Scrape Shield Hotlink Protection Not Working on CloudFlare Hosted Domains


Recently discovered many image hosting domains were hotlinking to my images. Toggling on hotlink protection stopped many as shown in my cf analytics. However today going through Google search console > linked domains i found many that are using CloudFlare dns and my images are visible on the cf sites linked pages. Why is hotlink protection not working?

There are a slew of look alike image sites using cf that look similar template / style wise. It’s nothing but image spam stealing webmasters resources. These domains could also earn a scraped domain a penalty by Google.


Do you have an example of it not working?


Yep… one domain is

This is one of my images hotlinked. Domain is hosted through cf.


Have not received a response since submitting the above domain. Is this issue being looked into.

Thanks :slight_smile:


Enabled htaccess hotlinking protection for the time being. Also added a referrer block coming from an iframe in my themes functions.php file. Apparently any website managed by cloudflare is whitelisted rendering scrape shield ineffective. It would be nice to blacklist a bad domain.


And which is your website?



The problem in this case might be, they include your images with a referrer policy. This most likely prevents Cloudflare (or anybody else for that matter) from determining that the resource was hotlinked and makes it look like a genuine request from your site (without referrer).

Question about Cloudflare hotlink protection?

Thanks Sandro. Noticed 6 more domains hotlinking vi search console referring urls. Another cf managed example is here:

I don’t see any Adsense or other revenue generating methods so why even bother to set up a website like this? This example is not hidden behind an iframe revealing it’s source. Other than disavow is there any way to stop it sucking up my resources?


Assuming Cloudflare wont “fix” that in the next few days, your best option might be to disable that setting in Cloudflare and handle it yourself in your server configuration. You would need to require a legitimate referrer in this case however and could not accept a blank one. That could be for certain legitimate requests a problem.

Wouldnt Cloudflare cache the images anyhow, so those requests shouldnt hit your server, should they? :confused:


They could be cached indeed. More important is spammy referrers that could drag down a site in the serps. Disavowed 6 more this morning. Hotlink is on via cPanel but not allowing a url via browser with no referrer blocks Apple Mac users.

This is one of my domains. I see the referrer policy in the snippet.


What do you mean by it blocks them? When they try to open that particular URL in a tab or when they try to view it as part of your page? The former would be one of the types of legitimate requests I was referring to earlier but that would apply to all browsers on all operating systems and not only Apple.


That’s what cPanel hotlink protection says.

Not only have they nipped the image - they also stole the post title and url. I believe the whole attempt is to outrank the original website in search.

I’m a hobbyist and fairly savvy in security. But this situation is a new adventure for me. I have enabled plugin and set Xframe to same origin. And referrer policy to same-origin. Maybe that will help.


Xframe will help in some cases, but not for hot linking. And your referrer policy would help if Cloudflare’s hotlink protection blocked blank referrers. Come to think of it, this blank referrer exception is probably why you can type in an image URL and have it still delivered.

Country Blocking CF Managed Accounts

I assume that setting will do exactly what was mentioned earlier and - when ticked - also accept blank referrers. You wouldnt want that.

This wont help much in this case, as this will only govern if referrers are sent on your site. It doesnt do anything regarding embedded resources.

closed #16

This topic was automatically closed after 14 days. New replies are no longer allowed.