Hotlinking is when another website embeds your images or files using your URL, consuming your bandwidth every time someone visits their site. Here's how to block it in Plesk.

For WordPress sites (WP Toolkit method)

If your domain runs WordPress and you have WP Toolkit 3.5.0+, this is the easiest approach:

  1. Log in to Plesk and click WordPress in the left sidebar.
  2. Find your WordPress installation and click on it.
  3. On the dashboard tab, toggle Enable hotlink protection to on.

That's it — WP Toolkit handles everything automatically.

For all other sites (Apache & nginx method)

On Plesk for Linux, there's no built-in hotlink protection GUI for non-WordPress sites. You'll add Apache rewrite rules instead.

  1. Log in to Plesk. Go to Websites & Domains, find your domain, and click Apache & nginx Settings.
  2. Scroll to Additional directives for HTTP and paste (replace example.com with your domain): 
    RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com(/)?.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|png|svg|webp|mp4)$ - [NC,F]
  3. In Additional directives for HTTPS, paste the same rules but change http to https: 
    RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?example\.com(/)?.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|png|svg|webp|mp4)$ - [NC,F]
  4. If nginx serves static files, either turn off Serve static files directly by nginx on this page, or add this to Additional nginx directives: 
    location ~* \.(gif|jpe?g|png|svg|webp|mp4)$ {
    valid_referers none blocked example.com *.example.com;
    if ($invalid_referer) {
        return 403;
    }
}
  5. Click OK to save.

Important notes

  • The !^$ rule allows empty referers — don't remove it. Some browsers, privacy tools, and search crawlers don't send a referer. Blocking them can break Google image indexing.
  • Add any file types you want to protect: gif, jpg, png, svg, webp, mp4, pdf, zip.
  • If you use a CDN (like Cloudflare), add its domain as an allowed referer or it will block your own CDN-served content.

Troubleshooting

  • Images broken on your own site: Check that your domain is included correctly in the RewriteCond lines.
  • Rules not working: Make sure Serve static files directly by nginx is off, or use the nginx directives instead.
  • 403 errors on all images: A typo in the domain name will block everything. Double-check spelling.
Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

How to Install a Free SSL Certificate with Let's Encrypt in Plesk

Plesk makes it easy to secure your website with a free SSL/TLS certificate from Let's Encrypt....
How to Enable Two-Factor Authentication in Plesk

Two-factor authentication (2FA) adds an extra layer of security to your Plesk account. After...
How to Force HTTPS and Redirect HTTP to HTTPS in Plesk

After installing an SSL certificate, you should ensure that all visitors access your website...
How to Upload a Custom SSL Certificate in Plesk

If you have purchased an SSL certificate from a certificate authority (e.g., Comodo, DigiCert,...
How to Protect Your Plesk Login with IP Access Restrictions

If you want to limit who can access your Plesk login page, you can restrict access by IP address....