Protect sitecake (white label)

#1

Is it possible to remove the change password on the login popup and protect the sitecake files that it only works on the installed website.
Because some customers have there FTP account and they could copy the files.

#2

I am not sure if I understand the use case. If customers have FTP and copy password files, it’s their website, what wrong they can do with password files?

#3

Nevermind I will make a code that the sitecake code will only work on a website for that customer. Or at least make it difficult to use it :slight_smile:
For example the sitecake code for website www.mysite.com will not work on the website www.yoursite.com

Greetings

#4

What I think he means is… since you are buying a cms for your clients to use, they may have their own webhosting with ftp access. I think the question is: how do you prevent a customer from copying sitecake.php and all the other files and using them for free on whatever project they please?

#5

Yes hitcom, that’s exactly what I mean. They could use it for other websites and even change the white label logo. Or it the worst scenario they could download it from there FTP server and give it to someone else. There is protection inside, only the password for editing.

It should be nice if there is some kind of protection that the script can only work on the domain name you have provide in a sha1 code.

#6

This is valid point.

It’s presumed that clients are not web agencies or business oriented developers or any web professionals at all. Clients are just that, end users who need a simple CMS because they are not web savvy and really don’t know how to use WordPress or even FTP. This makes this issues happen in rare, let’s say 1% of cases.

We can address this by making a key generator for Sitecake customers so they can generate keys for each domain they want to run Sitecake. This will make Sitecake install a bit more complicated for 99% of users who are not affected with this issue.

Maybe we can create a service for encoding logo of white label customers and then clients who steal white label version would continue to use it with original customer’s logo (and promote him and his website).

We are open for suggestions…

#7

I must admit this is the main reason white label does not interest me. I have seen the white label version in action (actually did some work for another teacher and saw hers).

Currently if you setup white label version, it is so simple for site owners to change the config file with their own info. Be nice if white label config file be encrypted or some way to make private.

Also, excellent idea by @orange66 and like your way of tackling @Nik

#8

Hi Nik, after a few months still no sign of protecting the white label? Are you planning this for a futher release?

#9

There is one important difference between purchased Sitecake (white label or regular version) and Sitecake you get from a friend or steal from a client’s web hosting. The difference is updates. Only people who buy, get version updates with new features, bugfixes etc.

At this moment we think it’s enough protection from the theft. Anyone who is serious about Sitecake will puchase it in order to provide clients with latest version, bug fixes and support.

At the moment we do not plan to introduce any other protection.

#10

Hi Nik,

I have made a little program to protect it. You only have to enter the domain name(s) that are allowed to use it and the program encrypt that part.

If you haven entered the domain name: www.domain.com and you will try to run sitecake on example www.domain.net you will get a popup that you are using an Illegal one.

This protection program can be run from any browser.

Let me know if you want to try or see this protection with a private email

With regards,
Patrick

#11

White label without protection is not worth buying.

#12

+1 from me

20 characters Minimum required

#13

@orange66

Are you selling this little code snippet to protect SC?

#14

Please send me a private message when you want more information about this free code to protect your Sitecake version from being used on other domains. Maybe the team of Sitecake will add this code in a further release.

#15

Can’t the config file jsut be placed above public_html and change the path in sitecake? I have done that with config files I don’t want to share with clients with ftp access.

#16

Hello -

My question wasn’t rhetorical. It seems an easy and secure way to protect files from being hacked.

In fact, can’t all of sitecake’s files be moved above public_html, or at least admin.php, config.php etc, for security?

#17

@dagwood If we do this we are loosing installation simplicity. But we could consider to make paths for some files configurable so that advanced users can move those files somewhere on their filesystem.