Issue a license key for a wordpress plugin?

Now there's a flash of brilliance! Good luck with the post count building efforts!:rolleyes:

Now seriously, to answer your question:

I recently designed a WP plugin that did the exact same thing - it issues an API key and user ID to a user after they pay with ClickBank or PayPal.

In my case I did it with the information sent to me by ClickBank or PayPal, I built an IPN "listener" that received the transaction details. I then use a piece of code that essentially creates an API key (a random unique string with some rules regarding formatting). the API key is stored in the user table, along with the user ID (I used the users e-mail address from the CB/PayPal transaction as the ID). I also mail the key to the user.

On every call to the API I have the user ID and API key included (the Plugin Dashboard has fields to enter this data). If they validate then the user is permitted to make the API call, otherwise it fails.

Hope this is of some use to you, please feel free to contact me if you want any more details - always happy to help a fellow Canadian (actually, I'm always happy to help a fellow Warrior, no matter what nationality)!

Happy Holidays

Bill

Hi Bill,
Thanks so much for the reply. It definitely helps me to better understand what needs to be done. However, it's definitely above my skill level.
I'm using Wishlist Member too so I'm sure that will add another level of complexity.

Andrew

Hi Andrew

Actually I don't think WishList will add to the complexity, although I'd have to know a bit more about what you are trying to accomplish before I could say that with authority.

Bottom line is that you need a method of managing and validating keys. The method I described above is one way, no doubt there are countless others. Without knowing what your plugin actually does (and I understand if its a secret) makes it difficult to recommend the best method.

As you said you are having the plugin "developed" I assume you are working with a developer? No doubt he/she could offer a suggestion about the best way to accomplish this for your particular plugin design.

Best of luck with your plugin!

Bill

I have developed a custom script that does this however it is still in development, I can tell you a few things about this process, it is not as easy as it sounds, and you may encounter issues, that could cause you to pull your hair out, I am still working on this and eventually I will release the script however, one of the biggest problems that I keep encountering is the rapid development cycle of word-press,

3.0 3.01 3.02 3.03 3.04, one or more could end up breaking your code so you have to go back and try again, it is a real pain in the butt, trying to find the best balance between what works and what works best, now that is the real challenge.

mywebwork's solution will work if your plugin has to communicate with your server to get the job done, something like Askimet. However, if it's self-sufficient, then an API key won't be of any use.

As far as encoding the source code of the plugin is concerned, I'm not sure if it'd provide any additional security. WordPress plugins have to be GPL, and anyone can request the full source to it (as per GPL).

If your plugin is good enough, then the good guys won't share it with others. And the pirates will always be pirating stuff. You can't help it. Rather, put additional efforts into satisfying your loyal customers.

Regards,
Revolves

The whole GLP spec is quite touchy on how you can/can not have a different license for a plug-in.

Frequently Asked Questions about the GNU Licenses - GNU Project - Free Software Foundation (FSF)
Basically if you use functions from WordPress it has to be GLP.

This is pointed at themes, but it is a similar concept.
http://wordpress.org/news/2009/07/themes-are-gpl-too/

phpbbxpert: GPL for WP is a grayarea. WordPress Core Devs and Matt have their view on the subject but its not universal. All pro WP GPL is biased in the WP world. But its basically all gray when it comes to PHP since the GPLv2 wasnt written for dynamic stuff, linking etc.
And we don't know until its tried in court until then we are all bull****ting.

I thought the whole themes-and-plugins-are-GPL had been resolved some time ago. Since themes and plugins run under the same process and use the same hooks as the core software, then they are considered to be derivative works and therefore subject to GPL. However, any css, javacript or images (and other non-PHP parts) bundled with said plugin or theme are not subject to GPL, provided those components themselves are not derived from GPL code. Therefore, the PHP portions are most definitely GPL, though you can 'sell' the other parts. You could even release the entirety as GPL, but place it behind a paywall and 'sell' support and updates.

Well, one thing for sure everyone has an opinion, on this however, legally, one entity cannot take away the legal rights of another entity.

In other words If I create a plugin, and it contains my personal intellectual property which I can also copyright, by the way as well as apply for a patent, if I wanted, why bother, right.

So just because my plug-in touches word-press does not give word-press rights to my intellectual property see how that works, if this were in fact legal then wordpress could claim the rights to all server software where it runs including Cpanel,

Does that make sense? No, it does not, why, simply because just because wordpress runs on Cpanel does not mean that Cpanel is now GPL, that would be like trying to sell ice to an Eskimo no offense to the Eskimos.

Wanting something does not make it true, The biggest problem here is that most people here have never bothered to read the GPL, mostly because it is totally confusing unless you have a law background and even then its full of conversant facts,

But none of that matters, because, unless and until some case law is developed in this area, the final word is yet to come out, in other words the fat lady has not sung yet.

I think that intellectual property and the GPL are capable of playing well together, but they are not going to be having sex or children any time soon.

I implemented a similar approach to the premium plugin, Gravity Forms, in my own plugin, Slickr Flickr. I came up with the solution by inspecting their code.

I addressed the GPL and licensing issues as follow

1) Plugin is GPL and non encoded

2) Plugin has free version

3) Premium version comes with support and access to membership forum as well as bonus features that are unlocked with the license key

4) When someone buys the system generate a random 32 character key that has a few decillion possible unique values, sets up a membership account and emails them the login so they can log in and get their license key

5) Member enters their license key in the plugin's admin settings

6) Custom validation makes remote call to check license key is valid - a green tick is placed alongside the key if it is valid and a red cross if it is invalid

7) Whenever, the plugins page is visited, and the 12 hour cache has expired, a remote license check is made: I collect referrer information so I know on how many domains the license is being used - I could add more restrictions in the license validator but do not need to yet as nobody is taking the mickey


Because the code is GPL anyone can take it and remove the license checking if they wanted to so the security will not deter anyone with a little bit of time and determination who does not want to pay me for my work. This approach makes sense for me as the plugin is cheap so it is not worth spending a lot of time and effort to protect it.

However, I would go down the IonCube encryption route if you need to protect the code better. This can still be GPL as long as you offer to give anyone a copy of the unencrypted code to anyone who asks for it. (That's the rules). However you can send them a printout of the code by post so it you think the requestor has mal intent you can make it a little more difficult for them.

If you require more protection, then you can move some of the code on to a server and implement the plugin as a client/server implementation. Here you protect your IPR by hosting the key components on your own server while the client part of the plugin is GNU Lesser General Public License. Matt Mullenweg's own Akismet plugin is an example of the client/server approach

If you would like the random license key generator code just PM me.

Yep, as long as you keep the plugin GPL (or compatible licenses like MIT or BSD) it will be legal. I think people understand you're paying for support, which is fine. Just don't encrypt it.

Actually it makes perfect sense, from a purely ideological perspective, as Robin Williams once said during a standup comedy routine, (for those of you on Quaaludes) this is a disargeement between copyright, Intellectual rights advocates, and copyleft Socialized Code advocates, as mentioned previously there is no case law to support one position over another, (before you go there, read, when a case is settled, it does not mean case law has been created) additionally, when hardware is represented it is a totally different aspect of software, so the position some mentioned in some threads are not properly mounted in terms of argument.

Since hardware, cannot be distributed with a on demand GPL version,
(which by the way does not include IP rights to any code generated in a plugin)

Additionally, a copy of wordpress can be pointed to as a link and satisfy any GPL reguirements, along with a base statement, (which means that if you demand access to code from thesis or any other for hire, code) you will be laughed out of their email box.

Still, I remain unconvinced that the copy left theory of ordained law is accurate at all.

If wordpress continues down this path there will be consequences, likely not now and probably not in the near future, but in the tired but truthful analogy

Cant we all just get along,)

If PHP is BSD (like) and Wordpress wants to be GPL, fine, but you cannot makes reckless statements about how one license trumps another simply because they work together.

LAMP is quite different in its license terms.

again for those on Quaaludes different strokes for different folks.

As the OP, I'm still looking for a solution for a licensing key for a plugin. If anyone knows how to set this up and is looking to take this project on please PM me.

Thanks
Andrew

Any solution to this problem since I need to use something for a theme.
My coder is thinking of including this:

class-jfile-php at class.jfile.php - Free PHP Code

But it does not offer an automated process of providing a licence key upon payment.

I am chatting with him now to work on a solution, if i find something then I will be back here to provide a solution

The problem with encrypting source code is that anyone who's not an idiot and knows the slightest thing about programming, can unencrypt it. The people who don't know anything about programming are not going to know what to do with your code anyway.

Ioncube needs its own interpreter installed on the host though, doesn't it? Sort of like the Zend Optimizer? That seems it makes distribution more difficult to me. I don't know why most people are so worried about their source code anyway. Consumers are paying for support, not for products to steal.

If you're selling to a very specific industry that is willing to install whatever you require in order to run your product, I understand, however.

A different approach might be using a members area for customers and having the script verify active members via another script in the members area. This saves having to come up with license keys etc, let's you track which domains are being used by which members and members are less likely to share their login information.
Then obfuscate the PHP code with POBS. :-)

Hello I am also looking for a licensing option for a premium wordpress plugin and wondered if anyone had any suggestions.

The best solution I have found is through using WHMCS licensing addon, but that is a bit overkill for my needs as I don't need the WHMCS application (which is typicaly used by webhosts / domain name registrars to automate billing etc)

So, any suggestions ?
Thanks

AFAIK a 'derivative work' for GPL purposes is one that starts with GPL source code, and modifies that source code. A plugin need only access functionality exposed by the GPL code. Most often the functionality accessed is simply to tell Wordpress when to call back the plugin to perform the plugin's functions.

This is essentially similar to any program utilizing the API's (Application Program Interface) of Linux itself. The notion that API usage would 'contaminate' code and force it to become GPL was the basis for M$'s claims that anything that touched Linux would become GPL.

As I recall, this led to a distinction between 'utilizing' (via an API or otherwise) functionality exposed by GPL code VERSUS 'incorporating' GPL code, where 'utilizing' was not sufficient to force GPL licensing.

If I remember correctly, one of M$'s arguments was that if someone ran a GPL program on Windows, this would force Windows to become GPL. This was the basis for all sorts of anti-GPL activity. I think the matter resolved with some statement from the OSF that said that was not the intent of the GPL.

Regarding 'securing' a theme or plugin
Anything on a computer under a user's control can eventually be taken apart, and modified to ignore usage (i.e. license) restrictions. The only solution is to keep some of the functionality on computers never under the user's control. For a theme this might be a gui designer that runs on the vendor's computer. For a plugin, it might be fresh data, or providing a gateway to another service.

Security conscious system admins are skeptical about code from unknown sources that cannot be inspected. Encrypting your first plugin will make your marketing effort more up hill. (Also, I don't think you can get an encrypted theme or plugin listed in the Wordpress.org directory.)

Harrison

I've been researching this licensing stuff for a while for my project and I found out that there's nothing really an all-in-one off-the-shelves solution to protect your php scripts. You have to jump through a lot of hoops and spend a lot of money before you can get a solution.

Here's my recommendations:

1. If you are routing for software development for long term then I advice you to spend money for the development of your in house licensing solution.

2. If you want an off-the-shelves solution then you may try "SPBAS". It's an expensive one but it's a great solution, it's not fully automatic but with a little bit of programming knowledge you can easily automate the process.

3. If you need a low-end solution that works then try "PHPLicengine" + "ionCube". These 2 software can do the trick plus you can install it on your own server to control all your software and issue unlimited licenses without paying subscription.

Hope this helps.

Gama

I got a working WordPress system with registration, license keys, automatic updates etc. Are there any interest in releasing it as a standalone package?

To OP,

The way I envision would look something like this:

First, you'll need a script. This script needs to connect to the database.

When someone makes a purchase, your download page will make a calling to this script.

The script will check for the transaction details and then generates a license key.

The key will then updated into the database and finally displayed on the download page.

After the buyer uploaded the plugin, he/she will needs to activate it.

To activate, the buyer will need to enter their license key, and the info will be post to the script (on your server).

The script will query the database and check if the license key is valid. If yes, return the unlock key to its referrer. The plugin is now unlocked.

As you can see, the script itself consist of a lot of sensitive information, such as your database password, your Paypal/Clickbank API token, the secret algorithm to generate the license key and unlock key... For security reason, most people will prefer to develop the script in-house. It needs to be customized anyway.

- Rufas

Not sure on the cross domain connect to the db but you should be able to set the license key up using something like so to generate and store in the db.

I've done a similar licensing solution but I dropped it because I release my software as open source. It did indeed called *home* and cached the result/encrypted for 4hours.

By the way ioncube has an online version of its encoder. It is much cheaper.
It works on some kind of credits system and you are charged based on the complexity of your code.

I run a central wordpress admin tool that allows me to manage remote wordpress networks. I built an Oauth client/server with tokens. Oauth is a standard used by nearly all social networks so it's well supported.

My steps are as follows.
1. user activates my plugin
2. user connects their blog to my network. A secure window pops up asking for username and password. (they previously made a user account).
3. If user is authenticated, I generate a random key and key secret and store it in the options of the wordpress blog and on my server. I also record the domain name.

Now each call has the key, secret, domain, and signature sent. If the signature doesn't match, authentication fails and script dies...

You're not going to be able to hide your code and people will be able to reverse engineer any code. that's just the nature of building on wordpress, but the upside is, if you make a good product you have a lot of blogs to market to (14.7 million)

@Andrew:

Just found this thread when going though my subscription list. Am I right that this has evolved into your WP Plugin WSO?

If so, I can happily close the subscription, if not let me know. I didn't have the time to have a look at my purchase so far...
Cheers, Rob

Hi Rob,

That's right... since this post I have found a system and implemented it into my business model. I've packaged it into a WSO training program too.

Andrew

Have you looked into Ioncube PHP Encoder?
You can set it to have your plugin only run from certain websites or unlimited with a license key.

I have used this on several plugins. It works great!

One thing you need to be sure of if you implement security like this is that the domain you use for checking the license needs to ALWAYS be online FOREVER. So in 5 years you still have to have this system up and running or else all the plugins people purchased from you instantly go dead.

I implemented something like this but a little more advanced in a project once but it took into account the possible unavailability of the site by storing a custom activation code generated by the licensing site taken from part IP, domain name and special code generated from the plugin. Once activated it didn't need to call home except to check for updates and that was able to be disabled by user if they wanted.

Each site had it's own code so you couldn't just plug in any code or one from another site. I also experimented with auto regeneration of the code but that got too complex for users so I abandoned that.

Just be aware that if you implement a licensing scheme that requires the software, wp plugin or whatever to call home that you make allowances for that and purchase a domain name for more than one year at a time, preferably 5 to 10 years and make sure hosting is reliable.

There are more than one expensive plugins for software that have gone dead due to either out right abandonment of the software, selling out to a competitor or another business or just not taking the time to make sure things would be up and running for years in the future eg: hosting or letting domain expire etc...


- T

a script can be GPL and still be sold commercially. ultimately it's up to the developer. if they choose to publish under a GPL license, then they run the risk of having their stuff shared. by encoding the plugin, though, they break the GPL license and so are not following their own licenses. also, a plugin MUST be GPL to be featured on wordpress.org

Hello Bill
I am new in this field i suggest you to go Google or youtube and write your problem it gives you the best solutions.

if someone has a licensing system they would like to make in to a WSO, I am up for writing the sales letter if that is a roadblock. I think a lot of people would like a system like this for their software development

Has anyone released anything yet that can do do the license key generation and check?

@RussJam

I would also like to see the generator code if possible.

Did I miss something... did the user ever complete the licensing plugin he mentioned or more specifically detail how he solved the licensing problem?

From ProEFI ...
Is the end result of this thread "I figured it out, buy my course to figure out what I did"?. I PROMISE I don't mean that as poorly as it may sound. It's late. I'm tired. I'm interested. I care :-).

Hi gatech,

I went with SPBAS Business Automation Software | PHP Licensing, Client Management

Thanks,
Andrew

Hey, I just finished my wordpress plugin licensing software.
You can check it out at Wordpress Plugin Licensing

Sorin

The GPL debate aside here are some actual solutions for what the OP is trying to do...

https://wordpress.org/plugins/product-licensing-system/

https://easydigitaldownloads.com/ext...re-licensing/+

+http://www.warriorforum.com/warrior-...p-license.html

Callbacks only really work if there is enough trust between the developer and the purchaser, as most are startups that doesn't exist so you limit sales. On the other hand you need to make sure the IP stays yours. You have ionCube, but remember, everything about WP is free, so charging is hrder, charging with callback and not being a household name caysing lack of trust puts a damper on sales.