
How to protect our code? WordPress

So, I've been working hard for six weeks now on a new WordPress framework that will be packaged with our premium themes that are going on sale. The theme will be distributed unpacked with good comments and so on, as it's fine for the user to edit those files as they need and want. However, the framework is not supposed to be edited/copied/re-used, and if we ship the framework without some level of protection, other theme developers will steal it, re-write a couple of bits, re-design it and sell it as their own with their own themes, and I didn't work 6 long weeks for that to happen.

So, how can I protect my framework code? I've written php and javascript and want to be able to encrypt/minify/protect as much as I possibly can of those files that are not for editing (the framework). I already know of a few like ioncube but I want a solution that requires no server installs or edits for the end user of our themes as this is obviously hassle if they have to contact their host or make server changes etc.

The best recommendations of how and what I can do to protect my valuable framework wins the loot. Thanks =)

Answers (13)


Ali Hussain answers:

I would suggest using as many shortcodes as possible.
You cannot really stop the theft.


Oleg Butuzov answers:

1) one obfuscation-free init file (with hooks + filters)
2) all other *.php Zend encoded







Sébastien | French WordpressDesigner answers:

you can use a system of unique licence key like wpseo for example

drew comments:

Any suggestions as to a system like this?

Sébastien | French WordpressDesigner comments:

Yes, I can suggest you send an email to Alex or Sergej, who are real experts and probably have a good response for you :-)

That's the best suggestion I can make :-)


Ozh RICHARD answers:

Or you can just be smart, responsible, and not a douchebag: ship clear code, well structured, well commented.

Take example on those who are more successful than you and make more money than you: they ship GPL'd readable code.

drew comments:

As previously stated, I didn't work 6 long weeks to allow my competitors to steal my USP and make money from it themselves. The framework code is not intended to be read/edited and is a bonus to managing theme options more easily. The user is in fact buying rights to the theme and therefore will get the theme well commented and unprotected. If that makes me a douche, so be it.


James answers:

You'll likely not get many sales selling encrypted code; or to put it another way if I bought your theme and found encrypted code I'd be expecting a full and immediate refund as there's no way I'd use the code on a live site not knowing exactly what's going on.

WordPress is GPL software, and any work dependent on it should also use GPL code (or split licence for CSS / JS files if need be). How many hours went into making it what it is? I'm guessing a lot longer than 6 weeks.

If your designs are good and there's quality support behind your products you have no need to encrypt the files, as people buy quality themes.


Andrew Wetzel answers:

Gravity Forms uses a license key for their well-received [going for the understatement of the year award here] product. The code is clear, commented PHP, and their excellent support is enhanced by the participation of the community. All this despite charging developers $199/year to use the product & be part of the community.

So Ozh, despite being quite blunt, is correct: clear, GPL code will not hamper your relationships with customers or leave you vulnerable to thieves. There are plenty of businesses out there to give evidence for that claim.

That said, I don't believe that is exactly what you are asking, since you are already talking about releasing the child-themes that way. It is other developers - unethical ones - that you're concerned about. My recommendation would be to leave the core framework code GPL, clear & well-commented as well. This will avoid breaking strong WordPress community norms, without danger to your business or to the customer community - both end users and developers - whose goodwill will be paying your bills.

You can make it clear that your core framework should be treated like the WordPress core files - hands off! Any edits your users make will be wiped out on each update, if they're not doing it right.

Why does exposing your valuable framework not leave your business vulnerable to rip-off developers? First, because people who do that sort of thing become pariahs, and the internet talks. Second, because people who pay for access to download software and become part of the community are unlikely to abuse it. Third, and most important, because nobody knows and supports your code as well as you and your community. They may steal your tools, but they can't steal your craftsmanship. They may imitate your business, but they can't duplicate your reputation.


Vidyut Kale answers:

I don't think there is any real way to prevent code from being copied if the theme is to be usable. The shortcodes idea is good, because it at least makes it difficult for people to just pick up stuff, but of course, it can be done, if your theme is that miraculous.

If you obfuscate the code, it's unlikely to sell well, and if it does, it will probably have demands for refunds - no one wants to put unknown code on their websites.

The best bet would be to work out a revenue model that allows you to earn in spite of copying and works to make the copying an advertisement of your work. In what little I know of the theming world, people do write good things about good code and provide credit where it is due. This works to create your reputation. No one can call your code good if they can't see it. Remember, people have no clue how good your theme is till they pay up. Reputation will help them get there.

Justin Tadlock of Hybrid fame has an interesting model - the theme is open source. He charges for support. Check it out. It's a thriving community - I don't think he's going broke any time soon.


Denzel Chia answers:


There is no way to protect your codes. Any skilled programmer will be able to decrypt your codes if they really want to.

And there are many superb theme frameworks that are free, I don't think people need to steal your framework. Unless yours is as good as Carrington Build or Hybrid Core? Or your theme is better designed than Woo Theme's?

Relax, people will not bother to steal your framework.

Denzel Chia comments:

Stop wasting your time here.

90% of the framework files do not use WP functions but are instead custom PHP/js and change things like sliders, skins, css, fonts and so on. Therefore I'm well within my right to encrypt these files and released them not as GPL

You said 90% of the code not 100% of the code do not use WP functions. Your codes should be GPL even if you use only one function of WordPress. Only CSS and Javascript codes can be licensed separately from WordPress.

It is pointless to talk about GPL here.

You can obfuscate your code if you want to make it difficult for people to reverse engineer, use this



Valentinas Bakaitis answers:

To answer your question: if you want to protect your code you need to keep it in your server and provide service instead. For example user only sends you his serial key (which you generate on purchase) and data to calculate, and you send back the result. Very much like Akismet.

More on the topic:
There are various business models around GPL, and the one that you are choosing definitely does not work very well. Apart from the "service" model that I've mentioned above there's also "support" model, where you provide support only to those that bought your framework. This one is really popular.

Some more thoughts about why the thing that you are doing is wrong:

Any WP theme or plugin or framework HAS to be GPL. That does not apply to JS (that does not use WP functions), styles, images and similar stuff, but applies to all PHP files that use WP functions.

This is the WP licence, and if you want people to respect your licence, you need to respect theirs ;)

What you want to do is not only against the WP license but also not fair. Not fair to the user and to other developers. Here's why: let's say a user buys your framework, then you decide to go out of business, then the WP API changes and your framework suddenly stops working. You see where I'm going.

drew comments:

The user isn't buying our framework, they're buying a theme with the framework as a bundled bonus for easy management of their site look and content.

90% of the framework files do not use WP functions but are instead custom PHP/js and change things like sliders, skins, css, fonts and so on. Therefore I'm well within my right to encrypt these files and released them not as GPL.

I repeat again, we're not selling the framework, it is a tool to manage theme options, most of which don't use WP functions, those that do would be released as GPL and not encrypted.

Valentinas Bakaitis comments:

Ah, I see. Well, fair enough about the licence :)
My advice for you would be to go with the support business model. Obfuscated code will not give you more clients. And it doesn't really matter how many people will steal your code. What matters is how many will buy. So you better make it good, developer-friendly code, and fellow developers will appreciate that :)
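
The service model described in this answer (the customer sends the key generated at purchase plus the data, and the vendor's server returns the result), as an added example that is not code from the thread: a minimal vendor-side PHP request handler. The secret, the key format and `proprietary_skin_css()` are assumptions made for illustration.

```php
<?php
// Added example: runs on the vendor's server only. The shipped theme contains
// no proprietary logic, just an HTTPS call carrying the key and the input.

// Assumption: this secret exists only on the vendor server (constructed value).
const LICENSE_SECRET = 'constructed-demo-secret-change-me';

// Issue a key at purchase time: order id plus a truncated HMAC tag over it.
function issue_license_key(string $orderId): string {
    $tag = substr(hash_hmac('sha256', $orderId, LICENSE_SECRET), 0, 32);
    return $orderId . '-' . $tag;
}

// Recompute the expected key and compare in constant time with hash_equals().
function verify_license_key(string $key): bool {
    $pos = strrpos($key, '-');
    if ($pos === false) {
        return false;
    }
    return hash_equals(issue_license_key(substr($key, 0, $pos)), $key);
}

// Hypothetical stand-in for the framework logic that never leaves the server.
// The input is validated so a customer-supplied value cannot inject CSS.
function proprietary_skin_css(array $options): string {
    $accent = $options['accent'] ?? '';
    $ok = is_string($accent) && preg_match('/^#[0-9a-f]{6}$/i', $accent) === 1;
    return 'a{color:' . ($ok ? $accent : '#333333') . '}';
}

// Returns [HTTP status, response payload] for one JSON request body.
function handle_request(string $rawBody): array {
    $req = json_decode($rawBody, true);
    if (!is_array($req) || !is_string($req['key'] ?? null) || !is_array($req['options'] ?? null)) {
        return [400, ['error' => 'malformed request']];
    }
    if (!verify_license_key($req['key'])) {
        return [403, ['error' => 'invalid license key']];
    }
    return [200, ['css' => proprietary_skin_css($req['options'])]];
}

// Constructed sample requests: a valid key, a forged tag, and a non-JSON body.
$good = json_encode(['key' => issue_license_key('ORDER1001'), 'options' => ['accent' => '#ff6600']]);
$bad  = json_encode(['key' => 'ORDER1001-' . str_repeat('0', 32), 'options' => ['accent' => '#ff6600']]);
foreach ([$good, $bad, 'not json'] as $body) {
    [$status, $payload] = handle_request($body);
    echo $status, ' ', json_encode($payload), PHP_EOL;
}
```

A key verified this way cannot be revoked on its own; revoking a leaked key needs a server-side list checked in `verify_license_key()`.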


Victor Teixeira answers:

As a WordPress user you are taking advantage of free code and making money from it because it is opensource.
As WordPress is released under the GPL license, you must also release your code under the same license. So it must be opened.

If you want to release closed proprietary code then you are developing for the wrong cms. You should just develop themes for a proprietary cms, not WordPress.

<blockquote>I didn't work 6 long weeks to allow my competitors to steal my USP and make money from it themselves</blockquote>
How much time do you think all the people involved on the wordpress development gave to the project?

Even if you encode your code, then this will just count against your business.
People will not buy from you....

And the "bad" guys will just decode and use your code. There are all sort of decoders out there...

The point here is: you must respect the license.

drew comments:

You only have to release code that uses WP functions as GPL, please try reading other comments and replies before commenting.

Victor Teixeira comments:

Actually your framework must interface with wordpress somehow, so you are building on top of wordpress, and so it must be GPL.

And again, even if it doesn't interface with wordpress, which is not possible, if you are using a product for free that other people have written and given their time for you to make money on top of it, it's just fair for you to give back to the community.
We are not telling that you should release your product for free, you should just release it with complete source code, so other people can learn from your code the same way you learned from their code. It's simple like this.

Do you know Woothemes? Last year they built a Menu Builder interface inside their commercial theme framework. Some months later wordpress core developers incorporated their menu builder inside wordpress, so that's the menu builder you use, it was originally written by a company for their framework, and they were really happy when they were told that the core developers were "stealing" their code...


Rashid Aliyev answers:

1) Split it into many classes first of all, and then encode the files with any 64bit decryptable encoder and make a custom function which will call, decode and include your class. It's the most working way.
2) Also you can store your FW on your host and call it remotely :)
3) Pack it in any kind of gZip file with encrypted filenames and use PHP to unpack and call each of them as Java does.


Jarret Minkler answers:

I second, third, and fourth the "no encrypted code" route. For lots of reasons.

But if you really must, maybe you could look into Phar archives? and somehow caching the templates it generates?

or ioncube ..

perhaps this should have been thought about when you started down this business model path before you put in 6 weeks or whatever?


Michael Fields answers:

I would strongly suggest the following method for code obfuscation. Not only is it the best method but, if I do say so myself, the only method.

1. Open your file in a text editor of your choosing. I prefer Notepad++, but to each their own.
2. Press and hold the control key as well as the "A" key at the same time. If you're on a mac, you might need to use the command key, I'm not certain though. I'll have to write another tutorial after I've tried this on a mac.
3. At this point all of the code on the page should have changed colors. This means it's working :)
4. Next step is to press the "Backspace" key. If you are having trouble locating the "backspace" key, another alternative is to look for the "delete" key. I have heard reports from some users that this is sometimes easier to find on certain keyboards.
5. We're almost there... The fifth and final step is to save your document.

It is now safe to ship your code! Not only is it 100% safe, it's also totally secure! Two for the price of one, now THAT'S value.

Best wishes,