Protect PDF from hotlink

Hi! Been loking for the howto on this but I haven’t been able to find anything useful, so I post my question here hoping to find help. Thanks in advance!

I have a Wordpress site with a price list in PDF. I update that PDF document weekly, with the SAME NAME so it overwrites the old PDF. That way I don’t need to change the link in my site for clients to get the updated document.

My site is small, not much traffic. The major bandwidth consumption is from local clients getting my PDF pricelist (well I guess so). However the bandwidth is EXCESSIVE; my site has an average daily consumption of 150MB…, so every month, with about 10 days to go until the end of the month, my bandwidth reaches its 4GB limit and my website goes offline.

My PDF is just 190KB so there is no reason to think this is the guilty guy. For this reason I’m afraid my PDF pricelist is being hotlinked from other websites. In fact I checked it out in Google Images and it is hotlinked from a couple of webpages (perhaps more). And here comes my question:


Thanks again!


Cloudflares hotline protection does not work with pdf files.

An alternative solution would be to set a very long s-maxage or Edge Cache TTL on the asset, and cause Cloudflare to cache the file for a week or more. You can purge the asset from Cloudflare when it changes, so setting it to something very long should have no negative impact. There is a Cloudflare plugin for Wordpress which will purge on changes, so you could set Edge Cache TTL to something relatively large and let the plugin keep the cache ‘fresh’.

4GB seems remarkably small. Plenty of free WP hosting services offer 10GB, 30GB or unlimited bandwidth

1 Like

Thanks for your prompt answer, Michael!

Too sad to hear Cloudflare doesn’t offer protection for these kind of files. PDFs are so common as well as the other Cloudflare supported formats… :frowning:

I’m not too clear with what you say regarding to s-maxage/TTL, I will dig deeper into to know more about it and learn how to implement it, thanks for the advice! In the meantime, I already installed the Cloudflare plugin you suggested and am learning how to operate it. Thanks for that too!

Yup, I know a 4GB bandwidth is not pretty much, but that’s what I have for now so I must deal with it. Actually I don’t need more… when traffic is normal, monthly consumption average barely gets 2GB or less. So I will be happy if my bandwidth comes back to a normal average.

Thank you again and take care,


s-maxage of Edge Cache TTL is how long Cloudflare cache the file for. It’s a separate value to how long the end user caches the file for.

Mmm ok… If I understood well, that technique does not prevent from hotlinking but sets a time period for files to be available for end users until the PDF is deleted from cache, right?

…I would prefer a more aggressive technique, like for example writing a code in the .htaccess; however the attempts I’ve done so far don’t work.

I’ll keep searching, I’m sure I’ll find a solution with all of these valuable info. Thanks Michael!

You can try adding an anti-hotlink Worker. Code is at the bottom of the post. Assign it to a Route that matches the URL of the PDF file. Workers are $5/month and it’s extremely unlikely you’ll exceed the number of hits (10 million, I believe) that would push charges beyond the $5.

addEventListener('fetch', event => {

 * If the browser is requesting an image and 
 * the referer does not match your host
 * we redirect the request to your page
async function fetchAndApply(request) {
  // Fetch the response.
  let response = await fetch(request)

  // If it's an image, engage hotlink protection based on the
  // Referer header.
  let referer = request.headers.get('Referer')
  let contentType = response.headers.get('Content-Type') || ''
  if (referer && contentType.startsWith('application/pdf')) {
    // It's an image and there's a Referer. Verify that the
    // hostnames match.
    if (new URL(referer).hostname !==
        new URL(request.url).hostname) {
      // Hosts don't match. This is a hotlink. Redirect the
      // user to our homepage.
      return Response.redirect('/', 302)

  // Everything is fine, return the response normally.
  return response

I suppose suggesting a different host is right out?

Beyond bandwidth do you care? If not, you can implement a cache everything w/ Ignore Query String page rule for that path. Done and dusted.

Very interesting! I will definitely give it a try!

I have a free plan at Cloudflare, however I see it includes Workers (and other one called Workers KV), for free. Great!

Thanks Sdayman! :slight_smile:

Well no, actually I need to keep my account in the current host (biz matters). 4GB is enough for me, so what I need to solve is the Hotlink thing. It is the only thing I care about, the hotlink fight.

I will study carefully what you mention about the Cache & Rule. I’m not too expert and don’t know how to implement it, so I must go slow, haha!

Thanks for the advice, Cscharff! I appreciate it!


This topic was automatically closed after 30 days. New replies are no longer allowed.