I want to create a WordPress plug-in but also want to ensure that the plugin can only be used after it has been activated with a serial key that should be unique for each domain.
What is the best way to go about it assuming:
- I have to give the actual source code to the users and cannot have a VideoPress type of security – which is just a JavaScript wrapper for the actual content that comes from the plugin’s server.
- I want to ensure that a novice to average PHP developer will not be able to circumvent the security easily.
The simplest solution is to have a server that will be able to serve as an endpoint for verifying whether the domain that the request is coming from is the correct one or not (an Ajax call on plugin install, init, etc.). But there is nothing stopping the end user from simply removing those bits of code and making it work without the authentication. I just want to make this a little tougher.
The following algorithm will only prevent users that don’t have access to a valid serial from using your application.
The first requirement is to generate a public / private key.
Algo
Based on the current domain ($_SERVER['HTTP_HOST']) and the serial key (loaded from a config file), it will generate the public key.
One implementation:
1.1 Repeat the domain bytes to be the same length as the serial / public key.
1.2 XOR the previous result with the serial. (This should give you the public key)
Use the generated public key to decrypt some content (code to be executed) that was encrypted with the private key.
Ideally the encrypted code should be executed only at installation or in an initialization task.
To generate a new serial you'll need to do an XOR of the repeated domain bytes and the public key.
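The scheme above in working PHP, as an added example that is not the answerer's code: steps 1.1 and 1.2 derive the key (what the answer calls the "public key") from the domain and the serial, the serial is issued per domain by the inverse XOR, and the protected payload is sealed with libsodium's secretbox so that a mismatched domain or serial fails authentication instead of decrypting to garbage. It assumes a 32-byte serial, the sodium extension (PHP 7.2 or later), and constructed sample values for the domain and payload.

```php
<?php
// Added example (not the answer's own code): the XOR key derivation above,
// paired with libsodium secretbox so a wrong domain/serial fails cleanly.
// Assumes a 32-byte serial and the sodium extension (PHP >= 7.2).
const KEY_LEN = SODIUM_CRYPTO_SECRETBOX_KEYBYTES; // 32 bytes

// Step 1.1: repeat the domain bytes until they are exactly $len long.
function repeat_domain(string $domain, int $len = KEY_LEN): string {
    if ($domain === '') {
        throw new InvalidArgumentException('domain must not be empty');
    }
    return substr(str_repeat($domain, intdiv($len, strlen($domain)) + 1), 0, $len);
}

// Bytewise XOR of two equal-length strings (PHP's ^ on strings does this).
function xor_bytes(string $a, string $b): string {
    if (strlen($a) !== strlen($b)) {
        throw new InvalidArgumentException('length mismatch');
    }
    return $a ^ $b;
}

// Step 1.2, plugin side: key = repeated domain XOR serial.
function derive_key(string $domain, string $serial): string {
    return xor_bytes(repeat_domain($domain), $serial);
}
// Vendor side (the answer's last step): serial = repeated domain XOR key.
function make_serial(string $domain, string $key): string {
    return xor_bytes(repeat_domain($domain), $key);
}

// Vendor side: encrypt the protected payload once under the master key.
function seal_payload(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}
// Plugin side: the payload, or null when domain and serial do not match.
function open_payload(string $sealed, string $domain, string $serial): ?string {
    $nonce = substr($sealed, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($sealed, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, derive_key($domain, $serial));
    return $plain === false ? null : $plain;
}

// Walk-through with constructed values: the serial issued for example.com
// opens the payload on that host and fails anywhere else.
$masterKey = random_bytes(KEY_LEN);
$sealed    = seal_payload('/* protected init code */', $masterKey);
$serial    = make_serial('example.com', $masterKey);
var_dump(open_payload($sealed, 'example.com', $serial) !== null);
var_dump(open_payload($sealed, 'other.example', $serial) === null);
```

Because XOR is its own inverse, the derived key is a shared secret rather than a public key: anyone holding one valid serial and the plugin source can recover the master key and mint serials for other domains, which is exactly the limitation the answer states up front. The domain binding therefore only holds against users who never received a valid serial, and the authenticated cipher adds tamper detection, not secrecy of the mechanism.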