ParkerAndKent said
the important thing is the two must have different site roots (not like 2 subfolders sharing a parent folder)
Yeah, I know, I thought about this. The live preview is running on a different sub domain… while I’ve created specific sub domains and installations for the test drive themes. There isn’t any access to any script, what do you think could be an entry point?
Thanks!
by granting user access to the admin area, you’re giving them additional privileges
if a vulnerability is found, they could use it to escalate those privileges, exploit a read-only rule imposed by WordPress and be able to upload a file.
once that is done, you can kiss goodbye your whole wp installation.
bitfade said
ParkerAndKent said
the important thing is the two must have different site roots (not like 2 subfolders sharing a parent folder)
Yeah, I know, I thought about this. The live preview is running on a different sub domain… while I’ve created specific sub domains and installations for the test drive themes. There isn’t any access to any script, what do you think could be an entry point?
Thanks!
by granting user access to the admin area, you’re giving them additional privileges
if a vulnerability is found, they could use it to escalate those privileges, exploit a read-only rule imposed by WordPress and be able to upload a file.
once that is done, you can kiss goodbye your whole wp installation.
Well, no, they have different roots… all the sub themes activated for the users will be in the same one, but that’s obvious. I’ll give full privileges, limited to a network theme of course.
I will activate a theme by invitation, so i hope this will avoid me problems. at least i will know each user…
At least I will save you guys trying this thing for the first time 
ParkerAndKent said
damn! i should have kept my mouth closed ….
At least I will save you guys trying this thing for the first time
bitfade said
ParkerAndKent said
damn! i should have kept my mouth closed ….
At least I will save you guys trying this thing for the first time
Why? 
It’s an interesting idea. If anyone figures out a secure way to approach it I would be interested in trying it out with my themes.
ParkerAndKent said
i quoted the wrong part ….
Why?
ParkerAndKent said
coz i had planned to exploit your demo site and put “pwned!” banner in there
I will activate a theme by invitation, so i hope this will avoid me problems. at least i will know each user…

seriously, being a sysadmin, i’d never implement such things even if tortured
if invitation only, it could be ok security wise but i can see 2 problems:
1 – too much work on your side
2 – “why i’m not allowed to ?” kind of buyer question
bitfade said
ParkerAndKent said
i quoted the wrong part ….
Why?
ParkerAndKent said
coz i had planned to exploit your demo site and put “pwned!” banner in there
I will activate a theme by invitation, so i hope this will avoid me problems. at least i will know each user…
seriously, being a sysadmin, i’d never implement such things even if tortured
if invitation only, it could be ok security wise but i can see 2 problems:
1 – too much work on your side
2 – “why i’m not allowed to ?” kind of buyer question
Ahahah, I trust people… my bad 
1: Not really, just 1 click
2: Everyone can have a theme activated, just need to send me an email 
PS
If you have any tip to improve security share it my dear sysadmin! 
ParkerAndKent said
wizylabs said
Hmm nice idea, but again it’s almost impossible to protect your code completely! Maybe a better idea would be a multisite for your theme, on your own server, that allows users to create a new instance of the theme with their own username/pass etc.. then you have full control of what they see as new users (theme instances, i.e. sites) created can be limited to certain capabilities etc…
I agree about code protection, in fact the main goal of this post is to find (if any) the best way to achieve this. I mean, not everybody is skilled enough to clean the code from the protections… only advanced users could be able to achieve so.
A multisite installation is also a good idea… but correct me if I’m wrong. You, as admin of the network, would need to create each theme installation manually for each user asking for a demo, right?
not really, everything can be done programmatically in WordPress. You can prepare a landing page for your network site that has a register form for users seeking demos etc…
It won’t be hard, you can even require an Envato API to make sure that the user is from Envato and can chase him up later on!
wizylabs said
ParkerAndKent said
wizylabs said
Hmm nice idea, but again it’s almost impossible to protect your code completely! Maybe a better idea would be a multisite for your theme, on your own server, that allows users to create a new instance of the theme with their own username/pass etc.. then you have full control of what they see as new users (theme instances, i.e. sites) created can be limited to certain capabilities etc…
I agree about code protection, in fact the main goal of this post is to find (if any) the best way to achieve this. I mean, not everybody is skilled enough to clean the code from the protections… only advanced users could be able to achieve so.
A multisite installation is also a good idea… but correct me if I’m wrong. You, as admin of the network, would need to create each theme installation manually for each user asking for a demo, right?
not really, everything can be done programmatically in WordPress. You can prepare a landing page for your network site that has a register form for users seeking demos etc…
It won’t be hard, you can even require an Envato API to make sure that the user is from Envato and can chase him up later on!
Hi,
yes, thanks… I’ve already installed everything and tested… it works like a charm 
Parker
it’s a good addition if done right. All of you know these comments “Can I do this and that in the backend…” People could simply try it out. There would be fewer complaints after purchase as well because everyone really knows what he is getting…
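One way to implement the capability-limited multisite demo suggested earlier in the thread, covering the concern that an admin-area user could reach file upload. This is an added example, not code posted by anyone in the thread; the meta key `is_theme_demo_user`, the function `demo_is_sandbox_user` and the choice of denied capabilities are assumptions.

```php
<?php
/**
 * Demo sandbox lockdown (added example).
 * Place in wp-content/mu-plugins/ on the demo network only.
 */

// Assumption: accounts created for test drives carry this user meta flag.
const DEMO_FLAG_META = 'is_theme_demo_user';

// Capabilities that let a user write files, code or raw markup, or manage
// other accounts. A theme test drive needs none of them.
const DEMO_DENIED_CAPS = [
    'upload_files', 'unfiltered_upload', 'unfiltered_html', 'import',
    'edit_themes', 'edit_plugins', 'install_themes', 'install_plugins',
    'update_themes', 'update_plugins', 'update_core',
    'create_users', 'promote_users', 'delete_users',
];

// Block the built-in editors and all installs/updates from wp-admin.
// Usually set in wp-config.php; guarded so either location works.
defined( 'DISALLOW_FILE_EDIT' ) || define( 'DISALLOW_FILE_EDIT', true );
defined( 'DISALLOW_FILE_MODS' ) || define( 'DISALLOW_FILE_MODS', true );

// Turn off authenticated XML-RPC methods; the demo does not need them.
add_filter( 'xmlrpc_enabled', '__return_false' );

function demo_is_sandbox_user( $user_id ) {
    return $user_id
        && ! is_super_admin( $user_id )
        && (bool) get_user_meta( $user_id, DEMO_FLAG_META, true );
}

// Flag every account registered on this network (it hosts demos only).
add_action( 'user_register', function ( $user_id ) {
    update_user_meta( $user_id, DEMO_FLAG_META, 1 );
} );

// Deny at check time, so a role altered in the database or by another
// plugin still cannot exercise these capabilities.
add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
    if ( demo_is_sandbox_user( $user->ID ) ) {
        foreach ( DEMO_DENIED_CAPS as $cap ) {
            $allcaps[ $cap ] = false;
        }
    }
    return $allcaps;
}, 99, 4 );
```

This narrows what a demo account can reach inside WordPress; it works alongside the separate site roots discussed above and does not replace them.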
