Security Best Practices

This page provides a hardening checklist for production LicenceForge deployments. Following these recommendations significantly reduces your attack surface and protects both your licensing data and your customers.

Note

These recommendations complement the built-in security features described in Encryption and Download Security. Apply them in addition to the defaults, not as replacements.

Transport Security

All communication between client plugins and the LicenceForge REST API must occur over HTTPS. License keys, API keys, and download tokens are transmitted in request headers and URLs — without TLS, these values are exposed to network interception.

  • Install a valid SSL/TLS certificate on your WordPress site.
  • Force HTTPS for the entire site, or at minimum for all /wp-json/wplf/ endpoints.
  • Enable HSTS headers to prevent protocol downgrade attacks.

WordPress and PHP Updates

Keep WordPress core, PHP, and all plugins up to date. Security patches for WordPress and PHP frequently address vulnerabilities that could allow attackers to bypass authentication, execute arbitrary code, or access your database directly.

  • Enable automatic minor WordPress updates (enabled by default).
  • Run PHP 8.1 or later (see Requirements).
  • Remove unused themes and plugins to reduce the attack surface.

WordPress Authentication Keys

LicenceForge derives its encryption keys from the WordPress authentication constants defined in wp-config.php. Specifically, AUTH_KEY and AUTH_SALT are used to generate HMAC keys for license key hashing and download token signing.

Critical

If your wp-config.php still contains the default placeholder salts, your encryption is effectively compromised. Generate strong, unique salts using the WordPress salt generator and replace them immediately.

  • Ensure all eight salt constants (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and their _SALT counterparts) are set to unique, random values.
  • Changing these keys after deployment will invalidate all existing license key hashes, API key hashes, and download tokens. Plan a key rotation carefully.

API Key Security

LicenceForge supports optional API key authentication for all REST endpoints. Enabling this requirement ensures that only authorised applications can interact with your licensing API.

  • Set the wplf_require_api_key option to yes in LicenceForge > Settings.
  • Create separate API keys for each integration (one per client application, one per CI/CD pipeline, etc.).
  • Use the minimum required permission level: read for validation-only clients, write for activation workflows, admin only for management tools.
  • Review the last_used_at timestamp in the API Keys admin panel regularly. Revoke any key that has not been used recently or is no longer needed.

Rate Limiting

LicenceForge enforces per-IP rate limits on validation and activation endpoints to prevent brute-force attacks and abuse.

Endpoint             Option                     Default Limit
License validation   wplf_rate_limit_validate   30 requests/minute
License activation   wplf_rate_limit_activate   10 requests/minute

Review these defaults and adjust them based on your traffic patterns. Lower limits provide stronger protection but may impact legitimate bulk operations.

File Storage

Product ZIP files can be stored locally in wp-content/uploads/licenceforge/ or externally in an Amazon S3 bucket. S3 storage is strongly recommended for production deployments because it:

  • Avoids direct filesystem access from the web server.
  • Enables pre-signed URLs with time-limited access (managed automatically by LicenceForge).
  • Provides redundancy and scalability independent of your WordPress server.

If using local storage, ensure the .htaccess rules generated by LicenceForge are in place to block direct access to ZIP files. See Download Security for details.

File Permissions

Apply standard WordPress file permission recommendations to your installation:

Target          Permission
Files           644
Directories     755
wp-config.php   440 or 400 (read-only)

Debug Mode in Production

Warning

Never leave WP_DEBUG enabled on a production site. Debug output can leak database table names, file paths, PHP version information, and other details that assist attackers in crafting targeted exploits.

Ensure your production wp-config.php contains:

define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', false );

For debugging production issues, use the Debug Mode guide, which covers enabling logging temporarily and safely.
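The salt and debug checks above can be verified mechanically before each deploy. The following is an added example, not LicenceForge code: it parses the define() lines of a wp-config.php and reports placeholder, short or duplicated salts among the eight constants, and any debug constant left on. The 32-character minimum, the define() regex and the sample file contents are assumptions made here.

```python
import re

# The eight WordPress secret constants that must be unique and non-default.
SALT_CONSTANTS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                  "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEBUG_CONSTANTS = ("WP_DEBUG", "WP_DEBUG_DISPLAY", "WP_DEBUG_LOG")
PLACEHOLDER = "put your unique phrase here"   # text shipped in wp-config-sample.php
MIN_SALT_LEN = 32   # assumption: the WordPress generator emits 64-character salts

# Matches define( 'NAME', 'string' ) or define( 'NAME', true|false ). Assumes salt
# strings contain no single quote or backslash, which the generator avoids.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^'\\]*)'|(true|false))\s*\)")

def parse_defines(source):
    """Map each define()d constant in wp-config.php text to its str or bool value."""
    defines = {}
    for name, string_val, bool_val in DEFINE_RE.findall(source):
        defines[name] = string_val if bool_val == "" else (bool_val == "true")
    return defines

def audit_wp_config(source):
    """Return findings for weak salts and debug settings; an empty list means pass."""
    defines = parse_defines(source)
    findings, seen = [], {}
    for const in SALT_CONSTANTS:
        value = defines.get(const)
        if not isinstance(value, str):
            findings.append(f"{const} is not defined")
            continue
        if PLACEHOLDER in value:
            findings.append(f"{const} still holds the placeholder salt")
        elif len(value) < MIN_SALT_LEN:
            findings.append(f"{const} is shorter than {MIN_SALT_LEN} characters")
        if value in seen:
            findings.append(f"{const} duplicates {seen[value]}")
        seen.setdefault(value, const)
    for const in DEBUG_CONSTANTS:
        if defines.get(const, False) is not False:   # an absent constant defaults to off
            findings.append(f"{const} must be false in production")
    return findings

# Constructed sample: NONCE_KEY still holds the placeholder, LOGGED_IN_SALT copies
# AUTH_SALT, and WP_DEBUG was left on. The salt values are made up for the demo.
_SALTS = {c: f"{c.lower()}-" + "0123456789abcdef" * 3 for c in SALT_CONSTANTS}
_SALTS["NONCE_KEY"] = PLACEHOLDER
_SALTS["LOGGED_IN_SALT"] = _SALTS["AUTH_SALT"]
SAMPLE_CONFIG = "<?php\n" + "".join(
    f"define( '{c}', '{v}' );\n" for c, v in _SALTS.items()
) + "define( 'WP_DEBUG', true );\ndefine( 'WP_DEBUG_DISPLAY', false );\n"
```

Run audit_wp_config() on the real file contents; remember that fixing a salt finding on a live site rotates the HMAC keys and invalidates existing hashes and tokens, as noted above.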

Database Backups

Maintain regular automated backups of your entire WordPress database, with particular attention to the eight LicenceForge tables. See Backup & Restore for specific commands and recommendations.

Web Application Firewall

A WAF (Web Application Firewall) adds an additional layer of protection by filtering malicious requests before they reach WordPress. Consider deploying a WAF at the server or CDN level to mitigate:

  • SQL injection attempts targeting the REST API.
  • Cross-site scripting (XSS) payloads.
  • Distributed denial-of-service (DDoS) floods against license validation endpoints.

Monitoring and Audit Logging

LicenceForge maintains a detailed audit log of all license operations. Use it proactively to detect suspicious activity:

  • Monitor for unusual spikes in failed validation attempts (potential brute-force attacks).
  • Watch for bulk activation requests from a single IP hash.
  • Enable health alerts by setting wplf_health_alerts_enabled to true in LicenceForge > Settings > Health Alerts. This sends email notifications when health checks detect anomalies.
  • Review the Audit Log regularly from the admin panel.
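The two log patterns above, a spike in failed validations and bulk activations from one IP hash, can be detected with sliding windows over exported audit events. This is an added example, not part of LicenceForge: the event tuple layout, event type names, thresholds and sample events are assumptions constructed here. Note that the sample guesser stays under the 30/minute rate limit, which is why log-based detection complements rate limiting rather than duplicating it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, not LicenceForge settings: tune them to your own traffic.
FAILED_VALIDATION_LIMIT = 20                       # failed validations from one IP hash ...
FAILED_VALIDATION_WINDOW = timedelta(minutes=5)    # ... within this window
BULK_ACTIVATION_LIMIT = 10                         # distinct licenses activated from one IP hash ...
BULK_ACTIVATION_WINDOW = timedelta(minutes=10)     # ... within this window

def _raise_once(alerts, flagged, alert_type, ip_hash, count):
    """Record an alert for (alert_type, ip_hash) the first time it trips, not on every event."""
    if (alert_type, ip_hash) not in flagged:
        flagged.add((alert_type, ip_hash))
        alerts.append((alert_type, ip_hash, count))

def detect_anomalies(events):
    """Return one (alert_type, ip_hash, count) per offending IP hash.
    events: time-ordered (timestamp, event_type, ip_hash, license_ref) tuples with
    event_type 'validate_failed', 'validate_ok' or 'activate' (assumed names)."""
    failures = defaultdict(deque)     # ip_hash -> timestamps of failed validations
    activations = defaultdict(deque)  # ip_hash -> (timestamp, license_ref) pairs
    alerts, flagged = [], set()
    for ts, kind, ip_hash, license_ref in events:
        if kind == "validate_failed":
            window = failures[ip_hash]
            window.append(ts)
            while ts - window[0] > FAILED_VALIDATION_WINDOW:   # drop entries outside the window
                window.popleft()
            if len(window) >= FAILED_VALIDATION_LIMIT:
                _raise_once(alerts, flagged, "failed_validation_burst", ip_hash, len(window))
        elif kind == "activate":
            window = activations[ip_hash]
            window.append((ts, license_ref))
            while ts - window[0][0] > BULK_ACTIVATION_WINDOW:
                window.popleft()
            distinct = len({ref for _, ref in window})       # count licenses, not repeats
            if distinct >= BULK_ACTIVATION_LIMIT:
                _raise_once(alerts, flagged, "bulk_activation", ip_hash, distinct)
    return alerts

# Constructed sample: one IP hash guessing keys (25 failures in under 3 minutes, below
# the 30/minute rate limit), one normal customer, and one IP hash activating 12
# different licenses in under 4 minutes.
_T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = sorted(
    [(_T0 + timedelta(seconds=7 * i), "validate_failed", "iphash-guesser", "LIC-GUESS") for i in range(25)]
    + [(_T0 + timedelta(minutes=i), "validate_ok", "iphash-customer", "LIC-0001") for i in range(5)]
    + [(_T0 + timedelta(seconds=20 * i), "activate", "iphash-bulk", f"LIC-{100 + i}") for i in range(12)]
)
```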

Device Fingerprinting

For high-security deployments where you need to ensure a license is used only on authorised hardware, enable device fingerprinting. This feature ties each activation to a unique device identifier, preventing license sharing across machines. See Device Fingerprinting for configuration details.

Hardening Checklist

Use the following checklist to verify your production environment is properly secured.

  • SSL/TLS certificate installed and HTTPS enforced
  • WordPress, PHP, and all plugins up to date
  • Strong, unique wp-config.php salts configured
  • API key requirement enabled (wplf_require_api_key = yes)
  • Rate limits reviewed and appropriate for traffic volume
  • S3 storage configured for product ZIP files
  • File permissions set to 644/755
  • WP_DEBUG disabled in production
  • Database backups automated
  • WAF deployed
  • Health alerts enabled
  • Unused API keys revoked
