plugin development - How to restrict access to image folder depending on whether product is purchased or not?

In WordPress I want to be able to sell sets of emoticons (png images). These emoticon sets are stored in a folder under the plugin (e.g. wp-content/plugins/my-plugin/emoticons/set-1/happy.png).

Some emoticon sets are free, some are not. I want to be able to prevent the user from accessing the emoticons if they did not buy the set. Also, because these emoticons are used when writing text, I need the check done as fast as possible.

What I tried so far:

  1. loading the emoticons via a proxy php file in which I do the check for user purchases. This works, but it's awfully slow.

  2. using .htaccess inside the emoticons/ folder. With it I do a check like this:

    RewriteEngine On
    # capture the set name from a cookie named emoticonset-<set>
    RewriteCond %{HTTP_COOKIE} .*?emoticonset-(.*)=(.*);?
    # serve the file only if the requested set matches the cookie's set (%1)
    RewriteCond %{SCRIPT_FILENAME}::%1 emoticons/(.*?)/(.*\.png)::\1$
    RewriteRule .* - [L]
    # everything else is forbidden
    RewriteRule ^ / [F]

It sort of works in the sense that it will check if the user has a cookie emoticonset-set-1 and if yes then it serves the png image, otherwise it returns 403 forbidden.

  3. I also tried with WordPress rewrite rules, but these only seem to work for redirecting to index.php paths.

Option 2 is extremely fast, but it can be easily fooled by users manually adding the cookie in the browser.

Are there any other options I should look into? Is there any way to make option 2 secure?

edited Mar 23, 2019 at 13:07 by coding-dude; asked Mar 23, 2019 at 8:36 by coding-dude (111 reputation, 6 bronze badges)
  • you might have a problem with the WordPress plugin repository guidelines there. I don't think you're allowed to have material in the plugin that is restricted to paid users only, that's why most plugin devs have a pro version of their plugin that contains the paid material. If you have to go that way anyways this might not be a problem you actually need to solve. – mrben522 Commented Mar 23, 2019 at 17:32
  • actually that's not a problem for me. I'm implementing my own plugin for functionality in a website. I don't intend to distribute the plugin through WordPress plugin repository – coding-dude Commented Mar 23, 2019 at 18:00

1 Answer

I found an acceptable solution to my problem. The solution has a few steps:

  1. I used .htaccess to deny direct access to the emoticon files for everybody

  2. I created a simple PHP file in the plugin folder. The PHP file acts as a proxy for the images (I pass it the path to the emoticon via a GET parameter). Since the PHP file does not include the whole WordPress infrastructure, the proxy works very fast. I also do a very basic check of a cookie (emoticon_set_name=md5(emoticon_set_name)).

  3. In the WordPress plugin I use the init action to set the cookie values according to the emoticon sets that the user bought.

The MD5 encryption can be substituted for any kind of encryption and the cookie value encrypted can be combined with other cookie values to make it more difficult for the user to directly key in the cookie in the browser.
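As an added example (not the answer's own code), here is the lightweight proxy from step 2 with the cookie check replaced by an HMAC keyed on a server-side secret, so the cookie value cannot be computed client-side the way md5(set_name) can; the plugin's init hook would call make_set_token() for each purchased set and store the result in the emoticonset-<set> cookie. SIGNING_SECRET, EMOTICON_ROOT, the img GET parameter and the cookie name are assumptions, not values from the answer.

```php
<?php
// Added example, not code from the answer. Standalone proxy (no WordPress
// bootstrap) that authorizes image requests with an HMAC-signed cookie.
// Assumptions: SIGNING_SECRET is loaded from a file outside the web root and
// shared with the plugin; EMOTICON_ROOT is the .htaccess-protected folder.
define('SIGNING_SECRET', 'PLACEHOLDER-load-a-long-random-secret-from-config');
define('EMOTICON_ROOT', __DIR__ . '/emoticons');

// Token the plugin issues on 'init' for each purchased set:
// "<user_id>.<expires>.<hmac>", bound to the set, the user and an expiry.
function make_set_token(string $set, int $user_id, int $expires): string {
    $mac = hash_hmac('sha256', "$set|$user_id|$expires", SIGNING_SECRET);
    return $user_id . '.' . $expires . '.' . $mac;
}

// Recompute the MAC and compare in constant time (hash_equals), so a forged
// cookie fails regardless of what the user types into the browser.
function set_token_is_valid(string $set, ?string $token, int $now): bool {
    if ($token === null || !preg_match('~^(\d+)\.(\d+)\.([0-9a-f]{64})$~', $token, $m)) {
        return false;
    }
    [, $user_id, $expires] = $m;
    if ((int) $expires < $now) {
        return false;                       // expired tokens are rejected
    }
    return hash_equals(make_set_token($set, (int) $user_id, (int) $expires), $token);
}

// Accept only "set-name/file.png"; "../" or extra path components never match.
function parse_image_path(string $raw): ?array {
    return preg_match('~^([a-z0-9_-]+)/([a-z0-9_-]+\.png)$~i', $raw, $m)
        ? [$m[1], $m[2]] : null;
}

// Request handling, e.g. img.php?img=set-1/happy.png (skipped under the CLI).
if (PHP_SAPI !== 'cli') {
    $parts = parse_image_path($_GET['img'] ?? '');
    if ($parts === null) { http_response_code(404); exit; }
    [$set, $file] = $parts;
    $token = $_COOKIE['emoticonset-' . $set] ?? null;
    if (!set_token_is_valid($set, $token, time())) { http_response_code(403); exit; }
    $path = EMOTICON_ROOT . '/' . $set . '/' . $file;
    if (!is_file($path)) { http_response_code(404); exit; }
    header('Content-Type: image/png');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

Because the token carries the user id and an expiry, a leaked cookie can be tied to one account and stops working after the expiry, and the proxy still never loads WordPress itself.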
