Security

This article outlines some more details about keeping your data safe.

License Keys Encryption

The license keys are encrypted and stored in the database. To decrypt them, the plugin uses cryptographic keys that are generated upon plugin activation and stored in /wp-content/uploads/dlm-files:

  • .htaccess
  • defuse.txt
  • secret.txt

Important: Make sure you back up those files. If you lose them, you will not be able to decrypt your license keys.

Suggested setup for your cryptographic files

We recommend adding your cryptographic secrets to the wp-config.php file. This enhances your security and avoids the extra disk reads, which slow down your environment.

define('DLM_PLUGIN_SECRET', 'plugin secret found in secret.txt');
define('DLM_PLUGIN_DEFUSE', 'plugin secret found in defuse.txt');

If you have already set this up, you can ignore the guides below.

Securing your cryptographic files

By default, our plugin stores the cryptographic secrets in files for simplicity. However, if you are an advanced user, please consider storing your cryptographic secrets in wp-config.php as outlined above.

How to protect the cryptographic files in Apache2

If you use Apache2, you don't have to do anything because the .htaccess file prevents direct access to this directory. For extra security, you can try accessing secret.txt and defuse.txt from a public URL (the requests should be refused) and check that the .htaccess file is present.

How to protect the cryptographic files in NGINX

For an NGINX server, you have to edit your configuration file (usually located in /etc/nginx/sites-available/) and add the following section:

location /path/to/wp-content/uploads/dlm-files {
  deny all;
  return 404;
}

How to protect the cryptographic files in OTHER servers

To make sure you don’t expose your cryptographic files, please refer to the web server documentation.
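
The public-URL test suggested in the Apache2 section works the same way for NGINX and other servers. The script below is an added example, not part of the plugin: the base URL is passed as an argument, and the mapping of status codes to verdicts is this example's own assumption about what counts as blocked.

```shell
#!/bin/sh
# Added example: confirm the DLM key files are not served over HTTP.
# Usage: sh check-dlm-files.sh https://shop.example   (placeholder base URL)

DLM_DIR="/wp-content/uploads/dlm-files"    # directory named in this article
DLM_FILES="secret.txt defuse.txt .htaccess"

# Map an HTTP status code to a verdict (assumed policy of this example).
classify_status() {
  case "$1" in
    2??)         echo "EXPOSED" ;;       # the server returned the file
    401|403|404) echo "BLOCKED" ;;       # what .htaccess or the NGINX rule should give
    *)           echo "INCONCLUSIVE" ;;  # redirects, 5xx, connection errors (000)
  esac
}

# Print the status code for one URL; the response body is discarded.
fetch_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Check every key file under the base URL.
# Returns 0 only when all of them are blocked.
check_site() {
  base="${1%/}"                          # tolerate a trailing slash
  rc=0
  for f in $DLM_FILES; do
    url="$base$DLM_DIR/$f"
    code=$(fetch_status "$url") || code="000"
    verdict=$(classify_status "$code")
    printf '%-12s %s %s\n' "$verdict" "$code" "$url"
    [ "$verdict" = "BLOCKED" ] || rc=1
  done
  return "$rc"
}

# Only touch the network when a base URL is given on the command line.
if [ "$#" -gt 0 ]; then
  check_site "$1"
fi
```

An INCONCLUSIVE line (for example a redirect to HTTPS or to a login page) means the request never reached the file; rerun against the final URL before treating the directory as protected.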