Translations:Manual:Image authorization/38/en

Even if you don't want to restrict access to your images, you might want to use the img_auth.php mechanism to avoid publicly accessible directories in which the web server has write permissions. Though a web-server-writable directory is not insecure in itself, it is the first half of a successful attack on your web server. The second half would be some exploitable (PHP) script, be it MW or, most likely, some other script. If the attacker can exploit the broken script to upload or generate another script intended to help with further attacks, spamming, etc., the attacker still needs a place to store that script, writable by the web server, and has one available and well known in the 'images' directory of MW standard installations.
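To see which directories under a document root match this description, the following added example (not part of MediaWiki) lists every directory the web server account may write to and any script files already stored there. The account's uid/gids, the extension list, and the constructed sample tree are assumptions; only classic permission bits are evaluated, not ACLs.

```python
import os, stat, tempfile

SCRIPT_EXTS = {".php", ".phtml", ".phar"}  # assumed: extensions the server might execute

def writable_by(st, uid, gids):
    """Evaluate owner/group/other write bits for the given account (ACLs ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_docroot(docroot, uid, gids=()):
    """Return [(relative_dir, [script files in it])] for each directory under
    docroot that the account identified by uid/gids may write to."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if writable_by(os.stat(dirpath), uid, set(gids)):
            scripts = sorted(f for f in files
                             if os.path.splitext(f)[1].lower() in SCRIPT_EXTS)
            findings.append((os.path.relpath(dirpath, docroot), scripts))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: writable images/ tree, read-only includes/ and root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images", "a"))
    os.makedirs(os.path.join(root, "includes"))
    for rel in (("images", "logo.png"), ("images", "a", "x.php")):
        open(os.path.join(root, *rel), "w").close()
    # Set modes last so the files above can still be created.
    for rel, mode in ((("images", "a"), 0o755), (("images",), 0o755),
                      (("includes",), 0o555), ((), 0o555)):
        os.chmod(os.path.join(root, *rel), mode)
    return root

if __name__ == "__main__":
    # Audits the sample tree as the current user; on a real host pass the
    # web server account's uid/gids and the actual document root instead.
    for rel, scripts in audit_docroot(build_sample_tree(), os.getuid()):
        print(f"writable: {rel}  scripts: {scripts or 'none'}")
```

Any directory reported here is both reachable through the web server and writable by it; a script file listed inside one deserves immediate review.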