Protection Scope: Choosing What to Protect
XYZ Protect offers two approaches to defining which media files are protected. This guide explains both and helps you choose the right one for your site.
Protect-All Mode
What it does: Every file in your WordPress uploads directory (/wp-content/uploads/) is protected by default. You create exemptions for files that should remain publicly accessible (site logos, favicons, social sharing images).
How to configure:
- Go to Settings > XYZ Protect > Content Protection
- Set Protection Scope to Protect All
- Add exempt paths for public content (e.g., /wp-content/uploads/public/, /wp-content/uploads/logos/)
- Click Save Settings
When to use: Sites where most or all media should be restricted. Adult content sites with age verification, photography portfolios where the entire library is premium, or any site where public media is the exception rather than the rule.
Important: Review your site's publicly visible assets (logo, favicon, social sharing images) and add their directories to the exempt paths list. Failing to exempt these can cause your site logo or social sharing previews to break.
Protect-Specific Mode
What it does: Nothing is protected by default. You specify which directories contain protected content. Files outside those directories are served normally and never touch the protection system.
How to configure:
- Go to Settings > XYZ Protect > Content Protection
- Set Protection Scope to Protect Specific Paths
- Enter the paths you want to protect, one per line:
/wp-content/uploads/protected/
/wp-content/uploads/premium/
/wp-content/uploads/courses/
- Click Save Settings
When to use: Membership sites where most content is public and only specific premium content needs protection. MemberPress sites, online course platforms, or any site with a mix of free and premium media.
Tip: If you use MemberPress, the plugin auto-detects MemberPress's default download directory (/wp-content/uploads/memberpress/) and suggests it as a protected path.
Content Organization Best Practices
For the most effective protection, organize your media files into clear directories:
/wp-content/uploads/
├── public/ ← Logos, thumbnails, free content (exempt or unprotected)
├── protected/ ← Premium images, videos, documents
├── courses/ ← Course materials
├── memberpress/ ← MemberPress downloads
└── 2026/ ← Default WordPress date-based uploads
Most file manager plugins (WP File Manager, Advanced File Manager, Bit File Manager) and FTP/SFTP clients let you create subdirectories within your uploads folder. Organize files into protected and public directories, then configure your protection scope to match.
Migrating Existing Sites
If your site has been running with unprotected media and some files have been indexed by search engines, we recommend a one-time reorganization:
- Create a new directory for protected content (e.g., /wp-content/uploads/protected/)
- Move your premium media files into it using FTP, SFTP, or a file manager plugin
- If the files are referenced in WordPress posts or pages, use a search-and-replace plugin (like Better Search Replace) to update the URLs in your database
- Optionally rename or remove the old directory so previously indexed URLs return 404
This ensures that old, publicly indexed URLs no longer resolve, and the only way to access your protected content is through the protected media subdomain.
Exempt Content
In Protect-All mode, you'll want to exempt certain files that must remain publicly accessible:
- Site logo and favicon — These appear on every page and must load without authorization
- Open Graph / social sharing images — Social media platforms need to access these to generate link previews
- Theme images — Header images, background images, and other theme assets
- Public marketing images — Any images used on your public-facing pages
Exempt paths are directory prefixes, not glob or wildcard patterns. For example, /wp-content/uploads/public/ exempts everything in that directory and its subdirectories. Individual file patterns like *-logo.* are not supported. To exempt specific files, place them in an exempted directory.
The recommended approach is to organize your public assets into a dedicated directory (e.g., /wp-content/uploads/public/) and add that path as an exemption. The placeholder directory is always exempt automatically.
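The directory-prefix rule above, modelled as an added Python example (not XYZ Protect's own code) for checking a planned scope against a list of file paths before saving it. It assumes paths are already URL-decoded and are normalised before matching; the function names and sample paths are constructed for illustration.

```python
import posixpath

UPLOADS = "/wp-content/uploads/"


def normalize_prefix(entry):
    """Return a directory prefix ending in '/'; reject glob-style entries."""
    entry = entry.strip()
    if set("*?[]") & set(entry):
        raise ValueError(f"wildcards are not supported in paths: {entry!r}")
    # The trailing slash stops ".../public" from also matching ".../public-drafts/".
    return posixpath.normpath("/" + entry.lstrip("/")).rstrip("/") + "/"


def is_under(path, prefixes):
    """True if the path, with '..' and '//' collapsed, sits inside any prefix."""
    clean = posixpath.normpath("/" + path.lstrip("/"))
    return any(clean.startswith(p) for p in prefixes)


def classify(path, mode, entries):
    """mode 'all': entries are exemptions; mode 'specific': entries are protected."""
    if mode not in ("all", "specific"):
        raise ValueError(f"unknown mode: {mode!r}")
    prefixes = [normalize_prefix(e) for e in entries]
    if not is_under(path, [UPLOADS]):
        return "public"  # outside the uploads directory: out of scope in both modes
    listed = is_under(path, prefixes)
    if mode == "all":
        return "public" if listed else "protected"
    return "protected" if listed else "public"


SAMPLE_PATHS = [  # constructed sample paths
    "/wp-content/uploads/public/logo.png",
    "/wp-content/uploads/public-drafts/unreleased.jpg",
    "/wp-content/uploads/public/../premium/video.mp4",
    "/wp-content/uploads/2026/01/photo.jpg",
    "/wp-content/themes/site/header.jpg",
]


def audit(paths, mode, entries):
    """Map each path to 'protected' or 'public' for the given scope."""
    return {p: classify(p, mode, entries) for p in paths}


if __name__ == "__main__":
    for p, verdict in audit(SAMPLE_PATHS, "all", ["/wp-content/uploads/public"]).items():
        print(f"{verdict:9}  {p}")
```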