Maximum Security: Locking Down Your Site

David Bullock
Opening Thought
“When you’re in jail, a good friend will be trying to bail you out. A best friend will be in the cell next to you saying, ‘Damn, that was fun‘.”
― Groucho Marx

One of the most common concerns we hear from membership site operators is about the abuse of their membership systems by their own members. This is a natural concern, since the function of a membership site is to provide different content to different members, and this naturally creates scarcity and value.

The Impact

It’s also worth noting that the content in membership sites can be quite valuable. For example, corporate extranet sites may include corporate strategies and processes that would be of value to a competitor.

In extreme cases on commercial sites, it can also materially impact the ability of the membership site operator to profitably operate their site. On the other end of the spectrum, a lead magnet download that is branded with your contact info would be of minimal value or impact if it was shared beyond the scope of the original recipient. There are also softer considerations, such as your content being presented out of its original context, for example a video without the framing article that gives it context.

As with any security issue, you’ll need to break these down and do a threat assessment to determine how serious the impact of each threat is, and how far you should go to address it.

The Bad News

You cannot stop a bad actor who is determined from copying and sharing your content.

If it’s on the internet and viewable on a screen or hearable over speakers, then it can be captured, copied and distributed on a global scale at little to no cost.

The Good News

You can make it inconvenient and uncomfortable for casual people to abuse your service. Most of these strategies have little or no hard cost, and really only require you to think about how much you want to tighten down the system. Be forewarned that the tighter your system is, the less friendly it is to your honest customers.

Pro Tip
Don’t make the mistake of going so far as to punish your good customers in a vain attempt to prevent the bad actors.

You’ll want to make sure that your security stance is appropriate for your threat.

The Threat

The threat to your content comes from many directions and takes several forms. “Bad actors” doesn’t refer to menacing thespians. It refers to individuals who are acting against your interests. They’re not limited to strangers on the internet who stumble across your site and attack it to relieve it of its valuable content.

Most often, the attack comes from the inside – from your paying customers or even your own staff. This really isn’t a new problem. Brick-and-mortar stores have long factored things like spoilage, breakage and shrinkage into their cost of doing business. The internet is no different.

The attacks on your site take several forms, which include but are not limited to:

Shared logins

One of the downsides of having good content is that your users will genuinely want to share this content with their family, friends and co-workers. It’s in our human nature to want to spread good will and beneficial things to those in our circles of caring.

There are several ways to combat this, both technologically and behaviorally, and there are even opportunities to use this to increase your bottom line profits.

Sharing download links

Shared download links are one of the low hanging fruits of sharing. If you provide links to MP3s, PDFs, PowerPoints or other documents for download, those links can be easily shared on other sites, through email, or in chat. This has the extra cost of leaving you to foot the bill for the stolen bandwidth, as well as the additional load on your server to serve the files to your new non-paying customers.

This one is easy and inexpensive to solve with some simple technology.

Deep Linking

This is a variation on download link sharing, and most commonly happens when another website links directly to an image or file on your website.

Like download link sharing, deep linking is very easy and inexpensive to prevent. Regardless of anything else you do, you should consider a strategy to protect against deep linking to protect your server’s performance.

Content copying

Once you’ve protected your other avenues, the remaining one is the actual duplication and distribution of your content. There’s really nothing that can be done to prevent this. You can make it more difficult for them, but you cannot stop them. This attack has a higher cost to the attacker because now THEY have to make the effort to distribute your content. While this is easy to do with tools like Dropbox, it’s more likely to happen between friends than as a wide distribution, unless your content truly has a broader interest.

While you can’t stop this you can raise the bar to make it more difficult with varying levels of effort. Don’t get sucked into fighting this tooth and nail because for every step you take, your bad actor can match you.


Now that we’ve identified the different methods of attack, there are several tools that you can use to raise the bar and add some speed bumps to the thieves’ getaway car.

What you Shouldn’t Do

DON’T host your valuable or large files yourself on your WordPress server. WordPress’s media library isn’t designed for security, and adding a security layer on top of it is inefficient and will slow down everything on your server.

DON’T attack your users with lawyers. Ask the MPAA and RIAA how well that worked for them. Hint: It didn’t. Defendants who share files often have limited or no assets to seize and the only one who gets rich is the lawyer, not to mention the burden of proof is on you to prove their guilt.

Protecting Your WordPress Hosted Server Files

This is typically done in your .htaccess file, and any reputable web host can help you do this quickly and easily. You can read more about the technical aspects of preventing deep linking. Depending on your web server and hosting environment these guides may not work for you. Don’t struggle with this; work with your web host to implement deep linking protections on your site.

Hosting Your Files Outside of WordPress

Large files should be hosted outside of WordPress regardless of how much protection they need. It’s just the Right Thing To Do. For file hosting, I would recommend a service like Rackspace Files, Amazon S3, Microsoft Azure or Google Cloud. Amazon is my personal favorite and we have built-in support for it in Memberium, but you won’t go too wrong either way.

Services like Amazon have features that allow you to create single use or time limited links that can’t be shared. Memberium adds additional features on top of Amazon that ensure your links can only be used on your site.
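To show what a time-limited link that is tied to your site and to the member who requested it looks like, here is an added example (not Memberium’s or Amazon’s code): the server signs the file path, the member id and an expiry with a secret, and rejects the link if any of those no longer match. `SECRET_KEY`, the query parameter names and the member ids are assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret; load it from configuration in a real deployment.
SECRET_KEY = b"replace-with-a-long-random-secret"


def _signature(path: str, user_id: str, expires: int) -> str:
    # Bind the link to the file, the member it was issued to and its expiry time.
    msg = f"{path}|{user_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_download_link(base_url: str, path: str, user_id: str,
                       ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a link that expires ttl_seconds from now and only works for user_id."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"user": user_id, "expires": expires,
                       "sig": _signature(path, user_id, expires)})
    return f"{base_url}{path}?{query}"


def verify_download_link(url: str, logged_in_user: str,
                         now: Optional[int] = None) -> bool:
    """Accept only if the signature is valid, the link is unexpired and the
    member presenting it is the one it was issued to (a shared link fails)."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        user_id = params["user"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires or user_id != logged_in_user:
        return False
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    return hmac.compare_digest(sig, _signature(parsed.path, user_id, expires))
```

Serve the file only when `verify_download_link` returns True for the currently logged-in member; a copied link then fails for anyone else and dies on its own after the TTL.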

DON’T put your files in Dropbox and share a Dropbox link. Dropbox is not designed as a mass file sharing service. Your Dropbox account will be flagged and blocked for abuse of the service.

Protecting Your Video

Alongside not hosting your own video files, I recommend using a dedicated video hosting service such as Vimeo to host your video. Vimeo makes it harder for your video to be downloaded, and reduces the load on your server by offloading the resource intensive tasks of storing and delivering streaming video to their network. It’s a classic Win-Win-Win.

You can use services like YouTube as well, but Vimeo has specific tools to restrict playback of your videos to your domain only. Otherwise, your bad actor can simply copy your embed codes and place them wherever they wish, even if your video is on YouTube and is unlisted.

Wistia would work equally well, but is far more expensive for bulk video storage and delivery. Dilogr is another great option and includes the ability to make interactive videos.

Stamping and Watermarking

Place your site information into your content. If your content does make its way out of your walled garden and onto the information superhighway, at least give your readers an easy way to find their way back to you. They may like your content so much that they choose to sign up for your service.

Watermarking is a similar concept, where each download or copy of your content distributed has a visible or hidden mark identifying the user who downloaded it. This used to be more popular online but is fading out as a protection mechanism. The movie industry still uses this. Bad actors can remove or obscure watermarks, but it will help deter the casual user.

DON’T restrict your PDF files with passwords or limits.

Don’t require personalized passwords for your PDF files. Don’t prevent them from printing. This just punishes your honest customers. Besides, nobody mass distributes content on paper, it’s just too expensive and inconvenient.

Member Restrictions

Once you have addressed the backend attack surfaces above, you can start looking at locking down your user access. There are several tactics and tools to help you with this.

IP Address and Time Limits

You can limit the number of IP addresses that your users are allowed to login from during a given time frame.

A typical protection for a B2C site would be that any single user cannot login from more than two different IP addresses in an 8 or 16 hour period. This gives most people the flexibility to use their mobile device or work device, and their home computer.

A typical protection for a B2B site would be that any single user can only login from up to 2 devices in a 24 hour period, their work computer and their home computer.

You’re not limited to these profiles; you can set the IP address count and time frame as best fits your customers’ needs.

Simultaneous Login Limits

You can disable simultaneous logins to make it more inconvenient for someone to share their password. With this setting on, each time a user logs in, if that user is already logged in, the first login will be disconnected. This doesn’t prevent account sharing, but it does make it more annoying and inconvenient.

Use Generated Passwords

Don’t let your members pick their own passwords if possible.

When given the opportunity, people will do one or more of the following things that will put their login at risk: they’ll use a common password like “love”, they’ll re-use the same password they use on other sites, or they’ll choose something easy to hack like “11111111”. Use the auto-generated passwords which are random.

Login Log

Memberium has a built-in database of login history with the time, username and IP address that the user logged in with. By default this is turned off, but you can turn it on and write your own code to analyze the results to look for abuse. An example would be to look for user logins with wildly different IP addresses that are far apart geographically.
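As an added example (not Memberium’s own code, and the real login log schema is assumed here to be time, username and IP address per line, matching the description above), this is the kind of analysis the IP address and time limits section and the login log section both describe: scan a login history and flag any member who logged in from more than the allowed number of distinct IP addresses inside a sliding time window. The log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, username, IP address (one login per line).
SAMPLE_LOG = """\
2024-03-01T08:02:11 alice 203.0.113.10
2024-03-01T09:15:40 alice 198.51.100.7
2024-03-01T12:30:05 bob 192.0.2.44
2024-03-01T13:01:59 alice 192.0.2.201
2024-03-01T18:45:00 bob 192.0.2.44
2024-03-02T07:10:22 alice 203.0.113.10
"""


def parse_login_log(text):
    """Yield (timestamp, username, ip) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        yield datetime.fromisoformat(ts), user, ip


def find_ip_limit_violations(entries, max_ips=2, window=timedelta(hours=16)):
    """Return {username: set of IPs} for every member who used more than
    max_ips distinct addresses within any window of the given length
    (the B2C profile from the text: two addresses per 16 hours)."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(entries):
        by_user[user].append((ts, ip))
    violations = {}
    for user, logins in by_user.items():
        start = 0
        for end in range(len(logins)):
            # Advance the window start until it spans at most `window` of time.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            ips = {ip for _, ip in logins[start:end + 1]}
            if len(ips) > max_ips:
                violations.setdefault(user, set()).update(ips)
    return violations


if __name__ == "__main__":
    for user, ips in find_ip_limit_violations(parse_login_log(SAMPLE_LOG)).items():
        print(f"{user}: {len(ips)} addresses in one window -> {sorted(ips)}")
```

Adjust `max_ips` and `window` to the B2B profile (or your own) and feed the output to whatever follow-up you use, such as an email to the member or a flag on their account for review.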

Creating Personalized Value

By personalizing the user experience you decrease the value of sharing it. An example would be a testing and certification system with per-user progress tracking, scoring and awards. Sharing this sort of account may give some value to the recipient, but in the end they don’t reap the benefits of the system or the certification.

Fair Pricing and Availability

Pro Tip
The tighter you hold onto your content the more you incentivize your good customer to become a bad actor.

A common cause of content sharing is your customer wanting to make your content available to their family, friends or coworkers. This is a great opportunity for you as the site owner to extend your reach if you’re not greedy about it. Look at this as an opportunity for an upsell, not to double your income. Be generous and your customers will be generous with you.

Memberium’s Pro version has the capability to implement Umbrella Accounts, where a single paying customer can have multiple logins that they can share with whoever they wish. You can still do this without the Pro version, but it’s much harder to manage. You could, for example, offer a coupon code for customers to use to purchase additional accounts.

Regardless of how you solve it, consider selling your customers additional logins at a reduced rate. Think of it as showing appreciation for them selling your content for you.