WordPress Plugin · User Guide

How the plugin works — from upload to verified proof

A plain-language walkthrough of everything the MarkMyAI WordPress Plugin does: what happens to your image, why WordPress delivers different sizes, what gets stored, and how the Chrome Extension verifies it all.

01

Why you need this

When you publish an AI-generated image, EU AI Act Article 50 requires that it remain machine-readably marked and verifiable — not just at creation, but through your entire publishing workflow. Enforceable from August 2, 2026.

The problem: embedded metadata is silently destroyed by almost every image pipeline. In our tests, C2PA signatures survived 0 of 10 common transformations — JPEG re-compression, resize, CDN optimization, social upload. All of them.

🔏 C2PA Signature: Destroyed by re-encoding
🌊 Invisible Watermark: 91% real-world survival
🗄️ Fingerprint + Audit: Works from screenshots
⛓️ Blockchain Anchor: Permanent, independent

No single layer covers every scenario. Together, they do. Even if someone downloads a compressed thumbnail from your site years from now, there is still a recoverable proof trail.


02

The marking pipeline, step by step

1
You click Mark

In the MarkMyAI Dashboard or Media Library, you click Mark on an image. A modal asks for Creator (your name or organisation) and AI Model (e.g. ChatGPT, Midjourney). All marking is manual — nothing happens on upload without your action.

2
Already marked? Fast check first

Before doing anything, the plugin calls our API with a perceptual fingerprint of the image (takes ~3 seconds). If a match is found in our database, the existing proof record is adopted — no new mark is created, no file is replaced. A toast shows: "Already marked — use Re-mark to change metadata."

3
Our server marks the image

→ Downloads your image from the public URL WordPress has for it
→ Embeds an invisible watermark using TrustMark (Adobe Research, MIT-licensed) — a 40-bit proof token is encoded into the pixel values. Visually identical. Takes ~15 seconds.
→ Signs with C2PA: a cryptographic publisher certificate is embedded in the file header. Records: creator, AI model, timestamp, "AI-generated." Readable by Adobe, Google, Microsoft tools.
→ Stores a proof record in our database (see What is stored where below)
→ Blockchain anchor: on paid plans, a transaction is written to the Polygon blockchain within minutes
→ Returns the marked file as a temporary download URL (valid 24 hours)

4
WordPress replaces the original file

The plugin downloads the marked image and overwrites the original in your wp-content/uploads/ directory. It also overwrites the -scaled version (created by WordPress for images over 2560px). All existing thumbnails are deleted — so WordPress regenerates every size from the newly marked original. From this point, every image size on your site derives from the marked file.

5
Mark ID is stored in WordPress

The plugin saves the mark ID, verify URL, creator, and AI model as post meta on the attachment. The Dashboard shows ✓ Verified with Verify, Proof PDF, History, and Re-mark buttons.


03

How WordPress handles images — and why it matters

When you insert an image in WordPress, WordPress doesn't deliver a single file. It generates multiple resized versions and lets the browser choose the most appropriate one based on screen width and resolution — this is called srcset.

<img src="image-800x600.jpg"
     srcset="image-300x225.jpg 300w,
             image-800x600.jpg 800w,
             image-1024x768.jpg 1024w"
     sizes="(max-width: 800px) 100vw, 800px">

A visitor on a phone might receive image-300x225.jpg. A desktop visitor gets image-1024x768.jpg. These are different files, re-encoded from the original.

This re-encoding strips all embedded metadata:

C2PA: Gone. The thumbnail is a new JPEG. The certificate only exists in the original.
⚠️ Watermark: May be degraded. Very small sizes (< ~150×150px) can lose it entirely.
Fingerprint: Still works. Our server can match even a compressed thumbnail back to the original proof.

Page Builders (Beaver Builder, Elementor, Divi): When you choose "Thumbnail" as the image size in a builder, the URL on the page points to the thumbnail file — not the original. The Chrome Extension sees this thumbnail URL. Fingerprint matching still works, but C2PA is not in the thumbnail. This is expected behavior. Enable "Preserve Proof" in Settings to fix it.

04

What "Preserve Proof" does

MarkMyAI → Settings → Frontend & Verification (Chrome Extension / Checker)

Default — OFF
Normal WordPress behavior
→ WordPress serves the best-fit resized version to each visitor
→ Mobile: image-300x225.jpg (no C2PA)
→ Desktop: image-1024x768.jpg (no C2PA)
→ Chrome Extension: fingerprint matches, but C2PA = NOT FOUND
✅ Choose this for normal site performance. The fingerprint and blockchain proof still work.

Recommended for verification — ON
Original file with C2PA delivered
→ Every marked image is served as the full-size original
→ srcset and sizes are removed for marked images
→ data-markmyai-mark-id is injected on the <img> tag
→ Chrome Extension: C2PA = FOUND ✅
✅ Choose this if you use the Chrome Extension or markmyai.com/check to verify frontend images.

HTML output — Preserve Proof ON
<!-- Normal WordPress: -->
<img src="image-300x225.jpg" srcset="..." sizes="...">

<!-- With Preserve Proof ON: -->
<img src="image-original.jpg"
     data-markmyai-mark-id="mk_rRVQQYDqV-"
     data-markmyai-verify-url="https://...">
Works with all page builders. The plugin runs a second pass over the HTML output and finds images by their wp-image-{ID} CSS class — which Beaver Builder, Elementor, Divi, and WPBakery all set automatically. Even when a builder bypasses standard WordPress image hooks, marked images are still rewritten to the full-size original.
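
A way to confirm the rewrite after clearing caches, as an added example (not the plugin's own code): this Node.js script audits rendered HTML for marked images that still carry srcset/sizes or lack the mark-ID attribute. The sample HTML, the attachment IDs and the mk_EXAMPLE value are constructed, and the list of marked attachment IDs is assumed to be known to the caller.

```javascript
// Constructed sample output: one rewritten image, one builder image left
// untouched, and one unmarked image that must be ignored.
const SAMPLE_HTML = `
<img class="wp-image-41 size-full" src="/wp-content/uploads/2026/01/cat.jpg"
     data-markmyai-mark-id="mk_EXAMPLE"
     data-markmyai-verify-url="https://example.invalid/v/mk_EXAMPLE">
<img class="fl-photo-img wp-image-42" src="/wp-content/uploads/2026/01/dog-300x225.jpg"
     srcset="/wp-content/uploads/2026/01/dog-300x225.jpg 300w, /wp-content/uploads/2026/01/dog-1024x768.jpg 1024w"
     sizes="(max-width: 800px) 100vw, 800px">
<img class="wp-image-77" src="/wp-content/uploads/2026/01/logo-150x150.png">`;

// Collect quoted attributes (name="v" or name='v') from one tag.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Returns one entry per marked image with the list of deviations from the
// Preserve Proof output shape. Assumes attribute values contain no ">".
function auditPreserveProof(html, markedIds) {
  const marked = new Set(markedIds.map(String));
  const report = [];
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const idMatch = /(?:^|\s)wp-image-(\d+)(?:\s|$)/.exec(a.class || "");
    if (!idMatch || !marked.has(idMatch[1])) continue; // unmarked: not rewritten
    const issues = [];
    if ("srcset" in a) issues.push("srcset still present");
    if ("sizes" in a) issues.push("sizes still present");
    if (!a["data-markmyai-mark-id"]) issues.push("data-markmyai-mark-id missing");
    // WordPress names resized renditions <name>-<W>x<H>.<ext>
    if (/-\d+x\d+\.\w+$/.test(a.src || "")) issues.push("src is a resized rendition");
    report.push({ id: Number(idMatch[1]), src: a.src, issues });
  }
  return report;
}
```

An entry with a non-empty issues list usually means a builder or CDN cache is still serving the pre-rewrite markup.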

05

Chrome Extension: how verification works

The Extension adds a shield badge to images on any page. Click the badge to verify.

1
Quick Check < 1 second

The Extension picks the largest available image URL from srcset (avoiding tiny thumbnails) and sends it to /api/v1/check-batch. A perceptual fingerprint is compared against our database. If a match is found, the mark ID, creator, AI model, marked date, and blockchain status are shown immediately.

2
Deep Check ~15–18 seconds, on demand

Click "Run full watermark check." The image is sent to /api/check-watermark. The server:

C2PA extraction — reads the file header. Reports claim generator and signer if found.
Watermark decode — the TrustMark Worker (~15s) extracts the 40-bit token and matches it against known mark IDs.
→ All four layers updated in the tooltip.

Layer check results

Layer | Status | Meaning
Fingerprint | MATCHED | Visual fingerprint matched a mark in our database
Blockchain | ANCHORED | Proof transaction confirmed on Polygon
Watermark | FOUND / NOT FOUND | TrustMark token decoded from pixel data (requires Deep Check)
C2PA | FOUND | Publisher certificate found — only if original file is delivered
C2PA | IN ORIGINAL | C2PA stripped in this rendition, but original was C2PA-signed
C2PA | NOT FOUND | C2PA not present and no record of original being signed

C2PA "IN ORIGINAL" is shown in amber when: the checked image (e.g. a thumbnail) doesn't contain C2PA, but our proof record shows the original was C2PA-signed. This is common when WordPress serves a thumbnail and "Preserve Proof" is off. The proof still exists — just not in this rendition. Enable Preserve Proof to get FOUND instead.
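
The Quick Check URL selection and the three C2PA states from the table, sketched as an added example. The Extension's real selection logic is not shown on this page, so the function names, the 150-pixel width check and the sample srcset are assumptions built from the guide's description.

```javascript
// Constructed srcset in the shape WordPress emits (comma + whitespace
// between candidates, one descriptor type per srcset).
const SAMPLE_IMG = {
  src: "image-800x600.jpg",
  srcset: "image-300x225.jpg 300w,\n image-800x600.jpg 800w,\n image-1024x768.jpg 1024w",
};

// Parse srcset into candidates with "w" (width) or "x" (density) descriptors.
function parseSrcset(srcset) {
  // Split on comma + whitespace so CDN URLs that contain commas stay intact.
  return (srcset || "").trim().split(/,\s+/).filter(Boolean).map((entry) => {
    const [url, desc = "1x"] = entry.trim().replace(/,$/, "").split(/\s+/);
    const m = /^(\d+(?:\.\d+)?)([wx])$/.exec(desc);
    return m ? { url, size: parseFloat(m[1]), unit: m[2] } : null;
  }).filter(Boolean);
}

// Largest candidate wins; fall back to src when srcset is absent or unparsable.
function pickLargest(img) {
  const best = parseSrcset(img.srcset).reduce(
    (a, c) => (!a || c.size > a.size ? c : a), null);
  if (!best) return { url: img.src, width: null, watermarkAtRisk: false };
  const width = best.unit === "w" ? best.size : null;
  // The guide says renditions below roughly 150x150 px can lose the watermark.
  return { url: best.url, width, watermarkAtRisk: width !== null && width < 150 };
}

// Map the two facts the server has (C2PA in this file, C2PA flag on the
// proof record) onto the three states shown in the tooltip.
function c2paStatus(renditionHasC2pa, originalWasSigned) {
  if (renditionHasC2pa) return "FOUND";
  return originalWasSigned ? "IN ORIGINAL" : "NOT FOUND";
}
```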

06

What is stored where

Your WordPress: Media Library
→ The marked original image file
→ All regenerated thumbnails
→ Post meta: mark_id, verify_url, creator, ai_model, status
Stays with you forever. MarkMyAI does not host your images long-term.

MarkMyAI Server: Audit Log + Proof
→ mark_id, SHA-256 hash, perceptual fingerprint
→ creator, ai_model, timestamp
→ c2pa_signed, watermark_embedded flags
→ Verify URL, Proof PDF, Proof JSON
→ Delivery file: 24h only
Proof record stays permanently. Delivery file is deleted after 24h — WordPress already has the file.

Polygon Blockchain: Immutable Anchor
→ mark_id
→ SHA-256 hash of image
→ Perceptual fingerprint
→ h:creator_hash — GDPR-pseudonymized
→ h:model_hash — GDPR-pseudonymized
→ Timestamp (set by blockchain)
Paid plans only. Permanent and independent — exists even if MarkMyAI shuts down. Verifiable at polygonscan.com with TX hash from Proof PDF.

07

Quick reference

Situation | What to do
Chrome Extension shows C2PA: NOT FOUND | Enable "Preserve proof in frontend images" in Settings, clear builder/CDN cache, reload page
Chrome Extension shows C2PA: IN ORIGINAL | Normal for thumbnails. Enable Preserve Proof to get FOUND instead.
Chrome Extension shows wrong MarkID | Old cached thumbnail. Clear CDN and browser cache after re-marking.
Dashboard says Verified, Extension shows No Signal | Check if the image URL is publicly accessible. Localhost installs won't work without a tunnel.
Mark failed / spinner forever | API timeout. Retry from Dashboard. Check Settings → Test Connection.
Re-mark needed (new creator or model) | Click Re-mark — new mark ID, new watermark, new C2PA. Clear CDN cache afterward.
Already marked toast shown | Image was detected as already having a mark. Use Re-mark only if you need a new proof record.
C2PA IN ORIGINAL on Large image | The image on page may still be a cached pre-Preserve-Proof version. Clear cache and reload.
