Wordpress .htaccess for hotlink protection does not show Woocommerce email images

To protect my Wordpress website images, I added a couple of lines to the .htaccess file in the upload folder.

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https://example.com/ [NC]
RewriteRule .? - [S=1]
RewriteRule .(gif|jpg|jpeg)$ - [NC,L,F]

Everything works correctly, and users who try to visit the image link get a 403 message. However, I noticed that the emails sent by Woocommerce are not showing the images, probably due to the rule I added. What can I do?


Solution 1:

It's quite probable that these (web)mail clients are suppressing the Referer header entirely, so you need to permit an empty Referer in your rule.

However, this will also permit users who directly "visit the image link". But this isn't "hotlink protection". Hotlinking is when the image is embedded in a third party website (on another domain) - and this should still be blocked (most of the time).

For example, modify your rule to allow an empty Referer header:

RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} ^https://example.com/ [NC]
RewriteRule .? - [S=1]
RewriteRule \.(gif|jpg|jpeg)$ - [NC,F]

(NB: You were missing a backslash-escape before the literal dot in the last rule. And the L flag is not required here, since the F flag implies L.)

However, it's also possible that webmail clients are generating a Referer related to the (custom) domain hosting the webmail client. You will need to examine the HTTP request to determine what Referer is resulting from these requests. Unfortunately, due to the varied nature of webmail clients, this could be difficult/impossible to reliably filter.

If possible, images used in emails should be stored in a different "unprotected" location.

Note that the Referer header is unreliable at best. Users can choose to suppress the Referer header in their browser. And websites can themselves suppress the Referer header in modern browsers using the Referrer-Policy header (which would thwart your "hotlink protection" if you permit an empty Referer).
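As an added example (not part of the original answer or of WordPress/WooCommerce), here is a complete .htaccess for the uploads folder that combines both suggestions from the answer: the empty-Referer allowance and a separate unprotected location for the images referenced from emails. The subfolder name email/ and the domain example.com are assumptions; the image extension list is extended beyond the gif/jpg/jpeg in the question to cover png and webp, which WordPress also stores in uploads.

```apacheconf
# wp-content/uploads/.htaccess  (added example; folder and domain names are assumptions)
RewriteEngine On

# 1. Images referenced from WooCommerce emails live in an assumed subfolder
#    uploads/email/. Mail clients send no usable Referer, so this folder is
#    served unconditionally. Trade-off: these images can be hotlinked.
#    In a per-directory .htaccess the pattern is matched against the path
#    relative to this folder, hence ^email/ rather than ^/wp-content/... .
RewriteRule ^email/ - [L]

# 2. Accept requests with no Referer at all (mail clients, browser privacy
#    settings, Referrer-Policy: no-referrer) and requests from our own site.
#    The dot in the hostname is escaped so it is not a regex wildcard.
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} ^https://example\.com/ [NC]
RewriteRule .? - [S=1]

# 3. Anything else that asks for an image is a hotlink: refuse it with 403.
#    The dot is escaped so only real extensions match; F implies L.
RewriteRule \.(gif|jpe?g|png|webp)$ - [NC,F]
```

This only takes effect if mod_rewrite is loaded and the directory's AllowOverride permits FileInfo; otherwise the file is silently ignored (or, with AllowOverride None, never read). To verify the rules rather than trust them, request one protected image three times with curl: once with no Referer (expect 200), once with `-e https://example.com/` (expect 200), and once with `-e https://attacker.example/` (expect 403); then repeat the last request for a file under email/ (expect 200). The fact that `curl -e` can set any Referer is the same unreliability the answer warns about: this blocks casual embedding, not a deliberate client.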