Ok, I am in the process of creating a cms. There will be a free version, and a premium version. Obviously the premium version will have modules and such that the free version does not have. Does anyone have an idea on how i can prevent my premium version from being shared across the web? Ive looked into using a license key with remote server validation, as well as encrytion, and encoding the premium scripts. I dont want to use Zend Guard or Ioncube, because i dont want users to have to have that software installed just to ues the cms. I also want the cms to be customizable which rules out encoding. Anyone have ideas to prevent the scripts from being nulled? If its possible to maybe just encode a single page that does remote validation... just something... It doesnt have to be a bullet proof thing.. but something that prevents novice crackers from nulling it and releasing it
ENCODING PAGES:
Personally, I have tried a few techniques to avoid PHP encoders but nothing was really effective in a commercial environment.
Based on my experience though, I wouldn't worry so much about Ioncube and Zend not being installed on servers because most managed environments will most likely already have both, this is what I have found anyway. Because of this it reduces the problem of users to have to install it for a single application.
In saying that it depends on your target market also, if you're going head-to-head with the likes of Joomla! or WordPress for example, then your target market typically uses a managed environment so no big issue.
If you're however going for say an intranet market this could be a minor problem but any server admin worth a grain of salt will be able to install this easily without fuss, they will also understand why you put it in place. Note, the intranet market is a bit harder as you will need to specify port settings to check the license in your licensing module.
SIDE NOTE: As your product is going to be distributed with source code available you do need to be careful and pay attention to your Intellectual Property (IP), this generally means putting a legal disclaimer on every page that is readable. Also, don't forget to respect the requirements of other IP owners scripts you may be using in your project.
LICENSING & ENCODING (THE SUGGESTION):
Encoding a single page with licensing functions is a way of going about it but you will find it fairly easy to bypass if the rest of the source code is available.
What I would look at is encoding a single page with licensing functions but also encoding your login validation, half of your authentication checks for each protected page and some basic functions for posting to the database also. This way if they try to remove your encoded page with the licensing script there is no login or updating of content - plus they will get kicked out of the system as only half of your session checking will be valid - I hide a kill function nested into another function that is required for each page to operate, this may be a menu (this is great because you can hide the function with the logout), it just looks like part of the log-out function but in reality it is a function to destroy the session if not all variables are present.
When choosing values for your authentication checks on each protected page (that function should be encoded), try using what appears to be a random variable and non-descriptive names then encode the variable (I like MD5 hashes for this). It is another way to give more security around the 'hacking' of your script.
I hope this may help you and sorry that I cannot recommend a better solution.
Related
I have a script, and I sell it to some people. I need a way to make sure that my script won't work on any website that not in my clients list.
First of all, I am using IonCube to encrypt my PHP code.
I have all my clients in my server database.
Each Client has a domain name, email, name, phone.
What is the best method to avoid making people from stealing my script?
I read about making a license key in the script, so any script without license won't work. However, there are many ways to generate a license key without taking my permission right?
All I need is to not activate any script in any domain name, unless I have it in my clients list.
Your question is very interesting because way too many php developers wonder the same thing. How can I protect my product from being stolen and copied?
Some of the comment talk about not being greedy, but the truth is that many people program for a living, so it isn't a matter of just some software you built as a hobby, it is your work and you deserve to get paid for it, just like any other profession.
Sadly, PHP is a language that is very hard to protect, but I will give you a few pointers:
1) Don't trust encryption: I have seen way too many tools for un-encrypting code, even some tools that I used to trust like Zend Guard, are also vulnerable. The most advanced tools I have seen can reveal your code in minutes.
EDIT: Another thing I forgot to mention about encryption. It will require the server to have certain special modules installed in order for your code to work and this is a deal-breaker for all the people who use shared hosting and can't install the unencryption module.
2) Try obfuscation: Even though your code will be still readable, if the obfuscator does a good job at mixing variables, adding nonsense and making functions within functions, the code itself will become almost non-modificable, so it will be useless to try to modify it.
3) Take advantage of obfuscation to insert domain-lock code within your software itself: Instead of a license file, just sell the software to a certain customer with some domain verification code within the software itself, that approach combined with obfuscation, will make it very hard to figure out what to change to make it work in some other domain, so you will probably achieve your goal.
4) Make a great software: This is the most important part, build an outstanding software that people will be willing to pay for, create a proper website for it, get the word out there.
I hope I have helped you.
There's a reason Adobe, Microsoft, and others don't over actively pursue pirates (not saying they don't, just not at epic, absolutism levels) - they make most of their money from business to business sales and support. A simple license and support structure is typically enough to posture yourself for profit from legitimate businesses and parties who want your product.
Technical protection is a losing battle if you're going to give anyone the code. That's why SaaS is so popular.
The only true way to lock down script-based code that you give away, is to keep a core part of that code executing on a server you control -- and have the code you've given to your client 'call home' to your server on each execution. Then all you have to do is block access to this 'call home' script based on the requesting ip.
Also, in this 'call home' mechanism it is no good just performing a simple connection test or handshake because this can be worked around -- the script on your server has to do something integral to the system as a whole so that the client would have to rewrite that missing part in order to use your code elsewhere without you knowing. This could be some key calculation or data provision.
Obviously this is not ideal as many clients will not like a script calling a remote server, plus you'd have to make sure your network and server could handle the number of requests -- otherwise you'll slow or timeout your clients own systems.
All I need is to not activate any script in any domain name, unless I have it in my clients list.
Ok you narrowed it enough.
create your openssl certificate, hardcode public part to checking code, when issuing license sign domain.name string with your private key, issue sign part as license, in your license:
$lic=<<<EOL
LICENSE CODE HERE - SIGNATURE of string contained domain name
EOL;
in your code to check license:
include 'license.php';
$cert=<<<EOK
PUBLIC KEY DATA HERE
EOK;
$pub_key=openssl_get_publickey($cert);
$ok = openssl_verify($_SERVER['SERVER_NAME'], $lic, $pub_key);
if ($ok !== 1) {die ('bad license!')}
O'c all should be encrypted as much as possible.
this probably vulnerable for special crafted libopenssl binaries but I hope it will help you.
to avoid running of such code every you can add condition like this:
if (int(random()*100))==6) {check_license();}
but it depends on which part is should be protected.
also, in all parts of the code you should check md5summ of file that contain license check code.
You can use http://www.ioncube.com to obfuscate your source code or http://www.phplicengine.com to license your php code remotely or locally.
My thoughts are that you can't successfully save code from to be nulled. I really don't like way the Non-Free apps are created, but I won't judge you. Best solution to protect code is sometimes not worth of it, because many people (read websites) have very restricted hosting, where they cant install ioncube... Best protection is to join many types of protections (ex. IonCube + injected licence connection to your data server in different places with different code+if site NEED to use some ssl, you can try to make some protection with to sell also ssl with public key check on your data server), or many, many, other ways, just be creative)
But however as I said, If you want very high protection, you will get loss of money for creating it, and loss of money of loosing your customers, because they use some cheap hosting...
You need to think about everything...
Forgot to say: Hosting on your server is best protection, but have disadvantages: you need to add possibility for 'templating' site, access to be created some plugins, and similar stuff... But sometimes Clients just don't like to keep all data on your hosted server.
I think I helped somehow...
There are some good comments from other posters to this. Depending on the edition of the ionCube Encoder that you're using the features that you need are there already (in Pro and Cerberus), including features to allow you to craft your own layers of licensing if you wish, though this shouldn't be necessary. Some basic steps give the biggest wins, and as others have said, it's not generally worth going over the top with a massive licensing infrastructure. Keep in mind too that a main benefit to licensing comes not so much from stopping those who are intent on cheating and not paying, but from keeping the paying customers in line.
Say that you have a fee for each domain where your software is used. If you mention this somewhere but do nothing to enforce it, then when an honest customers tries your scripts on a second domain and finds that it works, chances are that they'll simply use it without even realising that they should have paid. In contrast, if your software alerts them to the fact that a new license is needed, it's likely that they'll purchase for the second domain.
Realistically it's impossible to stop the most determined thieves, and as one poster eluded to it may even be beneficial in the long term to have cheaters using software for free rather than not at all, but licensing can definitely lock in revenue from the honest majority who are happy to purchase good software (plus support, bug fixes, upgrades etc.), and it's foolish not to do that.
So I'm trying to make my own mini CMS, and just for my knowledge once I get it good enough, and I know enough, I'd like to sell it. Now for licensing, I know there's tons of licensing scripts you can pay for, but would the following be advisable?
I'd like to plant a script hidden in my CMS where instead of checking for some sort of key, it checks if your domain is allowed to run the CMS by running it past the main CMS database. Now I have two questions.
1.) Could I encrypt the code, so if I wanted it to redirect to a page where it just says "CMS Deactivated" For example, so that people don't go through the code just ctrl-f searching for the key text?
2.) I was going to reach the domain name by doing the following, $_SERVER['SERVER_NAME']. Is that going to be a reliable way of checking the domain? IE. Will IIS pick up on it?
I'm not trying to completely extinguish cracking of the CMS, I know that is impossible.
Maybe you should consider housing the whole thing on your own servers and making the content accessible via a REST API. You can certainly restrict and control that way.
Providing a CMS with source code to any client opens you to evaluation and cleansing. Not saying there's no way, but I am saying it may be easier for you to provide the content via REST than to write perfect security. Especially if you're asking this question.
As I said in my comment, I think worring about money is irrelevant for now, but here's some information for you to learn from.
1.) I haven't found an encryption solution that works. Any will require you to install additional PHP components (and no one wants to deal with that when there are plenty of free CMS's out there). There is code obfuscation, but that's iffy at best.
2.) According to this page, that should work on IIS!
Basically I have a new client that is after the following functionality from her accountancy website:
A client area in which here existing clients can log into.
a place within the log in are where clients can access documents
such as tax returns etc.
naturally this all needs to be very secure. My question is:
Is there a Wordpress plugin that can achieve this or is their an open source php framework out there that allows me to do this.
I could go through the process myself using php and mysql PDO but apart from encrypting the passwords i am not confident that the security i could program would be adequate. Any recommendations?
You could consider trying WP-Client
It's a Wordpress plugin that was built from the ground up to act as a client portal with the exact functionalities that you describe, plus much more.
http://WP-Client.com
If there are any plugins out there, they probably won't measure up to the amount of security you're looking for.
I would recommend storing all sensitive data outside of the public_html directory so that it is out of grasp for unwanted visitors/robots/etc.
You should also be encrypting all data sent/received with a SSL certificate.
It sounds like you're looking for a lot of functionality- the ability to upload these documents, access them based on users, etc. You may have to code something yourself or find a non-Wordpress solution that works for you. Perhaps you can use login credentials based off of the Wordpress installation...
Update
Since originally writing this I'm now in agreement with user1744188's answer below. WP-Client has been written specifically for this task, and for me it fills a big gap in the Wordpress market. The service I've been given is very good and I think it's priced well considering all the features and the resources you get.
It should definitely be noted, however, that the plugin itself is not open source. The main wp-client.php file in the root of the plugin is a big 0.5Mb monster of a file that has been encoded. Every method has been obfuscated and ties into some unencryption method using the licence key.
So it does what it does but you won't be able to extend or modify it easily.
Original Answer
I agree with John - I personally don't think I'd use Wordpress at all for this. However, I did a job not long ago and they sprung this requirement on me right at the end of the build so I had no choice.
I did it using S2 Member and it worked out well. Here's the ongoing thread on how to do it, the developer is a really helpful guy, he's produced a video to help and supported requests.
www.primothemes.com/forums/viewtopic.php?t=586
It's WordPress Plugin that connects with CRM to CMS, Means all your data will store in CRM for better management. you can find Here, They Prodive best solution for WordPress Client Portal.
I've created a couple of little few page long websites for one time projects or conferences in mostly Wordpress, and I'm thinking about what will happen to those websites in the future. And I think I'm not alone, as there are a big number of sites out there, which is now only kept as an archive, but unlike in the 90s where everything was static HTML, these websites are now using some software to provide CMS functionality, even if its only for a few pages + search.
My problem is that with all these modular software (Wordpress, Joomla, etc.) you need to use various plugins and themes to make them usable and nice, but all these functionality brakes sooner or later. Which means that if you want to keep the website as is, you need to leave the old versions of the software. I mean forever.
On the other hand they are so popular (Wordpress has more than 100 million downloads now), that I would be surprised if they would not became a target for the most popular exploits in the near future. I don't know how safe these software are, but I have experienced what it means to continuously keep cleaning/fixing an osCommerce website with about 7 successful hacker attacks every month, till the sites owner agreed that its better close the site entirely and start building a new one.
As an alternative solution (but I really don't know if its possible), is there any way to make a whole site into a read-only mode? I mean something like making the database read-only, the file system read-only, disabling the admin interface and all the comment fields and just leaving the site as an archive, the only dynamic part being the search function.
Is it possible on file-system/database level? Will it help at all to keep hackers out? Is there any other solution? Please understand that my point is that it is not possible to keep CMS sites always updated forever, and even if some of as are fanatic enough to spend a night looking for fixing a broken theme/plugin which just broke after a core upgrade, 99% of the sites will end up in a "fixed" state; using a working but old CMS/plugins/theme combination forever.
I think 99% is a very generous estimate, but that's beside the point. The majority of the sites that end up in the state you are referring to only last as long as their domain registrations (especially since most Wordpress or OSCommerce deployments are usually set up as the root domain and service the entirety of the web presence.) So generally speaking, if the domain itself is in a state of neglect and abandonment, the natural expiration process will decommission it and it will no longer be accessible in general.
As for locking down an entire, sitewide state on one of these CMS systems, it could in theory be possible if one removed all write privileges for all the server files and revoked every database user privilege except SELECT. In most cases this would defeat the purpose of leaving the software for CMS there at all, since none of the records would updatable any longer (items in the case of OSCommerce, posts in the case of Wordpress.) But this would be highly dependent on the environment required by the particular CMS, and Wordpress for one is pretty particular about read/write permissions to work at all. It would make for an interesting experiment, but probably isn't a practical solution for what you're describing.
Taking the rendered content and building a static mirror is another option, and can be pretty easily automated by writing a script that could get the HTML content of the rendered pages and building static, linked alternatives. But this too is a bit impractical, especially in the case of a search (since this by its very definition requires database access.)
In short, it's an interesting idea, but ultimately sites that are neglected and whose owners are not committed to sustaining proper updates are doomed to expiration, and the natural course of Internet business and domain registration pretty often Darwinizes them.
Yes, you can take a snapshot of a website using wget or similar, basically replacing the CMS driven site with static HTML pages.
wget -mk http://www.example.com/
That way you wouldn't need to update it forever.
As an alternative solution (but I
really don't know if its possible), is
there any way to make a whole site
into a read-only mode? I mean
something like making the database
read-only, the file system read-only,
disabling the admin interface and all
the comment fields and just leaving
the site as an archive, the only
dynamic part being the search
function.
WP Super Cache has a "Lockdown" function — serving static HTML files for almost every visitor.
It's not exactly what you're looking for, but a simple workaround, as I dont know a of a "read only" function for WordPress.
http://wordpress.org/extend/plugins/wp-super-cache/
About 4 years ago I used a php product called amember pro, it is a membership script which has plugins for lie 30 different payment processors, it was an easy way to set up an automated membership site where users would pay a payment and get access to a certain area.
The script used ioncube http://www.ioncube.com/sa_encoder.php to prevent non-paying users from using the script, it requered that you register the domain that the script would be used on, you were then given a key to enter into the file that would make the system/script work.
Now I am wanting to know how to do such a task, I know ioncube encoder just makes it hard to see the code, in the script I mention, they would just have a small section at the tp of 1 of the included pages that was encrypted and without that part of the code it would break and in addition if the owner of the script did not put you domain in the list and give you a valid key it would not work, also if you tried to use the script on a different domain it would not work.
I realize that somewhere in the encrypted code that is must of sent you key to there server and checked that it was valid for the domain name it is on, or possibly it did not even do that, maybe the key would just verify that it matched the domain the script was on, that more likely what it did.
Here is where the real question is, How would you make a script require the portion that is encrypted? If I made a script and had a small encrypted part at the top, it would seem a user would be able to easily just remove the encrypted part and figure out what the non encrypted part is doing and fix it to work. Any ideas?
fever has a similar model, you sign up, download the software (also PHP), then get an activation key. You can see how it works in the demo video (towards the end).
If you're giving away the source code, there's no way you can prevent someone with programming knowledge from patching out whatever copy protection / security you put in.
One thing I can think of is distributing a C/C++ compiled program or extension that the PHP app calls in to to verify the license. That compiled part could then phone home, etc. Even that could be easily circumvented though.
You can see some other ideas in these similar questions:
Code obfuscator for php?
Best solution to protect PHP code without encryption
Basically if you're giving away the code you're in an arms race with putting increasingly complex copy protection, which can always be broken in the end. You'll have to decide how much effort is worth it. I personally wouldn't invest much effort.
Not a perfect way of doing it, however you could use an encoder to hide the code and make it call a page on your server that returns a value that is difficult to forge. It would be server intense, but could do what you want. You would want to do something where time was involved. Updating the code so often.
I have seen it done multiple ways. Just about any software method you think of can be bypassed if somebody is interested enough to work at it. We use ioncube to encrypt our non-hosted products and back it up with a USB hardware dongle. Can it be cracked? Yes. But, people are basically honest. I think the thing to do to keep people paying for the script is to make it a pain to crack and release frequent updates with new features that people won't want to wait for. If your price isn't too high, people will just decide to pay for it instead of cracking.