Hosting a premium WordPress plugin on a server for auto-update purposes

I followed a guide on how to host your (premium) plugin on a server for auto-updates. Everything is working, but it’s not secure at all. The link to the plugin’s ZIP is public and anyone can download it.

Here is what the update.php file (on my server) looks like:

<?php
// update.php: answers the plugin's update checks and serves the ZIP.
if (isset($_POST['action'])) {
    switch ($_POST['action']) {
        case 'version':
            // Latest available version number.
            echo "3.1.1";
            break;
        case 'info':
            // Plugin details, returned as a serialized object.
            $obj                = new stdClass();
            $obj->slug          = '...';
            $obj->plugin_name   = '...';
            $obj->new_version   = "3.1.0";
            $obj->requires      = '4.7';
            $obj->tested        = '4.7.3';
            $obj->downloaded    = 12540;
            $obj->last_updated  = '2017-02-12';
            $obj->homepage      = '...';
            $obj->sections      = array(
                'description' => '...'
            );
            // Public URL of the package; no authorization is attached to it.
            $obj->download_link = 'https://.../latest.zip';
            echo serialize($obj);
            break;
        case 'license':
            echo 'false';
            break;
    }
} else {
    // No 'action' POST parameter: send the ZIP to whoever asked.
    header('Cache-Control: public');
    header('Content-Description: File Transfer');
    header('Content-Type: application/zip');
    readfile('latest.zip');
}

The script will always return the .zip file if no POST parameter (version, info or license) is provided.

All I want is to have a parameter that is sent to update.php, when WordPress requests the new .zip, just so I can authorize the download.

Even if anyone knows where this process is documented, that would help a lot as well.
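
One way to authorize the download, added here as an example and not taken from the original post or the guide it mentions: the 'info' response hands out a short-lived, HMAC-signed download_link, and the download branch of update.php verifies that signature before sending the file. It assumes the plugin's update client sends a license key with its 'info' request; the secret, the license list, the parameter names license_key, expires and sig, and the ZIP path are all hypothetical.

```php
<?php
// Added example, not the original poster's code. DOWNLOAD_SECRET, LINK_TTL, the
// license list, the parameter names and the ZIP path are all assumptions.
const DOWNLOAD_SECRET = 'REPLACE-WITH-RANDOM-SECRET'; // placeholder; keep outside the web root
const LINK_TTL = 300; // seconds a signed link stays valid

function license_is_valid(string $key): bool {
    $licenses = ['SAMPLE-KEY-0001' => true]; // constructed sample; use a database lookup
    return isset($licenses[$key]);
}

function sign_download(string $key, int $expires): string {
    return hash_hmac('sha256', $key . '|' . $expires, DOWNLOAD_SECRET);
}

// Called from the 'info' case after license_is_valid() passes, to fill download_link.
function build_download_link(string $baseUrl, string $key, int $now): string {
    $expires = $now + LINK_TTL;
    return $baseUrl . '?' . http_build_query([
        'license_key' => $key, 'expires' => $expires, 'sig' => sign_download($key, $expires),
    ]);
}

function download_is_authorized(array $query, int $now): bool {
    $key = $query['license_key'] ?? '';
    $expires = $query['expires'] ?? '';
    $sig = $query['sig'] ?? '';
    if (!is_string($key) || !is_string($expires) || !is_string($sig) || !ctype_digit($expires)) {
        return false; // missing, array-valued or non-numeric parameters
    }
    if ((int) $expires < $now || !license_is_valid($key)) {
        return false; // expired link, or license revoked since the link was issued
    }
    return hash_equals(sign_download($key, (int) $expires), $sig); // constant-time compare
}

// Download branch, replacing the unconditional readfile() in the else block.
if (PHP_SAPI !== 'cli' && !isset($_POST['action'])) {
    if (!download_is_authorized($_GET, time())) {
        http_response_code(403);
        exit('Forbidden');
    }
    header('Cache-Control: private, no-store');
    header('Content-Type: application/zip');
    readfile(__DIR__ . '/../private/latest.zip'); // hypothetical path outside the web root
}
```

The check only helps if latest.zip is no longer reachable at its own public URL, so the file has to live outside the web root and be served through update.php alone.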
