GoFuckYourself.com - Adult Webmaster Forum


Khun 01-06-2011 08:55 AM

How to secure content.. Couple Q's
 
I am working on a WordPress based site at present and need an elegant way to secure my content. Now, I know I can just do dual installs of WP, one public with only preview content and one within a cgi secured directory with actual content but I am not in love with the functionality of this solution.

I found a plugin for WP called Magic Members. It looks great at first glance but upon deeper inspection, it only secures the text of a post or provides you a download link to secured content. Obviously I want to show image galleries and stream member videos as opposed to only offering downloads. So, first question: Is there a good way to secure this content?

I looked at locking the content through htaccess to prevent direct access or hotlinking but it seems that would block many legit members trying to view the content on the site (something about firewalls). Any thoughts?

Next question: If I want to use a CDN to deliver content such as images for members, is there a way to secure that?

Sexgenoten 01-06-2011 02:58 PM

You can't secure pictures or videos. If somebody really wants your content, they will get it. You can't secure against desktop cams.

A good thread on gfy is here: gfy.com/showthread.php?t=990150&highlight=secure+content

Khun 01-06-2011 06:52 PM

Apples and oranges. And yes, I know the secure stream thread well.

Really hoping for some good replies but not expecting much since this is gfy, after all. Crossing my fingers for someone who is actually knowledgeable and helpful.

Sexgenoten 01-07-2011 03:14 PM

Now I'm kinda curious how you perceive security?

Do you want your content not to be directly accessible from the internet? Or do you want to protect your content from being copied by members as well?

Khun 01-08-2011 11:27 AM

I am much more open to images and video being copied by paying members. As you said, there's no way to prevent screen capping. My desire is to limit access to those who have paid for a membership and prevent unpaid surfers access to paid content.

Preventing piracy is not my goal as that would be much too lofty for this little guy to take on by himself.

hypnotrap 01-08-2011 06:52 PM

"I looked at locking the content through htaccess to prevent direct access or hotlinking but it seems that would block many legit members trying to view the content on the site (something about firewalls). Any thoughts?"

No, I don't see why this would be the case. Maybe you could explain the "something about firewalls" part in more detail.

Anyhow, consider the situation where you have two Wordpress installations. They install to separate directories. The .htaccess file under one of the WP installation directories (your secure section) can prevent access to everything stored underneath it.

I've also heard of some different WP plugins that manage secure content, but haven't used them, so will leave it to others to recommend. It seems there are some nice ones out there, though. I was considering MagicMembers myself, since it integrates with CCBill.

Khun 01-09-2011 09:22 AM

As for the use of .htaccess to disallow direct access (pulled from another site, in reference to blank referrers):

You can prevent people from directly accessing an image by typing in the URL in their browser, however, some surfers may use a personal firewall or antivirus program that deletes the page referer information sent by the web browser. Hotlink protection is based on this information. So if you choose not to allow blank referers, you will block these surfers.

I am now back to doing two installations if I cannot figure out how to fix this issue. I really don't like this option as not only is it not as elegant for the user, I have to do two posts for every update as opposed to one.

As for Magic Members, I love everything about it BUT this one little detail. I mean, that's a big ball to drop in my mind. As it stands, there is no built in way to secure any viewable media, only the post containing the media. So, if someone can just find where you store all your videos, images, audio, etc., the door is standing wide open.

Presently, I am looking into moving the content directory out of the webroot and making all content calls from within php. I think this will sufficiently fix the issue but I am still working on the system. If all does work out, I think Magic Members should give me royalties or something... :)
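
The approach described in the post above (media kept outside the webroot and every request served through PHP), as an added example that is not part of the original post and is not Magic Members code. The directory `/srv/members-media`, the `f` query parameter and the `member_active` session flag are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed location outside the webroot; not a Magic Members setting.
const MEDIA_ROOT = '/srv/members-media';

// Map a requested relative name to a real file under $root, or null.
function resolve_media(string $root, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // realpath() has resolved ".." and symlinks, so a result outside
    // the media root means the request tried to escape it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function serve_media(string $requested): void
{
    session_start();
    // Hypothetical flag set by the site's login code once membership is verified.
    if (empty($_SESSION['member_active'])) {
        http_response_code(403);
        exit('Members only');
    }
    $types = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'mp4' => 'video/mp4'];
    $path = resolve_media(MEDIA_ROOT, $requested);
    $ext = strtolower(pathinfo((string) $path, PATHINFO_EXTENSION));
    if ($path === null || !isset($types[$ext])) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . $types[$ext]);
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
}

// Assumed request shape: media.php?f=gallery1/001.jpg
if (PHP_SAPI !== 'cli') {
    $f = $_GET['f'] ?? '';
    serve_media(is_string($f) ? $f : '');
}
```

readfile() ignores Range headers, so seeking within a video needs extra handling on top of this.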

Jack Sparrow 01-09-2011 09:38 AM

Use amember. Works like a charm.

Khun 01-09-2011 04:14 PM

amember is a fall back option but after reading their forums it seems I would need a team of programmers to get it to integrate well.

hypnotrap 01-09-2011 05:32 PM

Quote:

Originally Posted by Khun (Post 17830702)
You can prevent people from directly accessing an image by typing in the URL in their browser, however, some surfers may use a personal firewall or antivirus program that deletes the page referer information sent by the web browser. Hotlink protection is based on this information. So if you choose not to allow blank referers, you will block these surfers.

Okay, I see what you're saying. There could be something set up on a webserver where you say, you can only get an image if you are accessing it from a web page on the same site. And that would depend on the referer, which as you say correctly, can be circumvented/disabled.

But...

Your security should not depend on page referer at all. The .htaccess file can be configured a lot of different ways, but essentially for a paysite scheme, you want it configured to require basic authentication. And it can reference a .htpasswd file containing valid usernames and passwords. Further, you want your secure site to be served via HTTPS, which is a separate configuration. So after that is done, then access to any resource under your secure directory is going to prompt for username, password from the first access during a web session. It won't matter if you type in a direct URL or go in through the landing page of the members site.

At no point in this authentication process does the browser or web server care what the referer URL is. If the user happened to disable their browser in some strange way that it could not participate in the authentication process, the web server will simply not serve the content.

Also, I think it is a good idea to configure the referer check too, even on your free section. It will prevent people from using your servers to host content delivered from their sites. It won't prevent them from simply stealing the images, but at least you don't end up being their free host.

alf6300 01-09-2011 07:08 PM

Try something like this:

1. One single WP install.
2. Member content all in "privatedir" behind http authentication
3. Login script calls 2 lines of code in "privatedir" as well, say "setmembercookie.php", then brings back to standard wp.
4. WP-Shortcode in each page / post, that either pulls the content from "privatedir" or prints a "join" text. Shortcode makes decision based on "membercookie" set or not (you'll need a hack for the shortcode, but it's really quick/easy).

Doing this on new paysites (slightly more complex but that's the main idea). I believe it works like a charm, easy to maintain, simple, secure (as the real stuff is behind http authentication anyways).

Sexgenoten 01-10-2011 02:03 PM

I'm building a TGP site and my content isn't directly accessible from the internet.
It uses an api to pickup the desired gallery and display it in the browser.

But as I am unfamiliar with the wordpress stuff, I can only say you have to know php to implement it.

