How to Protect Your Images from Bandwidth Thieves

PHP Script to guard your images from being used on other sites at your expense.

How to Protect Your Images from Bandwidth Thieves

by Christopher Heng,

A few visitors to have asked me how they could prevent their images from being used on other sites. They were particularly concerned that some sites were linking directly to their images on their web server using IMG tags. As such, not only were those images being used without the owner's permissions, they were also making the owner pay for their bandwidth!

How to Detect The Bandwidth Thieves

The simplest way to detect such linkages to your images is to check your web server logs for referrals to the images on your website. That is, sift through the logs to find out which are the sites that send visitors to the images on your website.

Trace the referrers in the logs to the actual referring website and check the offending web page. If you find your graphics displayed on their page, check the HTML source for that page and find out where the graphic files are hosted. If the IMG tag points to your website, it means they are using your bandwidth for their website.

How to Protect Your Images: System Requirements

One way to protect your images from being linked directly from your site is to deliver them from a PHP script. Note that there is no way to protect your images from being copied by others and uploaded to their website; if they can view it, they can copy it. The method that I'm outlining here will only protect your bandwidth from being used by some other site.

You will need PHP access for this script to work. If your web host does not currently provide this, take a look at the list commercial web hosts for one that does. Most, if not all, of them support PHP by default.

Note: If your web host runs the Apache web server, I strongly recommend that you use the solution given in my article on How to Prevent Image Bandwidth Theft with .htaccess instead. It is vastly more efficient (since it doesn't need a PHP program to run on your server for each image) and flexible (you can easily extend it to protect videos and other types of files).

The CHImageGuard PHP Script

Copy the PHP code given below into an ASCII text file and save it as "chimage.php".

More information about how to configure and use the script can be found after the script.

Note the script begins from the "<?php" line (inclusive of that line) and ends on the "?>" line (inclusive of that line). Do not add any text before or after those markers ("<?php" and "?>") or you will run into numerous error messages when you use the script.

Note the script ended on the "?>" line above. Copy only up to (and including) the line with the "?>". Do not retype the script — cut and paste it.

Installing and Configuring the Script

To install the script, just upload it (in ASCII text mode) to your main directory.

To configure it, change the following lines at the beginning of the script.

  1. $imagedir

    Point $imagedir to the actual directory where you placed your image files. This must be the full path. So if you placed your files in "/users/yourname/images/", change the line to

    $imagedir = "/users/yourname/images/" ;

    Remember to end the line with a semi-colon. Please see my tips on where to put your images later in this article before you do anything.

  2. $validprefixes

    $validprefixes allows you to indicate all the hosts from which you will be calling your images. For example, if your domain is "" but it can also be referred to as "", change the lines to:

    $validprefixes = array {
    } ;

    Note carefully the punctuation marks that I used and do not modify them. If you need to add more hosts, simply add it before the first host line (in this example, you would add it before "") and make sure each additional line ends with a comma.

    If your site can only be accessed from one URL, use the following format:

    $validprefixes = array {
    } ;

    Notice that there are no commas in the second example.

    Remember that these are hostnames, not URLs. It doesn't matter which page on "" your image is loaded from. All that matters is that if the URL begins with "", you should put "" in the list of valid prefixes above.

  3. $homepage

    Set $homepage to the URL of your main page. Visitors who directly use your script from their browser will be directed there.

  4. $email

    If you wish to be informed when some other site link to your images illegitimately, remove the preceding "//" from the line with $email. Set $email to point to your email address.

Using the Script

  1. Upload your images

    Put your images in a secret directory somewhere.

    The best place is actually in a directory that cannot be normally accessed by your web server but that can be accessed by your PHP script. For example, some web servers are configured so that you have to put your files in a "htdocs" or "public_html" directory before it will be visible on your website. Whenever you want to upload your files, you have to change to that directory to do it. If that is the case, DON'T change to that directory but make another subdirectory in the same level as "htdocs" or "public_html", called for example "images", and dump your images there.

    If you do not have access to subdirectories outside your web directories, make a subdirectory with some obscure name that people are less likely to guess, and dump your files there. Don't use names like "images" or the like or people can work around your PHP script with ease.

  2. Modifying Your Web Pages

    Modify your HTML files to refer to the CHImageGuard script. Instead of referring your images as "mymugshot.gif" in your IMAGE tag, load them as

    <image src="chimage.php?image=mymugshot.gif">

    Note that it really does not matter that anyone can see the name of your image file - they can't access it directly since it's hidden in some unknown subdirectory that only the PHP script knows about.

    If you want to use a JPEG file named "award.jpg", just put it in your new image directory and call it with the IMAGE SRC tag with

    <image src="chimage.php?image=award.jpg">

    The PHP script can handle GIF, JPG and PNG image files. Don't bother to try to use any other type of file — the built-in function it uses to detect the file type may not be able to determine its type correctly.

What Happens When A Bandwidth Thief Tries to Use Your Images

After you do the above, if some other site tries to copy your image URL to their IMAGE tag, they will find that the image will not display on their site. In place of the image, the visitor's web browser will display a broken link image. If you have enabled the email warning system (disabled by default), you will also receive an email with information about which site tried to use which image from your site.

Your images should load fine on pages on your site. However, please read my cautionary note later in this article.

How It Works

When someone visits a web page, the browser will request for the individual images on the website. Each time it makes a request for an image it will also inform the web server the URL of the page that linked to that image.

The script works by checking that the page requesting the image is actually in the list of hosts you listed in $validprefixes. If it is, it will send the image to the web server. Otherwise it will inform the web server that the image could not be found.

Potential Problems

  1. PHP Settings

    It is possible that on some web hosts, your PHP script may not be able to access directories outside your web server directories. In such a case, you'll just have to put your images in a subdirectory within your web directories. Just be sure to name it with some unlikely name (a gibberish sequence of characters and numbers might be one possibility).

  2. Buggy Browsers/Anonymous referrers

    Since CHImageGuard depends on the browser to tell it which page is linking to the images, it would not work correctly under the following conditions:

    • if the browser has a bug that makes it provide the wrong information
    • if the visitor uses a browser that allows him/her to change such information
    • if the visitor works through a proxy or firewall that changes or modifies such information (such as some anonymous proxies)

    There are possibly other situations where the information on the referring page is suppressed or wrong.

    I wrote the script in such a way that if the information on the referring page is simply suppressed, the script will still deliver the image on the chance that the visitor is viewing your website through an anonymous proxy or a privacy-enabled browser. This means that if the visitor is viewing the bandwidth pirate's website with such a browser, he will still be able to view the image stolen from your site as well. My rationale is that it is better to lose that small amount of bandwidth than to have broken link images appear on your own pages.

    However, if the referring page information is present but does not point to one of your valid hostnames, the script will issue a Not Found error for the image, even if the visitor is at your website and is using a browser that camouflages such information. The visitor will then only see a broken link image in place of the actual image.

    Note that this is an issue with the browser or proxy. Please do not report it as a bug in CHImageGuard. There is no known way of fixing it at the script level at this point in time. It affects all scripts of this nature, whether PHP, Perl, JavaScript, etc. It also affects other types of programs that rely on the browser furnishing accurate referral data, such as web statistics programs. It rarely occurs on my websites but, of course, your mileage may vary.

Changing the Output

Some people prefer to use a special image that is displayed when the image is linked from another site. This might be an image proclaiming "This image was stolen", or one that advertises their own site such as "You can get even better products/services at". You can easily do that if you like, but remember the following:

Having said that, if you insist on issuing a different image for the thief's site, change the lines

if (isset($email)) {
  mail( $email, "Bandwidth Theft Alert",
  "WARNING:\n\n$referrer\ntried to access\n$image\n",
  "From: CHImageGuard <$email>" );


if (isset($email)) {
  mail( $email, "Bandwidth Theft Alert",
  "WARNING:\n\n$referrer\ntried to access\n$image\n",
  "From: CHImageGuard <$email>" );
header( "Content-type: image/gif" );
@readfile( "/your/replacement/image/filepath.gif" );

(assuming of course that you are using a GIF file here). You will of course have to put the correct full path to your GIF file as argument to the readfile function.


Feel free to use the script on as many websites as you like. However, please do not redistribute the script. You can find the full terms of the licence ("license" in US English) agreement in the PHP script above.

Copyright 2000-2019 by Christopher Heng. All rights reserved.
Get more free tips and articles like this, on web design, promotion, revenue and scripting, from

thesitewizard™ News Feed (RSS Site Feed)  Subscribe to newsfeed

Do you find this article useful? You can learn of new articles and scripts that are published on by subscribing to the RSS feed. Simply point your RSS feed reader or a browser that supports RSS feeds at You can read more about how to subscribe to RSS site feeds from my RSS FAQ.

Do Not Reprint Without Permission

This article is copyrighted. Please do not reproduce or distribute this article in whole or part, in any form.

Related Pages

New Articles

How to Link to This Page

It will appear on your page as:

How to Protect Your Images from Bandwidth Thieves

Link to Us
Site Map

Getting Started
Web Design
Search Engines
Revenue Making
Web Hosting
Perl / CGI
.htaccess / Apache


Free webmasters and programmers resources, scripts and tutorials Free How-To Guides
Site Design Tips at
Find this site useful?
Please link to us.