How to Securely Embed Videos on Your LMS or Membership Site (7 Platforms)
Your membership site is locked, your lesson page is gated, and students pay before they can access it. But the video playing inside that lesson? In most setups, it is not protected at all.
The moment a student loads that page, the video embed URL appears in their browser. Anyone who opens developer tools can copy it, share it, and play it without ever logging in. That is not a niche vulnerability. It is how browsers work.
And it means that thousands of course creators are protecting their revenue with a paywall that only guards the door, while the window is wide open.
This is the gap that very few LMS platforms or membership plugins talk about: the difference between page-level security and stream-level security. Your login wall controls who sees the page. It does nothing to control what happens to the video URL once the page loads.
If you are building courses on Teachable, Kajabi, or a WordPress LMS like LearnDash, this gap applies to your setup regardless of which plan you are on.
You could have spent months scripting, recording, and editing that course, priced it at a premium, and carefully restricted access. None of that matters if the embed itself can be extracted in under a minute by anyone who knows where to look.
This article covers what real secure video embedding actually requires and which platforms deliver it for the LMS and membership tools most creators are already using.
Key Takeaways
- A paywall protects the page, not the video stream. The embed URL loads in the browser and can be extracted, shared, and played with no login required.
- Real video security works at the stream level, not the page level.
- Three controls are required: domain-locked embeds (restrict playback to your authorized domain), signed URLs (expire after a set window, making copied links useless), and DRM encryption (device-level protection that defeats most download tools).
- Seven platforms offer some or all of these controls: Gumlet, VdoCipher, Wistia, Bunny.net + Presto Player, SproutVideo, Brightcove, and Vimeo.
- Compatibility with LearnDash, Teachable, and Kajabi varies significantly across platforms and is broken down in full below. Each platform section includes a brief note on how to complete the embed in your specific LMS.
Why Embedding a Vimeo or YouTube Player on Your Membership Page Is Not Enough
The problem is not with these platforms specifically. It is with how video delivery works at the URL level, and most LMS builders never explain this to the creators building on top of them.
The Embed URL Problem
When a video is embedded on a paywalled page, the player loads by pulling content from a video source URL. That URL is part of the page’s HTML. It appears in the page source, in the browser’s network activity tab, and in the DOM. Any enrolled student can see it. So can automation tools designed to scrape video links.
Once someone has that URL, they can play it on their own site, share it in a forum, or drop it into a downloader. The membership gate never gets involved.
Protecting a page with a paywall does not protect the video inside it. The embed URL sits in the page source and can be extracted, shared, and played independently of any login or payment.
Why Unlisted YouTube and Basic Vimeo Settings Are Not Enough
“Unlisted” on YouTube means a video will not appear in search results. The link still works for anyone who has it, including people who received it second-hand. There is no expiry, no domain restriction, and no authenticated video delivery.
Vimeo offers domain-level privacy on paid plans, which is a real and useful control. But it does not generate signed URLs with cryptographic expiry, and DRM only comes through Vimeo OTT, a separate enterprise product. For most creators using a standard Vimeo embed, link sharing remains a live risk.
What Secure Video Embedding Actually Requires
Secure video embedding is not a single toggle. It is a stack of overlapping controls, each one closing a different gap. Think of it as the Three-Layer Video Embed Security Model: domain-locked embeds at the distribution layer, signed URLs at the session layer, and DRM at the device layer. Each layer handles a threat the others do not.
1. Domain-Locked Embeds
A domain-locked embed means the video player will only load on a domain you have explicitly authorized. If someone copies your embed code and pastes it on another site, the video server checks the HTTP Referer header against your allowlist and blocks playback. This closes the hotlinking and unauthorized re-embedding gap entirely.
One critical technical note: some platforms only enforce domain locks on JavaScript embeds, not on iFrame embeds. Since many LMS plugins and course builders default to iFrame codes, confirm your chosen platform enforces the restriction on both methods before relying on it.
2. Signed URLs and Time-Limited Access
A signed URL is a playback link that contains a cryptographic token and an expiry timestamp. Before the video server serves any content, it validates the token and checks whether the link has expired. Once the window closes, the link is dead, even if it was copied and shared.
This is token-based video access in practice. Combined with a domain lock, signed URLs eliminate the second major gap: even if someone extracts the raw URL from the network request, it becomes unplayable after your configured session window.
3. DRM Encryption
DRM (Digital Rights Management) is device-level encryption. The two dominant standards are Widevine for Chrome and Android, and Apple FairPlay for Safari and iOS.
A DRM license server releases decryption keys only to authenticated, authorized devices in real-time. This goes further than AES-128 HLS encryption, which secures the stream in transit but does not prevent all download tools. DRM defeats most screen-capture software on compliant hardware and represents the strongest available layer for protecting high-value course content.
When choosing a host for gated video content on your LMS, use a platform that supports domain-locked embeds and signed URLs at minimum. Those two controls alone close the most common ways protected-video leaks from membership sites.
7 Platforms for Securely Embedding Videos on Your LMS or Membership Site
The platforms below were assessed on whether they support domain-locked embeds, signed URLs with configurable expiry, and DRM encryption, as well as their compatibility with LearnDash, Teachable, and Kajabi. The list moves from most to least comprehensive in terms of the security stack each platform provides.
1. Gumlet
Gumlet is a video hosting and infrastructure platform built for teams that need full control over how video is delivered and protected.
It enforces domain-locked embeds across both iFrame and JavaScript embed types, which matters because platforms that only restrict one embed type leave a gap when the other is used.
Gumlet generates signed URLs with configurable expiry windows, so any extracted or shared link stops working after the session closes. DRM is available through Widevine and FairPlay, providing device-level encryption without requiring a separate license server.
Dynamic watermarking overlays viewer-specific details (email address or IP) directly on the video stream, creating both a deterrent and a traceability mechanism if content does leak.
For LMS compatibility: Gumlet videos embed into LearnDash via iFrame, and into Teachable and Kajabi by pasting the embed code into the lesson editor’s custom HTML block. No plugin is required for Teachable or Kajabi.
To embed: open the video in your Gumlet dashboard, copy the iFrame embed code, and paste it into the lesson editor’s Custom HTML or Embed block. Confirm that domain lock and signed URL settings are active in the Gumlet dashboard before going live.
The platform’s video protection features cover the full Three-Layer Video Embed Security Model in a single dashboard.
Best for:
Course creators and membership site owners who want domain locks, signed URLs, DRM, and watermarking in one platform without managing separate infrastructure.
2. VdoCipher
VdoCipher is a video hosting platform built specifically for DRM-protected streaming for EdTech teams and content creators.
It supports Widevine and FairPlay DRM, dynamic watermarking with user ID or IP overlays, and OTP-based video access, where a one-time playback token is generated per session via server-side API call.
For LMS compatibility, VdoCipher has a native WordPress plugin that integrates directly with LearnDash via shortcode embedding. Teachable and Kajabi are supported through iFrame Quick Embed.
The OTP-based access model is secure but requires developer involvement to implement correctly.
To embed on LearnDash: Install the VdoCipher WordPress plugin, copy the video shortcode from your VdoCipher dashboard, and paste it into the lesson editor. For Teachable and Kajabi, use the iFrame Quick Embed code from your VdoCipher dashboard and paste it into the lesson’s custom HTML block.
Best for:
WordPress-heavy LMS setups, especially LearnDash, where DRM is the primary requirement and technical resources are available for the integration.
3. Wistia
Wistia is a business video platform with domain-level embedding controls on paid plans.
It restricts playback to authorized domains and allows disabling the download button. It does not offer signed URLs with cryptographic expiry, and DRM is not available.
For LMS compatibility, Wistia videos embed into Teachable and custom course sites via iFrame or JavaScript embed. There is no native LearnDash or Kajabi integration.
To embed on Teachable: Copy the iFrame or JavaScript embed code from Wistia’s share panel and paste it into the lesson editor’s custom embed field. For custom WordPress-based course sites, paste the code into any Custom HTML block. Domain restrictions must be configured inside Wistia’s privacy settings before the embed is placed.
Its strongest value is in analytics: in-player lead capture forms, heatmap engagement data, and A/B testing for video make it well-suited for courses where conversion tracking is as important as access control.
Best for:
Marketing-focused course creators who prioritize engagement analytics and light domain protection over strong anti-piracy controls.
4. Bunny.net + Presto Player
Bunny.net is a CDN and video hosting service supporting HLS-encrypted streaming, signed URLs, and domain-locked embeds.
Most creators pair it with Presto Player, a WordPress plugin that connects to Bunny.net storage and adds a branded, controlled playback experience.
This combination works natively with LearnDash, including support for video progression to mark lessons complete.
Teachable and Kajabi are not natively supported; Bunny.net embed codes can be pasted manually. DRM is not available here. AES-128 HLS encryption and signed URLs are the primary protection layers.
To use with LearnDash: Install the Presto Player WordPress plugin, connect it to your Bunny.net account under Presto Player settings, upload your video to Bunny.net Stream, then insert a Presto Player block inside the LearnDash lesson editor. For Teachable and Kajabi: copy the Bunny.net iFrame embed code from the video dashboard and paste it manually into the lesson’s custom HTML field.
Best for:
Budget-conscious WordPress course creators using LearnDash who need domain lock and signed URL protection without a per-feature monthly subscription.
5. SproutVideo
SproutVideo supports domain whitelisting, signed embeds with token-based access, password protection, and SSO-based video access for authenticated users. DRM is not available.
A notable feature for membership sites: SproutVideo supports login-required video viewing, where viewers must authenticate through SproutVideo before playback begins.
This creates a user-level gate on top of domain restrictions. Videos embed into Teachable and custom sites via iFrame or JavaScript. There is no native LearnDash or Kajabi plugin.
To embed on Teachable: Copy the iFrame embed code from the SproutVideo share menu and paste it into the lesson’s embed or custom HTML field. For custom membership platforms: Use the JavaScript embed to activate the signed-token access flow. Ensure the domain whitelist is configured before embedding.
Best for:
Course creators who want signed-embed security with viewer authentication on simpler course sites or custom membership platforms.
6. Brightcove
Brightcove is an enterprise video platform supporting domain restrictions, policy-enforced signed playback URLs, DRM via Widevine, FairPlay, and PlayReady, and geo-blocking.
The security stack here matches what broadcasters and OTT platforms use.
For LMS compatibility, Brightcove integrates with enterprise learning environments and custom-built course platforms. Teachable and Kajabi embedding requires manual embed code placement. Brightcove’s pricing is enterprise-tier and is not structured for independent creators.
To embed: Generate a player embed code from Brightcove Studio, then paste it into your course platform’s custom HTML block. Integration with enterprise LMS environments is typically handled by a dedicated technical team rather than the course author.
Best for:
Enterprise learning platforms, corporate training portals, and media organizations with high-value video assets and dedicated technical teams.
7. Vimeo
Vimeo offers domain-level privacy controls on Pro plans and above. When correctly configured, those controls prevent the player from loading on unauthorized domains, which is a real and useful protection for many low-risk course use cases.
The relevant limits: Vimeo does not generate signed URLs with cryptographic expiry, and DRM is only available through Vimeo OTT. An extracted video URL from the network request can remain playable even with domain privacy enabled.
LMS compatibility is smooth across the board: Vimeo embeds into LearnDash with video progression support, as well as into Teachable and Kajabi.
To embed: Copy the Vimeo embed code from the video’s share panel and paste it into the lesson editor’s custom HTML block. Before embedding, configure Vimeo’s privacy settings to domain-restricted under the video’s privacy tab. Without this step, the embed provides no domain-level protection.
Best for:
Free or introductory courses where light domain restriction is acceptable. Not the recommended choice for high-value paid content where link sharing is a genuine risk.
Quick Comparison: Security Features at a Glance
Here is how these seven platforms stack up across the features that matter most for protected video embedding on an LMS or membership site. LMS compatibility reflects confirmed integration with LearnDash (LD), Teachable (TC), or Kajabi (KJ) based on each platform’s published documentation.
| Platform | Domain Lock | Signed URLs | DRM | LMS Compatibility | Best For |
| Gumlet | Yes | Yes | Yes (Widevine + FairPlay) | LD, TC, KJ | Full security stack, all-in-one |
| VdoCipher | Yes | Yes (OTP-based) | Yes (Widevine + FairPlay) | LD (plugin), TC, KJ | WordPress LMS with DRM |
| Wistia | Yes | No | No | TC, custom | Analytics-first courses |
| Bunny.net + Presto Player | Yes | Yes | Yes (MediaCage DRM) | LD (native), custom | Budget WordPress setups |
| SproutVideo | Yes | Yes | No | TC, custom | Simple membership sites |
| Brightcove | Yes | Yes | Yes (Widevine + FairPlay + PlayReady) | Enterprise, custom | Enterprise scale |
| Vimeo | Yes | No | Vimeo OTT only (separate product) | LD, TC, KJ | Free or low-stakes content |
Frequently Asked Questions
1. If my membership site is behind a paywall, is my embedded video automatically protected?
No. The paywall protects the page, not the video stream. When the page loads, the video embed URL is rendered in the source code and browser network log. Anyone on that page can extract that URL and share it, and the video plays with no login required.
2. What is the difference between domain-level privacy and signed URLs?
Domain-level privacy restricts which websites the player will load on, using the HTTP Referer header. Signed URLs tie each session to a cryptographic token with an expiry window. The first blocks unauthorized embeds. The second kills shared links after the expiry closes. Both together close significantly more gaps than either one alone.
3. Does DRM mean nobody can ever record my video?
DRM prevents downloads on compliant hardware and defeats most screen-capture tools. It does not prevent someone from pointing a camera at a screen. DRM is a meaningful deterrent and a strong technical barrier, not an absolute guarantee, but it is proportionate protection for most commercial course content.
4. Do Teachable and Kajabi have secure video hosting built-in?
Neither platform offers DRM-protected hosting natively. Both support video uploads, but those videos do not benefit from domain locks, signed URLs, or DRM. For authenticated video delivery on either platform, host on a dedicated secure service and paste the embed code into the lesson editor’s custom HTML block.
5. What is the minimum setup to protect course videos from being shared outside my site?
At minimum, use a video host with domain-locked embeds configured to your course domain. Adding signed URLs with a session-length expiry closes the link-sharing gap. DRM is the right next layer for high-value content. Uploading directly to Teachable or Kajabi’s native storage is not recommended if piracy is a genuine concern.
6. How do I actually embed a secure video from one of these platforms into a Teachable or Kajabi lesson?
The process is consistent across both platforms: generate the embed code from your video host’s dashboard, open the lesson editor, locate the custom HTML or embed block, and paste the code in. For Gumlet, VdoCipher, Wistia, SproutVideo, and Brightcove, this is an iFrame or JavaScript snippet. For Bunny.net with Presto Player, the embed is handled inside WordPress via the Presto Player block rather than a raw embed code.
The critical step that most guides skip: make sure your domain restriction and signed URL settings are active on the video host side before you embed. The embed code alone does not activate security, those controls must be configured in your hosting dashboard first.
Bottom Line
Most course creators think about security at the wrong layer. They set up a paywall, restrict the lesson page, and move on, assuming the video is covered. It is not.
The paywall handles authentication. The video embed handles delivery. Those are two separate systems, and protecting one does not protect the other.
The practical fix is not complicated. Choose a video host that treats stream security as a first-class feature, not a paid add-on.
That means domain-locked embeds so your video cannot be hotlinked or re-embedded on unauthorized sites, signed URLs so any extracted link expires before it can do real damage, and DRM if your content is valuable enough to warrant device-level protection.
These are not enterprise-only tools. Several platforms on this list make them accessible at creator-level pricing.
A membership paywall and a secure video embed are two different things, and conflating them is one of the most common and costly mistakes in online course publishing. When embedding videos on your LMS, use a private video hosting platform that supports domain-locked embeds and signed URLs.
That combination is the practical minimum for protecting the actual video stream, not just the page it sits behind. If your content is your income, it deserves infrastructure designed around protecting it.