Protect Images and Pictures

Currently, in Paid-Publications and Password-Protected/Private Blogs, images are available for viewing, downloading and external linking without entering a password or paying for membership. I think it would be a good idea if this didn’t happen. :slightly_smiling_face:

This is documented on GitHub in issues 11627 and 7768. Please see 11627 for steps on how to reproduce this behavior.

According to post 94:

Private blogs are great for when you just want your friends and family to have access to your posts, you want to run an internal company blog to share information between team members, or you’re just in the pre-launch phase.

When you enable password protection for your blog all social and search engine optimisation features are disabled, and visitors must enter the password to be able to view your content.

According to the Ghost Alternatives page, Ghost is good if:

I want secure, protected members-only content

Ghost provides 100% secure server-side content gating for members-only content, allowing you to publish to a limited audience. It is not possible to achieve this from most other platforms like Squarespace, Wix, Memberstack, SentryLogin, Piano and others — which are insecure and easily bypassed.

If you want secure, member-based publishing where you have full control and ownership of both your content and the platform itself, Ghost is a good choice.

Image protection would be valuable for the following use cases:

  • Internal company blogs where we want to share important images or diagrams, such as those containing roadmaps/plans, designs, and concepts
  • Private blogs where we only want friends or family to have access to our words and images
  • Paid publications that focus on written content but also have images that should be restricted to paying members
  • Paid publications that focus on Art as paid content but also have written content
  • Paid publications that focus on Photography as paid content but also have written content

An image is worth a thousand words. :framed_picture:

If we protect words, then perhaps we should protect images too. :smiley:

I love Ghost. Thanks for considering the idea. :slightly_smiling_face:


Hi @John, was there a reason this was moved from Ideas to Members (beta)? On GitHub issue 11627, Naz told me specifically to post about this in the Ideas category. :slightly_smiling_face:

Sure, because the request is about members beta, which is where requests about the members beta go. I’m sure Naz was just having a long day and meant to link there

OK, great. That makes sense. Thanks for explaining :+1:

Hi, I am a photographer and I am looking to build a member-based publication predominately with images. This issue is one of the things I noticed after installing and playing around with Ghost. Ghost is fantastic :raised_hands: :raised_hands: :raised_hands: but being able to protect the pictures in a protected post is important for my use. Hopefully this will be considered and implemented in the near future. :pray: :+1:

Hi, found a potential workaround to protect the images.
Basically, test to see if the referrer is from the same domain by placing the following code in the nginx conf file. After putting this in the conf file, direct loading of images resulted in 403 Forbidden, but all the images when viewing on the site are also blocked. Not sure if I missed anything. If anyone who is more experienced with nginx config can shed some light, it'd be appreciated.

```nginx
server {

    location ~ \.(gif|png|jpg|jpe?g)$ {
        valid_referers none blocked server_names;
        if ($invalid_referer) {
            return 403;
        }
    }
}
```

Hello! Got it to work. Basically need to include the root directory of your website inside the location.

```nginx
location ~ \.(jpg|jpe?g)$ {
    valid_referers server_names;
    if ($invalid_referer) {
        return 403;
    }
    root /your/web/site/folder/;
}
```
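
Added example, not part of the thread and not Ghost's own configuration: the referer filter above kept as hotlink protection, with nginx's `auth_request` added so an image is served only after a backend confirms the visitor's session. The backend at `127.0.0.1:9000`, its `/session-check` path and `example.com` are hypothetical; the thread does not say that Ghost provides such an endpoint.

```nginx
# Added example. Hypothetical: example.com, 127.0.0.1:9000, /session-check.
# The root path is the placeholder used in the thread.
server {
    listen 80;
    server_name example.com;

    location ~ \.(gif|png|jpe?g)$ {
        # Hotlink filter from the thread. It only inspects the Referer
        # header, which the client chooses, so it says nothing about
        # whether the visitor is a logged-in member.
        valid_referers server_names;
        if ($invalid_referer) {
            return 403;
        }

        # Authorization step: nginx issues an internal subrequest and
        # serves the file only if it returns 2xx; 401 or 403 deny access.
        auth_request /_image_auth;

        # Keep gated images out of shared caches between nginx and the reader.
        add_header Cache-Control "private, no-store";

        root /your/web/site/folder/;
    }

    location = /_image_auth {
        internal;                      # not reachable from outside
        # Hypothetical service that answers 204 for a valid member
        # session cookie and 401 otherwise. The visitor's request
        # headers, including Cookie, are forwarded with the subrequest.
        proxy_pass http://127.0.0.1:9000/session-check;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

`auth_request` comes from `ngx_http_auth_request_module`, which is not built by default in nginx source builds (`--with-http_auth_request_module`); check with `nginx -V`.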