about images, I’ll use a jpg file as an example.

Site A has a great jpg image that you think would be perfect to illustrate your latest blog post. You find the link to the image – let’s say it’s

You embed that image in your blog post. Let’s not even go down the route of copyright and the ethics of taking images from other people’s sites right now. If you’re distracted by that, let’s assume the image is CC0 licensed and you can use it.

Your website now has the image on it. Lovely.jpg is not stored on your server. Any time someone lands on your blog post, your server calls up Site A’s server, gets the picture and shows it to your reader.

You can hotlink to anything on any other site: images, pdf files, videos.

Hotlinks are not the same as hyperlinks. ‘Hyperlink’ refers to linking to something on the same site.

Why might you want hotlink protection?

So if it saves you space on your server because you don’t have to host the asset yourself, what’s so bad about hotlinking?

You are now Site A. If other people are using your images and other creatives, and hosting them on their site, it’s costing you bandwidth. What happens if their massively popular site gets millions of hits: all those hits are costing your server.

If you are looking to improve site speed, hotlink protection is one consideration. You can stop all that extra load on your servers, so they go back to doing their job of serving your own audience, not someone else’s.

Plus, it’s not cool that people might be ripping off your hardwork and making it available direct to their readers. Say, for example, you prepared a great lead magnet and had it behind an email sign up. Their site links directly to the pdf. You don’t get the sign ups.

What is hotlink protection?

Hotlink protection is a way to stop other people linking to your stuff in this way. Of course they can still link to an article.

(And they can still download your image and upload it to their site, if they are a copyright thief).

It protects your assets and your servers from being used by other sites who perhaps have less ethics than you.

Hotlink protection is something I read about when I was researching site speed improvements.

How do you turn on hotlink protection?

I wanted to use hotlink protection because I was looking at ways to make small easy gains for site speed. I was struggling to improve my WordPress blog’s site performance, so I figured I’d try anything and everything that would give me a slight edge.

So I switched hotlink protection on.

It’s really easy. I had the option in Cpanel. I logged in, went to the Cpanel menu, selected hotlinks and toggled the option on.

hotlink protection
Hotlink protection is an option from your Cpanel menu

What happened when I turned hotlink protection on

I noticed no changes when I turned hotlink protection on. I made a few site speed improvements at the same time and I assumed that the gains I got were due to all of those changes, including now having hotlink protection.

Pat me on the back for doing something to protect my site, my freebies and make my site faster!!

Except it wasn’t a good move.

I started noticing that when I shared posts on Facebook, LinkedIn and Twitter, I got a grey box instead of the carefully selected and perfectly sized for the platform post images.

the grey box of doom
The grey box of doom. This is what iit looked like when I scraped my content through the Facebook debugger

I wrote this off as a glitch, my slow internet, something I would look at later. As my VA does most of my social media scheduling I didn’t come across the problem often. A few weeks passed.

Then I published a sponsored post.

The post sponsor wanted to share the article on LinkedIn. He sent me a screenshot of the grey box and asked if I was aware of the issue.

Suddenly, fixing this bug was top of my list of things to do. No one wants an unhappy blog sponsor.

I raised a ticket with Cloudflare – I thought that might be causing the issue.

I researched WP Rocket and plugin conflicts.

I talked to a WordPress guru, and posted in my Slack channel.

I got on email support with my server host, who said they could fix it. They didn’t.

I wasted hours on trying to solve this problem and nothing was working. What I couldn’t understand is that it was affecting both my websites. So it had to be something server side, that I had done, that affected both my blogs.

I wasn’t happy with the response from the technical people I spoke to. One said it was a plugin conflict. This couldn’t be true because those plugins were only in use on one blog. Another said it was an issue with the social media channels. I failed to believe that all three channels had a technical issue that was affecting only my sites, all the time.

I spent ages using the Facebook debugger to try to uncover the errors in the og tags. But the tags were there, rendering properly. It was just the images that weren’t.

I took off Cloudflare, which in hindsight was a mistake as it was a time-consuming exercise and had nothing to do with the problem.

Being Cloudflare-free made no difference.

So I went back to basics and looked at everything I had changed in Cpanel. And then I saw hotlink protection on the dashboard.

Of course! If you are blocking other sites from accessing your resources, of course they aren’t going to be able to see your images.

I had a massive lightbulb moment. This must be it.

How do you turn off hotlink protection?

Back in Cpanel, I toggled off hotlink protection. It’s easy to do. Simply click the option to turn it off. The effect is instant. No more hotlink blocks.

I ran a sample post through the debugger and it was all fine. That was a late night, but it’s not an exaggeration to say that I was so pleased to have finally found the route of this problem.

The next day I emailed my sponsor and he was able to share the sponsored post. This whole debacle had probably lasted two weeks. That’s a long time to be wracking your brain for solutions and being frustrated at people who you think should be able to help but can’t.

Extra learning: Once hotlink protection was off, all the posts I had shared in the past while I was testing lost the grey boxes. The fix worked historically and my social feeds looked normal again.

Use hotlink protection wisely

Hotlink protection might work for you. There are granular options so you can block access to specific types of resources. You might want to stop people accessing your pdf files, for example, but keep access to images on for the purposes of making sure social networks can grab the right pictures.

For now, I have chosen to leave hotlink protection off.

If you don’t know what you are doing with it, and you haven’t got any evidence to suggest another site is stealing your resources, I recommend you leave your hotlink settings alone and learn from my mistake!

Thinking about using hotlink protection on your blog? Pin this article for later so you can refer back:

Hotlink protection pin image
Pin and follow: