How a Simple Question Led to XYZ Protect

By Mark Smith

Every product starts with a problem someone couldn't ignore. For XYZ Protect, it started with a question from the owner at Cerulean Software — a website development firm that builds and maintains websites for content creators in the adult industry.

The Question That Started Everything

XYZ's first product was age verification — a privacy-first identity verification system for WordPress sites in regulated industries. The plugin works: a visitor arrives from a regulated jurisdiction, gets redirected to a verification page, confirms their age through a biometric face scan or government ID check, and receives a cookie that lets them through the age gate.

It gates the page. But Cerulean Software, a company that works with WordPress regularly, pointed out something we hadn't considered: it doesn't gate the media on the page.

Every image, video, and document embedded in a WordPress page lives in /wp-content/uploads/. These files are served directly by the web server — Apache, Nginx, LiteSpeed, whatever your host runs. WordPress never gets a chance to check whether the visitor is authorized. The age gate controls who sees the page, but the media URLs in that page's HTML are accessible to anyone.

Copy an image URL from a protected page, paste it in an incognito window, and it loads. No verification. No login. No membership check.

For a site where the content is the product — a photography portfolio, a premium video library, a course platform with exclusive materials — that's not a minor gap. It's a fundamental flaw in how WordPress handles media.

Why Existing Solutions Didn't Work

We looked at what was available. The options fell into a few categories, and none of them solved the problem cleanly.

Server-level rules (.htaccess, Nginx config) can restrict access to directories, but they're hosting-dependent, fragile across environments, and require technical knowledge most site operators don't have. Move to a different host and your protection breaks. Switch from Apache to Nginx and your rules don't apply.

PHP-based file proxying routes every media request through WordPress. It works — but it means your web server processes every image load through PHP instead of serving static files directly. That's a significant performance hit, especially for image-heavy sites. It also means your hosting environment's PHP memory limit caps the file sizes you can serve.

File-moving plugins relocate your media to hidden directories and serve them through download handlers. Fine for PDFs and ZIPs that users explicitly click to download. Not viable for images embedded in a page that need to render inline — you can't move hundreds of gallery images into a download handler and still have a functional gallery page.

CSS/JavaScript tricks — disabling right-click, detecting developer tools, overlaying transparent images — are cosmetic at best. View source defeats all of them.

None of these approaches address the core problem: media URLs in the HTML are publicly accessible regardless of the page's access controls.

Building the Fix

We needed something that works at the URL level. When WordPress renders a protected page, the media URLs in the HTML should only be accessible to the visitor who's authorized to see that page. Not to someone who copies the URL. Not to a search engine that indexes the uploads directory. Not to a scraper that follows every src attribute in the DOM.

XYZ Protect intercepts the rendered HTML before it reaches the visitor's browser and rewrites every media URL that matches a protected path. The rewritten URLs route through a protection layer that verifies authorization before serving the file. If the visitor isn't authorized, they get a placeholder. The real file is never served.

Two protection modes cover different needs:

Guard Cookie mode is fast and simple. Protected URLs are obfuscated — the original filename and path are hidden — and a signed cookie proves the visitor is authorized. Without the cookie, the request returns a placeholder. This mode is compatible with page caching plugins like WP Rocket, which matters for sites where performance is critical.

Encrypted URL mode provides stronger protection. Each media URL is AES-256-GCM encrypted, unique to the individual visitor, and expires after a configurable time window. Even if someone extracts a URL from page source, it's useless to anyone else and stops working after the window closes. This mode is ideal for high-value content where per-user accountability matters.
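
One way to build the rewrite step and the Encrypted URL mode described above, as an added Node.js example that is not XYZ Protect's own code. The media endpoint, the visitor identifier (for example a session ID), the token layout and the key handling are all assumptions made for illustration.

```javascript
// Added example (not XYZ Protect's code): per-visitor, expiring media URLs.
const crypto = require("node:crypto");

// Hypothetical protection-layer endpoint; tokens are appended to it.
const MEDIA_ENDPOINT = "https://media.example.test/m/";

// Encrypt {path, expiry} with AES-256-GCM. The visitor ID is passed as AAD,
// so the tag only verifies for the visitor the URL was issued to.
function sealMediaPath(key, path, visitorId, ttlSeconds, nowMs = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per URL
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(visitorId, "utf8"));
  const claims = JSON.stringify({ p: path, exp: Math.floor(nowMs / 1000) + ttlSeconds });
  const ct = Buffer.concat([cipher.update(claims, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64url");
}

// Runs in the protection layer: returns the real path only for a valid,
// unexpired token presented by the same visitor.
function openMediaToken(key, token, visitorId, nowMs = Date.now()) {
  const raw = Buffer.from(token, "base64url");
  if (raw.length <= 28) return { ok: false, reason: "malformed" };
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
    d.setAAD(Buffer.from(visitorId, "utf8"));
    d.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([d.update(raw.subarray(28)), d.final()]);
    const claims = JSON.parse(plain.toString("utf8"));
    if (claims.exp <= Math.floor(nowMs / 1000)) return { ok: false, reason: "expired" };
    return { ok: true, path: claims.p };
  } catch {
    return { ok: false, reason: "rejected" }; // wrong visitor, tampering, or wrong key
  }
}

// Rewrite src/href attributes that point into the protected uploads path.
function rewriteHtml(key, html, visitorId, ttlSeconds, nowMs = Date.now()) {
  return html.replace(/\b(src|href)="(\/wp-content\/uploads\/[^"]+)"/g,
    (_m, attr, path) =>
      `${attr}="${MEDIA_ENDPOINT}${sealMediaPath(key, path, visitorId, ttlSeconds, nowMs)}"`);
}
```

Because the visitor ID is authenticated but not stored in the token, a URL copied out of page source fails tag verification for anyone else, and the expiry is checked only after the tag verifies, so it cannot be extended by editing the URL.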

The protection happens at the network level, not on the WordPress server. Media requests are handled by infrastructure distributed globally — they never touch your hosting environment. Your origin server serves the files to the protection layer, and the protection layer serves them (or doesn't) to the visitor. No PHP overhead. No memory limits on file size. No performance impact on your WordPress site.

Setup is three DNS records and about five minutes. No server configuration. No files moved on disk. No hosting-specific rules to maintain. It works the same on a $10/month shared host and a dedicated server.

Beyond Age Verification

The original problem was specific to age verification — gating media on age-restricted sites. But once we built the URL rewriting and protection infrastructure, we realized the same architecture solves a much broader problem.

Any WordPress site with content behind a login or membership wall has the same gap. MemberPress gates pages. Paid Memberships Pro gates pages. WordPress login gates pages. None of them gate the media files on those pages.

So we built native integrations for the most popular WordPress membership plugins:

MemberPress — XYZ Protect auto-detects MemberPress and lets you map each membership level to a protection tier. Standard members can get Guard Cookie protection while premium members get Encrypted URLs. No MemberPress add-ons required, works with all editions.

Paid Memberships Pro — Same approach. Auto-detects PMPro, maps membership levels to protection tiers, works with the free core plugin. No PMPro premium plan or add-ons required.

WordPress Login — For sites that don't use a membership plugin, any logged-in user is authorized. Simple and effective for client portals, internal resources, or any site with login-protected content.

Media protection and age verification work independently of each other. A MemberPress photography site doesn't need age verification — it just needs media protection. An adult content site needs both. A course platform needs media protection for lesson videos. Each feature is configured separately and can be scoped to the whole site or specific directories.

What We Don't Do

We're honest about what XYZ Protect is and isn't.

We don't prevent a paying member from saving an image to their computer. Once someone is authorized and the content renders in their browser, they have it — that's true of any protection system, including DRM. What we prevent is unauthorized access: people who never paid, never logged in, and never passed age verification being able to access your files through direct URLs.

We don't move your files. We don't require specific server software. We don't proxy media through PHP. We don't use CSS tricks. We don't pretend that disabling right-click is security.

We do one thing well: we make sure the media URLs in your WordPress pages are only accessible to visitors who are authorized to see them. Everything else — the membership management, the payment processing, the page design — is your existing stack, unchanged.

Try It Yourself

If you run a WordPress site with login-protected or membership-gated content, here's a ten-second test: log in, visit a protected page, right-click an image, copy the URL, and open it in an incognito window.

If the image loads without authentication — that's the gap XYZ Protect closes.

Free trial includes 10,000 protected media requests. No credit card required. Setup takes about five minutes.

Learn more at xyzinc.com/protect →
