1 ednong Mar 04, 2015 01:07
3 ednong 11 Mar 2015 04:47
Hi,
Hotlinking is the direct link to the image like `www.domain.tld/blog/media/user/testimage.jpg`. If I have a picture in a private/community/member post, it is possible for all ppl who have the link to the image to see it too - although it should be private.
4 mgsolipa 11 Mar 2015 23:36
If the images are in a public folder in the server (as they actually are), there is no way to control the accessibility more than adding an `.htaccess` file with `deny from all` to the media folder, but this action will break almost all the back-office images (and in the front-office in version 6), or at least all of them that are not accessed by the `viewfile.php` script.
Starting with that, the `viewfile.php` (or any other) can run a set of permission checks in order to control when to actually display the image.
I think it makes sense, but it's a massive implementation.
5 fplanque 11 Mar 2015 23:56
There is actually a configuration variable somewhere to tell b2evolution to go through viewfile.php for all images.
Once you do that you can move the media folder out of the web root or use `deny from all` as explained above.
I haven't tried this for years.
The most efficient way though is to use obscure folder names like `/media/user/jhG~A+n=uo76(jh_$hUuP/example.jpg` for example to store your images so that it's not possible to guess their urls.
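A sketch of the gatekeeper approach described in the two posts above, added here as an illustration; it is not b2evolution's `viewfile.php` or any code from the project. The media path, the ACL table, the session layout and all function names are hypothetical, and the media folder is assumed to sit outside the web root.

```php
<?php
// Added illustration only; not b2evolution code. All names are hypothetical.
declare(strict_types=1);

const MEDIA_ROOT = '/srv/example-media'; // assumption: outside the web root

// Constructed sample ACL; a real application would read this from its database.
const MEDIA_ACL = [
    'user/testimage.jpg' => ['visibility' => 'private', 'owner' => 7],
    'shared/logo.png'    => ['visibility' => 'public',  'owner' => 1],
];

// Canonicalise the requested name and return it relative to the media root,
// or null if it does not exist or resolves outside the root.
function canonical_rel_path(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    $full = realpath($root . '/' . $requested);
    if ($rootReal === false || $full === false || !is_file($full)) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null; // "../" or a symlink escaped the media root
    }
    return str_replace(DIRECTORY_SEPARATOR, '/', substr($full, strlen($prefix)));
}

// Permission check: anything without a known rule is refused (fail closed).
function may_view(?array $user, ?array $rule): bool
{
    switch ($rule['visibility'] ?? null) {
        case 'public':  return true;
        case 'member':  return $user !== null;
        case 'private': return $user !== null && $user['id'] === $rule['owner'];
        default:        return false;
    }
}

session_start();
$user = $_SESSION['user'] ?? null; // assumption: login code stores ['id' => int]
$name = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$rel  = canonical_rel_path(MEDIA_ROOT, $name);
if ($rel === null || !may_view($user, MEDIA_ACL[$rel] ?? null)) {
    http_response_code(404); // same answer for "missing" and "not allowed"
    exit;
}
$full = realpath(MEDIA_ROOT) . '/' . $rel;
header('Content-Type: ' . (mime_content_type($full) ?: 'application/octet-stream'));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store'); // keep private images out of shared caches
readfile($full);
```

The ACL lookup uses the canonical relative path rather than the raw query string, so a request such as `user/../user/testimage.jpg` is checked against the same rule as the plain name.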
6 ednong 17 Mar 2015 20:00
Hi,
Obfuscation is not a solution. Never.
I'm not sure what you call "hotlinking" but in version 6 we have fixed an issue where these "private" images could appear in the image index widgets.