Home/ Questions/Q 6599991
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T18:33:50+00:00

I’m working on a WordPress theme that includes an actual installation script of its

  • 0

I’m working on a WordPress theme that includes an actual installation script of its own. So this is what happens;

1.) Users download theme.zip from mysite.

theme.zip does NOT contain the theme itself, it contains the installation script and all the required files to make the installation successful.

2.) Now the user will upload theme.zip to their server (using the WP dashboard)

3.) One they’ve uploaded theme.zip, they will run the installation script which requires a username and password, which is stored on MY sql db.

//the dodgy bit

Now here’s what happens in the installation script.

Once the user has entered their username and password, some variables (the user’s username, password and unique id number) will be sent to a php file on my server (using curl). Then my server will look into the sql db and select a certain row (using the unique id number sent earlier on) and check if the user’s details are correct. If the details are correct, my server will then send some variables back (using JSON encode/decode) with a value of TRUE. once the users server has received the TRUE value it will continue. And if it receives a value of FALSE, it will then stop and throw an error

Once the users has logged in successfully (my server sends back TRUE) then another CURL function will run.

This function will send a unique id to another php file on my server. The php file will then make a copy of a folder which is placed on my server and name the file with the unique id number so the duplicate folder will be called “265851654” (which contains all the themes content) then the php script (on my server) will then compress that folder into a .zip. Once the compression is complete, it will send some info(information on where the newly produced .zip is placed on the server, ready for download.) back to to users server.

The users server will then use the info it received from my server to generate the download link and begin downloading the .zip file. once the download has finished, another curl function will be ran. this function will do the same as the one just explained but instead of building the .zip ready for download, it deletes the .zip.

Now it does a load of other stuff too but thats all on the users side.

Is this safe? As this theme will be available to EVERYONE which means they will be able to see the curl functions and all the other source code which they can edit them as they please.

If it’s not safe, could you give me some advice to help prevent those evil people from messing around?

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    A few things you should keep in mind:

    • Make sure the request within the script calling cUrl with certain
      arguments stops or it’s blocked by the server (let’s say, for 1hr) if
      the identification fails for 5 consecutive times.
    • Make sure your cUrl script contains also proxy variables like ip,
      username and password. There a lot of configurations out there
      requiring these.
    • Create a md5sum file for each downloaded script and save it on
      your disk. Compare the md5sum from the file on disk with the one
      newly created. Make sure the next user asking for the same file will
      download the already created one and not create a new one, since it
      won’t load the server.
    • Try to secure your php script on the server with 2 distinct identification (like username/password works). This will make less easy for evil ppl to find a path into your server.

    I’m sure there are a lot of other stuff, but that’s all what’s in my mind now.

    • 0