Stop Hotlinking Images on Blogger: 5 Foolproof Ways to Save Your Bandwidth
There is a specific kind of annoyance that only a content creator understands. It’s that moment you realize someone isn't just stealing your work—they are making you pay for the privilege of them stealing it. I remember the first time I looked at my analytics and saw a massive spike in "requests," but my actual traffic was flatlining. Some scraper site had lifted my high-res tutorials and was pulling the images directly from my server. They got the content; I got the bandwidth bill and a sluggish site. It felt like someone had tapped into my garden hose to fill their swimming pool while I was trying to do the dishes.
If you are running a blog on Blogger (Blogspot), you are already dealing with a platform that—while sturdy—doesn't always give you the granular "nerd knobs" to flick when things go sideways. You can’t just hop into a .htaccess file and write a few lines of code. But if you have connected your Blogger domain to Cloudflare, you’ve essentially given your site a superhero cape. Cloudflare’s ScrapeShield and WAF rules are the bouncers at the door, making sure only the right people get in and nobody walks out with the furniture.
In this guide, we’re going to walk through the exact steps to stop hotlinking images on Blogger using Cloudflare. We’ll talk about why "Hotlink Protection" is sometimes a blunt instrument and how to use more surgical "Custom Rules" to keep your site fast and your assets protected. We’re going to do this without breaking your RSS feeds or making your images disappear from Pinterest—because there is nothing worse than fixing a leak by turning off the water entirely.
Understanding the Real Cost of Hotlinking
Hotlinking is the digital equivalent of "leeching." When another website displays an image hosted on your server by using your direct image URL, their visitors see the image, but your server does the heavy lifting of delivering it. Every time their page loads, your bandwidth gets dinged. For Blogger users, this can lead to slower load times for your actual readers because your "pipe" is clogged with external requests.
Beyond just the technical "lag," there’s a branding issue. If you’ve spent hours creating custom infographics or photography, you want that traffic coming to your domain. You want them reading your insights, clicking your CTAs, and remembering your brand. When someone hotlinks, they strip away the context. They get the value; you get the overhead. It’s a bad deal all around.
However, we have to be careful. In our rush to stop the thieves, we don't want to block the "good" bots. Search engines like Google need to crawl your images to show them in Image Search. Social media platforms like Facebook and Pinterest need to be able to "see" your images to create those pretty preview cards when someone shares your post. Precision is the name of the game here.
Is This Guide for You? (The Filter)
Not every Blogger site needs aggressive hotlink protection. If you’re running a personal diary that only your aunt reads, this might be overkill. But for specific groups, this is non-negotiable insurance.
- Professional Photographers & Artists: If your assets are your product, you can't have them floating around without credit.
- Affiliate Marketers: You need your pages to load at lightning speed to convert. Every millisecond wasted on a leecher is money lost.
- High-Traffic Tutorial Sites: Technical diagrams are high-value targets for scrapers.
If you don't use a custom domain with Cloudflare yet, you'll need to set that up first. Blogger's default blogspot.com domain doesn't allow you to get between the user and the server in the way Cloudflare does. Once you have your DNS pointed to Cloudflare, the following steps become your digital shield.
Method 1: The One-Click ScrapeShield Fix
Cloudflare knows that hotlinking is a plague. That's why they built a literal "On" switch for it. This is Method 1 because it's the easiest, though it can sometimes be a bit too aggressive for users who want complex exceptions.
To enable this, log in to your Cloudflare dashboard and select your site. In the left-hand sidebar, look for ScrapeShield. Inside, you will see a toggle for Hotlink Protection. Flick it to "On."
What happens next? Cloudflare will now check the "Referer" header of any request for an image (extensions like .jpg, .jpeg, .gif, .png, etc.). If the request is coming from a site that isn't yours, Cloudflare blocks it. It’s simple, it’s effective, and for 80% of users, it’s all you need. However, keep an eye on your social media shares. Sometimes this can interfere with how images appear on platforms if they don't send the right headers. If you notice your Pinterest pins are looking blank, you'll want to move to Method 2.
Method 2: Using WAF Rules for Precision Control
This is where the real "Professional Operator" moves happen. If you want to stop hotlinking images on Blogger but you still want your friends on Twitter to see your thumbnails, you need Custom Rules in the WAF (Web Application Firewall).
Go to Security > WAF > Custom Rules and click "Create rule." You want to build a rule whose logic says: "If someone is trying to access my images, and they aren't coming from my domain, AND they aren't a known search engine, then block them."
The beauty of this is the "Known Bots" toggle. Cloudflare maintains a massive list of "good" bots (Google, Bing, LinkedIn, etc.). By adding a rule that allows "Known Bots," you ensure your SEO doesn't take a hit while you're slamming the door on the scrapers. You can also manually "Allow" specific domains like pinterest.com or facebook.com if you find the default protection is too tight.
The Logic Setup
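When building your rule, check the "Expression Preview." It should look something like this: (http.host eq "yourblog.com" and http.request.uri.path.extension in {"jpg" "jpeg" "gif" "png"} and not http.referer contains "yourblog.com" and not cf.client.bot). With the rule's action set to Block, this rejects image requests that come from neither your own pages nor a known bot. The file-extension condition matters: without it, the rule would apply to every request on the host, pages included, not just images.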
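The rule logic described above, modeled as an added example so its decisions can be checked against sample requests before the rule goes live. This is not Cloudflare's code or the author's; the domain, extension list, sample requests and the stricter hostname comparison are assumptions made for illustration.

```javascript
// Added example: a model of the rule's decision, not Cloudflare's implementation.
// SITE and IMAGE_EXT are assumptions; `knownBot` stands in for cf.client.bot.
const SITE = "yourblog.com";
const IMAGE_EXT = new Set(["jpg", "jpeg", "gif", "png"]);

function isImage(path) {
  const m = /\.([a-z0-9]+)$/i.exec(path);
  return m !== null && IMAGE_EXT.has(m[1].toLowerCase());
}

// Rule logic as described on the page: substring test on the Referer header.
function blockedByContainsRule(req) {
  return req.host === SITE && isImage(req.path) &&
    !req.referer.includes(SITE) && !req.knownBot;
}

// Stricter model: parse the Referer and compare its hostname, ignoring scheme.
function refererHost(referer) {
  try { return new URL(referer).hostname.toLowerCase(); } catch { return ""; }
}
function blockedByHostRule(req) {
  const host = refererHost(req.referer);
  const sameSite = host === SITE || host.endsWith("." + SITE);
  return req.host === SITE && isImage(req.path) && !sameSite && !req.knownBot;
}

// Constructed sample requests (not real traffic).
const req = (name, referer, extra = {}) =>
  ({ name, host: SITE, path: "/img/chart.png", referer, knownBot: false, ...extra });
const SAMPLES = [
  req("own post, https", "https://yourblog.com/2024/post.html"),
  req("own post, http + www", "http://www.yourblog.com/2024/post.html"),
  req("third-party page", "https://scraper.example/copied.html"),
  req("known crawler", "", { knownBot: true }),
  req("no Referer (feed reader, direct open)", ""),
  req("domain only in query string", "https://scraper.example/?src=yourblog.com"),
  req("HTML page, external link", "https://news.example/", { path: "/2024/post.html" }),
];

function evaluate(samples) {
  return samples.map((s) => ({
    name: s.name,
    containsRule: blockedByContainsRule(s) ? "block" : "allow",
    hostRule: blockedByHostRule(s) ? "block" : "allow",
  }));
}

console.table(evaluate(SAMPLES));
```

The empty-Referer row is the one that breaks feed readers and direct image opens, and the query-string row shows where a substring match is looser than a hostname comparison. Because the Referer header is supplied by the client, either form is a bandwidth control and not an access control.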
The "Oops" Moment: Common Setup Mistakes
I’ve seen a lot of people set up hotlink protection and then panic three hours later because their blog looks "broken." Usually, it’s because of one of three things. First, forgetting about RSS readers. If you have a newsletter or use Feedly, those services often pull images directly. If your hotlink protection is too strict, your newsletter subscribers will just see broken image icons. Not exactly the professional look we're going for.
Second is the HTTPS/HTTP mismatch. If your blog is running on HTTPS but your hotlink rule is looking for a referer starting with "http://", it might fail to recognize your own site as a valid source. Always use "contains" or "matches" for your domain name rather than a full URL string to avoid these protocol headaches.
Finally, there's the Caching trap. Cloudflare caches images. If an image was hotlinked and cached before you turned on protection, it might still show up for a while. After you flip the switch, it’s a good idea to go to Caching > Configuration and "Purge Everything." It gives you a clean slate to test your new defenses.
The Strategy: When to Block and When to Allow
Not all hotlinking is theft; sometimes it's free PR. If a major news outlet features your chart and hotlinks it, do you really want to block them? Probably not. You want that credit. In those cases, some people use "Watermarking" instead of blocking. While Cloudflare doesn't natively watermark on the fly for free accounts, it’s a strategic alternative to consider.
A simple way to decide is to look at your traffic sources. If you see a lot of "Direct" traffic to image files from domains you don't recognize, it's time to get aggressive. If the hotlinking is coming from forums where people are discussing your content and linking back to you, that’s actually a win. You have to weigh the bandwidth cost against the "brand awareness" benefit.
Infographic: The Hotlink Protection Decision Matrix
Check Cloudflare Analytics for top "Image" requests. Identify "top referrers" that aren't your site.
Use ScrapeShield for broad protection. Use WAF Rules if you need social media exceptions.
Purge cache and check your site on mobile, Pinterest, and an RSS reader to ensure no "friendly" breakage.
| Feature | ScrapeShield | WAF Custom Rules |
|---|---|---|
| Ease of Use | High (Toggle) | Medium (Logic-based) |
| Granularity | Low | High |
| Bot Friendly? | Generally Yes | Configurable |
Official Documentation & Resources
Don't just take my word for it. The technical specs change, and it's always smart to have the official manuals bookmarked for when you're doing a deep dive into your site's security settings.
Expert FAQ: Hotlinking Decoded
What happens to my Blogger images in Google Search if I enable protection?
As long as you use Cloudflare's built-in Hotlink Protection or include "Known Bots" in your WAF rules, your SEO will be fine. Google's crawler is recognized by Cloudflare and exempted from these security measures, so your images stay indexed in Google Image Search.
Can I allow specific websites to hotlink my images while blocking others?
Yes, but you’ll need to use Method 2 (WAF Custom Rules). You can add an "Allow" list for specific hostnames or referers. This is perfect if you have a partner site or a second blog where you want to share assets without re-uploading them.
Does hotlink protection slow down my site for regular visitors?
Actually, it usually speeds it up. Since Cloudflare sits at the "Edge," it performs this check before the request ever reaches your content. By blocking unauthorized requests early, you free up resources for your legitimate readers, resulting in a snappier experience.
Will this stop people from downloading my images?
No. Hotlink protection prevents other websites from displaying your images on their pages. It does not stop a user from right-clicking and saving an image to their computer. Those are two different security issues; one is about bandwidth, the other is about copyright.
Is there a way to show a "Warning Image" instead of a broken icon?
Cloudflare’s basic protection usually returns a 403 Forbidden. While advanced users can set up "Workers" to serve a replacement image (like a graphic that says "Visit MySite.com to see this image"), it requires a bit of coding. For most Blogger users, a clean block is more effective.
What if my images are hosted on Google Photos or a third-party CDN?
If your images aren't being served through your Cloudflare-managed domain (e.g., they use a direct googleusercontent.com link), Cloudflare cannot protect them. Hotlink protection only works for assets that pass through Cloudflare’s "Orange Clouded" DNS records.
Does this work for videos or PDFs too?
Yes. You can customize your WAF rules to include file extensions like .mp4, .pdf, or .zip. If people are "leeching" your downloadable lead magnets or video assets, the same logic applies—block the referer, save the bandwidth.
Conclusion: Take Back Your Bandwidth
The internet is a bit of a Wild West, and while Blogger is a fantastic "set it and forget it" platform, it does leave you exposed to bandwidth leeches if you aren't careful. By putting Cloudflare in front of your blog, you aren't just adding speed—you're adding a layer of professional intelligence that respects your hard work.
If you have ten minutes today, I highly recommend at least toggling the ScrapeShield setting. It is the lowest-effort, highest-impact thing you can do to protect your site's performance. If you're a power user, dive into those WAF rules. Your site will be faster, your analytics will be cleaner, and you'll sleep a little better knowing you aren't paying for someone else's content scrapers.
Ready to secure your site? Log in to your Cloudflare dashboard now and start with the ScrapeShield toggle. If you run into issues with your social media previews, don't forget to check those WAF exceptions. Your content is yours—keep it that way.