Protection Modes: Guard Cookie vs Encrypted URL vs Tiered
XYZ Protect offers two protection modes that can be used individually or together. This guide explains each mode, when to use it, and the trade-offs.
Guard Cookie Mode
How it works: The plugin rewrites your media URLs to route through a protected media subdomain. The URLs use obfuscated paths — your original directory structure and filenames are not visible in the page source. When a browser requests a protected file, the system checks for a special authorization cookie. If the cookie is present and valid, the real file is served. If not, a placeholder image is returned.
Strengths:
- Fast — minimal processing overhead
- Compatible with page caching plugins (WP Rocket, LiteSpeed Cache, W3 Total Cache) for content-protection-only sites
- Works immediately on first page load — no per-user URL generation needed
- Obfuscated paths prevent casual URL guessing
Limitations:
- The same obfuscated URL works for any authorized user — URLs are not per-user
- A technically sophisticated user could decode the obfuscated path structure
- URLs don't expire — they work as long as the authorization cookie is valid
Best for: Most sites. Membership sites, online courses, photography portfolios, and any site where the primary goal is preventing unauthorized direct-URL access. If you use page caching for logged-in users, Guard Cookie mode is the compatible choice.
Encrypted URL Mode
How it works: The plugin encrypts each media URL using AES-256-GCM encryption. Each encrypted URL is unique to the specific user (bound to their session) and time-limited (expires after a 1-hour window by default). The original filename, path, and directory structure are completely hidden — the URL is an opaque encrypted token.
Strengths:
- Per-user URLs — sharing a URL with another person renders it useless
- Time-limited — URLs expire automatically, even if shared
- Maximum obfuscation — original paths and filenames are completely hidden
- Automatic key rotation provides ongoing security
Limitations:
- Not compatible with full-page caching for logged-in users (each user's URLs are different)
- Slightly more processing overhead per page load (encryption computation)
- URLs change when the time window rotates, so browser back/forward may show stale URLs (the system handles this gracefully for authorized users)
- The time window duration (default 1 hour) is not configurable in the plugin — contact support if you need a different window
Best for: Sites with high-value content where individual URL leaking is a significant concern. Premium stock photography, exclusive video content, confidential documents.
Tiered Mode (Membership plugins Only)
How it works: Both modes operate simultaneously. Different users receive different levels of protection based on their membership level. (MemberPress and PMPro currently suported.) For example, standard members get Guard Cookie protection while premium members get Encrypted URL protection.
Strengths:
- Match protection level to membership value
- Standard members get cache-compatible performance
- Premium members get maximum security
- Single plugin configuration handles both
Requires MemberPress or Paid Memberships Pro. Tiered mode is only available when a membership plugin is installed and active. Without a membership plugin choose either Guard Cookie or Encrypted URL mode for all users.
Best for: Membership sites sites with multiple membership tiers where different membership levels warrant different levels of content security.
Choosing the Right Mode
| Consideration | Guard Cookie | Encrypted URL | Tiered |
|---|---|---|---|
| Page caching compatibility | Yes | No (for logged-in users) | Guard tier: Yes |
| Per-user URL binding | No | Yes | By tier |
| Time-limited URLs | No | Yes | By tier |
| Processing overhead | Minimal | Low (encryption per URL) | Varies by tier |
| Setup complexity | Simple | Simple | Moderate |
Our recommendation: Start with Guard Cookie mode. It provides strong protection for the vast majority of use cases with the best performance and compatibility. If you later determine you need per-user URL binding, switch to Encrypted URL or Tiered mode — the change is immediate with no data migration.
