Translations:Manual:Image authorization/41/en

But even better will be to also move the web server writable 'images' directory outside of the document root, renaming it to something unguessable (e.g. the MD5 hash of &lt;whatever&gt;) and streaming the images via 'img_auth.php', so that the real directory name never ever shows up.