How to build custom license validation and automatic update servers for premium plugins
Designing the License Validation API
Building a robust license validation system for premium WordPress plugins requires a dedicated API. This API will handle license key verification, activation, deactivation, and potentially feature gating. We’ll design a RESTful API using PHP, focusing on security and efficiency. The core endpoints will be:
POST /activate: To activate a license key on a specific domain.POST /deactivate: To deactivate a license key from a specific domain.POST /validate: To check the validity and status of an activated license.
For this example, we’ll assume a simple license key format (e.g., a UUID) and a basic database structure to store license information. The API will be implemented as a standalone PHP application or integrated into a framework like Laravel or Symfony for better structure and dependency management. For simplicity, we’ll show a basic procedural implementation.
Implementing the License Validation API (PHP)
Let’s outline the core logic for the API. We’ll need a database connection and functions to interact with our license data. Security is paramount; all requests should be authenticated (e.g., via an API key) and validated.
Database Schema (Conceptual)
A minimal schema might look like this:
CREATE TABLE licenses (
id INT AUTO_INCREMENT PRIMARY KEY,
license_key VARCHAR(255) NOT NULL UNIQUE,
product_id VARCHAR(50) NOT NULL,
email VARCHAR(255),
status ENUM('active', 'inactive', 'expired', 'suspended') DEFAULT 'inactive',
activation_limit INT DEFAULT 1,
activated_domains TEXT, -- Stores JSON encoded list of domains
expiry_date DATETIME,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
);
CREATE TABLE activations (
id INT AUTO_INCREMENT PRIMARY KEY,
license_id INT NOT NULL,
domain VARCHAR(255) NOT NULL,
activated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (license_id) REFERENCES licenses(id) ON DELETE CASCADE,
UNIQUE KEY unique_activation (license_id, domain)
);
API Endpoint: Activation
The activation endpoint will take a license key, product ID, and the domain where it’s being activated. It will check the license’s status, activation limit, and if the domain is already activated. We’ll use JSON for request and response bodies.
<?php
// api/activate.php
header('Content-Type: application/json');
// Basic API Key authentication (replace with a more robust method in production)
$apiKey = 'YOUR_SECRET_API_KEY';
if (!isset($_SERVER['HTTP_X_API_KEY']) || $_SERVER['HTTP_X_API_KEY'] !== $apiKey) {
http_response_code(401);
echo json_encode(['success' => false, 'message' => 'Unauthorized']);
exit;
}
// Database connection (replace with your credentials and PDO)
$dbHost = 'localhost';
$dbName = 'license_db';
$dbUser = 'db_user';
$dbPass = 'db_password';
try {
$pdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=utf8mb4", $dbUser, $dbPass);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
http_response_code(500);
echo json_encode(['success' => false, 'message' => 'Database connection error']);
exit;
}
$input = json_decode(file_get_contents('php://input'), true);
if (!$input || !isset($input['license_key']) || !isset($input['product_id']) || !isset($input['domain'])) {
http_response_code(400);
echo json_encode(['success' => false, 'message' => 'Invalid request data']);
exit;
}
$licenseKey = $input['license_key'];
$productId = $input['product_id'];
$domain = rtrim($input['domain'], '/'); // Normalize domain
// 1. Check if license key exists and is for the correct product
$stmt = $pdo->prepare("SELECT * FROM licenses WHERE license_key = :license_key AND product_id = :product_id");
$stmt->execute([':license_key' => $licenseKey, ':product_id' => $productId]);
$license = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$license) {
echo json_encode(['success' => false, 'message' => 'License key not found or invalid for this product.']);
exit;
}
// 2. Check license status and expiry
if ($license['status'] !== 'active') {
echo json_encode(['success' => false, 'message' => 'License is not active. Status: ' . $license['status']]);
exit;
}
if ($license['expiry_date'] && strtotime($license['expiry_date']) < time()) {
echo json_encode(['success' => false, 'message' => 'License has expired.']);
// Optionally update status to 'expired' here
$updateStmt = $pdo->prepare("UPDATE licenses SET status = 'expired' WHERE id = :id");
$updateStmt->execute([':id' => $license['id']]);
exit;
}
// 3. Check activation limit and existing activations
$activationCount = 0;
$activatedDomains = [];
if ($license['activated_domains']) {
$activatedDomains = json_decode($license['activated_domains'], true);
if (is_array($activatedDomains)) {
$activationCount = count($activatedDomains);
}
}
if ($activationCount >= $license['activation_limit']) {
// Check if the current domain is already activated
if (in_array($domain, $activatedDomains)) {
echo json_encode(['success' => true, 'message' => 'License already activated on this domain.']);
exit;
} else {
echo json_encode(['success' => false, 'message' => 'License has reached its activation limit.']);
exit;
}
}
// 4. Activate the license on the new domain
try {
$pdo->beginTransaction();
// Add to activations table
$insertActivationStmt = $pdo->prepare("INSERT INTO activations (license_id, domain) VALUES (:license_id, :domain)");
$insertActivationStmt->execute([':license_id' => $license['id'], ':domain' => $domain]);
// Update license's activated_domains count and potentially status if it was the first activation
$activatedDomains[] = $domain;
$newActivatedDomainsJson = json_encode($activatedDomains);
$updateLicenseStmt = $pdo->prepare("UPDATE licenses SET activated_domains = :activated_domains, status = 'active' WHERE id = :id");
$updateLicenseStmt->execute([':activated_domains' => $newActivatedDomainsJson, ':id' => $license['id']]);
$pdo->commit();
echo json_encode(['success' => true, 'message' => 'License activated successfully.']);
} catch (PDOException $e) {
$pdo->rollBack();
http_response_code(500);
echo json_encode(['success' => false, 'message' => 'Failed to activate license: ' . $e->getMessage()]);
}
?>
API Endpoint: Deactivation
The deactivation endpoint removes a domain’s activation record.
<?php
// api/deactivate.php
header('Content-Type: application/json');
// API Key authentication (same as above)
$apiKey = 'YOUR_SECRET_API_KEY';
if (!isset($_SERVER['HTTP_X_API_KEY']) || $_SERVER['HTTP_X_API_KEY'] !== $apiKey) {
http_response_code(401);
echo json_encode(['success' => false, 'message' => 'Unauthorized']);
exit;
}
// Database connection (same as above)
$dbHost = 'localhost';
$dbName = 'license_db';
$dbUser = 'db_user';
$dbPass = 'db_password';
try {
$pdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=utf8mb4", $dbUser, $dbPass);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
http_response_code(500);
echo json_encode(['success' => false, 'message' => 'Database connection error']);
exit;
}
$input = json_decode(file_get_contents('php://input'), true);
if (!$input || !isset($input['license_key']) || !isset($input['product_id']) || !isset($input['domain'])) {
http_response_code(400);
echo json_encode(['success' => false, 'message' => 'Invalid request data']);
exit;
}
$licenseKey = $input['license_key'];
$productId = $input['product_id'];
$domain = rtrim($input['domain'], '/'); // Normalize domain
// 1. Find the license ID
$stmt = $pdo->prepare("SELECT id, activated_domains FROM licenses WHERE license_key = :license_key AND product_id = :product_id");
$stmt->execute([':license_key' => $licenseKey, ':product_id' => $productId]);
$license = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$license) {
echo json_encode(['success' => false, 'message' => 'License key not found or invalid for this product.']);
exit;
}
// 2. Remove activation record
try {
$pdo->beginTransaction();
$deleteActivationStmt = $pdo->prepare("DELETE FROM activations WHERE license_id = :license_id AND domain = :domain");
$deletedRows = $deleteActivationStmt->execute([':license_id' => $license['id'], ':domain' => $domain]);
if ($deletedRows === 0) {
// Domain was not activated, but we should still update the license's activated_domains list if it was there
$activatedDomains = json_decode($license['activated_domains'], true);
if (is_array($activatedDomains) && in_array($domain, $activatedDomains)) {
$key = array_search($domain, $activatedDomains);
if ($key !== false) {
unset($activatedDomains[$key]);
$newActivatedDomainsJson = json_encode(array_values($activatedDomains)); // Re-index array
$updateLicenseStmt = $pdo->prepare("UPDATE licenses SET activated_domains = :activated_domains WHERE id = :id");
$updateLicenseStmt->execute([':activated_domains' => $newActivatedDomainsJson, ':id' => $license['id']]);
}
}
echo json_encode(['success' => false, 'message' => 'Domain was not activated for this license.']);
exit;
}
// Update license's activated_domains list
$activatedDomains = json_decode($license['activated_domains'], true);
if (is_array($activatedDomains)) {
$key = array_search($domain, $activatedDomains);
if ($key !== false) {
unset($activatedDomains[$key]);
$newActivatedDomainsJson = json_encode(array_values($activatedDomains)); // Re-index array
$updateLicenseStmt = $pdo->prepare("UPDATE licenses SET activated_domains = :activated_domains WHERE id = :id");
$updateLicenseStmt->execute([':activated_domains' => $newActivatedDomainsJson, ':id' => $license['id']]);
}
}
$pdo->commit();
echo json_encode(['success' => true, 'message' => 'License deactivated successfully.']);
} catch (PDOException $e) {
$pdo->rollBack();
http_response_code(500);
echo json_encode(['success' => false, 'message' => 'Failed to deactivate license: ' . $e->getMessage()]);
}
?>
API Endpoint: Validation
The validation endpoint is crucial for the plugin to periodically check if its license is still valid. This is often called by the plugin on load or via a cron job.
<?php
// api/validate.php
header('Content-Type: application/json');
// API Key authentication (same as above)
$apiKey = 'YOUR_SECRET_API_KEY';
if (!isset($_SERVER['HTTP_X_API_KEY']) || $_SERVER['HTTP_X_API_KEY'] !== $apiKey) {
http_response_code(401);
echo json_encode(['success' => false, 'message' => 'Unauthorized']);
exit;
}
// Database connection (same as above)
$dbHost = 'localhost';
$dbName = 'license_db';
$dbUser = 'db_user';
$dbPass = 'db_password';
try {
$pdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=utf8mb4", $dbUser, $dbPass);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
http_response_code(500);
echo json_encode(['success' => false, 'message' => 'Database connection error']);
exit;
}
$input = json_decode(file_get_contents('php://input'), true);
if (!$input || !isset($input['license_key']) || !isset($input['product_id']) || !isset($input['domain'])) {
http_response_code(400);
echo json_encode(['success' => false, 'message' => 'Invalid request data']);
exit;
}
$licenseKey = $input['license_key'];
$productId = $input['product_id'];
$domain = rtrim($input['domain'], '/'); // Normalize domain
// 1. Find the license and check its status and expiry
$stmt = $pdo->prepare("SELECT * FROM licenses WHERE license_key = :license_key AND product_id = :product_id");
$stmt->execute([':license_key' => $licenseKey, ':product_id' => $productId]);
$license = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$license) {
echo json_encode(['success' => false, 'message' => 'License key not found or invalid for this product.']);
exit;
}
// Check status and expiry, update if necessary
if ($license['status'] !== 'active') {
echo json_encode(['success' => false, 'message' => 'License is not active. Status: ' . $license['status']]);
exit;
}
if ($license['expiry_date'] && strtotime($license['expiry_date']) < time()) {
// License expired, update status and inform client
$updateStmt = $pdo->prepare("UPDATE licenses SET status = 'expired' WHERE id = :id");
$updateStmt->execute([':id' => $license['id']]);
echo json_encode(['success' => false, 'message' => 'License has expired.']);
exit;
}
// 2. Check if the domain is currently activated for this license
$isDomainActivated = false;
if ($license['activated_domains']) {
$activatedDomains = json_decode($license['activated_domains'], true);
if (is_array($activatedDomains) && in_array($domain, $activatedDomains)) {
$isDomainActivated = true;
}
}
if (!$isDomainActivated) {
echo json_encode(['success' => false, 'message' => 'License is not activated on this domain.']);
exit;
}
// 3. License is valid and activated on this domain
echo json_encode([
'success' => true,
'message' => 'License is valid and active.',
'expiry_date' => $license['expiry_date'],
'activation_limit' => $license['activation_limit'],
'current_activations' => count(json_decode($license['activated_domains'] ?? '[]', true))
]);
?>
Integrating with WordPress Plugin
The WordPress plugin needs to communicate with this API. This involves making HTTP requests and handling responses. We’ll use WordPress’s built-in HTTP API for this.
Storing License Information in WordPress
License keys and associated data should be stored securely within the WordPress site’s options or a custom database table. Using `update_option()` and `get_option()` is common.
// In your plugin's main file or an options class
// Store license details
update_option('my_plugin_license_key', 'USER_ENTERED_LICENSE_KEY');
update_option('my_plugin_license_status', 'active'); // Or 'inactive', 'expired'
update_option('my_plugin_license_expiry_date', '2024-12-31 23:59:59');
update_option('my_plugin_license_product_id', 'MY_PLUGIN_PRO'); // Your product identifier
// Retrieve license details
$licenseKey = get_option('my_plugin_license_key');
$licenseStatus = get_option('my_plugin_license_status');
$expiryDate = get_option('my_plugin_license_expiry_date');
$productId = get_option('my_plugin_license_product_id');
Making API Requests from the Plugin
We’ll create a helper class or functions to manage API interactions. This includes setting up the correct headers (especially the API key) and handling potential errors.
/**
* Helper class for License API interactions.
*/
class My_Plugin_License_API {
private $api_url = 'https://your-license-server.com/api/'; // Base URL of your API
private $api_key = 'YOUR_SECRET_API_KEY'; // Should ideally be stored securely, not hardcoded
private $product_id = 'MY_PLUGIN_PRO'; // Your product identifier
/**
* Get the current site's domain.
* @return string
*/
private function get_site_domain() {
return home_url('/', 'https'); // Use https for security
}
/**
* Make an API request.
* @param string $endpoint The API endpoint (e.g., 'activate', 'validate').
* @param array $body The request body data.
* @param string $method HTTP method (POST, GET, etc.).
* @return array|WP_Error
*/
private function request( $endpoint, $body = [], $method = 'POST' ) {
$url = trailingslashit( $this->api_url ) . $endpoint;
$headers = [
'Content-Type' => 'application/json',
'X-API-KEY' => $this->api_key,
];
$args = [
'method' => $method,
'headers' => $headers,
'timeout' => 30, // Adjust timeout as needed
];
if ( 'POST' === $method || 'PUT' === $method || 'PATCH' === $method ) {
$args['body'] = json_encode( $body );
}
$response = wp_remote_request( $url, $args );
if ( is_wp_error( $response ) ) {
return $response; // Return WP_Error object
}
$response_code = wp_remote_retrieve_response_code( $response );
$response_body = wp_remote_retrieve_body( $response );
$decoded_body = json_decode( $response_body, true );
if ( $response_code >= 400 ) {
// Handle API errors (e.g., 401 Unauthorized, 400 Bad Request)
$error_message = isset( $decoded_body['message'] ) ? $decoded_body['message'] : 'An unknown API error occurred.';
return new WP_Error( 'api_error', 'API Error: ' . $error_message . ' (Code: ' . $response_code . ')' );
}
if ( ! $decoded_body ) {
return new WP_Error( 'api_error', 'API returned an empty or invalid JSON response.' );
}
return $decoded_body;
}
/**
* Activate the license.
* @param string $license_key The license key to activate.
* @return array|WP_Error
*/
public function activate_license( $license_key ) {
$domain = $this->get_site_domain();
$body = [
'license_key' => $license_key,
'product_id' => $this->product_id,
'domain' => $domain,
];
$result = $this->request('activate', $body);
if (is_wp_error($result)) {
return $result;
}
if (isset($result['success']) && $result['success']) {
// Store successful activation details
update_option('my_plugin_license_key', $license_key);
update_option('my_plugin_license_status', 'active');
update_option('my_plugin_license_expiry_date', $result['expiry_date'] ?? ''); // Assuming API returns this
update_option('my_plugin_license_product_id', $this->product_id);
// Potentially store other data like activation count if API provides it
}
return $result;
}
/**
* Deactivate the license.
* @param string $license_key The license key to deactivate.
* @return array|WP_Error
*/
public function deactivate_license( $license_key ) {
$domain = $this->get_site_domain();
$body = [
'license_key' => $license_key,
'product_id' => $this->product_id,
'domain' => $domain,
];
$result = $this->request('deactivate', $body);
if (is_wp_error($result)) {
return $result;
}
if (isset($result['success']) && $result['success']) {
// Clear stored license details on successful deactivation
delete_option('my_plugin_license_key');
delete_option('my_plugin_license_status');
delete_option('my_plugin_license_expiry_date');
// Keep product_id if needed for re-activation
}
return $result;
}
/**
* Validate the license.
* @param string $license_key The license key to validate.
* @return array|WP_Error
*/
public function validate_license( $license_key ) {
$domain = $this->get_site_domain();
$body = [
'license_key' => $license_key,
'product_id' => $this->product_id,
'domain' => $domain,
];
$result = $this->request('validate', $body);
if (is_wp_error($result)) {
// If validation fails, update local status to reflect the server's state
if (strpos($result->get_error_message(), 'License key not found') !== false ||
strpos($result->get_error_message(), 'License is not activated on this domain') !== false) {
update_option('my_plugin_license_status', 'inactive');
delete_option('my_plugin_license_key'); // Remove key if invalid
} elseif (strpos($result->get_error_message(), 'License has expired') !== false) {
update_option('my_plugin_license_status', 'expired');
update_option('my_plugin_license_expiry_date', ''); // Clear expiry date
}
return $result;
}
if (isset($result['success']) && $result['success']) {
// Update local status and expiry date based on server response
update_option('my_plugin_license_status', 'active');
update_option('my_plugin_license_expiry_date', $result['expiry_date'] ?? '');
// Potentially update other options like remaining activations if provided
} else {
// If server says not successful but no WP_Error, treat as inactive/expired
update_option('my_plugin_license_status', $result['message'] ?? 'inactive');
if ($result['message'] === 'License has expired.') {
update_option('my_plugin_license_expiry_date', '');
}
}
return $result;
}
/**
* Check if the license is currently active and valid.
* @return bool
*/
public function is_license_active() {
$status = get_option('my_plugin_license_status');
$license_key = get_option('my_plugin_license_key');
if (empty($license_key) || $status !== 'active') {
return false;
}
// Optionally, perform a validation check periodically or on load
// This prevents the plugin from running with an expired license if the local status is stale
// Be mindful of API call limits and performance.
// A good strategy is to validate once per day or on specific user actions.
// Example: Validate if expiry date is near or if status is stale
$expiry_date_str = get_option('my_plugin_license_expiry_date');
if ($expiry_date_str) {
$expiry_timestamp = strtotime($expiry_date_str);
if ($expiry_timestamp !== false && $expiry_timestamp < time()) {
// License has expired locally, force validation
$this->validate_license($license_key);
return false; // It's expired
}
}
// You might want to add a transient to limit validation checks, e.g., validate_license() only once every 24 hours.
// if ( false === get_transient( 'my_plugin_license_validation_check' ) ) {
// $validation_result = $this->validate_license($license_key);
// if ( is_wp_error( $validation_result ) ) {
// // Handle validation error, maybe log it
// }
// set_transient( 'my_plugin_license_validation_check', 'done', DAY_IN_SECONDS );
// }
return $status === 'active';
}
}
Automatic Updates Server
WordPress’s built-in update mechanism relies on specific API endpoints. To provide automatic updates for your premium plugin, you need to set up a server that mimics this behavior.
WordPress Update API Structure
WordPress checks for updates by querying a specific URL (defined in your plugin’s headers) for information about available versions. The typical endpoint structure is:
?action=update-check: Checks for plugin updates.?action=info: Retrieves detailed information about a specific plugin version.
The response is typically JSON, containing details like the new version number, download URL, changelog, and required WordPress version.
Setting Up the Update Server (PHP)
This server needs to:
- Verify the license status of the requesting site.
- Check your internal database or version control for the latest available version of the plugin.
- Provide the correct JSON response for WordPress to parse.
<?php
// update-server.php
// --- Configuration ---
$plugin_slug = 'my-premium-plugin'; // The slug of your plugin (folder name)
$current_version = '1.2.0'; // The latest stable version available on your server
$download_url = 'https://your-license-server.com/downloads/my-premium-plugin-v1.2.0.zip'; // URL to the plugin zip file
$changelog_url = 'https://your-license-server.com/changelogs/my-premium-plugin.txt'; // URL to a plain text changelog
$api_key = 'YOUR_SECRET_API_KEY'; // API key for authentication
// --- Database Connection (for license validation) ---
$dbHost = 'localhost';
$dbName = 'license_db';
$dbUser = 'db_user';
$dbPass = 'db_password';
try {
$pdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=utf8mb4", $dbUser, $dbPass);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
// Log error, but don't expose details to client
error_log("Update Server DB Connection Error: " . $e->getMessage());
header('HTTP/1.1 500 Internal Server Error');
exit;
}
// --- Authentication ---
// WordPress sends the plugin slug and potentially other info.
// We need to verify the license key and domain.
$request_domain = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
$request_domain = rtrim($request_domain, '/');
// WordPress sends the license key in the 'X-Wp-License-Key' header
$license_key = isset($_SERVER['HTTP_X_WP_LICENSE_KEY']) ? $_SERVER['HTTP_X_WP_LICENSE_KEY'] : '';
if (empty($license_key)) {
header('HTTP/1.1 401 Unauthorized');
echo json_encode(['error' => 'License key is missing.']);
exit;
}
// Validate license against your database
$stmt = $pdo->prepare("
SELECT l.status, l.expiry_date, l.activated_domains
FROM licenses l
JOIN products p ON l.product_id = p.id -- Assuming a products table
WHERE l.license_key = :license_key
AND p.slug = :product_slug -- Match product slug
AND l.status = 'active'
AND (l.expiry_date IS NULL OR l.expiry_date > NOW())
");
$stmt->execute([
':license_key' => $license_key,
':product_slug' => $plugin_slug // Use the plugin