If you're setting up XYZ Protect for the first time, step 3 of the setup asks you to choose a media subdomain. If you're not sure what that means or why it's necessary, this post is for you.
The short answer: XYZ Protect needs a subdomain because it's the only way to route your media files through a secure protection network that checks every request before serving a file. A subdirectory can't do this. It's not a preference — it's how the underlying technology works.
Here's the longer explanation, starting from the basics.
What's a Subdomain?
Your website has a domain name — something like example.com. A subdomain is an extension added to the front of that domain, separated by a dot. You've seen these before:
www.example.com— thewwwis a subdomainblog.example.com— a subdomain often used for a separate blogshop.example.com— a subdomain for a storemedia.example.com— the kind XYZ Protect uses
Each subdomain can be pointed at a different destination. That's the key property. Your main site at example.com might be hosted on one server, while media.example.com is pointed somewhere else entirely. They share the same parent domain, but they're independent in terms of where their traffic goes.
What's a Subdirectory?
A subdirectory is a folder path on your existing site:
example.com/blog/example.com/shop/example.com/wp-content/uploads/
Subdirectories are part of your main website. Everything under example.com/anything/ is handled by the same server that runs your site. There's no way to send traffic for a specific subdirectory to a different destination — it all goes to the same place.
Why This Distinction Matters for Media Protection
When you upload an image, video, or PDF to WordPress, it goes into a subdirectory: /wp-content/uploads/. That folder lives on your web server, and your server handles every request for files in it. If someone has the direct URL to a file, your server hands it over — no questions asked.
This is the media protection gap that XYZ Protect exists to close. The solution is to stop letting your server hand out those files directly and instead route media requests through a secure protection network that checks whether the visitor is authorized before serving anything.
To do that, we need to intercept media requests before they reach your server. And the only way to intercept web traffic at that level is through DNS — the system that controls where a domain or subdomain points.
When you create media.example.com and point it to XYZ's protection network, every request for a file on that subdomain goes through the protection layer first. The network checks for a valid authorization cookie, and only then retrieves the file from your server and delivers it to the visitor. Unauthorized requests get a placeholder image or an empty response. Your actual files never leave your server without authorization.
A subdirectory can't do this. There's no way to tell the internet "send requests for example.com/wp-content/uploads/ to a different place than example.com/everything-else/." DNS doesn't work at the folder level. It works at the domain and subdomain level.
What XYZ Protect Does With Your Subdomain
Here's what happens once you set up media.example.com (or whatever subdomain you choose):
- The XYZ Protect plugin rewrites the URLs in your pages so that media files point to
media.example.cominstead ofexample.com. - When a visitor's browser requests an image or video from
media.example.com, the request goes to XYZ's secure protection network — not directly to your server. - The protection network checks whether the visitor has a valid authorization cookie. This cookie is set when the visitor logs in, passes age verification, or meets whatever authorization rule you've configured.
- If authorized, the network fetches the file from your server and delivers it. If not, the visitor gets a placeholder.
Your files stay on your server. They don't move anywhere. The subdomain is just a routing mechanism — a way to put a checkpoint between the visitor and your media.
How to Create a Subdomain
Creating a subdomain is straightforward and takes about two minutes. You do it wherever you manage your domain's DNS records — usually your hosting provider's control panel (cPanel, Plesk, etc.) or your domain registrar's dashboard.
You'll add a CNAME record. A CNAME is just a DNS entry that says "send traffic for this subdomain to that destination." XYZ Protect tells you exactly what values to enter — you don't need to figure anything out yourself. The plugin's setup screen shows you the records to create and automatically checks whether they're configured correctly.
If you've ever pointed a domain to a website or set up email, you've done something very similar. If you haven't, your hosting provider's support team can usually add a DNS record for you in a few minutes.
Common Questions
Can I use any subdomain name?
Yes. media.example.com is the convention, but you can use cdn.example.com, files.example.com, or anything else. The name doesn't affect how the protection works. Multi-level subdomains like media.cdn.example.com are not supported due to how domain ownership validation and SSL/TLS certificates are issued.
Does the subdomain affect my main site?
No. Your main site at example.com or www.example.com continues to work exactly as it does today. The subdomain is a separate address that only handles media file requests. Your pages, posts, login, membership system, and everything else are unaffected.
Do I need to move my files?
No. Your files stay in /wp-content/uploads/ on your server. The plugin rewrites URLs automatically so that visitors' browsers request them through the subdomain, but the files themselves don't move.
Does this affect my site's SEO? Protected media is intentionally hidden from search engines — that's part of the point. Any media you mark as public or exempt remains on your main domain with no SEO impact.
What if I already use Cloudflare on my main domain? That's fine. The media subdomain operates independently and doesn't interfere with any existing configuration on your main domain.
What if I don't have access to my DNS settings? You'll need to be able to add DNS records to use XYZ Protect. If your hosting provider manages DNS for you, contact their support team and ask them to add the CNAME & TXT records shown in the plugin's setup screen. Most hosts will do this quickly.
The Takeaway
A subdomain is required because it's the only way to route your media through a protection layer that sits between the visitor and your files. A subdirectory can't do this — it's a limitation of how the internet's addressing system works, not a choice we made.
The good news is that creating a subdomain is one of the simpler parts of the setup. Once the DNS record is in place, XYZ Protect handles everything else.