How to Build a WordPress Plugin Licensing System
Selling a commercial WordPress plugin requires a licensing system.
You need to activate keys on customer sites. You need to lock keys to specific domains. You must stop users from sharing one key across many sites.
Most people use Freemius or EDD. These tools work well. However, they take a revenue share. They are third-party dependencies. You do not own the process.
We built our own system for RideCab WP. Here is how you build a custom system from scratch.
The system has two parts.
The License Server: This runs on your own infrastructure. Use a WordPress must-use plugin on your marketing site. It stores keys in a database. It uses a REST API for activation and validation. It provides a dashboard to manage keys.
The Client: This is a PHP class inside your commercial plugin. It adds a settings page. It calls your server to activate. It caches validation results. It re-validates in the background.
Core Requirements:
- Generate unique keys during purchase.
- Allow customers to activate keys.
- Bind keys to specific domains.
- Validate keys periodically.
- Handle deactivations when customers move sites.
- Fail gracefully if your server goes down.
The most important rule is to fail open.
If your license server is down, do not lock the customer out. If you fail closed, the customer sees a broken site. This ruins your reputation. If you fail open, the plugin keeps working. A few pirates might use it for free, but your paying customers stay happy.
Best Practices:
- Use HTTPS for all API calls.
- Cache validation results to improve performance.
- Use random_bytes() for secure keys. Do not use rand().
- Give customers a way to deactivate keys themselves.
- Allow for staging or dev domains.
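The fail-open rule and the HTTPS and caching practices above, combined in one client-side check. This is an added example, not the RideCab WP code: the endpoint URL, the option and transient names, and the `{"valid": true|false}` response shape are assumptions, and it runs inside WordPress.

```php
<?php
// Added example. Endpoint, option/transient names and response shape are
// assumptions; the WordPress functions used are core APIs.
final class Example_License_Client {
    const ENDPOINT  = 'https://licenses.example.com/wp-json/example-license/v1/validate';
    const CACHE_KEY = 'example_license_cache';      // short-lived cached verdict
    const LAST_GOOD = 'example_license_last_state'; // last verdict the server confirmed

    public static function is_licensed(): bool {
        $key = (string) get_option( 'example_license_key', '' );
        if ( '' === $key ) {
            return false;                           // nothing activated: no outage excuse
        }
        $cached = get_transient( self::CACHE_KEY ); // 'yes' / 'no', or false when expired
        if ( false !== $cached ) {
            return 'yes' === $cached;               // no HTTP call on a cache hit
        }

        $response = wp_remote_post( self::ENDPOINT, array(
            'timeout'   => 5,                       // never hang the customer's page load
            'sslverify' => true,                    // keep TLS certificate checks on
            'body'      => array( 'license_key' => $key, 'domain' => wp_parse_url( home_url(), PHP_URL_HOST ) ),
        ) );
        $code = is_wp_error( $response ) ? 0 : (int) wp_remote_retrieve_response_code( $response );
        $data = ( 200 === $code ) ? json_decode( wp_remote_retrieve_body( $response ), true ) : null;

        // Only an explicit, well-formed answer from the server changes the state.
        if ( is_array( $data ) && isset( $data['valid'] ) && is_bool( $data['valid'] ) ) {
            $state = $data['valid'] ? 'yes' : 'no';
            update_option( self::LAST_GOOD, $state, false );
            set_transient( self::CACHE_KEY, $state, DAY_IN_SECONDS );
            return $data['valid'];
        }

        // Fail open: timeout, DNS/TLS error, 5xx or malformed body. Reuse the last
        // confirmed verdict (default: licensed) and retry after an hour.
        $state = (string) get_option( self::LAST_GOOD, 'yes' );
        set_transient( self::CACHE_KEY, $state, HOUR_IN_SECONDS );
        return 'yes' === $state;
    }
}
```

An outage never turns a key the server already rejected back into a valid one, because the fallback reuses the last confirmed verdict. Delete the cache transient whenever the customer saves a new key so the change takes effect immediately.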
This setup handles the basics of licensing. It does not include update delivery. I will cover that in a future post.