Skip navigation

Website Hammered by Hotlinking, Spammers, and Free Loaders?

My main site recently was hammered by Hotlinking, Spammers, and Free Loaders. This can happen to any website, so we all need to learn how to keep an eye on potential abuse of our sites.

Hotlinking Images

Hotlinking is the technique of linking to images on your site for use offsite. That’s the simple description. It is the abusive use of your images on other websites. The images linked and used are not limited to just the pictures on your posts, but the graphics used within your site such as background graphics, the header, logos, any image on your site.

By linking to your image, they get to use your image, usually without permission, but they also get to use your bandwidth and server space. The link goes out from their site to your site where you have the image stored and the image then is used on their site. The costs associated with a website are a combination of space and bandwidth. When others use your stored images, they are using your storage space. When they link to your images, they are using your bandwidth, not theirs. So you are paying for their use of your images in more ways than one. Some of the most notorious hotlinkers are those who want to use your images without permission (but we haven’t really stolen it, have we?) and those without storage space of their own.

How do you know you have your images hotlinked? Your server should allow you access to your statistics and site reports. These are also called Logs, Access Logs, or Bandwidth Logs. You will need to start your detective work there.

There are several places to look for clues that your images are being hotlinked. Look for sections related to the files being accessed, often called the most accessed pages, urls, files, or file types. If these sections list specific files, you can see how often a file has been accessed. If an image is getting a lot of access time but the page on which you have the image isn’t, then be suspicious.

To put a stop to hotlinking on your site, start with your server options. Check with the server to see if they have a feature for preventing hotlinking. If not, then you can add your own prevention by editing the .htaccess file in your root directory.

For information on changing the .htaccess file, these helpful articles.

Spammers: Comment Spammers, Site Spammers, Email Spammers

Remember Spam, that nasty stuff created to serve the military as something-that-might-be-meat-in-a-can? Besides the fact that my father happens to like it, this is considered of the nastiest things on the planet made by man, so the term has migrated over to label the nastiest things found on the Internet.

Email spam was the first big nasty on the Internet. Unwanted email slinking into your inbox promoting all things greed, sex, and snake oil. Email addresses were generated by computers putting names and email services together randomly, as well as found and harvested from chats, forums, and websites.

To protect your email on your website, you can do a variety of things. One of the easiest is to obfuscate your email address when you use it manually. For example, my email address is:

While you see it on the screen as “right”, this is what it really looks like (spaces required to make this visible here):

& #108;& #111;& #x72;& #x65;& #108;& amp;
#x6C;& #x65;& #x40;& #x63;& #x61;& #109;& #101;
& #x72;& #x61;& #x6F;& #x6E;& #116;& #104;& #101;
& #x72;& #x6F;& #x61;& #100;& #46;& #x63;om

You can create your own from one of the links below and save it in a text file ready to paste into your site whenever you need it.

WordPress users have it even better. Using template tags on template files, the email address is pulled from the database, which helps to hide it from the email harvesters. You can also use WordPress plugins like Coffee2Code Obfuscate Email WordPress Plugin which will automatically rewrite your email address into character codes.

Here is more information on hiding your email address:

From email, the spammers have expanded to attack comments on interactive websites. Lucikly, WordPress and other blogging software programs are fighting back so there is often little you need to do. Comments that are “questionable” are automatically stopped or put into the Comment Moderation panel, awaiting your review and approval. Users of WordPressMU, like, are usually protected by Bad Behavior – Comment Spam WordPress Plugin and/or Spam Karma 2, two of the top comment spam fighting tools. If you are running the full version of WordPress, consider adding those anti-comment spam plugins to your site.

As a last warning, be wary of nice comments left on your site. These are often caught by the good spam catchers, but some slip through. They often say things like “I can tell you’ve put a lot of work into your site,” and “I’m going to tell my friends about this. Thanks!” Check the email address and link address to see if it is valid and a link to someone who really cares or a potential comment spammer. If it is questionable, delete it.

Remember, you are in charge of all the content on your site including comments. You choose what stays and what goes.

Free Loaders: Website Users and Abusers

A more difficult to track form of abuse of your website is freeloading, also known as silent spamming and referral spam. Silent spamming is when freeloaders take advantage of your website by registering as “members” on your site or tapping into your guest book which might not show up on your site or in your comment moderation, but their website is listed and search engines find it. It is considered a link by the search engines, and the more links to a site, the better the page ranking in search engines.

WordPress helps to combat this by using a nofollow tag in a link which instructs search engines not to follow a web page address link in comments.

Another method of silent spamming is called referral spam. If you publish your site statistics or referrals, or use one of the popular site statistic analyzing programs, like Webalizer, abusers can use their spiders and robots to access this information and use the referrer links in the statistics to link to other sites, using your site as a giant link spider launching point. This is also known as backlinking.

How do you know if you have been hit by one of these silent spammers and abusers? Again, check your site statistics. If you are suddenly getting a boost in traffic, and Slashdot hasn’t highlighted your site, then this unusual traffic could be a sign of referrer spam.

To my delight recently, I witnessed a big jump in traffic. To my dismay, it turned out that this increase in traffic and hits on my database was actually freeloaders and website abusers using referrals and other methods of taking advantage of my site and bandwidth. I dug into my site statistics and found under my top hosts stats, an amazing amount of traffic from only a few sites. Here is the list of the top hosts on my site. To avoid promoting them, I’ve censored part of their IP addresses.

IP Address Pages Hits Bandwidth
70.85.XXX.XXX 5319 5319 440.00 MB
216.195.XXX.XXX 5304 5304 435.96 MB
216.195.XXX.XXX 4711 4711 386.68 MB
64.124.XXX.XXX 878 878 35.79 MB
69.28.XXX.XXX 379 379 31.24 MB
65.19.XXX.XXX 359 359 24.08 MB

I don’t have to be a rocket scientist to see that there is a big gulf between 35 and 386 megabytes. That’s over a 10 times increase. The jump from 878 hits to 4,711 is also a definite clue that something abnormal is going on.

A check on these IP addresses lead to a marketing company and two porno sites. Not the kind of people I want to invest my hard earned money into supporting on my website.

To stop these site leeches and freeloaders, contact your server to find out what services they have available to deny access or ban IP addresses. You can also set up deny access commands in your .htaccess file. To track them, learn to read your site statistics and logs. For more information, see:

The Moral of the Story?

Evil doers and abusers are part of being human. Unfortunately, part of being human means being aware and informed on how the abusers work so you can do what you can to protect yourself.

Learn how to use your site statistics to monitor what is going on regularly. In an upcoming post, I’ll talk more about what you can learn, good and bad, about your site statistics, but for now, play Sherlock Holmes and keep an eye out for the bad guys who are abusing your site and stop them.

The only way the bad guys can be put out of business is if we stop them when they start, prevent them before they start, and make their income dry up completely.

Site Search Tags: , , , , , , , , , , , , , , , , , , , , , , , ,
Copyright Lorelle VanFossen, member of the 9Rules Network

Member of the 9Rules Blogging Network


  1. Posted November 8, 2005 at 3:29 am | Permalink

    None of the five links in the email address obfuscation section refer to CSS methods of obfuscation. See my link for one of them and so far I have seen five other different CSS methods in action, though instead of listing (spamming?) them here you’ll find them in a post at the “emailaddresses” forum.

  2. Posted November 8, 2005 at 8:18 am | Permalink

    The methods above do use obfuscation, including the use of character codes to replace text. Your method is interesting, but how does it really work? Do you wrap the results in a mailto link? The key to the above character entities techniques is that the email appears as text in the browser, and if you copy it from the browser screen to paste it in an email, it will continue to appear like a legitimate email address.

    Your method pastes in as code which makes the user work harder by having to type in the email from the browser into the email program, switching windows back and forth if the email address is complicated or has funny spellings like

    But it is certainly interesting. For the truly paranoid, it is a good option.

  3. Posted January 24, 2006 at 10:58 pm | Permalink

    That was really interesting because I just got my own website. I will have to look more into this.

  4. Bomu
    Posted August 25, 2006 at 7:22 pm | Permalink

    Great site, I love it. I have a friend who has a site and, he said he liked the site too.

    j/k ..But seriously, I’m having a big problem with people hotlinking my wmv and avi files, I’ve tried setting up an htaccess file to stop it but it doesn’t work – actually it works, but it stops my own site from using the wmv files. I know it can do it with images, but does htaccess work with wmv/mp3 files?

  5. Posted August 25, 2006 at 8:37 pm | Permalink

    Try a search for “.htaccess allow deny avi mpg” and see if you find a solution there. Maybe someone else will have the answer if what you have been doing with the .htaccess files hasn’t been working. I would assume that stopping the hotlinking of jpgs, gifs, and pngs would be the same as stopping avi files. I don’t work directly with them so I don’t have an answer on this one.

  6. Posted September 26, 2006 at 6:17 am | Permalink

    Someone challenged me to make the CSS mini text-logo obfuscation method clickable without using javascript. As my link shows, I did it, at least for IE and Firefox. For other browsers it links to an audio recording of the address being spoken.
    If you’re examining the source code – for Firefox I use an XBL binding which encloses the static link inside an anonymously generated mailto link from a separate example.xml file, and for IE I use a background url(mailto: CSS trick for styling the ACTIVE link (which is the same as if it has been clicked) from the separate example.css file.

  7. Posted November 20, 2006 at 4:01 am | Permalink

    Is there a WordPress plugin that can show hotlinking? That way all the admin stuff can be in one place.

    Thanks for the tips!

  8. Posted November 20, 2006 at 7:39 am | Permalink

    I didn’t find one, but you can search yourself. Your host server logs will tell you, and I didn’t find a WordPress Plugin that reads that information, though there might be one.

    You can also check out the WordPress Plugins in AntiLeech Splog Stopper: Fighting Back Against Content Thieves to see if they might work for that. Let me know if you find one.

  9. Posted July 23, 2007 at 11:06 am | Permalink

    Hi Lorelle- I just got back from Wordcamp. Thanks for your great presentation and your insights! I’m now looking at my blog with a more critical eye and this morning found some inbound links that may be a little iffy. Or not, I’m not sure. Could it be some sort of spam or just bad writing? Your post here and Matt Cutts’ presentation on Saturday have me on my guard. I have 2 new sites linking back to me and they look like blogpost aggregators. Kinda crappy design (but that’s so subjective), kinda ambiguous “who I am” info. Is there anywhere I can go where the Whitehat SEO experts and WordPress community experts meet, so I can get someone’s opinion on these inbound links?

  10. Posted July 23, 2007 at 8:09 pm | Permalink

    You don’t need to go anywhere. Check out the sites. If you don’t like them, remove their trackbacks. If they are linking to you and while you don’t like them, they aren’t stealing your blog content, ignore them. There is nothing you can do.

    If they are splogs, report them. If they are stealing your content, tell them to stop and then report them if they don’t. See What Do You Do When Someone Steals Your Content for more on that.

    And it was wonderful to meet you at the conference! It was amazing, wasn’t it!

  11. Posted September 9, 2007 at 12:31 am | Permalink

    Just made post on a Canadian spammer who is unabashed to say the least. He’s one of the top 200 of Spamhaus. You might a get a chuckle out of this one.

  12. Posted May 20, 2010 at 5:12 am | Permalink


    Have you been able to find any solution to stop the “one-line” comment spammers, like:

    “Hello, nice blog. I will visit again. Thanks”

    This type of spam looks so innocuous that spam plugins like wp spam free and akismet are unable to detect it. 😦

  13. Bug
    Posted December 31, 2011 at 3:56 am | Permalink

    The mini-logo link is a 404 now, my link has the updated version that can now generate a client-side contact form with the CSS-obfuscated email address as the captcha, now with CSS3 animation!

    • Posted January 2, 2012 at 12:05 am | Permalink

      I can’t find what you are talking about. I do not support CAPTCHAs no matter how new age they have become.

17 Trackbacks/Pingbacks

  1. […] lastest update of Bad Behavior, a WordPress Plugin that “gives the finger” to comment spam and abusers […]

  2. […] Then one day I got hit by about 25 viagra/casino spams. While these were caught by WordPress comment spam filters, they showed up in pink using ColdForged’s Paged Comment Editing Plugin. The monsters were in my spam catching database, eating up valuable space on my server. Well, not really but I was angry anyway. Remember, I’m paranoid about comment spam. After several months with only the occasional irritant, I was pissed, so I added the Bad Behavior Comment Spam Plugin. […]

  3. […] Website Hammered by Hotlinking, Spammers and Free Loaders […]

  4. Opal

    I am Petra, very interesting article that contained the information I was searching for in Google, thanks.

  5. […] Website Hammered by Hotlinking, Spammers, and Free Loaders? […]

  6. […] Website Hammered by Hotlinking, Spammers, and Free Loaders? […]

  7. […] To find out if your images have been stolen and used without permission, search Google Images to see if your image is listed and who is linking to it. Also check your server report to find out if someone is hotlinking, linking to an image on your site using your bandwidth. […]

  8. […] Website Hammered by Hotlinking, Spammers, and Free Loaders? […]

  9. […] codex gives a few suggestions on protecting your email address here. Lorelle on WordPress has a post here with links to resources (a bit dated, but still very […]

  10. […] Lorelle on WordPress if others are interested in this issue. She has some good information on hotlinking and how to find out if this is happening to you as well as good steps on on what to do if someone steals your […]

  11. […] 规则在这里给了几个保护你的电邮地址的建议. Lorelle on WordPress 有一个 包括材料链接在此发表 (有点旧,不过仍有用). 电邮表格 […]

  12. […] for your own protection and security. See Protection From Harvesters on the WordPress Codex and my article on protecting your email for more details and […]

  13. […] Website Hammered by Hotlinking, Spammers, and Free Loaders? « Lorelle on WordPress […]

  14. […] Website Hammered by Hotlinking, Spammers, and Free Loaders? « Lorelle on WordPress […]

  15. […] Website Hammered by Hotlinking, Spammers, and Free Loaders? […]

  16. […] Website Hammered by Hotlinking, Spammers, and Free Loaders? […]

  17. […] Lorelle on WordPress if others are interested in this issue. She has some good information on hotlinking and how to find out if this is happening to you as well as good steps on on what to do if someone steals your […]

Post a Comment

Required fields are marked *

%d bloggers like this: