5

I'm planning to develop some professional WordPress themes and would like to protect them using license keys. Is it possible?

If so, would anyone be willing to link to some posts or articles to help me get started?

holiveira

2 Answers

4

You could set up a database on your own server, holding the license key and the licensed URL for the theme. Then, set up an admin page for your theme. Within it, first register a license settings array. Then implement a hidden settings field on that same page that gets updated whenever the license key is updated by the site admin. The update function sends a request to your server, passing the license key and the $_SERVER's host, and sets the hidden license_settings field to either true or false.

A really simplified code would look like this:

functions.php

```php
<?php
// functions.php
require("myadminpage.php");

# Functions follow here...
?>
```

myadminpage.php

```php
<?php
// myadminpage.php

// register settings
function my_settings_init() {
  register_setting('settings_license', 'settings_license');
}
// register admin page
function my_add_admin_page() {
  add_menu_page(__( '' ), __( 'Manage License' ), 'administrator', 'myadminpage', 'my_admin_page');
}
add_action('admin_init', 'my_settings_init');
add_action('admin_menu', 'my_add_admin_page' );

// after the settings form has been saved, ask the license server whether
// this key is valid for this host and store the answer
if(isset($_GET["settings-updated"]) && $_GET["settings-updated"] == true) {
    $options = get_option('settings_license');
    $key = $options["key"];
    // host name of the current request
    $host = $_SERVER['HTTP_HOST'];
    // placeholder endpoint; both values are URL-encoded before being sent
    $url = sprintf("http://you.com/check-license.php?key=%s&url=%s", urlencode($key), urlencode($host));
    // the server is expected to answer 1 for a valid key/host pair
    $options["valid"] = (trim(file_get_contents($url)) == 1) ? "true" : "false";
    update_option('settings_license', $options);
}

// callback function that renders your admin page
function my_admin_page() {
  $options = get_option('settings_license');
  ?>
  <form method="post" action="options.php">
  <?php
  // the nonce and option group fields must be printed inside the form
  settings_fields('settings_license');
  ?>
  <input id="settings_license[key]" type="text" name="settings_license[key]" value="<?php echo esc_attr($options["key"]); ?>">
  <input id="settings_license[valid]" type="hidden" name="settings_license[valid]" value="<?php echo esc_attr($options["valid"]); ?>">
  <input type="submit" value="Save">
  </form>
  <?php
}
?>
```

Now you can, whenever you need or want, get the license options and handle the invalid usage in any way you want. E.g. (a rude way):

header.php

```php
<?php
// very first line
$license = get_option('settings_license');
// see: http://ckon.wordpress.com/2006/08/09/server-request_uri-doesnt-always-work-correctly-heres-how-to-fix/
$ruri = $_SERVER['REQUEST_URI'];
// a missing option (license never saved) counts as invalid
if(!preg_match("#wp-admin#", $ruri) && (empty($license["valid"]) || $license["valid"] != "true")) {
  // the page slug must match the one registered with add_menu_page()
  wp_die( __('This website uses unlicensed software.<br>Administrators can update their license key <a href="'. get_bloginfo('url') .'/wp-admin/admin.php?page=myadminpage">here</a>.') );
}

# rest of header.php comes here..
```

Finally, obfuscate your PHP code (e.g. http://www.ioncube.com/sa_encoder.php) and you're done. However, make sure you're not violating any other licenses, such as WP's. If there's one single line of WordPress core functions used within your final code, you cannot release it under any other license than WP, which is GPL.

eyecatchUp
  • If the user knows beforehand that the theme uses some kind of a license key, it will take them just one unsuccessful attempt to find out what's going on (fresh WP, export database, install theme, export database, diff the two exports). Ignoring the fact that if a user is determined to use an illegal copy of your theme they will do it, GPL doesn't allow obfuscated code (http://stackoverflow.com/questions/1086445/obfuscation-and-gpl). And WP themes are GPL (http://wordpress.org/news/2009/07/themes-are-gpl-too/). – Nikolay Yordanov May 01 '12 at 21:35
  • I know that you're not allowed to do so, and that's why I mentioned the license issue myself. However, I wanted to give an example of how it *could* be done. And ignoring the fact it is not allowed, I know a couple of theme / plugin developers who use this technique to protect their products (and nobody ever got problems so far). Regarding your other point: I don't see how you can bypass such a method. Even if you know that the API Key is associated with your URL. As long as all your code is obfuscated, the only way is to know how to build a valid checksum (aka API Key) for a URL. – eyecatchUp May 02 '12 at 09:12
  • PS: Also, the question was not if it would be legal to do so, but if it would be possible to do so. ;) – eyecatchUp May 02 '12 at 09:25
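
The first answer calls `check-license.php` on the vendor's server but does not show it. The following is an added example (not the answer author's code) of what that endpoint could look like; the `licenses` table, the sample key and host, and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// check-license.php: added example, not the answer author's code.
// Assumed schema: licenses(license_key TEXT PRIMARY KEY, host TEXT NOT NULL).

// Reduce what the theme sent (host, host:port or a full URL) to a bare lowercase host.
function normalize_host(string $raw): string {
    $raw = strtolower(trim($raw));
    if (strpos($raw, '://') === false) {
        $raw = 'http://' . $raw; // give parse_url() an authority part to parse
    }
    $host = parse_url($raw, PHP_URL_HOST);
    return is_string($host) ? rtrim($host, '.') : '';
}

// True only when the key exists and is registered for exactly this host.
function check_license(PDO $db, string $key, string $url): bool {
    $host = normalize_host($url);
    if ($key === '' || strlen($key) > 64 || $host === '') {
        return false;
    }
    // Prepared statement: the key arrives straight from the query string.
    $stmt = $db->prepare('SELECT host FROM licenses WHERE license_key = ?');
    $stmt->execute([$key]);
    $licensed = $stmt->fetchColumn();
    return is_string($licensed) && $licensed === $host;
}

// Constructed sample data in an in-memory SQLite database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE licenses (license_key TEXT PRIMARY KEY, host TEXT NOT NULL)');
$db->prepare('INSERT INTO licenses VALUES (?, ?)')->execute(['SAMPLE-KEY-0001', 'shop.example.com']);

if (PHP_SAPI === 'cli') {
    // Offline run over constructed requests.
    $samples = [
        ['SAMPLE-KEY-0001', 'shop.example.com'],       // registered pair
        ['SAMPLE-KEY-0001', 'Shop.Example.com:8080'],  // same host, other case, with port
        ['SAMPLE-KEY-0001', 'other.example.net'],      // key reused on another site
        ['SAMPLE-KEY-9999', 'shop.example.com'],       // unknown key
    ];
    foreach ($samples as [$key, $url]) {
        echo check_license($db, $key, $url) ? '1' : '0', "  $key @ $url\n";
    }
} else {
    // The theme compares the trimmed response body with 1, so reply with a bare 1 or 0.
    header('Content-Type: text/plain');
    echo check_license($db, (string)($_GET['key'] ?? ''), (string)($_GET['url'] ?? '')) ? '1' : '0';
}
```

The reply only says whether the key/host pair is registered; the theme still stores the result in the `settings_license` option on the customer's own site.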
1

I don't think so. After all, the users must have the PHP code to use the theme, and if they have it, they may alter it in such a way that it won't need a key any more.

Nikolay Yordanov
  • Nikolay, you're right that the users must have the php code to use the theme. But he must not have a **human readable** copy of your php code. Take a look at my answer to get a basic idea of how this could be done. – eyecatchUp May 01 '12 at 19:00
  • You *must* provide human readable code (http://stackoverflow.com/questions/1086445/obfuscation-and-gpl) – Nikolay Yordanov May 01 '12 at 21:38