Note: The “Prevent Direct Image Access” setting is available in picu Pro version 2.5.0 and later.
By default, WordPress stores all uploaded files – including images uploaded to picu – in a publicly accessible folder on your server. This is standard WordPress behavior, but it means anyone who knows or can guess the direct URL of an image can view or download it, even without accessing the collection.
Prevent Direct Image Access changes this. When enabled, picu routes all image requests through a secure proxy. Instead of loading images directly, every image request is verified by picu first. If the visitor is not legitimately accessing the collection, the image is not served.
What this protects against
- Clients sharing direct image links with people who haven’t been given access to the collection
- Hotlinking – embedding your images on other websites directly from your server
- Casual downloading by copying image URLs from the browser
What this does not protect against
- Screenshots
- Visitors saving images via right-click (use the Disable Right Click setting for this)
- Someone sharing their collection access with others
How it works
When a visitor opens a collection, picu sets a secure cookie in their browser. When images are requested, picu verifies the cookie before serving the file. If no valid cookie is present, the request is rejected.
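A minimal sketch of the cookie gate described above, added here as an illustration and not picu's own code. The HMAC-signed cookie format, the cookie name `demo_collection_access`, the secret and the lifetime are all assumptions, since this page does not describe how picu builds or validates its cookie.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # assumption: server-side key, never sent to the browser
COOKIE_NAME = "demo_collection_access"  # hypothetical cookie name
COOKIE_TTL = 3600                       # assumption: lifetime in seconds


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(collection_id, now=None):
    """Issued when a visitor legitimately opens a collection (integer ID)."""
    expires = int(time.time() if now is None else now) + COOKIE_TTL
    payload = f"{int(collection_id)}.{expires}"
    return f"{payload}.{_sign(payload)}"


def cookie_allows(cookie, collection_id, now=None):
    """True only for an untampered, unexpired cookie issued for this collection."""
    parts = (cookie or "").split(".")
    if len(parts) != 3:
        return False
    cid, expires, sig = parts
    # Constant-time comparison; any edit to cid or expires invalidates the signature.
    if not hmac.compare_digest(sig.encode(), _sign(f"{cid}.{expires}").encode()):
        return False
    if int(expires) < (time.time() if now is None else now):
        return False
    return cid == str(collection_id)


def serve_image(cookies, collection_id, filename, now=None):
    """Return the HTTP status the proxy would answer an image request with."""
    if "/" in filename or "\\" in filename or filename.startswith("."):
        return 400  # the proxy must never resolve paths outside the collection
    if not cookie_allows(cookies.get(COOKIE_NAME), collection_id, now):
        return 403  # direct URL, hotlink, or cookie for another collection
    return 200      # a real proxy would stream the file here
```

In this sketch a copied cookie still passes the check until it expires, which matches the limitation listed above: someone sharing their collection access is not prevented.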
Server requirements
On Apache and LiteSpeed servers, picu automatically configures the necessary file protection when you enable the setting.
On nginx, additional manual configuration is required. See the nginx setup instructions.
Enabling the feature
Go to picu → Settings → Security and enable Prevent Direct Image Access.
