XYZ Protect includes two primary features that can operate independently:
- Media Protection — Prevents unauthorized users from accessing your WordPress media files (images, videos, PDFs, audio) by routing protected content through a secure media network. Even if someone discovers a direct URL to your media, XYZ Protect verifies their authorization before serving the file.
- Age Verification — Region-based adult verification for sites serving age-restricted content. Redirects visitors from regulated jurisdictions to a privacy-first identity verification page before they can view content.
You can use media protection without age verification, or both together. This guide walks you through installation and initial setup.
Prerequisites
Before installing XYZ Protect, you'll need:
- A WordPress site (version 5.9 or higher, PHP 7.4+)
- Access to your domain's DNS settings (to add three DNS records for media protection)
- An XYZ Protect account (you can start a free trial during setup)
Cloudflare requirement: A free Cloudflare account is required if you plan to use the Age Verification features (for geographic region detection). If you only need Media Protection, no Cloudflare account is needed — just the ability to add DNS records at your domain provider.
XYZ Protect works with any WordPress hosting provider — shared hosting, managed WordPress (WP Engine, Kinsta, SiteGround), VPS, dedicated servers, and WordPress.com Business plans.
Step 1: Install the Plugin
- Download the XYZ Protect plugin ZIP file from your xyzinc.com account.
- In your WordPress admin, go to Plugins > Add New > Upload Plugin.
- Choose the ZIP file and click Install Now.
- Click Activate.
- Navigate to Settings > XYZ Protect.
Step 2: Connect to the XYZ API
On the Connection & Status tab:
New users: Click "Start Free Trial" and enter your email and site URL. You'll receive an API key by email. The free trial includes your first 10,000 protected media requests at no cost.
Existing users: Click "Already have an API key?" and enter your API URL and API key.
Once connected, the status indicator will show a green checkmark.
Step 3: Provision Your Media Hostname
Switch to the Content Protection tab and click Provision Media Hostname. You'll need to provide:
- Origin hostname — Where your WordPress site serves media files. This is usually your site's domain (e.g., example.com).
- Media hostname — A subdomain of your site's domain that will serve protected media (e.g., media.example.com for a site at example.com). This must be on the same domain as your WordPress site — the authorization cookie needs to reach both your site and the media subdomain. You can choose any subdomain name (e.g., media, cdn, files).
After provisioning, the plugin displays DNS records you need to create:
- A CNAME record pointing your media hostname to the XYZ protection network
- Two TXT records for domain ownership and SSL certificate verification
Step 4: Create DNS Records
Log into your DNS provider (your domain registrar, Cloudflare, Route53, GoDaddy, Namecheap, etc.) and create the records shown in the plugin.
Example:
| Type | Name | Value |
|------|------|-------|
| CNAME | media | media-proxy.xyzinc.com |
| TXT | media | (ownership validation value shown in plugin) |
| TXT | media | (SSL certificate validation value shown in plugin) |
DNS propagation typically takes 1–5 minutes. The plugin checks automatically every 30 seconds and activates protection once verified. You'll see the status change from "Pending DNS" to "Active."
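A preflight for the two constraints in Steps 3 and 4, written as an added example that is not part of the XYZ Protect plugin: the media hostname must sit under the site's domain so the authorization cookie can reach it, and its CNAME must point at the target the plugin displays. The hostnames and function names are assumptions, and the default target is the one from the example table above.

```shell
#!/bin/sh
# Added example (not plugin code). Hostnames are constructed samples.

# Lower-case a hostname and drop the trailing dot that dig prints.
norm_host() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Succeeds only if $1 is a strict subdomain of $2, so a cookie scoped to $2
# reaches both hosts. Look-alikes such as "mediaexample.com" are rejected.
is_subdomain_of() {
    host=$(norm_host "$1"); parent=$(norm_host "$2")
    [ -n "$parent" ] || return 1
    case "$host" in
        ?*".$parent") return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the CNAME answer $1 (output of `dig +short CNAME host`)
# is exactly one record and equals the expected target $2.
cname_matches() {
    [ "$(printf '%s\n' "$1" | grep -c .)" -eq 1 ] || return 1
    [ "$(norm_host "$1")" = "$(norm_host "$2")" ]
}

# preflight SITE_DOMAIN MEDIA_HOST EXPECTED_TARGET [CNAME_ANSWER]
# With three arguments the CNAME is looked up live with dig.
preflight() {
    is_subdomain_of "$2" "$1" || { echo "FAIL: $2 is not under $1"; return 1; }
    answer=${4-$(dig +short CNAME "$2")}
    cname_matches "$answer" "$3" || {
        echo "FAIL: CNAME for $2 is '$answer', expected $3"; return 1; }
    echo "OK: $2 -> $3"
}

# Live run only when arguments are given, for example:
#   ./preflight.sh example.com media.example.com
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2" "${3:-media-proxy.xyzinc.com}"
fi
```

Pass the CNAME value shown in your own plugin screen as the third argument if it differs from the example.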
Why a Media Subdomain?
Your media files are served by your web server (Apache, Nginx), which has no ability to check whether a visitor is authorized before serving a file. That's the fundamental problem — your server hands out files to anyone who asks.
The media subdomain routes protected media requests through a verification layer that checks authorization before serving the file. Your files never leave your server — they stay exactly where they are. When an authorized visitor requests a protected image, the request is verified and then fetched directly from your server and delivered to the visitor. Unauthorized requests never reach your server at all.
Privacy and security: Your media requests are processed by a Cloudflare Worker running on Cloudflare's global network, the same network trusted by millions of websites. Despite the CNAME pointing to xyzinc.com, your media traffic never reaches XYZ's servers. The authorization check happens within Cloudflare's infrastructure and authorized requests are fetched directly from your server. XYZ never sees, stores, or logs your media content.
Performance: Cloudflare's network spans hundreds of locations worldwide. The authorization check for each media request is handled at the location nearest to your visitor, minimizing any processing delay. For visitors far from your server, this can actually improve delivery times compared to direct access.
The only data involved in the authorization check is a cryptographic cookie token that proves the visitor is authorized. The token contains no user identity, email address, or browsing history. The system checks the token, serves the file if valid, and moves on.
Step 5: Configure Protection Settings
Once active, configure your preferences:
- Protection Mode — Choose Guard Cookie (simpler, cache-compatible), Encrypted URL (maximum security), or Tiered (both simultaneously for different user levels)
- Protection Scope — Protect everything in your uploads directory (with optional exempt paths), or protect only specific paths
- Enforcement Mode — Start with Test Mode to verify everything works, then switch to Enforce
- Exempt Paths (when using Protect All) — One path prefix per line. These paths will NOT be protected. The placeholder directory is always exempt automatically.
- Protected Paths (when using Protect Specific) — One path prefix per line. Only these paths will be protected.
- Placeholder Image — Optionally upload a custom image shown to unauthorized visitors
Click Save Settings to push your configuration to the protection network.
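Before saving an Exempt Paths or Protected Paths list, it helps to preview which files it leaves open. The script below is an added example, not plugin code, and it assumes rules are matched as literal string prefixes, which is the broadest reading of "path prefix"; this page does not say whether XYZ Protect matches on directory boundaries. The sample paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not plugin code). ASSUMPTION: each rule is a literal string
# prefix; the plugin's real matching rules are not documented on this page.

# matches_any PATH RULES -> 0 if PATH starts with any non-empty line of RULES
matches_any() {
    while IFS= read -r prefix; do
        [ -n "$prefix" ] || continue
        case "$1" in "$prefix"*) return 0 ;; esac
    done <<EOF
$2
EOF
    return 1
}

# is_protected MODE PATH RULES
#   MODE=all      -> Protect All; RULES are the Exempt Paths
#   MODE=specific -> Protect Specific; RULES are the Protected Paths
is_protected() {
    case "$1" in
        all)      ! matches_any "$2" "$3" ;;
        specific) matches_any "$2" "$3" ;;
        *)        echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# unprotected_in MODE RULES: reads paths on stdin, prints those left open.
unprotected_in() {
    while IFS= read -r p; do
        is_protected "$1" "$p" "$2" || printf '%s\n' "$p"
    done
}

# Constructed sample of upload paths.
SAMPLE_PATHS='/wp-content/uploads/public/logo.png
/wp-content/uploads/public-members/invoice.pdf
/wp-content/uploads/2024/05/photo.jpg'

echo "Exempt '/wp-content/uploads/public' (no trailing slash) leaves open:"
printf '%s\n' "$SAMPLE_PATHS" | unprotected_in all '/wp-content/uploads/public'
echo "Exempt '/wp-content/uploads/public/' leaves open:"
printf '%s\n' "$SAMPLE_PATHS" | unprotected_in all '/wp-content/uploads/public/'
```

Under this assumption, the rule without a trailing slash also exempts the sibling `public-members` directory, so ending each prefix with `/` is the safer habit.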
Step 6: Verify It's Working
Run the built-in self-test from Content Protection > Advanced > Self-Test. This confirms that unauthorized requests to your media hostname are being blocked correctly.
Then test manually:
- Open an incognito/private browser window (not logged in)
- Visit a page with protected media
- You should see placeholder images instead of your real content
- Log in and visit the same page — real media should appear
Congratulations! Your media is now protected.
Next Steps