URGENT: Page Rule Setting Missing (Disable Hotlinking)

It’s been over 2 years that both free and paying clients of Cloudflare have requested the addition of a new page rule setting: Disable Hotlinking.

All you have to do is search through this forum to get a list of all past requests, not to mention the high number of individual tickets submitted to Cloudflare for a fix.

Currently, we can only achieve the above with the page rule setting Disable Security. This fixes one issue, but creates many more.

Cloudflare support keeps saying “yeah, we’ve added that to our list of future enhancements,” but 2+ years later, nothing, zilch, nada.

The option to use the folder “hotlink-ok” or some other fancy method does not cut it. They are all cumbersome.

Common Cloudflare, what are you waiting for?

I use a Firewall Rule to block hotlinking. It’s free.

(http.request.method eq "GET" and http.request.uri.path contains "wp-content" and not http.referer contains "example.org" and http.referer ne "" and not http.host contains "subdomain")

This blocks hotlinking to my WP-content directory where my uploaded images are if the referrer is not my domain or if the referrer is blank. But allows hotlinking to a subdomain of mine.


Thanks for the reply. Do you work for Cloudflare?

Also, can you be more specific about the rule? (how to use it).

For example, do we replace “example.org” with our website URL and “subdomain” with our affected subdirectory or folder where we want to allow hotlinking (example, “folderimages”)

Thank you!

Firewall rules apply to the entire zone (example.org) unless otherwise specified. If you have a subdomain in the zone you don’t want affected, use that “subdomain” option. Otherwise, leave it off.

If you want to block hotlinking to everything except the “wp-content” example, you can adjust the rule.

Just copy/paste my firewall expression into the Firewall Expression Builder and you can use the UI above it to adjust the settings.


Thank you. Will give it a spin.

Don’t mean to appear rude but, on behalf on many, my original request to Cloudflare stands.

Please stay safe. Cheers!

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.