A lot of people say you should store images above the web-root. Especially if they were uploaded by users.
I was able to to find this...
<a class="postuseravatar" href="member.php?85867-bluedreamer" title="bluedreamer is online now">
<img src="image.php?u=85867&dateline=1386442668" alt="bluedreamer's Avatar" title="bluedreamer's Avatar" />
So can you explain how that works to hide the avatar's actual location?
I guess this is the key part here...
I think some of the fear of leaving uploaded photos in the web root, is that a hacker could upload an "image" that is executable in some way, and if it is left in the web root, then a hacker could upload a nefarious image, and then execute it.