I followed a guide on how to host your (premium) plugin on a server for auto-updates. Everything is working, but it’s not secure at all. The link to the plugin’s ZIP is public and anyone can download it.

Here is how the update.php file (on my server) looks like:

if (isset($_POST['action'])) {
    switch ($_POST['action']) {
        case 'version':
            echo "3.1.1";
        case 'info':
            $obj                = new stdClass();
            $obj->slug          = '...';
            $obj->plugin_name   = '...';
            $obj->new_version = "3.1.0";
            $obj->requires      = '4.7';
            $obj->tested        = '4.7.3';
            $obj->downloaded    = 12540;
            $obj->last_updated  = '2017-02-12';
            $obj->homepage      = '...';
            $obj->sections      = array(
                'description' => '...'
            $obj->download_link = 'https://.../latest.zip';
            echo serialize($obj);
        case 'license':
            echo 'false';
} else {
    header('Cache-Control: public');
    header('Content-Description: File Transfer');
    header('Content-Type: application/zip');

The script will always return the .zip file, if no POST parameter (version, info or license) is provided.

All I want is to have a parameter that is sent to update.php, when WordPress requests the new .zip, just so I can authorize the download.

Even if anyone knows where this process is documented, that would help a lot as well.

Read more here: Hosting a premium WordPress plugin on a server for auto-update purposes


If you know the solution of this issue, please leave us a reply in Comment section, to update the question.

Wordpress related questions and answers: