FRESHFACE says

What that does is it redirects all requests (recursively) from the /plugins/ directory to the homepage.
You're afraid of users trying to directly download the plugin zip from your theme folder?

Yes. And I am not afraid since it’s quite a long shot, just trying to be thorough :)

pixelentity says

Well, I had some bad experiences trying to embed .htaccess files. Some buyers/hosting companies have weird server configurations and, as a result, .htaccess may cause the “500 internal server error”.

I know you're using it only in that folder, but since Murphy is right, some of them will eventually test the URL (for unknown reasons), get the error and blame your theme for destroying their server.

I'd just rename the zip and place an index.html in the folder to avoid listing; less secure but more reliable (for you).

BF

FRESHFACE says

Good idea about index.html to avoid listing, that should be used as well.

Also, .htaccess does not work on Windows servers. The more I think about it, there is no concrete way of securing these files. The user could secure them quite well depending on their server, but they won't bother; we need to do that for them – if possible. The last idea we thought about was a PHP rename and doing some mumbo jumbo with file names, how about that?

pixelentity says

IMHO, there's no real need for it. I mean, an evil user would have to know the exact zip name inside that folder to be able to download the plugin.

dekciw says

Wait a sec..

So, you create a folder named, let's say, themeroot/coolauthornameframework/inc/bundledplugins and place all the zips in that folder. The buyer activates the theme, installs the plugins and enjoys your theme. Then, someone bad comes along and tries something like this -> http://www.coolwebsite.com/wp-content/themes/themeroot/coolauthornameframework/inc/bundledplugins/premiumplugin.zip and downloads the package...

Now, could you explain to me how someone bad can know where you placed your bundled plugins? :) Is there a way to guess that the plugins are hidden in /coolauthornameframework/inc/bundledplugins/? :)

ThemeVillage says

If someone has a poorly configured robots.txt, Google sniffs up the file, and warez people exploit that. Just one of the ways.

It's not about “nobody is going to find it anyway”; it's about the fact that you shouldn't wait for somebody to do so.

For example, if someone finds out you have a premium CodeCanyon plugin bundled in your theme, it's not too hard to write a little crawler that uses Google to find where your theme is used and then checks if that site has removed the .zip file. If not, it automatically posts the link to the zip file on some forums, and there you go. Your buyer/client has just become a piracy distributor, just by installing your theme.

Even further: if a plugin author decides to be enough of an AH, he can do the same, and instead of distributing the file – sue everybody (not likely, but still…).

FRESHFACE says

Thanks, +1. In a wild case, my buyer's hosting company could even receive a DMCA notice from the plugin author when he finds the hotlink on some warez site. I think security should be viewed more in black and white. As it is now, the packages inside the TGM folder are not secure. We are just trying to find a way to secure them.

dekciw says

As far as I know, Google crawls using links. Now it's crawling / indexing directories? :)

Smartik says

The best solution would be to remove the plugins from the theme directory automatically after plugin installation.

But is it that hard to install 2 or 3 plugins manually after theme activation? I think this wouldn't be a problem for buyers.

pixelentity says

I'd just check if the plugin zip is present, then print a notice in the dashboard: “please remove $plugin.zip after the installation”.
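The check Smartik and pixelentity describe above (look for leftover archives in the theme's bundled-plugins folder and tell the site administrator to delete them), written out as an added WordPress example; this is not code from the thread or from the TGM Plugin Activation library, and the `inc/bundledplugins` path and the `mytheme_` function names are assumptions.

```php
<?php
/**
 * Added example (not from the thread or TGM Plugin Activation): warn in the
 * WordPress dashboard while bundled plugin zips are still readable under the
 * theme folder. Folder path and function names are assumptions.
 */

/**
 * Assumed location of the bundled plugin archives inside the parent theme.
 *
 * @return string Absolute path, without trailing slash.
 */
function mytheme_bundled_plugins_dir() {
	return get_template_directory() . '/inc/bundledplugins';
}

/**
 * Return the basenames of .zip files still present in that folder.
 *
 * @return string[] Leftover archive names, empty when the folder is clean.
 */
function mytheme_leftover_plugin_zips() {
	$zips = glob( mytheme_bundled_plugins_dir() . '/*.zip' );
	return $zips ? array_map( 'basename', $zips ) : array();
}

/**
 * Print an admin notice asking the site owner to delete the leftover archives.
 * The notice disappears on its own once the files are gone.
 */
function mytheme_leftover_zip_notice() {
	// Only administrators can delete the files, so only they see the notice.
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$zips = mytheme_leftover_plugin_zips();
	if ( empty( $zips ) ) {
		return;
	}
	// Show the path relative to wp-content/themes so it matches what the owner sees over FTP.
	$relative = str_replace( get_theme_root() . '/', '', mytheme_bundled_plugins_dir() );
	echo '<div class="notice notice-warning"><p>';
	echo esc_html__( 'The following bundled plugin archives are still publicly downloadable. Please delete them from ', 'mytheme' );
	echo '<code>' . esc_html( $relative ) . '</code>: ';
	echo esc_html( implode( ', ', $zips ) );
	echo '</p></div>';
}
add_action( 'admin_notices', 'mytheme_leftover_zip_notice' );
```

Drop the snippet into the theme's functions.php; it changes nothing about the files themselves, it only surfaces the leftover archives so the owner can remove them.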
