Security Overview
LicenceForge is designed with security as a core principle. Every layer of the plugin — from license key storage to file downloads to customer data handling — employs industry-standard cryptographic techniques and WordPress best practices to protect your data and your customers.
Defence in Depth. LicenceForge applies multiple overlapping security controls so that no single point of failure can compromise your licensing system.
Core Security Areas
The security architecture is organised into four pillars, each covered in detail on its own page.
| Area | Summary | Details |
|---|---|---|
| Encryption | License keys, API keys, Stripe credentials, IP addresses, and client-side storage are all encrypted or hashed using HMAC-SHA256, AES-256-CBC, SHA-256, and libsodium. | Encryption Details |
| Download Security | Time-limited, HMAC-signed download tokens prevent unauthorised access to product files. Supports local files, external URLs, and S3 pre-signed URLs. | Download Security |
| Privacy & GDPR | Full integration with the WordPress privacy tools framework. Supports automated data export and erasure, IP hashing, and audit log anonymisation. | Privacy & GDPR |
| Best Practices | Recommended server, WordPress, and plugin configuration to harden your licensing environment against common threats. | Best Practices |
Encryption at a Glance
LicenceForge never stores sensitive values in plaintext. License keys and API keys are stored as one-way hashes (HMAC-SHA256 and SHA-256 respectively), meaning they cannot be reversed even if the database is compromised. Stripe API keys are encrypted with AES-256-CBC and can be decrypted only by the server that holds the WordPress auth keys. IP addresses are hashed and truncated for privacy.
On the client side, license keys are protected using libsodium
(sodium_crypto_secretbox) with a per-operation random nonce, falling back to an XOR
cipher on systems where libsodium is unavailable.
Download Token Security
Product file downloads are gated behind short-lived tokens (default: 5 minutes). Each token is an
HMAC-SHA256 signed payload containing the license ID, product slug, and expiry timestamp. Tokens are
base64url-encoded and verified on every request. Direct access to ZIP files in the assets directory
is blocked at the web-server level via .htaccess rules.
Privacy and Data Protection
LicenceForge integrates with the WordPress privacy tools introduced in WordPress 4.9.6. When a data export or erasure request is processed, the plugin exports or anonymises license records, site activations, audit log entries, and analytics data. IP addresses are never stored in plaintext; instead, a 16-character SHA-256 hash is used.
Customer Portal. Customers can also initiate their own data export directly from the customer portal without requiring admin intervention.
Next Steps
- Encryption Details — deep dive into every cryptographic method used
- Download Security — token lifecycle, S3 integration, and .htaccess configuration
- Privacy & GDPR — data export, erasure, and IP hashing
- Best Practices — server and plugin hardening checklist