I had set up an .htaccess file for my site, and tested it by hotlinking an image and a movie from another web host. Both were blocked. Tonight, I discovered someone had hotlinked a music file from my site, and it's playing away on their site! I'm so frustrated!

This is the code I have:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?rosewhip.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?rosewhip.net$ [NC]
RewriteRule .*\.(gif|jpg|bmp|png|wmv|wma|mp3)$ http://www.rosewhip.net/hotlink/hotlink.jpg [R,NC]

What did I do wrong? The song is a WMA file. Are those not protected or something? The person just used an 'embed src' tag, does that override it somehow? Is there any way I can fix this?

Try this (it's not much different than what you had):
RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?rosewhip\.net.*$ [NC]
RewriteRule \.(gif|jpg|bmp|png|wmv|wma|mp3)$ http://www.rosewhip.net/hotlink/hotlink.jpg [R,NC,L]

Maybe the browser isn't sending a referer header and that's why it's not working.

The song is a WMA file. Are those not protected or something?
They are protected. (The red in the above code.)

The person just used an 'embed src' tag, does that override it somehow?
No. The HTTP request is the same whatever html tag/link you use.

I got the person to take down the song by asking, but I tested the media files on my other web host after I put in the code you gave me. It's protecting everything except the WMAs, MP3s, and WAVs. I'm not sure what a referer header is or how to fix that, but is that why it wouldn't be working on the sound files?

When I asked the support at my web host about it, they said:

"htaccess uses mod rewrite to protect files from hotlinking, and can
only protect images."

Why would it be protecting my WMV movies, then?

And is there any way to protect my other media files if htaccess will really not work?

The Referer header is the browser telling the server the page with person came from or the page that the file is embeded in.

Does it work if you comment out (put a # infront of) this line?
#RewriteCond %{HTTP_REFERER} !^$

"htaccess uses mod rewrite to protect files from hotlinking, and can only protect images."
I don't believe that. It's got nothing to do with the type of file as far as i know, it just has to match the filename (that's just plain text).

And is there any way to protect my other media files if htaccess will really not work?
You could probably use a serverside script (PHP, ASP, ASP.NET, PERL, JAVA...) to test the Referer and only send the file if it's requested from your pages. Do you have any serverside languages avaliable on your host? If you do, you could ask in the forum for that language on this site.

Ah! Commenting out that line makes it work! *dances happily* Thank you so much! In fact, when the music or movie tries to load, the hotlink picture shows up in the player instead... that makes me giddy.

In the case that I need to ask for hotlink protection in PHP or whatnot, I'll have this thread under my posts for reference. Thanks again!

A funny trick you can pull when someone hotlinks a image from your site.
Is too take the image and edit it in paint, and put something like

"This site is owned ha! ha!" then put it back on your server directory where the same image was with the same name.

Then on there site that edited image will show then the owner of that site will know that he/she was caught hotlinking... :cool:

By commenting out that line ("RewriteCond %{HTTP_REFERER} !^$") you can stop people actually on your site seeing the images if they are not sending the Referer header. It is a bad idea to have it commented out.