Avoid “Hotlink Protection” feature in cPanel 11.25, 11.26

In cPanel 11.25 and 11.26 (not tested earlier versions) when you add “Hotlink Protection” in cPanel it will add the appropriate mod_rewrite code to all domains, subdomains, add-on domains. It looks similar to this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://test-cpanel.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://test-cpanel.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.test-cpanel.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.test-cpanel.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

It actually checks for the line “RewriteEngine on” and does not add it a second time into the .htaccess which is smart… The problem comes when you remove hotlink protection.

cPanel goes through all domains, subdomains, add-on domains once again this time and removes the code but it removes all instances of “RewriteEngine On” in every .htaccess. The problem that comes with this is that if you’re running something such as WordPress, vBulletin, IPB, or any other script that uses mod_rewrite, as most do, suddenly all of your rewrite rules no longer work.

I contacted cPanel about this issue and the technician confirmed that this was a bug and this is what I got back:

Originally Posted by cPanel Tech

This is a known issue, there is already an internal bug report for it. I do not have an ETA for fix, or work around available at this time though unfortunately.

I responded back asking a simple curious question:

Originally Posted by MikeDVB

Is this not something that would have been caught in edge?

Their response (same technician):

Originally Posted by cPanel Tech

Unfortunately, management forbids me from giving out that information. When it was reported, what has been done already, when it will hit production releases, are all bits of info I cannot give out.

I sincerely apologize.

Now don’t get me wrong … I fully understand why a large organization would take such a stance on issues with their software, but that doesn’t stop me from disagreeing with this stance.

Being fairly irritated with this issue (and others in the past) that I have reported and seen it take 6+ months to resolve I responded with this:

Originally Posted by MikeDVB

So you’re telling me that you can tell me there is a bug, but to save cPanel any potential bad PR management forbids giving out this sort of information… I hope that they realize keeping people in the dark tends to lead to more negative PR than simply being straightforward and honest about what is or is not going on.

It seems to me that there is some serious disconnect between cPanel developers and the end-user. There have been numerous “new features” that have been nothing but trouble over the last year that have all made me scratch my head thinking “Why did they think this was a good idea? Did they test this at all?” cPanel is the king of control panels at this time but if things keep going the way they are going eventually somebody is going to develop a control panel that actually performs the way it should, is tested properly, where the developers have some sort of link with the end users.

What really baffles me is that when an issue is reported it can easily take 6 months or longer for that issue to be resolved, and that’s if it ever gets resolved… I’d venture to guess that your response if you were “allowed” to tell me would be something along the lines of “It was caught during edge however it’s not yet been fixed,” at least from what little and hollow response you did give me.

Now don’t get me wrong – I’m not making any sort of threats or bashing cPanel (intentionally). These are just my views on the subject.

The tech did go ahead and pass my message on to management:

Originally Posted by cPanel Tech

This will be forwarded to management for review.

Please allow up to 48 hours for reply.

I won’t be holding my breath.

Point of the story: be careful with “Hotlink Protection.”


Leave a Reply

Your email address will not be published. Required fields are marked *