Securing webservers is a whole books worth. There are many steps you can take,
IP / network restricted access.
Firewalls.
Secure FTP.
Etc.

One is to use your .htaccess file to deny access to anyone trying to access your folders directly. As detailed here in a previous similar question:

How to protect folders in public_html from visitors

Naming your images with random characters will not make them secure as far as I know. If you display the images on a webpage, the user can still right click on them and ‘save’. It doesn’t matter what you call them. If they gain access to the folder with them in, they can just list them and get all the names…

For me, the best way is to stop unauthorised access to the folder that contains them.

I hope this helps.

I have a web project where I store users photos. These photo are on disk not in a db to avoid performance issues. When a user upload a photo it gets validated and I add to its name a unique id with the php function uniqid with more characters. Exemple : “IMG_0001.5edee3c9e293b1.25237113.png”. Since my website folder structure isn’t secret (duh its a web server) and i’m storing user data within these directory, anyone with the right url can access it. I was wondering if this method is secure enough. Is using a uniqid really secure ? Since its pseudo-random can anyone use like system time to guess the name of the picture using common image name plus a uniqid based on the system time and get user photos even thought I didn’t give them the url ? If this is the case does anyone have a solution to store them securely on disk ?

Thanks