So you've enabled cpanel's hotlink protection, but those bandwidth theives are still attacking your dynamically generated images. And while we've seen protecting the entire .php extension fix this issue, we have seen cases where it causes problems with the site.
If you need to hotlink protect a single file, you'll want to add the following to the end of your .htaccess. Or if you're having trouble, rename your old .htaccess and start with a blank one for testing, and you can add the other .htaccess info back in once you've secured this issue.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?yourdomain.com/.*$ [NC]
RewriteRule image.php$ - [F]
Obviously, you'll want to change yourdomain.com to your actual domain. If there are other domains (parked domains for example or froogle) that should have access, add more lines for those domains as well, using the same syntax.
Then you'll change image.php to the actual name of your php file that generates images. Note that in most cart systems, storing images in the database as php actually can cause your site to load more slowly, since the system has to do a database query for each image. If you can store the images in the file system, we recommend it :).