Web Hosting Forum | Lunarpages


Author Topic: custom code for hot link protector?  (Read 3792 times)
MTR
Guest
« on: November 20, 2009, 06:10:57 AM »

I have tried using the hotlink before, does anyone find it a bit quirky?

I would mainly like to protect some zip files from being linked or entered directly into the address bar and downloaded..  There's also some html pages I would like protected so they can't be linked directly.

Yet I would like my jpg images available for myspace bulletins, etc..  is this possible?  Seems if I block some links I wind up blocking everything..
« Last Edit: November 22, 2009, 02:00:39 PM by MTR » Logged
MrPhil
Berserker Poster
*****
Offline Offline

Posts: 5083



« Reply #1 on: November 20, 2009, 09:11:13 AM »

The cPanel "Hotlink Protection" is set up very simply. You will need to modify it manually to do anything useful. The general pattern for a hotlink entry in .htaccess is:
Code:
RewriteEngine on
 ...
# hotlink protection and allowed list
# don't forget to add https: for any with SSL
## uncomment following line to PERMIT direct browser access of image files
#RewriteCond %{HTTP_REFERER} !^$ 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com(/)?.*$     [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?lunarforums\.com(/)?.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?someother\.org(/)?.*$   [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]
 ...
The RewriteConds form the whitelist of sites permitted to access the protected files. Be sure to add your site, including any subdomains and add-on domains. In the above examples, domains both with and without "www." are covered. Any domain listed in the whitelist is exempted from the following test(s).

Then come the RewriteRule(s). They are applied to any site (domain) not in the whitelist. In this case, it's specifying 5 kinds of image file extensions (case insensitive... NC flag used) that are forbidden to be accessed. In your case, you could remove "jpg" from the list and add "zip" if you want. You are free to give more complex matching patterns ("regular expressions") so that only specific directories would be covered, or different file extensions. You can give multiple RewriteRules if you want to (such as a rule too complex to write in a single regular expression). Each will be applied separately.

If your needs are very complex, with different whitelists for different kinds of files, you could repeat the whole set of RewriteCond and RewriteRules, customizing each for the different situations (which domains allowed, and what directories and/or files to forbid access to for any domain not allowed).
Logged
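An added check, not part of MrPhil's post: the sketch below uses Python's `re` module as a stand-in for mod_rewrite's regex matching and compares the whitelist pattern from the post with a tightened variant on constructed Referer values. Because the posted pattern ends in `(/)?.*$`, nothing marks where the host name stops; the tightened pattern, the function names and the sample URLs are assumptions for illustration.

```python
import re

# Whitelist pattern exactly as posted (the [NC] flag becomes re.IGNORECASE).
POSTED = r"^http://(www\.)?mydomain\.com(/)?.*$"
# Assumed tightening (not from the thread): accept http or https, an optional
# port, and require the host name to end at "/" or at the end of the string.
TIGHT = r"^https?://(www\.)?mydomain\.com(:[0-9]+)?(/|$)"

def whitelisted(pattern: str, referer: str) -> bool:
    """True when the Referer matches, i.e. the negated RewriteCond is false."""
    return re.search(pattern, referer, re.IGNORECASE) is not None

def compare(referers):
    """Return {referer: (posted_result, tight_result)} for each sample."""
    return {r: (whitelisted(POSTED, r), whitelisted(TIGHT, r)) for r in referers}

# Constructed sample values; none are taken from real traffic.
SAMPLES = [
    "http://mydomain.com/gallery.html",
    "http://WWW.MyDomain.com",
    "https://www.mydomain.com/gallery.html",        # SSL page on the same site
    "http://mydomain.com.other.example/page.html",  # different host, same prefix
    "http://other.example/?from=http://mydomain.com/",
    "",                                             # no Referer header sent
]

if __name__ == "__main__":
    for ref, (posted, tight) in compare(SAMPLES).items():
        print(f"{ref!r:52} posted={posted!s:5} tight={tight}")
```

The Referer header is supplied by the client, so either pattern only discourages casual hotlinking and is not access control for the files.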

MTR
Guest
« Reply #2 on: November 22, 2009, 01:17:00 PM »

...
« Last Edit: February 17, 2010, 01:39:17 PM by MTR » Logged
MrPhil
« Reply #3 on: November 22, 2009, 05:11:25 PM »

Try this:
Code:
RewriteEngine On

# whitelist my own site... restrictions don't apply to it
RewriteCond  %{HTTP_REFERER} !^http://(www\.)?moshpittragedy\.com(/)?.*$     [NC]
# *.zip file access send to moshpittragedy.com/index.html
RewriteRule  .*\.zip$  /index.html  [NC]

# whitelist my own site... restrictions don't apply to it. exempt /index.html
RewriteCond  %{HTTP_REFERER} !^http://(www\.)?moshpittragedy\.com(/)?.*$     [NC]
RewriteCond  %{REQUEST_URI}  !^/index\.html$  [NC]
# all other *.html or *.shtml send to /index.html
RewriteRule  .*\.s?html$  /index.html  [NC]

It ought to be pretty close to that... might need some tweaking. If someone adds some junk after .zip or .html or .shtml, I don't know if it will catch that. If not, you're probably safe removing the $ in the RewriteRules.
Logged

MTR
Guest
« Reply #4 on: November 22, 2009, 09:21:19 PM »

...
« Last Edit: February 17, 2010, 01:39:43 PM by MTR » Logged
MrPhil
« Reply #5 on: November 23, 2009, 12:32:52 PM »

If page access is being blocked by the hotlink protection code, that would suggest that the files are being requested by some domain other than moshpittragedy.com or www.moshpittragedy.com. Do you have any subdomains or add-on domains involved? If so, they need to be listed in the whitelist. Did you cut and paste the code I gave into your .htaccess, or did you retype it? If retyped, have you double checked that you made no typing errors and you didn't change anything? Is there anything after the .html (or .shtml) extension, such as #label or a URL Query String? Are you using SEO where the .html files are being redirected to .php?
Logged

MTR
Guest
« Reply #6 on: November 23, 2009, 10:17:42 PM »

....
« Last Edit: February 17, 2010, 01:39:57 PM by MTR » Logged
MrPhil
« Reply #7 on: November 24, 2009, 06:57:21 AM »

Quote
Also, does it matter what setting is on in the control panel?

What setting? Which control panel (cPanel, Plesk, LPCP)? If you click the "Hotlink Protection" button in cPanel, it will add code to the .htaccess file similar to what I showed in my first post. Look at your entire .htaccess file and make sure it doesn't have anything left over from using the control panel.
Logged

MTR
Guest
« Reply #8 on: November 24, 2009, 08:15:12 AM »

...
« Last Edit: February 17, 2010, 01:40:14 PM by MTR » Logged
MrPhil
« Reply #9 on: November 25, 2009, 07:04:44 AM »

I leave the price at $0.00 and click Proceed. I get to the download page and click DOWNLOAD. Next, a dialog pops up asking me if I want to save or open this zip file. I didn't proceed beyond that -- are you saying you don't get to this point?

What browser are you using? Have you tried it on a different browser (say, Firefox 3.5 instead of IE8)? Did you remove all traces of the other redirect code? If you want to post your .htaccess here, or PM it to me, I could look at that file. Be sure to remove any account names or other sensitive information. Do you have .htaccess file(s) in any other directory? They might be blocking your access. Have you cleared your browser cache to be sure that you're getting a fresh copy from the server?

-- Charlie Brown
Logged

MTR
Guest
« Reply #10 on: November 25, 2009, 10:09:08 AM »

...
« Last Edit: February 17, 2010, 01:40:32 PM by MTR » Logged
MrPhil
« Reply #11 on: November 25, 2009, 12:15:31 PM »

Quote
There is another htaccess file in the first directory (not the public folder, the one before that)
I don't understand. Is this an add-on domain? public_html/ is the highest directory that you can have an .htaccess file in.

Quote
When you leave it on 0.00 and select proceed, it is putting moshpittragedy.com in the iframe instead of the proper html file.
Is this only for the 0.00 price, or does it fail the same way for other prices? Do you have a </form> tag at the end of your form? I don't see why the form itself would behave any differently, so it must be within /order.php -- does it treat a price of 0 differently from other prices? When you say "when I try to link from an info page (info-arrestum.shtml) to a download page (dl-arrestum.html)", is this a regular <a href= link, or something else?

Please post (or PM to me) all your .htaccess files (and tell me where they are located), after removing any sensitive information such as account names. Is moshpittragedy.com your primary domain or an add-on?
Logged

MTR
Guest
« Reply #12 on: November 25, 2009, 12:52:12 PM »

...
« Last Edit: February 17, 2010, 01:40:54 PM by MTR » Logged
MrPhil
« Reply #13 on: November 27, 2009, 12:48:41 PM »

Sorry for not getting back to you sooner, but I've been trying to figure out what's going on. First of all, you say you cut and pasted the .htaccess code I gave you, and didn't "fix" anything, right? All the old hotlink code you showed above is gone, right? You're not seeing any evidence of moshpit-tragedy.com or windsorpunk.com, and you've checked that all your links in your various pages no longer use those names anywhere, right? I'm a bit worried when you say that you see these domain names popping up once in a while. There are no subdomains or add-ons involved, just moshpittragedy.com or www.moshpittragedy.com? (I'm not going to even ask where a name like that came from! I know more or less what a mosh pit is, and what a tragedy is...)

Now, if I understand what you're saying, the problem is that *.html files on your own site are being blocked? You've mentioned .php files -- are any of them blocked, or is it just .html? Can you give an example of a link on your own site that's being blocked (the full URL that you see on the browser status line)?

I don't use frames or iframes myself, but I'm wondering if they do something odd to the HTTP_REFERER address? Just for fun, add RewriteCond  %{HTTP_REFERER}  !^$ just ahead of the existing RewriteCond lines (both of them). Maybe the iframes are making it look like the request is coming in directly from the browser command line, rather than from your site?

Code:
RewriteEngine On

# whitelist my own site... restrictions don't apply to it
RewriteCond  %{HTTP_REFERER} !^$
RewriteCond  %{HTTP_REFERER} !^http://(www\.)?moshpittragedy\.com(/)?.*$     [NC]
# *.zip file access send to moshpittragedy.com/index.html
RewriteRule  .*\.zip$  /index.html  [NC]

# whitelist my own site... restrictions don't apply to it. exempt /index.html
RewriteCond  %{HTTP_REFERER} !^$
RewriteCond  %{HTTP_REFERER} !^http://(www\.)?moshpittragedy\.com(/)?.*$     [NC]
RewriteCond  %{REQUEST_URI}  !^/index\.html$  [NC]
# all other *.html or *.shtml send to /index.html
RewriteRule  .*\.s?html$  /index.html  [NC]

If that doesn't do it, I'm all out of ideas (unless you have additional information).
Logged
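The two rule sets from this thread (Reply #3, and Reply #13 with the extra `!^$` condition), modelled in Python as an added example that is not code from the thread. It evaluates the RewriteCond chains for constructed requests and stops at the first rule that fires, which is a simplification of mod_rewrite's real processing; `rewrite`, `decision_table` and the `/music` and `/images` paths are hypothetical.

```python
import re

# Own-site Referer pattern as posted in the thread.
OWN_SITE = r"^http://(www\.)?moshpittragedy\.com(/)?.*$"

def cond(test_value: str, pattern: str) -> bool:
    """One RewriteCond with [NC]; a leading '!' negates the match."""
    negate = pattern.startswith("!")
    body = pattern[1:] if negate else pattern
    return (re.search(body, test_value, re.IGNORECASE) is not None) != negate

def rules(permit_empty_referer: bool):
    """(RewriteRule pattern, [(variable, CondPattern), ...]) in file order."""
    empty = [("HTTP_REFERER", "!^$")] if permit_empty_referer else []
    not_own = [("HTTP_REFERER", "!" + OWN_SITE)]
    return [
        (r".*\.zip$", empty + not_own),
        (r".*\.s?html$", empty + not_own + [("REQUEST_URI", r"!^/index\.html$")]),
    ]

def rewrite(uri: str, referer: str, permit_empty_referer: bool) -> str:
    """Return the path served: the original URI, or /index.html if a rule fires."""
    env = {"HTTP_REFERER": referer, "REQUEST_URI": uri}
    for rule_pattern, conds in rules(permit_empty_referer):
        if not re.search(rule_pattern, uri.lstrip("/"), re.IGNORECASE):
            continue  # in .htaccess the rule sees the path without its leading slash
        # RewriteConds are ANDed: the rule fires only if every one is true.
        if all(cond(env[var], pat) for var, pat in conds):
            return "/index.html"
    return uri

# Constructed requests: (path, Referer header).
REQUESTS = [
    ("/music/album.zip", "http://www.moshpittragedy.com/info-arrestum.shtml"),
    ("/music/album.zip", "http://other.example/links.html"),
    ("/music/album.zip", ""),    # typed into the address bar, or Referer not sent
    ("/dl-arrestum.html", ""),
    ("/index.html", "http://other.example/links.html"),
    ("/images/cover.jpg", "http://other.example/links.html"),
]

def decision_table():
    """Map each request to (result under Reply #3, result under Reply #13)."""
    return {req: (rewrite(*req, False), rewrite(*req, True)) for req in REQUESTS}

if __name__ == "__main__":
    for (uri, ref), (reply3, reply13) in decision_table().items():
        print(f"{uri:20} referer={ref!r:52} #3 -> {reply3:18} #13 -> {reply13}")
```

The rows with an empty Referer show the trade-off: the `!^$` condition stops the rules from firing when the browser sends no Referer, so those requests are served, including a .zip URL entered directly.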

MTR
Guest
« Reply #14 on: November 27, 2009, 04:15:10 PM »

...
« Last Edit: February 17, 2010, 01:41:10 PM by MTR » Logged