Re: How can I prevent image hotlinking on my e-commerce site?

Johnny724
Explorer
50 3 24

Does Shopify offer a simple way to stop image hotlinking? Or do I need to create an htaccess file?

Steve82
Explorer
54 0 65

No. I had a post that was "How to prevent image hotlinking on shopify" that was out there for years, now they have just deleted it. The only answer they would give is pay for a 3rd party plugin/app that doesn't actually fix the problem. They don't care. It is a pretty easy server side fix.

Fine Art Landscapes - Sawusch Photography - USScenics.com
Mdre20
Tourist
5 0 4

Did you find any solution?

Shay
Shopify Staff (Retired)
3110 472 664

Hi @Mdre20

Thank you for adding your feedback to this thread. While I have shared the desire for this function to be a built in feature with our developers, it is not something we directly support at this time.

There are third party apps and tools you can use to prevent hotlinking of your content in the app store, you can take a look at some of those here: Shopify App Store - Prevent Right Click.

Shay | Social Care @ Shopify 

Steve82
Explorer
54 0 65

@Shay right click is not the issue and never is because you cannot actually block right click, you can only give the illusion of no right click to people. Sites that have right click "disabled" literally slow me down by 2 seconds before I click a button that blocks the "disable" script. Bots don't load these scripts and all they are doing is grabbing the link url, not downloading the image anyway. Hot linking is a server side issue. What you are saying is that the only actual "fix" is to host ALL IMAGES ON SOMEONE ELSE'S SERVER. FIX IT SHOPIFY.

sallytrace
Excursionist
32 2 15

OMG Shopify is begging us to leave this site.  My website is under attack from scammer sites hotlinking my images and redirecting to sites that use further hotlinks to ostensibly sell counterfeits of my work, and Google is happy to serve up these thieving scammers to about 10% of my search results.  WHAT THE HECK?????????  Shopify and Google couldn't care less about us or our customers.

sallytrace
Excursionist
32 2 15

I have to do something, and I really don't want to take the time to move to wordpress, that would be weeks of unpaid work.  Has anyone moved their images to another server in order to combat this problem?  If so, how do we allow Google access to our images, but not let them get served up by scammers via hotlinking?  The problem is becoming an epidemic.

Steve82
Explorer
54 0 65

The only way this simple problem will be fixed is if we call and complain weekly or more frequently. It is a joke how they even allow this. Other systems literally have a checkbox to disable image hotlinking.

sallytrace
Excursionist
32 2 15

Thanks for answering Steve. I'm so disappointed in Shopify, leaving us hanging out to dry like this.

Anna_G_
Visitor
2 0 2

Not a right click issue. This problem is out of control. 97% of my images are being used for backlinks. According to Semrush my domain is TOXIC with over 57.8K backlinks. I can disavow with Google, but it'll take an eternity for them to actually do that, and in the meantime I already received 106 new ones just today and counting. Shopify needs to do something about this, and fast. No images show up anymore in Google organically, it was the way customers found my website/store organically. Now all the images are gone because the website has more than likely been penalized, and the few that are still out there have links to them - but not to my store.

And why can we only upload a .CSV file and not a jpeg or png to show what's going on?

sallytrace
Excursionist
32 2 15

Gosh I'm so sorry to hear that this awful hotlinking disaster is ruining your business.  It's all one group of criminals doing it, you can see similar patterns in the URLs of the bogus pages placed on legitimate websites that get redirected to the scammer sites.  Google favors these scammers in search results for some unfathomable reason.  Once you click on an images search result that is a scammer hotlinking site, a dozen more appear beneath it, all manner of domains.    Honestly right now it feels as if the world is conspiring to make the criminals win and honest people lose.  I'm so discouraged.  So disappointed in Shopify for not providing hotlink disable, such an important security tool.  And in Google for promoting the criminal sites in search results so that when our hard-won buyers search for our websites, they get our images alright, but they link to scammer sites.  And we can't have them removed from search because we would be reporting our own hotlinked images.  Every day it gets worse.  I wish I'd never come here.  It's a pretty effective racket going on.

sallytrace
Excursionist
32 2 15

I'm preparing to move all my images off Shopify because of this unbelievable absence of support on what has become an important security issue.  Any suggestions?  Cloudflare?  Amazon S3?  Or move the whole site to Wordpress?

Brett21
Excursionist
19 0 6

I haven't found a way to stop them, but they are using my IP to drive traffic to their websites through my images. I've been reporting this to Google, but the situation seems to be getting worse. In fact, Google has even removed some of my images in the process. They are killing my store. Is this only happening to Shopify or is it the same with other platforms?

Anna_G_
Visitor
2 0 2

I ended up adding this App: “Disable Mouse Right-Click”. And I think it’s helped. There is no image url now anymore for them to use with this App. It’s free, so I’d give it a try.

Brett21
Excursionist
19 0 6

These people are highly skilled and would find a way around that. It's simple - you just need to inspect the image page, and the URL is located there. Right-clicking is just a shortcut and would only stop someone who doesn't have coding skills. I mean the ones I am trying to stop. The first domain name is a decoy and doesn't send you to their site; they hotlink it to another one after you click on the image. I don't even know how they're doing it because it is completely against Google's policy. They are somehow changing the metadata where it shows my information to get the traffic and then they redirect it under the false domain that a bot generates. It's beyond my skills to track! But this has really hurt my store and in the end, if it doesn't get fixed, I will have to shut down, and that is a total loss to Shopify because I am not the only one being affected by this. I have seen thousands complaining about it and having a really hard time even trying to explain what is happening or what they are seeing. I know I have even messed up just in this post because I am not skilled enough to explain it properly on the coding side of what they are doing. And if you run ads while this is happening none of the traffic will go to your site and I think that is their end goal here by using Shopify stores.

Steve82
Explorer
54 0 65

It is still not a right click issue. It is a server side issue. The proper fix is a .htaccess line of code that blocks the hot linking. Shopify does not care. We are looking to move all our sites off shopify. All of these easy to fix problems are going on ignored.

Even if it was a right click issue, the right click block can be disabled in a matter of seconds. It only stops the most computer illiterate people.

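Added example, not part of any post in this thread and not Shopify's or Cloudflare's code: the server-side fix the posts above call hotlink protection compares the Referer header of each image request against an allowlist, which is what a typical .htaccess hotlink rule does. The Python sketch below applies that check to constructed access-log lines and counts the referring sites it would block; the hostnames `shop.example` and `scam-store.test`, the trusted search-engine suffixes, and all function names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed names for this sketch: the shop's hostnames and referrers it trusts.
OWN_HOSTS = {"shop.example", "www.shop.example"}
TRUSTED_SUFFIXES = ("google.com", "bing.com")  # search result pages
IMAGE_PATH = re.compile(r"\.(?:jpe?g|png|gif|webp)(?:\?.*)?$", re.IGNORECASE)
# Combined log format: quoted request line, status, size, then the quoted Referer.
LOG_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)


def referer_host(referer):
    """Host part of a Referer value, or None when it cannot be parsed."""
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None


def host_matches(host, suffix):
    """Match on a label boundary, so 'google.com.evil.test' is not trusted."""
    return host == suffix or host.endswith("." + suffix)


def decide(path, referer):
    """Return 'allow' or 'block' for one request."""
    if not IMAGE_PATH.search(path):
        return "allow"   # only image files are protected
    if referer in (None, "", "-"):
        return "allow"   # no Referer: direct visits and clients that send none
    host = referer_host(referer)
    if host is None:
        return "block"   # header present but not a usable URL
    if host in OWN_HOSTS:  # exact match, never a substring test
        return "allow"
    if any(host_matches(host, s) for s in TRUSTED_SUFFIXES):
        return "allow"
    return "block"


def blocked_referrers(lines):
    """Count, per referring host, the image requests the rule would block."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.search(line)
        if m and decide(m["path"], m["referer"]) == "block":
            hits[referer_host(m["referer"]) or "(unparseable)"] += 1
    return hits


# Constructed sample log lines (not taken from any real site).
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jun/2025:09:00:01 +0000] "GET /cdn/shop/files/print-01.jpg?v=1 HTTP/1.1" 200 48211 "https://www.shop.example/products/print-01" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jun/2025:09:00:05 +0000] "GET /cdn/shop/files/print-01.jpg?v=1 HTTP/1.1" 200 48211 "https://scam-store.test/item/9" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jun/2025:09:00:09 +0000] "GET /cdn/shop/files/print-02.png HTTP/1.1" 200 90112 "https://scam-store.test/item/12" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Jun/2025:09:01:00 +0000] "GET /cdn/shop/files/print-02.png HTTP/1.1" 200 90112 "-" "ExampleCrawler/1.0"',
    '198.51.100.9 - - [01/Jun/2025:09:01:30 +0000] "GET /cdn/shop/files/print-03.webp HTTP/1.1" 200 30110 "https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.20 - - [01/Jun/2025:09:02:00 +0000] "GET /cdn/shop/files/print-03.webp HTTP/1.1" 200 30110 "https://www.shop.example.evil.test/p" "Mozilla/5.0"',
    '198.51.100.12 - - [01/Jun/2025:09:02:40 +0000] "GET /products/print-01 HTTP/1.1" 200 5120 "https://blog.test/review" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, count in blocked_referrers(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {host}")
```

Requests that arrive without a Referer are allowed, so a rule of this kind limits embedding by other pages rather than copying of the files themselves.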

Mdre20
Tourist
5 0 4

You got anything on this?
Seems to be a very widespread issue

Yvonne22
Tourist
3 0 4

I'm also having this issue. Sounds like the solution on any other site would be quite simple, but since we are using Shopify CDN we cannot access the .htaccess file and turn on Cloudflare’s hotlink protection. Shopify needs to address this.

Amanda_Mills
Tourist
9 0 3

Did you manage to find a solution? We are having a problem with this on our website. Thanks

sallytrace
Excursionist
32 2 15

Hi Amanda,

The problem has dramatically lessened on Google search results. I did start reporting the listings on the bogus ecommerce pages that were redirected to by the legit pages on real websites that seemed to have been hacked and had pages added to them with keywords and copy lifted from the website that was being victimized. There are still some google search results from this enormous scam that was going on, but much much less now, thank God. Geez I'd have to do an infographic to explain what they were doing, it was so convoluted. One thing that helped a lot was renaming my image files, and shopify does not make it easy. I spent a lot of time to find apps that would simplify that process but there were no free ones, and I eventually decided that it was just as easy to do it myself.

So the process of renaming image files is to copy the URL of the image that is being infringed (minus everything in the URL before the https://www.your-website.com/cdn/shop/files, everything after is called the Handle), then go to Content>Files, and search for the Handle. You can't reach the Content>Files page from the product page, so have it open in two tabs on your browser. Download the image from your product page, and then delete the image from the Content>Files page. You can play around with what is easiest for you between these two pages. It's best to have both pages open in two tabs because you can lose track of where that image needs to be. Then rename the image in your computer's files, and upload it again to your product page with its new file name (and try to remember to add back your alt-text). It will then be automatically added to your Content>Files with its new file (handle) name. The old/deleted image file URL will now show an error message. I always keep the infringed image URL open during this procedure so I can test it by refreshing the page.

I know it sounds complicated, but this is the easiest method I've found to rename image files on Shopify, and I am no computer expert. Once you get used to it, with three tabs open, it's actually easy (one for the product page, one for the Content>Files page, and one for the live URL of the image you are removing from the hacker's bogus infringement site).

I should REALLY do a blog post for DMCA takedown procedures, and for image renaming on Shopify.

Wishing you the best. I don't expect that criminal activity will lessen with all that is happening in the world today, but there are still some measures that work for us small creative people who just want to get paid from our efforts.

Best,

Sally

Amanda_Mills
Tourist
9 0 3

Hi Sally, Thanks for your reply, it's really helpful. I'm going to go through your process. Do you redirect the image so that google knows where the new image is?

I have been reporting some of the websites but it is so time consuming, then they get taken down and then the website is re-directed to another website and you have to go through the same process again. We had the whole website cloned the other week.

I would have thought Shopify could do something about all this, but they don't seem to be very helpful.

Thanks

Amanda

sallytrace
Excursionist
32 2 15

Hi Amanda, I'm so glad it was helpful! I assume that doing a redirect in Google (something I've never done) would put your renamed image right back on the scammer's page that is "selling" counterfeits of your item (if that's the problem you're having) and so would defeat the purpose of renaming the file. I could be wrong though.

Yeah doing the takedowns can be a full-time, unpaid job if you really want to remove the bulk of infringements from the internet. It can be so demoralizing if you let it.

For the cloned website, were you able to get it down by reporting it to the web host? For repeat infringers, I always mention that to the webhost in the takedown email. Webhosts mostly don't want infringement on their servers but of course it's always different and hosts in some countries will not comply. Wix takes down the whole site for copycat "artists"! I wish there was a way to educate the public about infringement.

Best Wishes, Sally

Steve82
Explorer
54 0 65

@Shay/ @Shopify, when are you going to fix this?

sallytrace
Excursionist
32 2 15

The hotlinking problem by scam/fraud websites HAD dramatically lessened this year, but it's back now. ONLY Google gives the scammer websites good search placement, as far as I can see. I have no idea why Google serves up search results that show one URL, but then redirect to bogus thieving websites that pretend to be selling products with hotlinked images. Why do they get away with this? The only thing I can figure is that they're stealing credit cards. None of the listing pages even make sense.

We really need a way to block hotlinking. I could spend all day every day battling infringement and still not get them all. It's so demoralizing.

Ivanm
Excursionist
18 0 10

I've been tied up with this issue for the past couple of days with no resolution in sight. Yesterday, I found out that 11 of my images were being hotlinked by a shady website. I ended up spending two hours with support today, trying to get them to escalate the issue to their server team to block the offending site. Instead of helping, the agent kept giving me false assurances using what felt like AI-generated responses. They kept telling me to submit a Copyright Infringement Notice, even though the other store isn't on Shopify. They repeatedly said they would escalate the issue but wouldn't give me a ticket number. Ironically, I was using their own sidekick app to help me compose replies, but after two hours of back-and-forth, the agent finally admitted they couldn't help. No escalation, no help, nothing.

The site stealing my images is flagged as a phishing site, and today I noticed the images have been completely removed from reverse image search. I'm worried this is affecting my SEO since my CDN files are being used by a known phishing site.

To make matters worse, I found another site hotlinking my images today. It's the same dodgy generic store design, and I'm facing the same issue.

I'm at a loss here. I have hundreds of images, and individually replacing files would be a full-time job given how often this is happening. I'm considering geo-blocking countries since I only sell within Australia, but I'm not sure if that will be effective.

I have to say, I'm really disappointed in Shopify support. It took two hours just to get a straight answer from their customer service representative, and that's just not good enough. This should be a simple fix for them to apply to prevent this kind of issue. I can't believe there's such a massive flaw that can be so easily exploited.

Next, I'll look into setting up my own Cloudflare layer manually. It seems like it can be managed with the right access. I'll update here if I find an adequate solution. If anyone else has found a solution, please let me know.

Steve82
Explorer
54 0 65

The last time I tried cloudflare a few years ago, it did not work. It might have changed a bit (hopefully). If I remember correctly it was having an issue with the shopify cdn. If it works, let us know so we can switch over too.

Ivanm
Excursionist
18 0 10

I was able to set it up easily enough and link it directly through my Namecheap interface. However, testing a blocking rule now with a friend in the US and it does not appear to be working. I'll continue troubleshooting and update once I know more. 

sallytrace
Excursionist
32 2 15

Shopify uses a Shopify cdn as well as our domain cdn. You can see them in Content>Files. I think some images have both URLs but I'm not sure. I think older images were all on a Shopify cdn URL.

Ivanm
Excursionist
18 0 10

Yep, you're right. I can see all my images are on Shopify's CDN so this is somewhat of a dead-end. Although, if I can get Cloudflare to block certain countries then hopefully that will give some level of invisibility. Not ideal, but it's a start. 
Looks like I have to wait 24 hours for Cloudflare to verify my ownership of the domain before it will work (hopefully). I have set up blocking for a few countries, and set an allow rule for Google crawlers. I'll recheck all the settings tomorrow and test again.

sallytrace
Excursionist
32 2 15

It's such an awful mess. I just started using "Boostmark" for geoblocking, and it's doing a great job.  Once in awhile something slips through. I don't think geoblocking extends to the cdn/hotlinking problem though. Meaning that those hotlinked images probably show up in blocked countries.  I have many more forms of infringement than just the hotlinking problem, and my business is ruined anyway.  So why keep serving it up to countries I can't ship to?  I spend all my time fighting infringement.  Almost all traffic to my website is for thievery.  Something's gotta give.

Amanda_Mills
Tourist
9 0 3

Hi, interested to know if this worked to stop hotlinking of images, we have been having the problem for the last 6 months, more and more link everyday, so far not found a solution.  Thanks

Ivanm
Excursionist
18 0 10

I have set up blocking to the US and several other countries in Cloudflare and I'm certainly seeing a lot of bots coming up in the blocked reports, mostly legitimate Google crawlers which I need to whitelist. However, as far as Cloudflare's effectiveness is concerned, I'm not convinced it's actually doing anything other than wasting my time. I am still capturing recorded sessions in MS Clarity from the US (one appears to show the user going into the inspect tool on one of my images). Testing with friends in the US and they can still see the site as well.

This is just to prevent site access, so even if it does work, my understanding is I will still have zero control over the already stolen image files. But if I can remove site access then I may help prevent further imposters stealing my files. There may be another way to do this within Cloudflare but if I can't set simple geoblocking to work then I am not holding out hope that anything else will be effective.

I'll revisit the rules I set up and will keep monitoring and will see if I can get it to work, it may be user error at this stage since I am new to this.

The Cloudflare interface looks fantastic and there's so many options to try. However, if it's not working as intended then I will get to the point where it's not worth paying further attention to it.

As a reminder, Shopify, this is a situation you can easily fix and your lack of support is not good enough. You need to do better and support your customers. 

Brett21
Excursionist
19 0 6

This issue is primarily related to Google. Anyone can scrape images and steal them for their own use. The only solution I've found that works is uploading new images every few months. However, after five years, I've realized that this problem is far more serious and damaging to my site, resulting in significant losses. As a result, I am likely going to shut down my Shopify site. Right now, it is paused because my site's images have been taken over, and my traffic has vanished after five years of operation.

SEO professionals and others have suggested rebranding, but I really don't want to go down that path. Unfortunately, Google has flagged my site due to the image theft, likely orchestrated by competitors who may have had ulterior motives in the first place. This situation has become a financial burden because Google now trusts them instead of me, and it feels impossible to rectify without facing legal action.

But how do you sue a ghost? These sites that are using my images are not legitimate; they exist solely to redirect traffic, and none of their information is accurate. Until Google acknowledges this as a problem and provides solutions, everyone with a website who isn't spending money to combat these thieves will continue to be frustrated as time goes by. This isn't a secret—everyone at Google is aware of it, but since it doesn't impact them, they've done nothing to address it.

sallytrace
Excursionist
32 2 15

I wish you the best with this horrible situation Brett. I'm trying to figure out what to do next.  My shopify website is a liability at this point.  I would be better off right now if I shut it down.

sallytrace
Excursionist
32 2 15

I can't do it.  I can't move to Wordpress for the hotlink protections.  I'll have to continue renaming image files and taking the seo hit.  COME ON Shopify, give us the fix!!!!!  Please!

Ivanm
Excursionist
18 0 10

Update: I've been monitoring a rule I set up in Cloudflare to block specific countries, and I am seeing a drop in visits from those countries, but some are still getting through. Changing the rule from country is "from" to country is "in" seems to be working better.
I can definitively rule out hotlink protection as a solution (we knew this wouldn't work) as the files are hosted on Shopify's CDN servers, and controlled by Shopify's Cloudflare. Since I cannot see some of the stolen files in Google Image search (but can find the hotlinked pages on the 2 websites I found so far), I'm thinking I'll have to rename every file periodically, and use it to update my ALT text at the same time. It's a complete waste of time but I can't see any other solution at this point.

I have asked in a few communities, nothing really helpful has come from it. I think a lot of store owners don't check their images and don't know about this issue as a result. 

I'll keep digging around but I have half a mind to just ignore it, get a VA to do the renaming and ALT text updates, and focus on developing the store. It's a massive waste of time otherwise.

Shopify: You need to do something about this. It's not good enough to let bad actors steal your customers' IP and give no actionable steps to resolve it.

Ivanm
Excursionist
18 0 10

Update: I managed to get Cloudflare to work, and I have tested Geo-blocking with multiple people in different countries. It's working perfectly now. Users that click from a blocked country get a "you have been blocked" page, which is not exactly friendly. You can customise a page with a paid version but I'm ok with the generic page for now.

The issue most people encounter (myself included) is in the DNS settings. After setting it up you will still have an A record set to DNS Only, this means that traffic still goes to Shopify first and not CF, making it ineffective. To fix this, you need to delete the A record, create a CNAME record to shops.myshopify.com and set it to "Proxied". You will need to reach out to CF community to enable this. It's called Orange-to-Orange (O2O), more info can be found here.  
From what I understand, CF is more effective than apps like Blockify because it blocks traffic at the network level, stopping it before it reaches Shopify. This avoids reliance on JavaScript or Liquid code which is what the apps do, making it less vulnerable to circumvention via VPNs or proxies. Again, I am learning as I go here but this is what I understand so far.
My page load speed has increased dramatically too, it's ridiculously fast now.

Hotlink protection will not work since it's hosted on Shopify's CDN network. But preventing access to certain countries is a step towards making my site less visible, and hopefully prevent new scammers from stealing my images. 
Next, I'll look into ways to identify existing hotlinking, and if there's a way to prevent it. I am at a complete loss at the moment but I'll continue to ask in forums and expert groups. A significant number of my images are no longer searchable in Google image search, and I fear I am now taking an SEO hit due to de-indexing of these images. 

Shopify, feel free to chime in and help here.

sallytrace
Excursionist
32 2 15

I wish Shopify WOULD chime in. But to be fair, Shopify is not the only problem. I've been on a number of online venues to sell my art, and they all hold on to images and use them to promote their businesses, even when one no longer sells there. All are now victims of hotlinking by this cabal of scammer/thieves. There are new scammer sites every day. It's crazy that they get any Google exposure at all with the redirecting and the obvious scam nature of the websites, but it's way less now than last year. I believe there has to be a concerted effort of some kind to stop this bizarre assault by the bad actors. All venues online need to have a way to thwart hotlinking. There is no innocent reason to hotlink. I guess the bandwidth issue isn't egregious enough to get the big venues to do anything about it. So it's a user problem, not enough of a venue problem to get anything done about it.

Thanks for these updates Ivanm.

sallytrace
Excursionist
32 2 15

....it would be fabulous if Shopify took the lead on this issue. They could advertise that they are the only online selling platform that protects its users from malicious image hotlinking by scammers.

sallytrace
Excursionist
32 2 15

I think I've stumbled upon a way to rename image files without having to download/rename/upload and delete the old files. There is no point apparently in complaining about the ridiculous exposure we all have to criminal activity since no one seems to care.

Mandy67
Tourist
5 0 2

The last 6 months hotlinking images has got ridiculous, I'm going in and downloading, renaming and uploading images, but it is so time consuming.

Steve82
Explorer
54 0 65

That is only a temporary fix and will hurt in the long run. The offending sites use a bot to scrape the photos. They are constantly crawling sites. You are effectively playing whack a mole by changing the names.

Mandy67
Tourist
5 0 2

Yes realised, as soon as you rename more come and link to the new image.  It's never ending.  We're getting it everyday, 5 or 6 images, has been constantly for 6 months.  Wish Shopify would do something to help!!

Mandy67
Tourist
5 0 2

That's really interesting, I'm going to have a look into Cloudflare too.  Everyday our images are hotlinked, it's really disheartening.

Ivanm
Excursionist
18 0 10

Cloudflare seems to be doing the job with Orange-to-Orange (O2O) enabled, and the site is fully proxied through Cloudflare. 
These are the rules I applied:

https://webagencyhero.com/cloudflare-waf-rules-v3/

I'm still testing and monitoring so I can't be 100% certain just yet, but it is certainly showing hotlink attempts and when I proxy test to one of the offending sites that is hotlinking my images, it does get blocked. 

The other thing I am noticing is the insane amount of crawlers that were running rampant through my store, around 500 attempts every 24 hours get blocked now. These were slowing down my site more than the hotlinking issue.

Mandy67
Tourist
5 0 2

That's great, is cloudflare easy to set up with Shopify, for a non-techy person, don't want to mess anything up.

Ivanm
Excursionist
18 0 10

Sort of, I opened a ChatGPT thread to do it which was quite helpful. You just have to be a bit careful since ChatGPT can make mistakes, but it was good to use as a guide and think through each step. There's a ton of walkthroughs on YouTube as well. Amazingly, not one of them mentions enabling Orange-to-Orange (O2O) which is done by posting in the Cloudflare community (you'll see others making the same request). I hope this helps!

sallytrace
Excursionist
32 2 15

Thanks Ivanm, I'm trying to configure Cloudflare. I'm in over my head. I'm waiting for the nameservers to propagate. Fingers crossed I don't ruin anything.

If you have any suggestions such as how-to videos for non-programmers, that would be great.

Also I learned that Shopify now lets us rename our image files without having to download/upload.  We can do it in the Content>Files section, or in the Product page.  It does take time for the old images to disappear from the internet (overnight).  So far all the ones I did yesterday are gone.  This process is now much much faster.  Yes I know it's a hopeless task, but it's the only thing I could do during all of this mess.

sallytrace
Excursionist
32 2 15

Nope...renaming does NOT delete the original file. It no longer appears in our content>files pages, but it is still available to hotlinkers. If you do rename an image file and you want to delete the original file, you have to delete the file that you replaced it with.  Apologies if anyone took my bad advice above, I was mistaken.

Mandy67
Tourist
5 0 2

I've set up cloudflare, seems to be working fine.  How did you get the Orange-to-Orange enabled, can't seem to work it out, dns records won't let me turn it on.  Thanks