Your membership plugin can block access. But every request still reaches your server. Bots, scrapers, and shared links all trigger unnecessary load. XYZ Protect moves that decision to the edge—so unauthorized requests never hit WordPress at all.
10,000 protected media requests free. No credit card required.
MemberPress®, Paid Memberships Pro®, WooCommerce, and WordPress login control who sees your pages. But the images, videos, and documents on those pages? Anyone with the URL can download them—no login, no membership, no payment required.
Even when access is denied, your server still has to process every request. Under bot traffic, that means wasted CPU, bandwidth, and degraded performance for real users.
A paying member copies an image URL and texts it to a friend. The friend downloads your premium content without paying.
Anyone viewing your page source can extract every media URL. Your premium photos, course videos, and PDFs are accessible without logging in.
Google indexes your media files directly. Your premium content appears in image search results, accessible to anyone.
Most WordPress protection plugins work at the origin. They check permissions in PHP and return a 403 or 404.
But the request still reaches your server.
XYZ Protect handles access at the edge—before WordPress is involved.
That means fewer requests hitting your origin, better performance under load, and less need to upgrade hosting just to handle bots.
Install the plugin. Add three DNS records. Choose what to protect. That's it. No server changes, no file moves, no hosting requirements.
Upload XYZ Protect to your WordPress site and connect your account.
The plugin tells you exactly what to add. One CNAME, two TXT records. Takes two minutes.
Protect everything, or just specific folders. Your site logo and public images stay accessible.
Authorized visitors see your content. Everyone else sees a placeholder. No shared links work without authorization.
Choose the level of security that matches the value of your content.
Your media URLs are obfuscated and only accessible to visitors with valid authorization. Fast, simple, and works perfectly with page caching plugins.
Best for: Most membership sites, online courses, photography portfolios
Every media URL is unique to the individual visitor and expires automatically. Even if someone copies a URL and shares it, it won't work for anyone else.
Best for: Premium stock photography, exclusive video, confidential documents
Run both simultaneously. Standard members get Guard Cookie protection. Premium members get Encrypted URLs. Map protection levels directly to your membership tiers.
Other file protection plugins route every request through PHP on your server—even when access is denied.
Under bot traffic, that creates unnecessary load and slows your site.
XYZ Protect does the opposite. Requests are validated at the edge, so unauthorized traffic never reaches your origin.
Protected media is served from a global network, often faster than your server could deliver it.
Protected images served from 300+ locations worldwide. After the first request, repeat visitors in the same region get instant edge delivery.
Your WordPress server never processes media requests. No database queries, no PHP file streaming, no memory limits on file size.
Popular content is cached at the edge after the first request. Your server handles page rendering—the global network handles media delivery.
Replace an image? Flush your media cache from the WordPress admin. Site-scoped purge—your cache is yours alone.
Browser → Server → WordPress → PHP auth check → PHP streams file bytes → Browser
20 PHP processes loading WordPress, checking auth, streaming files through memory
Slower pages, higher server load, PHP memory limits cap file sizes
Browser → Edge network → Auth check (1-2ms) → Fetch from origin → Cache at edge → Browser
Browser → Edge network → Auth check (1-2ms) → Serve from edge cache → Browser
Faster delivery, zero server load for media, no PHP involved, no file size limits
XYZ Protect detects your membership plugin automatically. No add-on to buy, no extra configuration. Just map your membership levels to protection tiers with appropriate content protection rules and you're done.
Put premium content in a protected directory. Everything in that folder requires authorization, regardless of which page it appears on. The most secure option.
Media is only protected on pages that your membership plugin gates. No folder configuration needed—protection follows your existing membership and content protection rules automatically.
MemberPress: All editions—Launch, Growth, and Scale. No add-ons required.
Paid Memberships Pro: Works with the free core plugin. No premium plan required.
Administrators always see real content when previewing pages.
Sees watermarked previews from your public folder. Premium gallery shows placeholders.
Full access to the high-resolution gallery. Protected from direct link sharing.
RAW files and exclusive collections. URLs are per-user and expire automatically.
Other plugins physically move your files to hidden directories. XYZ Protect never touches your files. Deactivate the plugin and everything is exactly where it was.
No .htaccess rules, no Nginx config, no hosting-specific setup. Works on shared hosting, WP Engine, Kinsta, SiteGround, WordPress.com Business—everywhere.
Competitors route every image through PHP, slowing your site. XYZ Protect serves protected media from a global edge network with caching—your server does zero extra work.
Images, videos, PDFs, audio, documents—everything in your protected folders. Competing plugins warn against protecting images due to performance. We recommend it.
In Encrypted URL mode, every link expires automatically. A URL shared today stops working on its own—no manual intervention, no permanent leaks.
WordPress exposes your entire media library via the REST API by default. XYZ Protect blocks unauthenticated access to media endpoints while keeping the block editor functional.
Any WordPress site with user login can use XYZ Protect. MemberPress and Paid Memberships Pro add tiered access control, but neither is required.
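The per-visitor, self-expiring links described for Encrypted URL mode can be built in several ways, and the page does not say which one XYZ Protect uses. As an added example (not the product's code), this Node.js block uses an HMAC-signed token, with the key, hostname, parameter names and visitor IDs all assumed, to show why a shared, expired or edited link fails the edge check.

```javascript
// Added illustration: HMAC-signed, per-visitor, expiring media URLs.
// Not XYZ Protect's implementation; key, host and parameter names are assumptions.
const crypto = require('node:crypto');

const EDGE_KEY = Buffer.from('constructed-demo-key-do-not-reuse'); // constructed sample key

// Bind path, visitor and expiry into one MAC so none can be swapped independently.
function mac(path, visitorId, exp) {
  const msg = JSON.stringify([path, visitorId, exp]); // unambiguous field framing
  return crypto.createHmac('sha256', EDGE_KEY).update(msg).digest('base64url');
}

// Origin side: issue a link for one visitor, valid for ttlSeconds.
function signMediaUrl(path, visitorId, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const exp = now + ttlSeconds;
  return `https://media.example.com${path}?exp=${exp}&sig=${mac(path, visitorId, exp)}`;
}

// Edge side: visitorId comes from the request's own session, never from the URL.
function verifyMediaUrl(url, visitorId, now = Math.floor(Date.now() / 1000)) {
  const u = new URL(url);
  const exp = Number(u.searchParams.get('exp'));
  const sig = u.searchParams.get('sig') || '';
  if (!Number.isInteger(exp)) return 'malformed';
  const expected = Buffer.from(mac(u.pathname, visitorId, exp));
  const given = Buffer.from(sig);
  // Constant-time compare; length check first because timingSafeEqual throws on mismatch.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'bad-signature';
  }
  // Expiry is checked after the MAC so an unauthenticated exp is never trusted.
  if (now > exp) return 'expired';
  return 'ok';
}

// Constructed walk-through with a fixed clock.
function demo() {
  const t0 = 1700000000;
  const url = signMediaUrl('/gallery/raw-001.jpg', 'member-42', 300, t0);
  const tampered = url.replace(`exp=${t0 + 300}`, `exp=${t0 + 99999}`);
  return {
    owner: verifyMediaUrl(url, 'member-42', t0 + 10),
    sharedWithFriend: verifyMediaUrl(url, 'member-77', t0 + 10),
    afterExpiry: verifyMediaUrl(url, 'member-42', t0 + 301),
    extendedExpiry: verifyMediaUrl(tampered, 'member-42', t0 + 301),
  };
}

console.log(demo());
```

The visitor identity is taken from the session presented with the request, so copying the URL alone carries no authorization.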
Existing solutions rely on server-level tricks that create limitations. XYZ Protect takes a fundamentally different approach.
| | XYZ Protect | PDA Gold | MemberPress Files | PMPro Files |
|---|---|---|---|---|
| Setup required | 3 DNS records | .htaccess / Nginx config | .htaccess required | .htaccess / Nginx + wp-config.php |
| Nginx support | Yes | Manual config needed | Not supported | Manual config needed |
| WordPress.com compatible | Yes | No | No | No |
| Files moved on disk | Never | Moved to /_pda/ | No | Separate restricted folder |
| Media delivery | Edge-cached CDN | PHP on your server | PHP on your server | PHP on your server |
| Image protection | Recommended | Not recommended | Not recommended | Limited by server memory |
| Per-user URLs | Yes | No | No | No |
| Self-expiring URLs | Yes | No | No | No |
| REST API hardening | Built-in | No | No | No |
| Membership integration | Built-in | Separate extension | Built-in (limited) | Custom code required |
For sites serving age-restricted content, XYZ Protect includes region-based adult verification. Visitors from regulated jurisdictions are verified before they can view your content. Everyone else experiences zero friction.
Images processed in memory only, never stored. iBeta Level 2 certified. No personal data retained after verification.
Verification credits starting at $0.038 each. Other providers charge $0.30 to $0.50+ per verification.
Age verification requires a free Cloudflare account on your main domain for geographic detection. Content protection does not require Cloudflare.
One price. All features. No per-request fees for media protection.
Cancel anytime
Two months free
10,000 protected media requests free during trial. No credit card required.
Need age verification? Purchase verification credit packs separately.
XYZ Protect has built-in support for MemberPress (all editions) and Paid Memberships Pro (including the free core plugin). Both are auto-detected—no configuration needed. Without a membership plugin, XYZ Protect works with standard WordPress login to protect media for any logged-in user.
No. Your media stays exactly where it is on your server. XYZ Protect controls who can access those files by verifying authorization before serving them. Deactivate the plugin and your site is exactly as it was before.
A subdomain is required—a subdirectory won't work. XYZ Protect enforces protection at the edge of a global network rather than on your WordPress server, which means media requests have to be routed through that network instead of going straight to your origin. DNS routes traffic by hostname, so a dedicated subdomain (like media.yoursite.com) is the only way to send media traffic through the protection layer without affecting the rest of your site. You don't need to create the subdomain in advance—adding the CNAME record is what creates it.
Three records, added at your domain registrar (or wherever you manage DNS—cPanel, your host's DNS panel, Cloudflare, Route 53, GoDaddy, etc.): one CNAME pointing your media subdomain to our protection network, and two TXT records—one for hostname ownership and one for automatic SSL certificate issuance. The plugin generates the exact values for you during setup. No Cloudflare account or API tokens are required on your end. The plugin polls every 30 seconds and activates protection automatically once DNS propagates, typically within 1–5 minutes.
No—it can actually speed it up. In Guard Cookie mode, protected media is edge-cached on a global network with 300+ locations. Your server handles zero media requests. Unlike PHP-based solutions that process every image through WordPress, XYZ Protect offloads media delivery entirely.
Everything. Images (JPEG, PNG, WebP, AVIF, SVG), videos (MP4, WebM), audio (MP3, WAV), documents (PDF, DOCX)—any file in a protected directory. No file type restrictions.
The $15/month or $150/year subscription is your full license to use XYZ Protect. There are no per-request fees for media protection—the subscription covers it. The 10,000 protected media requests referenced on the pricing page is a free trial allowance, letting you evaluate the media protection features of the plugin end-to-end before subscribing. Separately, if you enable the optional age verification module, that feature is metered using credits, billed per verification. For standard content protection without age verification, credits don't apply.
Your protection stays active through the end of your billing period. After that, media URLs revert to normal—no broken images, no changes to your files. You can reactivate anytime.
Any hosting that runs WordPress. Shared hosting, managed WordPress (WP Engine, Kinsta, SiteGround), VPS, dedicated servers, even WordPress.com Business plans. No special server configuration required.
You put the work in. Your members should be the only ones who benefit. Start protecting your media in five minutes.