WP Toolkit Image Hotlink Protection

Knowledgebase Article

WP Toolkit Image Hotlink Protection

WP Toolkit includes an optional Hotlink Protection feature for WordPress sites. On our platforms this is disabled by default, but you can enable and tune it any time in cPanel.

This article explains what the feature does, when it’s useful, what it doesn’t affect, and how to modify or disable it if you ever run into sharing or preview issues.

Navigation

What hotlink protection does

When hotlink protection is enabled, your server checks where image requests come from.

If an image is being requested from your own website, it loads normally.
If an image is being requested from another website, the request can be blocked or replaced with a placeholder image.

This prevents third-party sites from embedding your images directly and using your bandwidth.

In short: hotlink protection stops other sites “borrowing” your hosted images without permission.

Why you might want to enable it

Hotlink protection can be useful if:

Your images are being embedded on other websites without consent.
You’ve seen unexpected bandwidth spikes caused by external sites linking to your images.
You run a content-heavy site (e.g., galleries, posters, downloads) and want to reduce leeching.
You want to discourage image scraping or reposting.

For most sites, it’s an optional security/bandwidth safeguard rather than something you must run.

What it doesn’t affect

Hotlink protection only applies to requests that look like they’re coming from external websites.

It won’t interfere with:

Normal visitors browsing your site.
Images loading within your WordPress pages.
Search engines that don’t send an external referrer (in most cases).
Your own domains that you explicitly allow.

So if enabled correctly, your site should still display images normally for your audience.

How WP Toolkit hotlink protection works on our servers

WP Toolkit applies hotlink rules at the server configuration level, rather than changing files inside your site.

That means:

You may not see any hotlink rules in your WordPress .htaccess.
The settings live inside WP Toolkit and are enforced by the server.

This is normal behaviour and helps keep WordPress files clean.

How to enable, disable, or adjust it

Log into cPanel.
Open WP Toolkit by clicking "WordPress Management"
Find your WordPress site and open its management panel.
Locate Hotlink Protection.

From there you can:

Enable hotlink protection
Disable hotlink protection
Whitelist domains that are allowed to fetch your images

Whitelisting (allowing trusted external domains)

If you enable hotlink protection, you may want to allow certain external services to show your images. Examples include:

Social platforms and preview tools
Marketing schedulers
Partner websites
Your other domains

You can add these domains to the whitelist in WP Toolkit so they can load images normally while everyone else is blocked. Just click the configuration icon next to Hotlink protection.

Tip: Keep whitelists narrow and specific to avoid undoing the protection.

Occasionally, sharing tools or social platforms fetch images using their own domain as a referrer. If they’re not whitelisted, they may show a placeholder that includes a warning that the image was hotlinked:

If you see this only when sharing, it usually means WP Toolkit hotlink protection has been enabled and the platform’s domain isn’t on your whitelist.

What to do

You have two options:

Whitelist the platform
Add the platform’s domain in WP Toolkit hotlink settings.
Common ones include services like Buffer, LinkedIn, Microsoft SharePoint, and similar preview tools.
Disable hotlink protection
If social sharing/previews are central to your site and you don’t need hotlink blocking, turning it off is the simplest fix.

After any change, clear your WordPress cache (if you use one) and try sharing again.