1

I'm having a WordPress theme which users can purchase. You are allowed to use one single license on a single website and I'm identifying websites by their domains. A single purchase is identified with a secure UUID.

I am trying to get a secure solution for enforcing this constraint -- you can use and receive updates for that theme only from a single, pre-configured domain.

I'm also having some constrains:

  • can't use obfuscated code in any way, that is security through obscurity is not an option for me
  • users are able to swap domains for their licenses, which is done on a separated dashboard

The question is, what are options for doing that?

The simplest thing that comes to my mind is to send the secret UUID and the current domain (which I extract from DB -- that's how WordPress works) as a payload to every request I send from theme to the API I have on the side. This looks very fragile to me and not secure at all.

Are there any other options I can consider?

I'm not asking for WordPress specific (and PHP, at all) solutions. I'm just looking for techniques that can help in those situations.

Thanks.

Andrei Glingeanu
  • 113
  • 3
  • 2
    The single-license themes and plugins I have seen don't go much further than the simple approach you described. Ultimately, you might have no choice but to trust the users because they can easily patch any security mechanism in the code. – Arminius Mar 16 '17 at 00:40
  • Yes, I wasn't able find something more useful than that. I guess I'll have to trust my users, you are right. – Andrei Glingeanu Mar 16 '17 at 00:43

1 Answers1

0

This is already partially answered in comments, but the simplest thing to do is to have a secret UUID string stored with the code and the current domain, and then that be used as a payload to the API side of things.

The tricky part here is the type of system you're using. When you state a Wordpress theme, Wordpress doesn't exactly give kindly to 'closed source' on themes. By this, I mean that the theme itself is designed in a way which is not kind towards 'secret' code. Any user who has access to the code given to them can patch around any security mechanisms embedded in the theme coding.

While this is less of the case with compiled code/binaries (in which case you need to decompile to 'patch' out security controls), it remains the case that anything you give to any user can continue to be 'patched' to circumvent any security controls put into place, with enough effort. This ultimately means that you have to trust that your users who are given the theme are not going to try and circumvent your controls; those who wish to, however, will be able to do so.

Your simple approach is likely the best approach, but keep in mind that there's ways to 'patch' around such controls, and with enough effort even the most robust 'security controls' for licensing items can be circumvented, with enough time and effort to do so; this ultimately means you just have to trust your users to not be trying to circumvent your security controls.

Thomas Ward
  • 731
  • 1
  • 7
  • 24