bitfade says
ParkerAndKent said
Yeah, I know, I thought about this. The live preview is running on a different sub domain… while I’ve created specific sub domains and installations for the test drive themes.

There isn’t any access to any script, what could you think can be an entry point?

Thanks!
the important thing is the two must have different site roots (not like 2 subfolders sharing a parent folder)

by granting user access to the admin area, you’re giving them additional privileges
if a vulnerability is found, they could use it to escalate those privileges, exploit a read-only rule imposed by wordpress and be able to upload a file.

once that is done, you can kiss goodbye your whole wp installation.
ParkerAndKent says
bitfade said
ParkerAndKent said
Yeah, I know, I thought about this. The live preview is running on a different sub domain… while I’ve created specific sub domains and installations for the test drive themes.

There isn’t any access to any script, what could you think can be an entry point?

Thanks!
the important thing is the two must have different site roots (not like 2 subfolders sharing a parent folder)

by granting user access to the admin area, you’re giving them additional privileges
if a vulnerability is found, they could use it to escalate those privileges, exploit a read-only rule imposed by wordpress and be able to upload a file.

once that is done, you can kiss goodbye your whole wp installation.

Well, no, they have different root… all the sub themes activated for the users will be in the same one, but that’s obvious. I’ll give full privileges, limited to a network theme of course.

I will activate a theme by invitation, so I hope this will avoid me problems. At least I will know each user…

At least I will save you guys trying this thing for the first time :p

bitfade says
ParkerAndKent said
At least I will save you guys trying this thing for the first time :p
damn! I should have kept my mouth closed….
ParkerAndKent says
bitfade said
ParkerAndKent said
At least I will save you guys trying this thing for the first time :p
damn! I should have kept my mouth closed….

Why? :)

EugeneO says

It’s an interesting idea. If anyone figures out a secure way to approach it I would be interested in trying it out with my themes.

bitfade says
ParkerAndKent said
Why? :)
I quoted the wrong part….
ParkerAndKent said
I will activate a theme by invitation, so I hope this will avoid me problems. At least I will know each user…
coz I had planned to exploit your demo site and put a “pwned!” banner in there :evil:

seriously, being a sysadmin, I’d never implement such things even if tortured
if invitation only, it could be ok security wise but I can see 2 problems:

1 – too much work on your side
2 – “why am I not allowed to?” kind of buyer question
ParkerAndKent says
bitfade said
ParkerAndKent said
Why? :)
I quoted the wrong part….
ParkerAndKent said
I will activate a theme by invitation, so I hope this will avoid me problems. At least I will know each user…
coz I had planned to exploit your demo site and put a “pwned!” banner in there :evil:

seriously, being a sysadmin, I’d never implement such things even if tortured
if invitation only, it could be ok security wise but I can see 2 problems:

1 – too much work on your side
2 – “why am I not allowed to?” kind of buyer question

Ahahah, I trust people… my bad :)

1: Not really, just 1 click
2: Everyone can have a theme activated, just need to send me an email ;)

PS

If you have any tip to improve security share it my dear sysadmin! :D

wizylabs says
ParkerAndKent said
wizylabs said
Hmm, nice idea, but again it’s almost impossible to protect your code completely! Maybe a better idea would be a multisite for your theme, on your own server, that allows users to create a new instance of the theme with their own username/pass etc. Then you have full control of what they see, as new users (theme instances, i.e. sites) created can be limited to certain capabilities etc…

I agree about code protection, in fact the main goal of this post is to find (if any) the best way to achieve this. I mean, not everybody is skilled enough to clean the code from the protections… only advanced users could be able to achieve so.

A multisite installation is also a good idea… but correct me if I’m wrong. You, as admin of the network, would need to create each theme installation manually for each user asking for a demo, right?

Not really, everything can be done programmatically in WordPress. You can prepare a landing page for your network site that has a register form for users seeking demos etc…

It won’t be hard; you can even require the Envato API to make sure that the user is from Envato and can chase him up later on!
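bitfade’s warning above (admin access plus one bug equals a file upload) and wizylabs’ suggestion of programmatically created, capability-limited demo sites can be combined in one network-wide mu-plugin. The following is an added example written for this thread, not code from either poster or from WordPress itself: it assumes a WordPress 5.1+ multisite, a theme that is already network-enabled, and a hypothetical `demo_sandbox_create()` helper that your own invitation handler calls once the buyer’s user account exists.

```php
<?php
/**
 * Plugin Name: Demo Theme Sandbox (constructed example, not from the thread)
 * Drop into wp-content/mu-plugins/ on the network and pair with, in wp-config.php,
 * define('DISALLOW_FILE_EDIT', true); define('DISALLOW_FILE_MODS', true);
 * so that even a bypassed capability check cannot write PHP to disk.
 */
// Restricted role: content and theme options only; no uploads, no theme or plugin changes.
add_action('init', function () {
    if (!get_role('demo_user')) {
        add_role('demo_user', 'Demo User', [
            'read' => true, 'edit_posts' => true, 'edit_pages' => true,
            'publish_posts' => true, 'edit_theme_options' => true, // Customizer, widgets, menus
        ]);
    }
});

// Deny dangerous capabilities to demo users even if a plugin grants them later;
// 'do_not_allow' is a capability nobody has, so current_user_can() always fails.
add_filter('map_meta_cap', function ($caps, $cap, $user_id) {
    $blocked = ['upload_files', 'unfiltered_upload', 'unfiltered_html', 'edit_files',
                'install_themes', 'switch_themes', 'install_plugins', 'activate_plugins',
                'promote_users'];
    $user = get_userdata($user_id);
    if ($user && in_array('demo_user', (array) $user->roles, true)
        && in_array($cap, $blocked, true)) {
        return ['do_not_allow'];
    }
    return $caps;
}, 10, 3);
// Hypothetical helper, called from your own invitation handler after the buyer's
// user account exists: create a private sandbox site, activate the theme, and
// downgrade the buyer from administrator (wp_insert_site's default) to demo_user.
function demo_sandbox_create(int $user_id, string $stylesheet, string $slug): int {
    $subdomain = is_subdomain_install();
    $blog_id = wp_insert_site([
        'domain'  => $subdomain ? "$slug." . DOMAIN_CURRENT_SITE : DOMAIN_CURRENT_SITE,
        'path'    => $subdomain ? PATH_CURRENT_SITE : PATH_CURRENT_SITE . "$slug/",
        'user_id' => $user_id,
        'title'   => "Demo: $slug",
        'options' => ['blog_public' => 0], // keep demo sites out of search engines
    ]);
    if (is_wp_error($blog_id)) { throw new RuntimeException($blog_id->get_error_message()); }
    switch_to_blog($blog_id);
    switch_theme($stylesheet); // theme must already be network-enabled
    restore_current_blog();
    add_user_to_blog($blog_id, $user_id, 'demo_user'); // set_role() replaces administrator
    return $blog_id;
}
```

Each demo site still shares the network’s document root, so this limits what a demo user can do through WordPress; the separate site roots bitfade asks for remain a web-server concern.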

ParkerAndKent says
wizylabs said
ParkerAndKent said
wizylabs said
Hmm, nice idea, but again it’s almost impossible to protect your code completely! Maybe a better idea would be a multisite for your theme, on your own server, that allows users to create a new instance of the theme with their own username/pass etc. Then you have full control of what they see, as new users (theme instances, i.e. sites) created can be limited to certain capabilities etc…

I agree about code protection, in fact the main goal of this post is to find (if any) the best way to achieve this. I mean, not everybody is skilled enough to clean the code from the protections… only advanced users could be able to achieve so.

A multisite installation is also a good idea… but correct me if I’m wrong. You, as admin of the network, would need to create each theme installation manually for each user asking for a demo, right?

Not really, everything can be done programmatically in WordPress. You can prepare a landing page for your network site that has a register form for users seeking demos etc…

It won’t be hard; you can even require the Envato API to make sure that the user is from Envato and can chase him up later on!

Hi,

yes, thanks… I’ve already installed everything and tested… it works like a charm :)

Parker

Bebel says

It’s a good addition if done right. All of you know these comments: “Can I do this and that in the backend…” People could simply try it out. There would be fewer complaints after purchase as well, because everyone really knows what he is getting…
