Secure WordPress paid plugin

Option 1 – Process some data on your system

I wouldn’t place all of the plug-in’s processing on your own server, but pick one or two vital functions and keep them hosted on your system. Then require an API key for each site that uses the plug-in so that they can communicate with your server.

Option 2 – Encrypt stored data and require a hosted decryption key

Another alternative is a basic encryption setup – this is actually a system I’ve been toying with for a while, I just haven’t bothered to deploy it anywhere yet. The code itself (to stay true to the GPL) is all plaintext just like you’d expect. However, all stored data (default values, plug-in settings, etc) is encrypted before being saved to the database. The trick here is that the plug-in on the remote system doesn’t have the decryption key – in order to decrypt the data, it has to post its API key to your system which then responds with the decryption key. This can then be stored in a transient (temporary option) for a certain period of time before being flushed – that way you don’t have a site hitting your server every 2 seconds during heavy traffic.

The downsides of this approach might outweigh the benefits, though (which is why I haven’t deployed it anywhere yet). First of all, a savvy programmer can capture the decryption key and then they don’t need your server any more. Or they could just flush out all the encryption/decryption hooks and run in plaintext. This is the advantage of open source for the user and the disadvantage to the developer who wants to distribute a free-but-restricted system.

The other downside is the dependency on your server. Storing a key in a transient lifts some of the burden off your server … but if your site goes down for an hour or two, then every site using your plug-in goes down for an hour or two unless you plan for some kind of graceful deactivation. Also, it would mean you’d have to keep said server up-and-running indefinitely if people continue using your system.

Option 3 – Limit the features of the “free” version

A last option, and one I’m actively working on using, is to split your plug-in’s featureset and functionality. The core of the system (UI, basic features, etc) is freely available without registration. For more advanced features, users have to register their copy, gain an activation key, then enter that key into the UI to complete the process – the plug-in then verifies with your server and downloads additional premium “add-ons” to the system.

The disadvantage here is that once downloaded, all the code now rests on the user’s site and, under the GPL, they can still redistribute the full package. The advantage is that it only depends on your system once and doesn’t require any kind of long-term download/processing support.

Any way you decide to move forward, you’re either going to be hit with maintaining some sort of external API on your server or providing the full source of the system to your users. If you keep some functionality on your system, you almost have to guarantee 100% uptime for it to be worth it. If you’re going to provide the full source, there’s no way (under the GPL) to prevent someone else from re-distributing your system.

Related Posts:

  1. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  2. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  3. Are WordPress Plugins essential?
  4. I found this in a plugin. What does it do? is it dangerous?
  5. What are the common security flaws I need to look for? [closed]
  6. Disabled plugins are they security holes – rumor or reality?
  7. What could a hacker do with my wp-config.php
  8. Why “Contact Form 7” doesn’t update PHPmailer library?
  9. How to make media upload private? [duplicate]
  10. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  11. What does a security risk in a plugin look like?
  12. WordPress Capabilities: edit_user vs edit_users
  13. How to check plugins for malicious code?
  14. How to properly secure my WordPress installation?
  15. Where should my plugin POST to?
  16. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  17. Disabled plugins are security holes – rumor or reality?
  18. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  19. Should I use RIPS tool to test my themes and plugins?
  20. Why users disable the WordPress update?
  21. How many security plugins are too many? [closed]
  22. Will WordPress username displayed somewhere in the site?
  23. Upgrading WordPress 4.0 asks for FTP password
  24. Is revealing just the AUTH_KEY a security issue?
  25. How Restrict access to admin dashboard by specific static ip?
  26. When is it useful to use wp_verify_nonce
  27. Protecting against malicious code in WordPress plugin updates
  28. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  29. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  30. How to limit WordPress pages during updates?
  31. rms_unique_wp_mu_pl_fl_nm.php
  32. How can we deal with unmaintained plugins with vulnerabilities?
  33. Security issues with WP sites
  34. Security checking in meta_box save is reluctant?
  35. Escape when echoed
  36. Should you escape hardcoded URLs?
  37. How can I make uploaded images in the editor load with HTTPS?
  38. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  39. The safest way to automate WordPress backups
  40. wp_create_nonce function doesn’t work inside a plugin?
  41. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  42. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  43. Headers Content-Security-Policy CSP Major Issue
  44. Nonce failing on form submission
  45. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  46. Why can’t I access my Intranet LDAPS with NADI?
  47. Malware installation during plugin update?
  48. Hack-Proof OR Security in WordPress — is it real?
  49. I should enable automatic updates?
  50. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  51. Is Timthumb still broken? What security measures should be taken?
  52. Prevent direct access to WordPress plugin assets?
  53. Specific way to allow WordPress users to view their current password? And edit it?
  54. Too many login attempts
  55. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  56. How to prevent plugins from sniffing/stealing other plugins’ options?
  57. Website show Google Ads when we have no Google Ads linked to our website
  58. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  59. Custom API plugin to execute 3rd party API to retrieve data
  60. How to deal with Slow HTTP POST (slowloris) vulnerability
  61. Running multiple security plugins
  62. how do I secure my WP website from hackers? [closed]
  63. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  64. Webservice credential storage [duplicate]
  65. Regarding plugin security
  66. How do I determine if the user who registered is not spam?
  67. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  68. Is this plugin safe to run?
  69. Is the Block Bad Queries Plugin Still Relevant?
  70. WP Insert Post If user refreshes override new post
  71. Hide plugins and theme from public
  72. WordPress search shows protected content
  73. Security of a WordPress Plugin
  74. How can I disable new plugin and theme install, but allow updates?
  75. Validating ajax search
  76. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  77. WordPress disable direct access of files in WordPress installation path
  78. Asking help regarding potential malware
  79. prevent anonymous access to WordPress site (non-admin site)
  80. Bing/msn bots is heavily requesting random of my website
  81. “Fire Secure” menu item
  82. Securing a plugin pop-up window
  83. https rewrite not working for All in one security Brute force > rename login url
  84. Being hacked. Is there a list of WordPress security holes I can check against?
  85. How can i see/log all requests coming from a registration form (not from the UI)?
  86. Write mysql credentials in plugin
  87. Site is continuously accessing by several IPs
  88. using .htaccess only for wordpress security no plugins
  89. SWF in wordpress post
  90. Unwanted Links and Spam WordPress Pages and Posts
  91. Problem with permissions in wp-content/plugins
  92. File permissions for wp-minify plugin
  93. What is the recommended way to be notified of security updates to my plugins? [closed]
  94. How I can hide my wp folders from Inspect Element (Developer Tools)
  95. How to Find WordPress site has backdoor login Codes
  96. How to delete Password Protected posts cookies when a user logged out from the site
  97. How to rename files during upload to a random string?
  98. Stop the user if login from the cookies
  99. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  100. Block Root REST API Route using custom &/or iThemes

Leave a Comment