Best Practices: Organizing & Migrating Your Media
This guide covers recommended practices for organizing your WordPress media files for maximum protection effectiveness, including migration strategies for existing sites.
Directory Structure
For new sites or sites that can reorganize, we recommend a clear directory structure:
/wp-content/uploads/
├── public/ ← Always accessible (logos, public images, marketing)
├── protected/ ← Members-only media (images, videos, documents)
├── courses/ ← Course-specific materials
├── premium/ ← Premium-tier content
└── 2026/ ← Default WordPress date-based uploads
This structure makes protection scope configuration straightforward: protect /protected/, /courses/, and /premium/ while leaving /public/ unprotected.
Uploading Protected Content
Protected files can be uploaded through any method:
- WordPress Media Library — Works normally; place files in protected directories by configuring your upload path or moving files after upload
- File Manager Plugins (WP File Manager, Advanced File Manager, Bit File Manager) — Create directories and upload files directly from your WordPress admin
- FTP / SFTP — Connect with FileZilla, Cyberduck, or your preferred FTP client
- Hosting Control Panel — Use cPanel File Manager, Plesk, or your hosting provider's file manager
Files uploaded outside the WordPress Media Library (via FTP or file manager) are protected by path-based rules without needing any WordPress registration. If a file is in a protected directory, it's protected.
Migrating an Existing Site
If your site has been running with unprotected media and files may have been indexed by search engines or shared via direct URLs, follow these steps to close the gap:
Step 1: Create your protected directory structure
Using FTP, SSH, or a file manager plugin, create the directories you plan to protect:
mkdir /wp-content/uploads/protected/
mkdir /wp-content/uploads/premium/
Step 2: Move your premium media files
Move the files that need protection into the new directories. You can do this via FTP, SSH, or a file manager plugin:
mv /wp-content/uploads/2025/06/premium-video.mp4 /wp-content/uploads/protected/
Step 3: Update your database
If the moved files are referenced in WordPress posts, pages, or custom post types, update the URLs in the database. Use a search-and-replace plugin like Better Search Replace:
- Search:
/wp-content/uploads/2025/06/premium-video.mp4
- Replace:
/wp-content/uploads/protected/premium-video.mp4
Step 4: Configure XYZ Protect
Set your protection scope to Protect Specific Paths and add your new directories:
/wp-content/uploads/protected/
/wp-content/uploads/premium/
Step 5 (Optional): Remove old paths
The old URLs (e.g., /wp-content/uploads/2025/06/premium-video.mp4) now return 404 since the files have been moved. Search engines will eventually de-index these URLs. For faster de-indexing, you can submit a removal request through Google Search Console.
WordPress Upload Path Configuration
For new sites, you can change WordPress's default upload directory so new uploads go directly to a protected location:
Add to wp-config.php:
define('UPLOADS', 'wp-content/uploads/protected');
This changes the default upload directory for the WordPress Media Library. Files uploaded through the admin interface will go to /wp-content/uploads/protected/ instead of the default date-based structure.
Note: This only affects new uploads. Existing files remain where they are.
MemberPress File Organization
MemberPress stores its download files in /wp-content/uploads/memberpress/ by default. When XYZ Protect detects MemberPress, it automatically suggests this path as a protected directory.
If you upload files for MemberPress downloads via FTP or a file manager plugin (rather than through the MemberPress admin), ensure they're placed in a directory that's included in your protection scope.
