Allow own domain and googlebot only on images

         

jcmiras

6:04 am on Jun 12, 2008 (gmt 0)

10+ Year Member



I just need your expertise, guys and gals, on my problem. I want to protect my images from hotlinking and downloads; however, I also want these images to appear in Google image search. Do you think this code will work?

SetEnvIfNoCase Referer "^http://(www.)?mydomain.com" spam_ref=1
SetEnvIfNoCase Referer "^http://(www.)?google.com" spam_ref=2
<FilesMatch "(.*)">
order deny,allow
deny from all
Allow from env=spam_ref
</FilesMatch>

Thanks.

jdMorgan

1:53 pm on Jun 12, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You need to fix the <FilesMatch> pattern, because with the wildcard you're using there, access to *all* resources on your site will be denied unless the referrer is google.com or your own site.

Also, be aware that anyone typing-in your URL or clicking on a link created by JavaScript will not send a referrer. Therefore, you need to allow blank referrers as well.

Jim

jcmiras

12:06 am on Jun 14, 2008 (gmt 0)

10+ Year Member



Actually, that's what I want: only my website and Google can hotlink images. However, my fear is whether google.images bots and referrals can still access my images. I want those bots to access my images so that my images will still appear in image search results. Thanks.

jdMorgan

12:36 am on Jun 14, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK, so it doesn't bother you that your code will block everyone else (such as 'users') from fetching any pages on your site? This negates any advantage of being listed in search engines, or of having the site on-line for that matter.

I'm just hoping that you put that code into an image subdirectory, and didn't mention that fact here. Otherwise, the answer to your original question is, "No, that code will completely block access to everything on your site, except for accesses by googlebot and referrals from your own domain. But those own-domain referrals will never happen, because it will be impossible to initially enter your domain with that code in place."

If you have not seen that behavior, be sure to completely-flush your browser cache before starting a test run.

You should always flush your cache before testing any change to your server config, and flush it again after changing any aspect of the request that your code tests for. For example, flush cache, check that image displays on your own pages, flush cache, check that image does not appear on hotlinking page. If you don't flush your cache, then your browser will show the image in both cases, because you've allowed the image to be cached from the successful on-site request, and without a cache flush, the browser will use that cached image, and display it on the hotlinking page as well.

Jim

jcmiras

3:27 am on Jun 14, 2008 (gmt 0)

10+ Year Member



I am sorry Jim, I forgot to tell everyone that the .htaccess containing this code will be put on the image directory and not on the root directory.

jdMorgan

4:20 pm on Jun 14, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



In that case, we can go into more detail. :)

Referrers should always be all-lowercase, and I'd be very suspicious of one that wasn't.

All literal periods in regular-expression patterns should be escaped.

If you want to protect all files, then there is no need for the FilesMatch container.

You also will want to allow blank referrers, because a good number of legitimate requests will not come with a Referer header due to browser and/or "security software" settings, and the settings of caching proxies in the client's ISP network, e.g. AOL and Earthlink.

While allowing blank referrers opens a "hole" in the hotlink protection, it is one we must accept in order to prevent blocking many legitimate client requests.

Taking all that into account:


SetEnvIf Referer "^http://(www\.)?mydomain\.com" spam_ref=1
SetEnvIf Referer "^$" spam_ref=3
SetEnvIf Referer "^http://(www\.)?google\.com" spam_ref=2
#
Order deny,allow
Deny from all
Allow from env=spam_ref

A style comment: I'm not sure why you chose the variable name "spam_ref" but I found it confusing. If the variable is set to a non-zero value, then that means the referrer is a good referrer, not a bad/spammer referrer. So, an "element of style" in coding is to select clear, descriptive variable names, both for yourself in the future, and for anyone who might inherit the site or use your code later. So, something like "RefererAllowed" might be more meaningful/accurate.

Jim
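
Added example (not part of the original thread or either poster's code): a small Python harness that runs constructed Referer values through the allow-list as first posted, as revised with escaped periods and a blank-referrer rule, and with an assumed extra end-of-host anchor, to show which requests each version would let through. The "anchored" patterns, the names `RULESETS`, `referer_allowed` and `compare`, and every sample Referer are assumptions made for the illustration.

```python
import re

# Three versions of the allow-list. SetEnvIf performs an unanchored regex
# search on the header value, which re.search reproduces for these patterns.
RULESETS = {
    # As posted in the question (SetEnvIfNoCase, periods unescaped).
    "question": (re.IGNORECASE, [
        r"^http://(www.)?mydomain.com",
        r"^http://(www.)?google.com",
    ]),
    # The reply's advice applied: case-sensitive, periods escaped, blank allowed.
    "escaped": (0, [
        r"^http://(www\.)?mydomain\.com",
        r"^$",
        r"^http://(www\.)?google\.com",
    ]),
    # Assumption, not from the thread: host must end at "/", ":" or end of string.
    "anchored": (0, [
        r"^http://(www\.)?mydomain\.com(?:[:/]|$)",
        r"^$",
        r"^http://(www\.)?google\.com(?:[:/]|$)",
    ]),
}

# Constructed Referer values; a request with no Referer header is modelled as "".
SAMPLES = [
    "http://www.mydomain.com/gallery.html",
    "",
    "http://www.google.com/imgres?imgurl=x",
    "http://images.google.com/imgres?imgurl=x",
    "http://wwwxmydomain.com/page.html",
    "http://mydomain.com.example.net/page.html",
    "http://forum.example.org/thread/42",
]

def referer_allowed(referer, ruleset):
    """True if any pattern matches, i.e. the environment variable would be set."""
    flags, patterns = RULESETS[ruleset]
    return any(re.search(p, referer, flags) for p in patterns)

def compare(samples=SAMPLES):
    """Map each referer to (question, escaped, anchored) allow decisions."""
    return {r: tuple(referer_allowed(r, name) for name in RULESETS) for r in samples}

if __name__ == "__main__":
    for referer, decisions in compare().items():
        print(f"{referer or '(blank)':45} {decisions}")
```

In this run the constructed `images.google.com` referrer is rejected by all three versions, because each pattern only admits `google.com` with an optional `www.` prefix.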

jcmiras

1:57 am on Jun 15, 2008 (gmt 0)

10+ Year Member



Thanks, Jim, for this. By the way, sorry for the choice of variables. As you noticed, I'm new to .htaccess scripting; I just recycled this code from what I researched on the internet, trying to do the specific job that I need.