当前位置：文江博客话题详情

如何创建付费插件/主题并安全地销售它们

发布于 2024-11-29 15:51:19 字数 220 浏览 0 评论 0原文

我正在为 drupal / wordpress / magento 创建支付网关。我已经有客户想要使用我的插件。因为这是一项付费作品，所以我想保护它不被其他网站使用。

我还看到许多销售主题、模块和插件的供应商都需要输入 API 密钥。

我怎样才能做同样的事情。我的服务器端需要什么。我知道如何创建模块，但我不知道如何安全地销售它们并提供定期更新。

如果有关于这方面的书请告诉我。

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

夜巴黎 2024-12-06 15:51:19

我不熟悉任何关于这个主题的书籍，但我会告诉你我作为

有几种方法 -

有些插件根本不需要 API 密钥。该插件要么只有在购买后才可用，要么对免费下载版本有一些限制，鼓励人们付费购买商业版本。这种方法更多地依赖于人们的诚信度和尝试将免费版本破解为商业版本的低积极性，特别是如果他们不是技术用户（正如许多 CMS 用户一样）。
设置定期对您的服务器进行检查。为此，您不需要完整的 API，只需在服务器上设置一个端点，插件可以发送 API 密钥，并根据响应允许使用该插件。您需要对其进行规划，以便每次运行插件时都不会发生此检查，特别是如果它是在公共站点上运行而不仅仅是在管理面板中运行的插件 - 它将严重降低插件的性能使用它的网站会给您的服务器造成不必要的负载。使用某种基于时间的检查 - 绝对或从上次检查的时间开始。
除了执行 API 检查之外或代替执行 API 检查，有些人还会混淆他们的代码，以使修改和绕过检查变得更加困难。这通常要求服务器安装一个可以解析混淆文件的模块 - 这一要求通常使其对大多数人来说不太可行。您可以在另一个问题中查看混淆器的一些示例。

就我个人而言，我更倾向于第一种选择，因为有足够决心的人会破坏你设置的任何保护（人们会立即破坏更复杂的解决方案）。这是提供源代码而不是二进制文件的问题之一（经验丰富的黑客也可以轻松破解这些问题）。让那些愿意付钱的人，其他人就让他们做他们想做的事，因为无论如何你都无法创建真正安全的东西。

I'm not familiar with any books on the subject, but I'll tell you what I've seen as one of a founders of a component / plug-in marketplace that has many such plug-ins.

There are a few approaches -

Some plugins do not require an API key at all. Either the plug-in is only available after purchase, or has some limitations on the free downloadable version that encourages people to pay for the commercial version. This approach relies more on people's integrity and low motivation to try and hack the free version into the commercial one, especially if they are not technical users (as many CMS users are).
Set up a check against your server that happens periodically. You do not need a full blown API for this, just set up an endpoint on your server that the plug-in can send the API key and according to the response allows the use of the plug-in. You need to plan it so that this check doesn't happen every time the plug-in is run, especially if it a plug-in that runs on the public site and not only in the administration panel - it will seriously degrade the performance of the site using it and create unnecessary load on your server. Use some kind of time based checked - either absolutely or from the time of the last check.
In addition to or instead of doing an API check, some people will obfuscate their code to make it harder to modify and bypass the check. This often requires that the server has a module installed that can parse the obfuscated files - this requirement often makes it less viable for most people. You can see some examples of obfuscators in another question.

Personally, I lean more toward the first option, as someone determined enough will break whatever protection you put (people break much more complicated solutions in no time). This is one of the problems of delivering source-code instead of binaries (and those are broken just as easily by more experienced hackers). Let those who are willing pay, and the others just let them do what they want as you won't be able to create something truly secure anyway.

回复收藏 0 原文

~没有更多了~