Pantheon Community

Stopping people from hotlinking

Before Fastly and SSL became universally available via Pantheon, I had a client who I set up on CloudFlare. That seems redundant now and I’m looking at taking him off CloudFlare, but there’s one feature that’s recently become useful: CloudFlare’s hotlink blocking. An image pirating site was hotlinking to many of his photographic images, so we used hotlink blocking to stop that. Is there a way to mimic this type of blocking on Pantheon, perhaps via the wp-config.php in WordPress or some other means?

I would keep Cloudflare for the WAF rules alone. I have multiple clients with Pantheon/Cloudflare.

I know hotlinking can be disabled via .htaccess and nginx.conf files very easily, however as far as I know we cannot add custom server rules on Pantheon. Images are not loaded via PHP, so we cannot add a custom function to disable hotlinking in the theme or via a plugin.

I’m also curious if we could disable hotlinking with some sort of Pantheon setting instead of a 3rd party solution. Cloudflare seems like the easiest option.


I agree with Dan. We’re a duel Pantheon/Cloudflare shop.

Thanks. Do you find that dual CDNs and caching (fastly + cloudflare) is a problem? I’ve not found a way to disable CloudFlare’s CDN and caching for more than 3 hours so I can simply benefit from the hotlinking.

Layering both has never been a problem. Once you get your page rules and WAF rules in shape, you shouldn’t notice. I haven’t gone the extra mile to sync cache clearing between Pantheon and Cloudflare yet, but I tend to like the manual control. I’m happy to share my page rule settings with you to get you started if you’d like.

Thanks. For syncing, I’m using WP Rocket as configured for Pantheon (no caching, just minification and lazyload) and it has a setting to connect to CloudFlare for clearing the cache there as well. Going to see if that does the trick.