I’ve written a new WordPress plugin to help protect uploaded images from being accessed just by guessing the URL.
Many cameras and smartphones number their images in a predictable format. For example, iPhones use the format
IMG_0001.jpg. If you include
IMG_0345.jpg in a blog post, an unsavory third party could start regularly trying to access
IMG_0346.jpg, attempting to view the image before you publish a post containing it.
Or, maybe you have a private blog that you only allow family members to read. Not all “private blog” plugins are able to require authentication to load images from
/wp-content/, so the same unsavory third party could just start guessing URLs like
/wp-content/uploads/2016/05/IMG_0001.jpg, hoping to eventually get a hit. 9,999 requests would enumerate every possible image from an iPhone for each month, almost definitely allowing an unauthorized person access to your photos.
The Unpredictable Image Filenames plugin for WordPress renames image files to a sufficiently unguessable name when you upload them. For example,
IMG_0345.jpg could end up as
IMG_0346.jpg could be renamed
A67C9CF9-0BB5-4FB4-AD03-DCB294F853EC.jpg. Try and guess that!
You can install Unpredictable Image Filenames from your WordPress admin plugins screen, download it from the .org plugins directory, or view the source on GitHub.