Don’t want images searchable

  • Hi!
    I’ve looked for this question, but haven’t found it asked.

    Basically what I want to accomplish is to have my images protected so that no one can find it by entering the exact URL to that image. I have used “members only” “private plus,” and “registered users only” plugins. No one can access the images directory if they enter, say, “http://www.fakesite.com/Imagedirectory,” but if they enter “http://www.fakesite.com/Imagedirectory/photo.jpg,” it shows up. I have tried this myself by logging out, clearing out my cache/cookies, and every time I enter the URL to the image itself, it comes up.

    I’m sure there’s an easy solution to this – suggestions?

  • whooami

    @whooami

    Member

    there isn’t an easy solution, because what you want isn’t really feasible.

    …but if they enter “http://www.fakesite.com/Imagedirectory/photo.jpg,

    In a nutshell, that’s how the internet works.

    you could write a convoluted script that loaded images using some random hash and checked referers, and only let you show it if the referer was coming from a particular page, but since lots of people block referers…

    you could load all your images inside a flash object, and try to obfuscate the path to the actual images. Anyone with a method for decompiling your object(s) and some basic actionscript knowledge can bypass that though..

    you could password protect the directory all your images are in, but that would break your own links to them.

    Everything placed in a web accessible directory, has a corresponding url attached to it that makes it able to be called up in a browser.

    That’s one of the items mentioned in this article:

    http://www.hongkiat.com/blog/40-most-wanted-wordpress-tricks-and-hacks/

    whooami

    @whooami

    Member

    hotlinking isn’t what the OP is describing.

    there isn’t an easy solution, because what you want isn’t really feasible.

    …but if they enter “http://www.fakesite.com/Imagedirectory/photo.jpg,

    In a nutshell, that’s how the internet works.

    you could write a convoluted script that loaded images using some random hash and checked referers, and only let you show it if the referer was coming from a particular page, but since lots of people block referers…

    you could load all your images inside a flash object, and try to obfuscate the path to the actual images. Anyone with a method for decompiling your object(s) and some basic actionscript knowledge can bypass that though..

    you could password protect the directory all your images are in, but that would break your own links to them.

    Everything placed in a web accessible directory, has a corresponding url attached to it that makes it able to be called up in a browser.

    I had hoped that unless you were a registered/logged-in user the image would not show up, especially considering my images are in the wp-content folder. Is there not a way to block anyone but registered users from seeing the image?

    There are other options… Apache has a few types of authorization mechanisms. mod_auth_* Obviously you have indexing turned off for the directory. You can also protect it using simple authentication… the credentials which could be provided to the browser on login. I believe WordPress uses a cookie authentication, but I don’t know if there’s a corresponding .htaccess directive to apply it to files in a directory.

    Or you could block access to anything in the directory (or even keep it outside the public tree), and instead use a helper php function which (after authentication just like any of the other php files) reads the jpeg from the filesystem and outputs it to the browser. That would impose some additional server load, of course. All your image links would need to be http://fakesite.com/getprotectedimage.php?directory/secretjpeg.jpg
    or with rewritten URLs you could make it look like http://fakesite.com/protectedimages/directory/secretjpeg.jpg

    I don’t really know if there is a plugin that already does anything like this… but you can probably find tons of example code that outputs JPEGs, it’s pretty simple. But if you can do it with Apache checking the authorization, that would be cleaner and less resource intensive.
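
The helper-script approach described in the post above, as an added example that is not part of the original thread. It assumes the script sits in the WordPress root beside wp-load.php and that the images live in a hypothetical directory outside the public tree; the PROTECTED_DIR path and the extension list are illustrative.

```php
<?php
// getprotectedimage.php -- added example, not code from the thread.
// Assumptions: this file sits in the WordPress root next to wp-load.php, and the
// images live in PROTECTED_DIR, a hypothetical directory outside the public tree.

require __DIR__ . '/wp-load.php';   // boots WordPress so its login cookie is validated
const PROTECTED_DIR = '/var/www/private-images';   // hypothetical path

// Only these extensions are served, each with a fixed Content-Type.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

// 1. Same check the rest of the site performs: a valid WordPress session.
if ( ! is_user_logged_in() ) {
    status_header( 403 );
    exit( 'Login required.' );
}

// 2. The post's URL form puts the relative path in the query string:
//    getprotectedimage.php?directory/secretjpeg.jpg
$requested = rawurldecode( $_SERVER['QUERY_STRING'] ?? '' );

// 3. Resolve symlinks and "../" first, then require the result to stay inside
//    PROTECTED_DIR, so the script cannot be used to read arbitrary files.
$base = realpath( PROTECTED_DIR );
$path = realpath( $base . '/' . $requested );
if ( $base === false || $path === false
    || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0
    || ! is_file( $path ) ) {
    status_header( 404 );
    exit( 'Not found.' );
}

// 4. Refuse anything that is not an allowed image type.
$ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
if ( ! isset( ALLOWED_TYPES[ $ext ] ) ) {
    status_header( 404 );
    exit( 'Not found.' );
}

// 5. Send the bytes; keep shared caches from storing a members-only image.
header( 'Content-Type: ' . ALLOWED_TYPES[ $ext ] );
header( 'Content-Length: ' . filesize( $path ) );
header( 'Cache-Control: private, no-store' );
header( 'X-Content-Type-Options: nosniff' );
readfile( $path );
```

Every image request now loads WordPress before any bytes are sent, which is the additional server load the post mentions.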

    not sure where my very latest post went, but it went something like this:

    Thanks so much everyone for your suggestions – it is truly appreciated. I am still confused, however, as to why someone who has not registered with my site is still able to view an image that is stored within a directory (wp-content) that has been set up to be viewed only by logged in, registered viewers. If anyone could shed light on this for me I would be most appreciative!

    Anita.

    Moderator Samuel Wood (Otto)

    @otto42

    WordPress.org Tech Dude

    Because you’re checking that they are registered to WordPress when they view the site itself. You’re not checking that they are registered to WordPress when they pull an image from the webserver.

    There are multiple types of authentication, and you’re confusing them.

    I wonder if I passworded the photos directory which was the same password for registered readers to log into the site – would that work?

    whooami

    @whooami

    Member

    no it wouldn’t, not nicely, at least, because you would not be using the same authentication scheme — they would have to “login” twice.

    You’re wasting energy on this, honestly.

    There are TWO graceful methods of doing what you want: you embed whatever you’re trying to keep ppl out inside a flash object (which just so you know won’t stop everyone — you CAN decompile flash, and you can still take screenshots) or you use another script to handle the loading of the images.
