FRESHFACE says

What that does is it redirects all requests (recursively) from the /plugins/ directory to homepage.
You’re afraid of users trying to directly download the plugin zip from your theme folder?

Yes. And I am not afraid since it’s quite a long shot, just trying to be thorough :)

pixelentity says

Well, I had some bad experiences trying to embed .htaccess files. Some buyers/hosting companies have weird server configurations and, as a result, .htaccess may cause the “500 internal server error”.

I know you’re using it only in that folder, but since Murphy is right, some of them will eventually test the URL (for unknown reasons), get the error and blame your theme for destroying their server.

I’d just rename the zip and place an index.html in the folder to avoid listing; less secure but more reliable (for you).

BF

FRESHFACE says

Good idea about index.html to avoid listing, that should be used as well.

Also, .htaccess does not work on Windows servers. The more I think about it, there is no concrete way of securing these files. The user could secure them quite well depending on their server, but they won’t bother; we need to do that for them – if possible. The last idea we thought about was a PHP rename and doing some mumbo jumbo with file names, how about that?

pixelentity says

The user could secure them quite well depending on their server, but they won’t bother, we need to do that for them – if possible. Last idea we thought about was php rename and doing some mumbo jumbo with file names, how about that?

imho, there’s no real need for it. I mean, an evil user would have to know the exact zip name inside that folder to be able to download the plugin.

dekciw says

Wait a sec..

So, you create a folder named, let’s say, themeroot/coolauthornameframework/inc/bundledplugins and place all the zips in that folder. Buyer activates the theme, installs the plugins and enjoys your theme. Then, someone bad comes and tries something like this -> http://www.coolwebsite.com/wp-content/themes/themeroot/coolauthornameframework/inc/bundledplugins/premiumplugin.zip and downloads the package..

Now, could you explain to me how someone bad can know where you placed your bundled plugins? :) Is there a way to guess that plugins are hidden in /coolauthornameframework/inc/bundledplugins/? :)

ThemeVillage says

Wait a sec..

So, you create a folder named, let’s say, themeroot/coolauthornameframework/inc/bundledplugins and place all the zips in that folder. Buyer activates the theme, installs the plugins and enjoys your theme. Then, someone bad comes and tries something like this -> http://www.coolwebsite.com/wp-content/themes/themeroot/coolauthornameframework/inc/bundledplugins/premiumplugin.zip and downloads the package..

Now, could you explain to me how someone bad can know where you placed your bundled plugins? :) Is there a way to guess that plugins are hidden in /coolauthornameframework/inc/bundledplugins/? :)

If someone has poorly configured robots.txt, google sniffs up the file, and warez people exploit that. Just one of the ways.

It’s not about “nobody is going to find it anyway”, it’s about that you shouldn’t wait for somebody to do so.

For example, if someone finds out you have a premium CodeCanyon plugin bundled in your theme, it’s not too hard to write a little crawler that uses Google to find where your theme is used and then checks if that site has removed the .zip file. If not, it automatically posts the link to the zip file in some forums, and there you go. Your buyer/client has just become a piracy distributor, just by installing your theme.

Even further. If a plugin author decides to be an AH enough, he can do the same, and instead of distributing the file – sue everybody (not likely, but still…).

FRESHFACE says

Wait a sec..

So, you create a folder named, let’s say, themeroot/coolauthornameframework/inc/bundledplugins and place all the zips in that folder. Buyer activates the theme, installs the plugins and enjoys your theme. Then, someone bad comes and tries something like this -> http://www.coolwebsite.com/wp-content/themes/themeroot/coolauthornameframework/inc/bundledplugins/premiumplugin.zip and downloads the package..

Now, could you explain to me how someone bad can know where you placed your bundled plugins? :) Is there a way to guess that plugins are hidden in /coolauthornameframework/inc/bundledplugins/? :)

If someone has poorly configured robots.txt, google sniffs up the file, and warez people exploit that. Just one of the ways.

It’s not about “nobody is going to find it anyway”, it’s about that you shouldn’t wait for somebody to do so.

For example, if someone finds out you have a premium CodeCanyon plugin bundled in your theme, it’s not too hard to write a little crawler that uses Google to find where your theme is used and then checks if that site has removed the .zip file. If not, it automatically posts the link to the zip file in some forums, and there you go. Your buyer/client has just become a piracy distributor, just by installing your theme.

Thanks, +1. In a wild case, my buyer’s hosting company could even receive a DMCA from the plugin author when he finds the hotlink on some warez site. I think security should be viewed more black and white. As it is now, the packages inside TGM folder are not secure. We are just trying to find a way to secure them.

dekciw says

Wait a sec..

So, you create a folder named, let’s say, themeroot/coolauthornameframework/inc/bundledplugins and place all the zips in that folder. Buyer activates the theme, installs the plugins and enjoys your theme. Then, someone bad comes and tries something like this -> http://www.coolwebsite.com/wp-content/themes/themeroot/coolauthornameframework/inc/bundledplugins/premiumplugin.zip and downloads the package..

Now, could you explain to me how someone bad can know where you placed your bundled plugins? :) Is there a way to guess that plugins are hidden in /coolauthornameframework/inc/bundledplugins/? :)

If someone has poorly configured robots.txt, google sniffs up the file, and warez people exploit that. Just one of the ways.

It’s not about “nobody is going to find it anyway”, it’s about that you shouldn’t wait for somebody to do so.

For example, if someone finds out you have a premium CodeCanyon plugin bundled in your theme, it’s not too hard to write a little crawler that uses Google to find where your theme is used and then checks if that site has removed the .zip file. If not, it automatically posts the link to the zip file in some forums, and there you go. Your buyer/client has just become a piracy distributor, just by installing your theme.

Even further. If a plugin author decides to be an AH enough, he can do the same, and instead of distributing the file – sue everybody (not likely, but still…).

As far as I know, Google crawls using links. Now it’s crawling / indexing directories? :)

Smartik says

The best solution would be to remove the plugins from the theme directory automatically after plugin installation.

But, is that hard to install 2,3 plugins, manually, after theme activation? I think this wouldn’t be a problem for buyers.

pixelentity says

I’d just check if plugin zip present, then print a notify in dashboard: “please remove $plugin.zip after the installation”
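As an added example (not code from this thread or from any of its posters), here is a functions.php snippet that implements the last two suggestions together: it checks whether any bundled plugin zip is still sitting inside the theme folder, shows a dashboard notice naming the files, and offers an administrator a button that deletes only the zips whose plugins are already installed, so a pending TGM install is not broken. It deliberately uses no .htaccess, so it avoids the 500-error problem described earlier in the thread. The folder name inc/bundledplugins, the ta_ prefix, and the assumption that each zip is named after the plugin directory it unpacks to are all hypothetical.

```php
<?php
// Added example for a theme's functions.php (not code from this thread).
// Hypothetical assumptions: bundled zips live in <theme>/inc/bundledplugins/
// and each zip is named after the plugin directory it unpacks to
// (premiumplugin.zip -> wp-content/plugins/premiumplugin/). The "ta_" prefix
// is invented for this example.

/** Absolute path of the folder holding the bundled plugin zips. */
function ta_bundled_dir() {
    return get_template_directory() . '/inc/bundledplugins';
}

/**
 * Zips still present in the bundled folder.
 *
 * @param bool $only_installed Return only zips whose plugin already exists
 *                             under WP_PLUGIN_DIR, i.e. safe to delete without
 *                             breaking a later TGM install.
 * @return string[] Absolute paths; empty array when nothing is left.
 */
function ta_leftover_plugin_zips( $only_installed = false ) {
    $zips = glob( ta_bundled_dir() . '/*.zip' );
    if ( ! is_array( $zips ) ) {
        return array();
    }
    if ( ! $only_installed ) {
        return $zips;
    }
    return array_values( array_filter( $zips, function ( $zip ) {
        $slug = basename( $zip, '.zip' );
        return is_dir( WP_PLUGIN_DIR . '/' . $slug );
    } ) );
}

/**
 * Delete the zips whose plugins are installed, through WP_Filesystem so it
 * also works on hosts where PHP's own unlink() lacks permission.
 * Returns the number of files deleted.
 */
function ta_delete_installed_zips() {
    global $wp_filesystem;
    require_once ABSPATH . 'wp-admin/includes/file.php';
    if ( ! WP_Filesystem() ) {
        return 0;
    }
    $deleted = 0;
    foreach ( ta_leftover_plugin_zips( true ) as $zip ) {
        if ( $wp_filesystem->delete( $zip ) ) {
            $deleted++;
        }
    }
    return $deleted;
}

// Handle the notice's delete button: administrators only, nonce-checked.
add_action( 'admin_init', function () {
    if ( empty( $_POST['ta_delete_zips'] ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'ta_delete_zips' );
    ta_delete_installed_zips();
} );

// Dashboard notice while any bundled zip is still reachable over HTTP.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $all = ta_leftover_plugin_zips();
    if ( empty( $all ) ) {
        return;
    }
    $installed = ta_leftover_plugin_zips( true );
    echo '<div class="notice notice-warning"><p>';
    printf(
        esc_html__( 'Plugin packages are still inside the theme folder and may be downloadable directly: %s. Remove them once the plugins are installed.', 'ta' ),
        esc_html( implode( ', ', array_map( 'basename', $all ) ) )
    );
    echo '</p>';
    if ( ! empty( $installed ) ) {
        echo '<form method="post">';
        wp_nonce_field( 'ta_delete_zips' );
        submit_button( __( 'Delete the packages of already-installed plugins', 'ta' ), 'secondary', 'ta_delete_zips', false );
        echo '</form>';
    }
    echo '</div>';
} );
```

The notice keeps nagging until every zip is gone, which is the point: the file is world-readable over HTTP for as long as it stays in the theme folder, whatever robots.txt says. Keeping the index.html in the folder is still worthwhile on top of this, since it stops directory listing on hosts that have it enabled without depending on .htaccess.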
