hide/protect original full-size images

I was hoping it would be possible to save original images to a separate directory from the resized images so that they could be safely hidden, but this seems to be too difficult.

So I am now asking if there are any ways of protecting original full-size images from the public while still allowing them to view the resized images.

I’m not talking about hiding/protecting images on screen, but rather ways of giving original images unguessable URLs or some such scheme to stop them from possibly being downloaded.

i.e.

uploads/my_image-200x200.jpg (given this url)

uploads/my_image.jpg (this url can be easily worked out)

6 comments

  1. I was looking for a way to do this and found this page… then I thought of putting this in a .htaccess file in the WordPress uploads folder and it works for me so far… any good?

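    # Deny direct access to every .jpg file in this folder
    <FilesMatch "\.jpg$">
        order allow,deny
        deny from all
    </FilesMatch>
    
    # Re-allow files whose name ends in a WxH size suffix (the resized copies)
    <FilesMatch "-[0-9]+x[0-9]+\.jpg$">
        order allow,deny
        allow from all
    </FilesMatch>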
    

    The first part denies access to all .jpg files and the second part searches for files with a size appended to the filename and allows access to those… you could also add directives for any other .jpg files that need to be viewable but all my other graphics are .png files so it’s not a problem for me.

  2. There’s only one thing I know for sure – your images will NEVER be secure if you display their thumbnails based on the real URL.

    But I have a few ideas, the first one looks great and should work for you. Mixing them together will make accessing your images much harder.

    Edit wp-includes/media.php file.

    Line 435:

    $suffix = "{$dst_w}x{$dst_h}";
    
    $info = pathinfo($file);
    $dir = $info['dirname'];
    $ext = $info['extension'];
    $name = wp_basename($file, ".$ext");
    

    Playing with $suffix and $name could do the thing, give it a try.

    E.g. changing $suffix to “something” will output thumbnail names as:

    uploads/my_image-something.jpg

    Still easy to guess, but what will happen when you add something before “my_image”? Something random + random jpgs names = seems pretty secure to me 🙂

    Use TimThumb.

    It creates thumbnails “on the fly”, eg. you have http://www.domain.com/myimage.jpg and you want to display 200×200 thumbnail, so you just put timthumb.php wherever you want and then write something like:

    <img src="timthumb.php?src=www.domain.com/myimage.jpg&h=200&w=200&zc=1" alt=""> 
    

    It’s not perfect but always harder than a plain link, especially when it comes to bot image harvesting.

    Use Watermark plugin.

    Probably the most “secure” option, especially when you create thumbnails before adding watermarks to the full size images.

  3. If you do not mind editing the WordPress core I found a few places that might be worth a look.

    Trolling through wp-admin/includes/media-upload.php led me to media_handle_upload() (line #186) and image_resize() (line #405 of wp-includes/media.php).

    media_handle_upload() deals with the media form submission.

    image_resize() handles at the very least the name of a resized image (e.g. filename.jpg resized to filename-200x200.jpeg).

    I also found wp_create_thumbnail() (line #23 of wp-includes/wp-admin/image.php) which has a filter of ‘wp_create_thumbnail’ called after the above mentioned image_resize() if you wanted to try to go the pluggable route.
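
As an added example (not code from any of the comments above), this Python sketch models the two FilesMatch rules from the first comment and lists which full-size files in an uploads folder they would still leave downloadable. The file names are constructed, and it assumes the parent server configuration allows access and that pattern matching is case-sensitive.

```python
import re

# FilesMatch patterns from the first comment (dots escaped). Assumption:
# applied to the file name as an unanchored, case-sensitive search.
DENY_JPG = re.compile(r"\.jpg$")
ALLOW_SIZED_JPG = re.compile(r"-[0-9]+x[0-9]+\.jpg$")

# WordPress-style resized name: "<base>-<W>x<H>.<ext>".
SIZED = re.compile(r"^(?P<base>.+)-[0-9]+x[0-9]+(?P<ext>\.[^.]+)$")


def served(name):
    """Access decision for one file under the two rules.

    Assumption: the enclosing server config allows access, so a file that
    matches neither section is served.
    """
    if ALLOW_SIZED_JPG.search(name):  # the later section overrides the first
        return True
    return not DENY_JPG.search(name)


def is_resized_copy(name, names):
    """True when `name` is a resized copy of another file in `names`."""
    m = SIZED.match(name)
    return bool(m) and (m.group("base") + m.group("ext")) in names


def exposed_originals(names):
    """Originals (not resized copies) that the rules still serve."""
    names = set(names)
    return sorted(n for n in names if served(n) and not is_resized_copy(n, names))


# Constructed sample of an uploads folder, for illustration only.
SAMPLE = [
    "my_image.jpg", "my_image-200x200.jpg",  # the case the rules target
    "holiday.JPG", "holiday-300x200.JPG",    # upper-case extension
    "scan.jpeg", "scan-150x150.jpeg",        # .jpeg is not .jpg
    "logo.png",                              # other image type
    "poster-1920x1080.jpg",                  # original named like a resize
]

if __name__ == "__main__":
    for name in exposed_originals(SAMPLE):
        print("still public:", name)
```

Running it against a real listing of the uploads folder shows which extensions and naming patterns need their own deny rule before the originals are actually covered.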