31 replies
I'm getting ready to release a handful of WordPress plugins, some for free, some for a low price:

1. Amazon S3 theft prevention - lock your Amazon content so everyone can view it on your site / paid pages, but can't steal it and use it somewhere else.

2. exit pop - dead-simple exit pop on any page/post you want it on.

3. delayed "add to cart" button - dead simple way to "hide" your "add to cart" button and have it appear when you want it to (great for video sales pages, makes them watch X minutes before being able to see the price)

I've seen a number of PHP encryption software products available; I obviously want to stay away from any that require server modifications.

One in particular I'm looking at is phpcipher. It says that most servers already come with the modules needed (Zend Optimizer).

Looks like the next best thing would be an obfuscator, but it doesn't really lock down the code...

You guys have any experience or recommendations?

Thanks!
#encryption #php #stopping #theft #theftproof
  • SteveJohnson
    My suggestion, for what it's worth - I don't install ANY plugins on my sites until I look at the code and make sure it's not doing something malicious. If the code is obfuscated, and I want to use the plugin badly enough, I'll de-obfuscate it (base64 decoding, translating, etc.). If the plugin's encrypted, I won't use it and I'll advise everyone in the blogosphere that I know not to use it.
    Signature

    The 2nd Amendment, 1789 - The Original Homeland Security.

    Gun control means never having to say, "I missed you."

    • Originally Posted by SteveJohnson View Post

      If the plugin's encrypted, I won't use it and I'll advise everyone in the blogosphere that I know not to use it.
      That's crazy.
      • Net66
        If you decide you do want to encrypt and lock down your php then a good, simple system is PHP Encoder, PHP Compiler. The $99 full bytecode encoder including PHP script protectio

        Most WordPress users don't look at the source before they install anything, so unless you're selling to Steve it shouldn't be a problem.

        But Headfirst is right. You'll get less support by not protecting the code and theft isn't as rife as you might think. If someone really wants to steal something they'll probably find a way.

        Andy
        Signature
        What I do - And How I do it. My Personal Blog...
        http://AndyBrocklehurst.com
  • RobinInTexas
    I'm with Steve. Encrypted or obfuscated code is scary, I stay away.
    Signature

    Robin



    ...Even if you're on the right track, you'll get run over if you just set there.
  • Headfirst
    It's a tough decision. When we first started releasing software, my partner's primary concern was theft. He was so worried about it I ended up spending more time securing it than I did creating the program to begin with.

    On top of that, 100%, really, 100% of the support requests I got had to deal with install issues caused by the code locking.

    In the end, I released version 2.0 of the software about a year ago without any protection at all. Completely plain text code.

    I haven't seen it stolen yet. The clients prefer it, I'm down to 0-1 support requests a month and it's so much easier to deal with.

    I'll never encrypt, obfuscate or domain lock my PHP code ever again. It costs too much both in time and money and adds no value to either you or your clients.
  • xrvel
    I guess it depends on the author. Encrypted code is not always scary. Of course you should test on a local server / testing server first if you are really paranoid about it.
  • Revolves
    I understand your concern for protecting your source code. However, if a person who doesn't know any programming (or knows very little of it) steals your code, then there is very little he can do with it. He won't be able to sell it successfully, for he probably won't have the same reputation as you do, and definitely won't be able to provide support.

    A reasonably skilled programmer won't need your source code to replicate your product.

    If customers are finding the encryption procedure inconvenient, then it's better to leave it off.
  • Tim Franklin
    Interesting thread. As some others have discussed, I can see how it can really be inconvenient; there are some plugins that do some inconvenient things, even possibly criminal things, but here is where I sort of disagree with this whole "I'm from Missouri" thing: for most "average" users, they are not going to look at the code, mostly because they would not know what it was doing in the first place.

    The best way to develop digital products is to develop trust with your customers.

    I can see both sides of this, you don't want someone to just come along and take your hard work, and you don't want to make it hard on your customers to use your products. The best you can hope for is to sort of create a middle ground.

    I think anyone that would look at PHP code is not your customer, and so the idea that someone would not buy your product unless they could see all the code is irrelevant; they would not buy your products to begin with.

    If you do use a method to protect your code, do it as little as possible and test it before your release, just a few thoughts.
    Signature
    Bitcoin | Crypto | Blockchain Secrets |
    • SteveJohnson
      Originally Posted by Tim Franklin View Post

      I think anyone that would look at PHP code is not your customer, and so the idea that someone would not buy your product unless they could see all the code is irrelevant; they would not buy your products to begin with.
      That's not necessarily the case. I've purchased several plugins that I could have done myself and been perfectly happy. I simply didn't have the time or inclination to do it myself - buying it already done was easier.

      That said, I've also requested refunds for a couple of them because they were either encrypted to the degree that I couldn't see how they functioned, or they were dependent on an outside server. If there's a valid reason for ET to phone home, that's fine - but I need to be told before I buy.
  • stma
    Encoding will cost you:

    - Customers will need more support.

    - Performance issues (significant ones if the customer's hosting is sub-par).

    - Some customers will NOT install encoded plugins. There are so many things that can be buried in it that it is a real concern.



    Not encoding will cost you:

    - I've never seen an encoded script that a hacker didn't want to break into. Consider it a challenge.

    - It will get shared places and those people wouldn't have bought it anyway.

    Looking at the things you are making, none of them seem terribly complex. It's not like you have 900 hours of coding in there.

    I've released dozens of scripts over the years. I've encoded a couple of them - and they were all my biggest headache.
  • Tim Franklin
    I can understand that. In fact, last year there was a WordPress plugin that was being promoted here on this forum (free download), and inside the plugin was a click bot. I had to go in and decode it to find it (I get it, and I also understand it), but there are only so many people out there with the skill to actually find these things, which sort of brings me back to the idea that you really have to develop trust if you're going to encrypt a script.

    Interesting topic to be sure, really all you can hope to do is to slow someone down, but all in all, I sort of think it's overkill, unless you're producing a highly specialized product.
    • SteveJohnson
      Originally Posted by Tim Franklin View Post

      Interesting topic to be sure, really all you can hope to do is to slow someone down, but all in all, I sort of think it's overkill, unless you're producing a highly specialized product.
      I totally agree.
  • SteveJohnson
    I saw a plugin once that did some pretty nifty stuff. But on the dark side, the creator not only made the script phone home to validate on each load, he/she/it also created a backdoor login amidst some obfuscated code.

    That's why I always check plugins before I use them.
    Signature

    The 2nd Amendment, 1789 - The Original Homeland Security.

    Gun control means never having to say, "I missed you."
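
The pre-install review SteveJohnson describes, decoding obfuscated layers and looking for phone-home or login code, can be done statically without running the plugin; the following is an added example, not code from any poster in this thread. The indicator list, the function names and the sample plugin are constructed for illustration, and only the first wrapped literal in each layer is followed.

```python
import base64
import binascii
import codecs
import re
import zlib

# Calls a reviewer wants to see before installing, grouped by concern.
INDICATORS = {
    "dynamic-exec": r"\b(eval|assert|create_function)\s*\(",
    "decoder": r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    "network": r"\b(curl_init|fsockopen|wp_remote_get|wp_remote_post)\s*\(",
    "auth": r"\b(wp_insert_user|wp_create_user|wp_set_auth_cookie)\s*\(",
}

# A chain of decoder calls around one quoted literal,
# e.g. gzinflate(base64_decode('...')).
WRAPPED = re.compile(
    r"((?:(?:base64_decode|gzinflate|str_rot13)\s*\(\s*)+)"
    r"(['\"])([A-Za-z0-9+/=\s]+)\2",
    re.ASCII,
)

def apply_decoder(name, data):
    """Python equivalent of one PHP decoder call, applied to bytes."""
    if name == "base64_decode":
        return base64.b64decode(data)
    if name == "gzinflate":
        return zlib.decompress(data, -15)  # raw DEFLATE, like PHP's gzinflate
    text = codecs.encode(data.decode("latin-1"), "rot13")  # str_rot13
    return text.encode("latin-1")

def peel(source, max_depth=10):
    """Decode nested wrappers statically; returns one string per layer."""
    layers = []
    for _ in range(max_depth):
        match = WRAPPED.search(source)  # first wrapped literal only
        if not match:
            break
        data = match.group(3).encode("ascii")
        try:
            # The innermost call runs first, so walk the chain right to left.
            for name in reversed(re.findall(r"\w+", match.group(1))):
                data = apply_decoder(name, data)
        except (binascii.Error, zlib.error):
            break  # literal was not a real payload; keep earlier layers
        source = data.decode("utf-8", errors="replace")
        layers.append(source)
    return layers

def audit(source):
    """List (depth, concern, function) hits in the file and every layer."""
    hits = set()
    for depth, text in enumerate([source] + peel(source)):
        for concern, pattern in INDICATORS.items():
            for match in re.finditer(pattern, text):
                hits.add((depth, concern, match.group(1)))
    return sorted(hits)

def raw_deflate(data):
    """Raw DEFLATE, used only to build the sample below."""
    packer = zlib.compressobj(9, zlib.DEFLATED, -15)
    return packer.compress(data) + packer.flush()

# Constructed sample, built here so the encoding is exact: two wrapper
# layers around calls that phone home and set a login cookie.
INNER = b"wp_remote_get('https://vendor.example/check'); wp_set_auth_cookie($id);"
LAYER1 = b"eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw_deflate(INNER))
SAMPLE = "<?php\n/* Plugin Name: Sample */\neval(base64_decode('%s'));\n" % (
    base64.b64encode(LAYER1).decode("ascii")
)

if __name__ == "__main__":
    for depth, concern, function in audit(SAMPLE):
        print(f"layer {depth}: {concern}: {function}")
```

Depth 0 is the file as shipped; hits that appear only at deeper layers are the ones the obfuscation was hiding from a plain text search.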

  • Adam Struve
    I understand wanting to protect your code, but I don't install any WordPress plugin or theme that has any encrypted or obfuscated code. Also, the WordPress community really frowns on that since they are all about the GPL2 license. I know it's easy to just blow them off, but I've seen a lot of protected plugins that ended up having some free and open source clone made because someone in the community wanted a free alternative.

    I don't mind it when it's a standalone piece of software protected by Zend or ionCube.
  • Richard Pickett
    Thanks guys for all the great feedback!

    After reading all the above, I'm leaning towards "don't encrypt or obfuscate", but I will strip out the comments ;-D.

    The other thought I had was licensing, because if you buy the plugin you can easily pass it around to all your buddies, but if it's encoded and has a license check feature...

    But it would be pretty obvious if it's all plain-code:


    if( license_check( ) )
    {
        do_your_plugin_thing( );
    }
    else
    {
        throw_up_a_warning( );
    }


    ;-D

    Thanks again for the great discussion!
    Signature
    Mastering Email Delivery
    Have (or want) a large list and want to ensure delivery and eliminate spam reports?
    Inbox me
  • Adam Struve
    My advice has always been to just build a quality product and price it right. No matter how much work you put into protecting it from piracy, it'll still be pirated and shared. Sell quality support more than a plugin.
    • Alex Nash
      Originally Posted by Adam Struve View Post

      My advice has always been to just build a quality product and price it right. No matter how much work you put into protecting it from piracy, it'll still be pirated and shared. Sell quality support more than a plugin.

      As Adam Struve has written above. It is impossible to fight the war against piracy. The anti-folks will never win it. Simply because they can't. The crackers are always one step ahead. Sorry but that's the way it is so...

      Create the best product/plugin and you will still earn lots of money, without any doubt. People that think a product or plugin is worth buying, even if they tried the cracked version at first - will buy it. Especially if it's in the moneymaking online-category (in some sort).


      Otherwise, make it a little bit harder for the crackers. Continue to release small updates once a week (just inserting your own bugs as well maybe). After a while your latest updated plugin/software won't be out there since nobody wants to crack it - again.

      So I suggest: Open code. That's the way we want it. Or maybe a Developers edition that's open and not encrypted.

      Good luck :-)


      Regards,
      Alex Nash
      Signature

      Learn from your mistakes. Experience is priceless.

  • christopher jon
    Now let's throw a monkey wrench in your plans.

    PHP falls under a GPL license.

    If I'm not mistaken, if I buy your plugin and request it, you are required to give me the unencrypted php code.

    Also, due to GPL, you can sell your work if you choose but I could also give the PHP portions of your work away for free if I wanted.

    WordPress Theme Thesis Maker Backs Down, Adopts GPL

    To be honest, plugins are pretty low on the warez radar unless it's something like wprobot.

    I don't see the point of putting in additional work to protect low cost and free plugins. If somebody really wanted to crack it, they will, just ask Adobe.

    BTW, I have had my own work hit the warez and torrent scene so I know exactly how other authors feel when it happens to them. It sucks.

    For IM related stuff, your best bet is to make a deal with the devil, join BHW (and other similar forums) and become a slightly active member. When your stuff shows up you can request that it's removed and put on the no-share list. It doesn't solve the problem but it will reduce it.
    • Tashi Mortier
      Originally Posted by christopher jon View Post

      Now let's throw a monkey wrench in your plans.

      PHP falls under a GPL license.

      If I'm not mistaken, if I buy your plugin and request it, you are required to give me the unencrypted php code.

      Somehow that doesn't make sense to me, Zend, kind of the company behind PHP, offers Zend Guard themselves.

      Zend Guard - Encode Your PHP Application to Protect Your Code - Zend.com

      Besides that, I also think that you shouldn't worry too much about your plugin being used without a license. Better focus on making the product better so more people are going to buy it.

      Anyone who is seriously trying to make money using pirated software is... questionably intelligent.
      Signature

      Want to read my personal blog? Tashi Mortier

      • wayfarer
        Originally Posted by Tashi Mortier View Post

        Besides that, I also think that you shouldn't worry too much about your plugin being used without a license. Better focus on making the product better so more people are going to buy it.

        Anyone who is seriously trying to make money using pirated software is... questionably intelligent.
        Totally agreed.
        Signature
        I build web things, server things. I help build the startup Veenome. | Remote Programming Jobs
  • jminkler
    Really, you can't encrypt the code AT ALL. It's against the License agreement.

    Really though, if you make the plugin correctly, it won't suck as bad as you think it will.

    Be clever in authorizing the use of the plugin, require them to enter the domains, require them to use a "powered by", make a script to VERIFY this info, then offer other software for free as a paying member.

    PHP, MySQL (for a while), and other Open Source software firms make $ on the Support of their product, and upgrades.

    Learn this business model well if you are getting into software building.
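
One way to do the domain verification jminkler suggests while shipping plain-text PHP, as an added example rather than anything posted in the thread: the vendor's server signs the customer's domains into a license token and checks it when a site asks for an update, so nothing in the readable plugin needs protecting. The HMAC scheme, all function names and the key are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from datetime import date
from urllib.parse import urlsplit

# Assumption: this key exists only on the vendor's update server and is
# never shipped inside the plugin. The value is a constructed placeholder.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def normalise(site):
    """Reduce a URL or bare host name to a comparable domain."""
    host = urlsplit(site if "//" in site else "//" + site).hostname or ""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def sign(body):
    """Hex HMAC-SHA256 of the encoded claims, as bytes."""
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest().encode()


def issue_license(domains, expires):
    """Return 'payload.signature' for the domains the customer entered."""
    claims = {
        "domains": sorted(normalise(d) for d in domains),
        "expires": expires.isoformat(),
    }
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + sign(body).decode()


def check_update_request(token, site, today):
    """Server-side decision: may this site download the next update?"""
    body, _, signature = token.partition(".")
    # Verify before parsing, and compare in constant time.
    if not hmac.compare_digest(sign(body.encode()), signature.encode()):
        return "rejected: signature mismatch"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if today > date.fromisoformat(claims["expires"]):
        return "rejected: expired"
    if normalise(site) not in claims["domains"]:
        return "rejected: domain not licensed"
    return "ok"


if __name__ == "__main__":
    token = issue_license(["https://www.shop.example/"], date(2030, 1, 1))
    print(check_update_request(token, "shop.example", date(2029, 6, 1)))
```

A copied plugin still runs, which matches the thread's view that execution cannot be locked; what the token controls is access to updates and support.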
    • Tim Franklin
      The old GPL vs David vs Goliath Vs old Grandma, on a moped, argument again,

      Until this is adjudicated in court, everything is about opinion and not the law, since it has not been adjudicated the idea that anything that touches GPL is Automatically GPL is just somewhat well sorry but that is "absurd"

      As far as PHP is concerned, please check with the source before quoting things in a public forum,

      The PHP license is a BSD-style license which does not have the "copyleft" restrictions associated with GPL.

      check it here.
      PHP: License Information

      As well there is no provision that prevents anyone from encrypting anything they wish to encrypt, leave grandma alone she has been sleeping and has not posted on this thread, besides GPL VS Grandma on a moped is OT
      • jminkler
        Originally Posted by Tim Franklin View Post

        The old GPL vs David vs Goliath Vs old Grandma, on a moped, argument again,

        Until this is adjudicated in court, everything is about opinion and not the law, since it has not been adjudicated the idea that anything that touches GPL is Automatically GPL is just somewhat well sorry but that is "absurd"

        As far as PHP is concerned, please check with the source before quoting things in a public forum,

        The PHP license is a BSD-style license which does not have the "copyleft" restrictions associated with GPL.

        check it here.
        PHP: License Information

        As well there is no provision that prevents anyone from encrypting anything they wish to encrypt, leave grandma alone she has been sleeping and has not posted on this thread, besides GPL VS Grandma on a moped is OT
        WordPress has a different license, no?
  • Tim Franklin
    Yes, WordPress is GPL.

    begin prolific deprecated code.
    but the one thing that perhaps many have not considered is that in order for WordPress to work it depends upon PHP and MySQL, what if one day both PHP and MySQL decided to say change its license type and say you know what WordPress, you have really (polite version) Made me angry, with your incessant whining about everything that touches your code must conform to the GPL, well your code touches our code and so now we demand that you either cease using our code or you conform to our demands.

    How long do you think it would take WordPress to change its tune about how great the GPL is or is not?

    How long would it take WordPress to decide that in order to survive they would have to accept the new license terms, so in essence, it is only by virtue, of the grace of PHP and MySQL that WordPress even exists in the first place.

    Which brings me to my final point, it is ridiculous, for WordPress to insist that all plugins must be GPL, simply because they are in the middle, without PHP and MySQL there is no WordPress, while PHP and MySQL can stand on their own two feet, or three, depending on your point of view.

    It is this vital fact that means eventually GPL will die a slow and shuddering death in the annals of the beast.

    End, prolific deprecated code.
    • jminkler
      Originally Posted by Tim Franklin View Post

      Yes, WordPress is GPL.
      Still, if they want the code, they can get it, so no use fighting it. I would provide services or anterior plugins to subscribers through the mailing list, and market these services and announcements on the dashboard. Plenty of the 'gurus' do this, and build huge lists with this method.
  • tylerd1
    Banned
    [DELETED]
    • wayfarer
      WordPress doesn't depend on the PHP or MySQL licenses because it isn't being distributed with them. It is only dependent upon them in order to work.

      Ever notice that MySQL is never distributed with PHP? This is because the licenses are not compatible. But it's ok for others to combine them and use them together.
  • intenseblog
    After reading a long thread, is it better to leave all WP plugin script files as plain text or encode only the license checking file with a simple encoder (which doesn't require any loader)?
    Signature
    Do you want to build an authority website? Visit my blog today and learn everything to create the successful web blog.
    • Tashi Mortier
      Originally Posted by intenseblog View Post

      After reading a long thread, is it better to leave all WP plugin script files as plain text or encode only the license checking file with a simple encoder (which doesn't require any loader)?
      I'd recommend that you simply leave it completely unencrypted. Your real customers will want your support and know that they bought a valid license. Don't do it like the game developers who make their customers freak out because they are worse off than the pirates who simply have all the protection stuff removed.
  • christopher jon
    Somehow that doesn't make sense to me, Zend, kind of the company behind PHP, offers Zend Guard themselves.
    I think the key thing to keep in mind is you're not talking strictly about PHP but WordPress as well, that is the catch.

    Once you've included anything having to do with WordPress into your PHP, you've just been sucked into the WordPress licensing agreement.

    WordPress provides their product for free and wants everybody else to do the same.

    So, since we are dealing with WordPress, the only guideline we have on licencing issues is WordPress vs. Thesis.

    Thesis gave up the fight and went GPL so that kind of settles the debate.

    From what I understand, WordPress core files and PHP utilizing WordPress functions remain GPL while css, javascript and images fall under the author's copyright.

    This is why a bunch of themeforest themes are using woo themes code. Those tabbed sidebar widgets sure do look familiar don't they?

    But everybody is free to draw their own conclusions.
    • SteveJohnson
      Originally Posted by christopher jon View Post

      So, since we are dealing with WordPress, the only guideline we have on licencing issues is WordPress vs. Thesis.

      Thesis gave up the fight and went GPL so that kind of settles the debate.
      The only thing it settles is that Chris Pearson evidently didn't want to play David to Matt's Goliath.
      • Tim Franklin
        Originally Posted by SteveJohnson View Post

        The only thing it settles is that Chris Pearson evidently didn't want to play David to Matt's Goliath.
        Agreed. Last I looked, there is no providence nor any legal activism that would have any bearing on the legal standing of any of this at all.

        The fact remains obviously, that WordPress must have the co-operation and favorable license terms from PHP, without it there is no such thing as WordPress.

        So, all in all PHP is Goliath, WordPress is the poor cousin that can't get along with others. Everything runs on PHP, simply put, without PHP and MySQL there is no such thing as WordPress or a WordPress plugin, or any other LAMP product or service.

        As icing on the cake, I like WordPress but if WordPress came out and said that all my intellectual property belongs to them because my product touched their PHP code, then I would move to Joomla or some other thing.

        The main thing here is this, I can do without WordPress if I have to, I was playing around with code before WordPress came along and if they insist on this destructive antisocial behavior eventually they will cease to exist as well, they need us more than we need them.