pixelentity said
freshface said
you’re afraid of users trying to directly download the plugin zip from your theme folder?
What that does is it redirects all requests (recursively) from the /plugins/ directory to homepage.
Yes. And I am not afraid since it’s quite a long shot, just trying to be thorough 
Well I had some bad experiences trying to embed .htaccess files. Some buyers/hosting companies have weird server configurations and, as a result, .htaccess may cause the “500 internal server error”.
I know you’re using it only in that folder, but since Murphy is right, some of them will eventually test the url (for unknown reasons), get the error and blame your theme for destroying their server.
I’d just rename the zip and place an index.html in the folder to avoid listing, less secure but more reliable (for you).
BF
Good idea about index.html to avoid listing, that should be used as well.
Also, .htaccess does not work on Windows servers. The more I think about it, there is no concrete way of securing these files. The user could secure them quite well depending on their server, but they won’t bother, we need to do that for them – if possible. Last idea we thought about was php rename and doing some mumbo jumbo with file names, how about that?
freshface said
The user could secure them quite well depending on their server, but they won’t bother, we need to do that for them – if possible. Last idea we thought about was php rename and doing some mumbo jumbo with file names, how about that?
imho, there’s no real need for it. I mean, an evil user would have to know the exact zip name inside that folder to be able to download the plugin.
Wait a sec..
So, you create a folder named, let’s say, themeroot/coolauthornameframework/inc/bundledplugins and place all the zips in that folder. Buyer activates the theme, installs the plugins and enjoys your theme. Then, someone bad comes and tries something like this -> http://www.coolwebsite.com/wp-content/themes/themeroot/coolauthornameframework/inc/bundledplugins/premiumplugin.zip and downloads the package..
Now, could you explain to me how someone bad can know where you placed your bundled plugins?
Is there a way to guess that the plugins are hidden in /coolauthornameframework/inc/bundledplugins/?
dekciw said
Wait a sec.. So, you create a folder named, let’s say, themeroot/coolauthornameframework/inc/bundledplugins and place all the zips in that folder. Buyer activates the theme, installs the plugins and enjoys your theme. Then, someone bad comes and tries something like this -> http://www.coolwebsite.com/wp-content/themes/themeroot/coolauthornameframework/inc/bundledplugins/premiumplugin.zip and downloads the package..
Now, could you explain to me how someone bad can know where you placed your bundled plugins? Is there a way to guess that the plugins are hidden in /coolauthornameframework/inc/bundledplugins/?
If someone has a poorly configured robots.txt, Google sniffs up the file, and warez people exploit that. Just one of the ways.
It’s not about “nobody is going to find it anyway”, it’s about that you shouldn’t wait for somebody to do so.
For example, if someone finds out you have a premium codecanyon plugin bundled in your theme, it’s not too hard to write a little crawler that uses Google to find where your theme is used and then checks if that site has removed the .zip file. If not, it automatically posts the link to the zip file in some forums, and there you go. Your buyer/client has just become a piracy distributor, just by installing your theme.
Even further. If a plugin author decides to be an AH enough, he can do the same, and instead of distributing the file – sue everybody (not likely, but still…).
PureMellow said
dekciw said
Wait a sec.. So, you create a folder named, let’s say, themeroot/coolauthornameframework/inc/bundledplugins and place all the zips in that folder. Buyer activates the theme, installs the plugins and enjoys your theme. Then, someone bad comes and tries something like this -> http://www.coolwebsite.com/wp-content/themes/themeroot/coolauthornameframework/inc/bundledplugins/premiumplugin.zip and downloads the package..
Now, could you explain to me how someone bad can know where you placed your bundled plugins? Is there a way to guess that the plugins are hidden in /coolauthornameframework/inc/bundledplugins/?
If someone has a poorly configured robots.txt, Google sniffs up the file, and warez people exploit that. Just one of the ways.
It’s not about “nobody is going to find it anyway”, it’s about that you shouldn’t wait for somebody to do so.
For example, if someone finds out you have a premium codecanyon plugin bundled in your theme, it’s not too hard to write a little crawler that uses Google to find where your theme is used and then checks if that site has removed the .zip file. If not, it automatically posts the link to the zip file in some forums, and there you go. Your buyer/client has just become a piracy distributor, just by installing your theme.
Thanks, +1. In a wild case, my buyer’s hosting company could even receive a DMCA from the plugin author when he finds the hotlink on some warez site. I think security should be viewed more black and white. As it is now, the packages inside TGM folder are not secure. We are just trying to find a way to secure them.
PureMellow said
dekciw said
Wait a sec.. So, you create a folder named, let’s say, themeroot/coolauthornameframework/inc/bundledplugins and place all the zips in that folder. Buyer activates the theme, installs the plugins and enjoys your theme. Then, someone bad comes and tries something like this -> http://www.coolwebsite.com/wp-content/themes/themeroot/coolauthornameframework/inc/bundledplugins/premiumplugin.zip and downloads the package..
Now, could you explain to me how someone bad can know where you placed your bundled plugins? Is there a way to guess that the plugins are hidden in /coolauthornameframework/inc/bundledplugins/?
If someone has a poorly configured robots.txt, Google sniffs up the file, and warez people exploit that. Just one of the ways.
It’s not about “nobody is going to find it anyway”, it’s about that you shouldn’t wait for somebody to do so.
For example, if someone finds out you have a premium codecanyon plugin bundled in your theme, it’s not too hard to write a little crawler that uses Google to find where your theme is used and then checks if that site has removed the .zip file. If not, it automatically posts the link to the zip file in some forums, and there you go. Your buyer/client has just become a piracy distributor, just by installing your theme.
Even further. If a plugin author decides to be an AH enough, he can do the same, and instead of distributing the file – sue everybody (not likely, but still…).
As far as I know, Google crawls using links. Now it’s crawling / indexing directories?
The best solution would be to remove the plugins from the theme directory automatically after plugin installation.
But, is that hard to install 2,3 plugins, manually, after theme activation? I think this wouldn’t be a problem for buyers.
I’d just check if plugin zip present, then print a notify in dashboard: “please remove $plugin.zip after the installation”
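One way to do what the last two posts suggest (detect leftover packages, warn in the dashboard, and let the owner delete them) is sketched below. This is an added example, not code from this thread or from TGM Plugin Activation; the folder name `inc/bundledplugins`, the `bp_` prefix and the `bp` text domain are assumptions made for the example.

```php
<?php
// Added example: warn about (and clean up) bundled plugin .zip files that are
// still sitting in the theme folder, where anyone can fetch them by URL.
// Assumed location: <theme>/inc/bundledplugins (constructed for this example).
defined( 'ABSPATH' ) || exit;

function bp_leftover_zips() {
    $dir  = get_template_directory() . '/inc/bundledplugins';
    $zips = is_dir( $dir ) ? glob( $dir . '/*.zip' ) : array();
    return $zips ? $zips : array();
}

// Dashboard notice while any package is still on disk (admins only).
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $zips = bp_leftover_zips();
    if ( empty( $zips ) ) {
        return;
    }
    // Nonce-protected link so a forged request cannot trigger the deletion.
    $url = wp_nonce_url( admin_url( 'themes.php?bp_cleanup=1' ), 'bp_cleanup' );
    echo '<div class="notice notice-warning"><p>';
    echo esc_html__( 'Please remove these bundled plugin packages; they are publicly downloadable from your theme folder:', 'bp' );
    echo '</p><ul>';
    foreach ( $zips as $zip ) {
        echo '<li><code>' . esc_html( basename( $zip ) ) . '</code></li>';
    }
    echo '</ul><p><a class="button" href="' . esc_url( $url ) . '">'
        . esc_html__( 'Delete them now', 'bp' ) . '</a></p></div>';
} );

// Delete the packages when the owner clicks the button.
add_action( 'admin_init', function () {
    if ( empty( $_GET['bp_cleanup'] ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'bp_cleanup' );
    foreach ( bp_leftover_zips() as $zip ) {
        wp_delete_file( $zip );
    }
    wp_safe_redirect( admin_url( 'themes.php' ) );
    exit;
} );
```

Deleting the files only helps after the plugins have been installed; until then the notice stays visible, which matches the "remind the buyer" approach rather than the .htaccess one.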
