Harassed by License Proof Bots

Harassed by “License Proof” Bots? Here’s What’s Going On

If you’ve ever received an email demanding that you “prove your image is licensed” — even when you know you got it from a legitimate source like Canva or Shutterstock — you’re not alone.

Over the past few years, so-called copyright enforcement bots have been crawling websites, grabbing image URLs, and sending automated notices. Some are genuine rights-management systems, but many are run by copyright trolls — companies or individuals who mass-email site owners hoping to scare them into paying unnecessary “settlement” fees.

Why does this happen?

  • Bots scrape millions of sites without verifying if the image was legitimately purchased.
  • They target images that might belong to stock libraries, even if you have the license.
  • Older images (bought years ago) are common targets because trolls assume you’ve lost your receipt.

The Canva Connection

If your images came from Canva, you already hold a license, granted at the time of download (especially with Pro). Canva does not retroactively revoke standard licenses, so if an email appears to be from them asking for extra payment, it’s suspicious.

How to handle these demands

  1. Don’t panic — automated emails are not court orders.
  2. Verify the sender — genuine notices will come from official domains, not Gmail or random URLs.
  3. Gather your proof — find your original download receipts or license confirmation.
  4. Don’t click links in the email until you confirm it’s legitimate.
  5. Consider blocking scrapers — use .htaccess rules or a CDN firewall to deter bots that target your site.

Block the bots

Legitimate copyright protection is fine — but shady bots sending blanket “prove it” demands are becoming a nuisance. Protect your assets, keep your licenses, and don’t let trolls intimidate you into paying for something you already own.

# =========================================
# Block image-licensing scrapers & hotlinkers
# Apache 2.4+  |  Drop-in .htaccess
# Replace yourdomain\.com (escape the dot!)
# =========================================
<IfModule mod_rewrite.c>
RewriteEngine On
# ------- SCOPE: Images in /wp-content/uploads
# (A+B) Kill empty/fake UAs or generic scraper UAs hitting images,
#       unless they're whitelisted (C).
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/ [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_USER_AGENT} ^\s*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-?$ [OR]
RewriteCond %{HTTP_USER_AGENT} (bot|spider|crawl|crawler|checker|scanner|scrape|scraper|analy[sz]er|httpclient|headless|fetch|seo) [NC]
# (C) Whitelist: search-engine and social-preview crawlers are exempt from (A+B)
RewriteCond %{HTTP_USER_AGENT} !googlebot|googlebot-image|bingbot|bingpreview|duckduckbot|yandex|baiduspider|applebot [NC]
RewriteCond %{HTTP_USER_AGENT} !facebookexternalhit|twitterbot|slackbot|linkedinbot|discordbot|pinterestbot [NC]
RewriteRule \.(?:jpe?g|png|gif|webp|avif|svg)$ - [F,L]
# (D) Block HEAD requests to images (limit to uploads to avoid false positives)
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/ [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_METHOD} HEAD
RewriteRule \.(?:jpe?g|png|gif|webp|avif|svg)$ - [F,L]
# (E) Hotlink protection (allow your site/CDN & empty referrers)
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/ [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{HTTP_REFERER} !^$ 
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?yourdomain\.com/ [NC]
# If you use a CDN, uncomment and edit the next line:
# RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?cdn\.yourdomain\.com/ [NC]
RewriteRule \.(?:jpe?g|png|gif|webp|avif|svg)$ - [F,L]
# (F) Block common CLI/scan tools site-wide
RewriteCond %{HTTP_USER_AGENT} (curl|wget|python-requests|Go-http-client|HTTrack|libwww|apachebench|nikto|sqlmap) [NC]
RewriteRule ^ - [F,L]
</IfModule>
# (G) Referrer blacklist (works even if rewrite is skipped earlier)
<IfModule mod_setenvif.c>
    SetEnvIfNoCase Referer "semalt|sitechecker|crawler|scanner" bad_ref=1
</IfModule>
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not env bad_ref
    </RequireAll>
</IfModule>

How to Use This .htaccess Snippet to Block Image-Licensing Scrapers

The .htaccess snippet above helps block common image-scraping bots, stop hotlinking, and filter out obvious bad actors — while allowing search engines and social media previews to keep working.

Step 1: Back Up First

Before changing .htaccess, download a copy from your server so you can restore it if something goes wrong.

Step 2: Edit Your .htaccess File

  1. Connect to your site via FTP or your hosting control panel’s file manager.
  2. Find .htaccess in your site’s root folder (where wp-config.php is for WordPress).
  3. Open it in a plain text editor.

Step 3: Paste the Snippet

  • Scroll to the very top or bottom of the file.
  • Paste the snippet exactly as given.
  • Replace every yourdomain\.com with your actual domain name (escape the dot with a backslash).
    • Example: mywebsite.com → mywebsite\.com
  • If you use a CDN (like Cloudflare, BunnyCDN), uncomment the CDN line and replace cdn\.yourdomain\.com in it with your CDN subdomain (dots escaped the same way).

Step 4: Save and Upload

Save the file and upload it back to your server, overwriting the old .htaccess.

Step 5: Test Your Site

  • Visit your site and check that images still load normally.
  • Test a Google search preview or share a page on Facebook/Twitter to confirm previews still work.

Step 6: Monitor Logs

After a few days, check your server access logs to see the difference. You should notice fewer suspicious bots hitting your /wp-content/uploads/ folder.
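To support Steps 5 and 6, here is an added example (not part of the original snippet): a Python model of the snippet's rules, replayed over access-log lines to show which requests each rule would refuse. The domain example.com, the rule labels returned, and the sample log lines are assumptions made for illustration; Apache's -f file-exists check is not modelled.

```python
import re
from collections import Counter
# Apache "combined" log line: ... "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} \S+ '
                    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
# Patterns copied from the snippet; its RewriteRule has no [NC], so ".JPG" is not covered.
IMAGE = re.compile(r"(?i:^/wp-content/uploads/).*\.(?:jpe?g|png|gif|webp|avif|svg)$")
GENERIC = re.compile(r"bot|spider|crawl|crawler|checker|scanner|scrape|scraper|"
                     r"analy[sz]er|httpclient|headless|fetch|seo", re.I)
ALLOWED = re.compile(r"googlebot|googlebot-image|bingbot|bingpreview|duckduckbot|yandex|"
                     r"baiduspider|applebot|facebookexternalhit|twitterbot|slackbot|"
                     r"linkedinbot|discordbot|pinterestbot", re.I)
TOOLS = re.compile(r"curl|wget|python-requests|Go-http-client|HTTrack|libwww|"
                   r"apachebench|nikto|sqlmap", re.I)
BAD_REF = re.compile(r"semalt|sitechecker|crawler|scanner", re.I)
OWN_REF = re.compile(r"^https?://([^.]+\.)?example\.com/", re.I)  # assumption: your domain

def classify(method, path, ref, ua):
    """Label of the first snippet rule that would answer 403, else None."""
    ref, ua = ("" if v == "-" else v for v in (ref, ua))  # Apache logs an absent header as "-"
    image = bool(IMAGE.search(path.split("?", 1)[0]))     # the -f file check is not modelled
    if image and (not ua.strip() or GENERIC.search(ua)) and not ALLOWED.search(ua):
        return "A+B"
    if image and method == "HEAD":
        return "D"
    if image and ref and not OWN_REF.search(ref):
        return "E"
    if TOOLS.search(ua):
        return "F"
    return "G" if BAD_REF.search(ref) else None

def audit(lines):
    """Count (rule, user-agent) for each logged request the snippet would refuse."""
    hits = Counter()
    for m in filter(None, map(LOG_RE.search, lines)):
        rule = classify(m["method"], m["path"], m["ref"], m["ua"])
        if rule:
            hits[rule, m["ua"]] += 1
    return hits

# Constructed sample requests (documentation IP, made-up hosts and scraper name).
FMT = '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "{} {} HTTP/1.1" 200 512 "{}" "{}"'
BROWSER, IMG = "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0", "/wp-content/uploads/2024/hero.jpg"
SAMPLE = [FMT.format(*row) for row in [
    ("GET", IMG, "https://example.com/about/", BROWSER),      # own page: allowed
    ("GET", IMG, "-", "ImageRightsChecker/1.0"),              # generic scraper UA
    ("HEAD", IMG, "-", "Twitterbot/1.0"),                     # whitelisted UA, still hits (D)
    ("GET", IMG, "https://forum.other.example/t/1", BROWSER),  # hotlink from another site
    ("GET", "/", "-", "curl/8.5.0"),                          # e.g. your own uptime check
    ("GET", "/blog/", "https://semalt.example/", BROWSER)]]   # referrer spam
print(*sorted(audit(SAMPLE).items()), sep="\n")
```

Pass `audit()` the lines of a real access log from before the snippet was installed to spot false positives, such as your own curl-based monitoring or a preview service that sends HEAD requests, and run it again afterwards to compare for Step 6.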

Tip:

This snippet blocks the most common scrapers and referrer spam, but determined bots can spoof their identity. Pair this with a CDN firewall (like Cloudflare Bot Fight Mode) for stronger protection.