Maximum Security: Locking Down Your Site

Memberium Admin

One of the most common concerns we hear from membership site owners is about the abuse of their membership systems by their own members. This is a natural concern since the function of the membership site is to provide different content to different members, and this naturally creates scarcity and value.

The Impact

It’s worth noting that the content in membership sites can be quite valuable. For example corporate membership/intranet sites may include corporate strategies and processes that would be of value to a competitor.

In extreme cases of commercial sites, it also can materially impact the ability of the membership site operator to profitably operate their site. On the other end of the spectrum, a lead magnet download that is branded with your contact info would be of minimal value or impact if it was shared beyond the scope of the original recipient. There may also be soft considerations as well, such as your content being presented out of the original context, for example a video without the framing article that gives it context.

Like with any security issue, you’ll need to break these down and do a threat assessment to determine how serious the impact of the threat is, and how far you should go to address them.

The Bad News

You cannot stop a bad actor who is determined from copying and sharing your content.

If it’s on the internet and viewable on a screen or hearable over speakers, then it can be captured, copied and distributed on a global scale at little to no cost.

The Good News

You can make it inconvenient and uncomfortable for casual people to abuse your service. Most of these strategies have little or no hard cost, and really only require you to think about how much you want to tighten down the system. Be forewarned that the tighter your system is, the less friendly it is to your honest customers.

Don’t make the mistake of going so far as to punish your good customers in a vain attempt to prevent the bad actors.

You’ll want to make sure that your security stance is appropriate for your threat.

The Threat

The threat to your content comes from many directions and takes several forms. "Bad actors" doesn’t refer to menacing thespians; it refers to individuals who are acting against your interests, and they’re not limited to strangers on the internet who stumble across your site and attack it or try to steal your content.

Most often, the attack comes from the inside: from your paying customers or even your own staff. This really isn’t a new problem. Brick-and-mortar stores have long factored things like spoilage, breakage, and shrinkage into their cost of doing business. The internet is no different.

The attacks on your site take several forms, which include but are not limited to:

Shared logins

One of the downsides of having good content is that your users will genuinely want to share this content with their family, friends, and co-workers. It’s in our human nature to want to spread goodwill and beneficial things to those in our circles of care.

There are several ways to combat this both technologically and behaviorally, and there are even opportunities to use this to increase your bottom line profits. Keep reading for strategies…

Sharing download links

Shared download links are one of the low-hanging fruits of sharing. If you provide links to MP3s, PDFs, PowerPoints, or other documents for download, those links can be easily shared on other sites, through email, or chat. This has the extra cost of putting you in the position of footing the bill for the stolen bandwidth, as well as additional load on your server to serve the files to your new, non-paying customers.

This one is easy and inexpensive to solve with some simple technology that Memberium provides for you.

Deep Linking or Hot Linking

This is a variation on download link sharing, and most commonly happens when another website links directly to an image or file on your website.

Like download link sharing, deep linking is very easy and inexpensive to prevent. Regardless of anything else you do, you should consider a strategy to protect against deep linking to protect your server’s performance. Click here for a solution to hotlinking provided by Siteground.

Content copying

Once you’ve protected your other avenues, the remaining one is the actual duplication and distribution of your content. There’s really nothing that can be done to prevent this. You can make it more difficult for them, but you cannot stop them. This attack has a higher cost to the attacker because now THEY have to make the effort to distribute your content. While this is easy to do with tools like Dropbox, it’s more likely to be done between friends and not a wide distribution unless your content truly has a broader interest.

While you can’t stop this you can raise the bar to make it more difficult with varying levels of effort. Don’t get sucked into fighting this tooth and nail because for every step you take, your bad actor can match you.

Strategies

Now that we’ve identified the different methods of attack, there are several tools that you can use to raise the bar and add some speed bumps to the thieves’ getaway car.

What you Shouldn’t Do

DON’T host your valuable or large files yourself on your WordPress server. WordPress’s media library isn’t designed for security, and adding a security layer on top of it is inefficient and will slow down everything on your server.

DON’T attack your users with lawyers. Ask the MPAA and RIAA how well that worked for them. Hint: It didn’t. Defendants who share files often have limited or no assets to seize and the only one who gets rich is the lawyer, not to mention the burden of proof is on you to prove their guilt.

Protecting Your WordPress Hosted Server Files

This is typically done in your .htaccess file, and any reputable webhost can help you do this quickly and easily. You can read more about the technical aspects of preventing deep linking. Depending on your web server and hosting environment these guides may not work for you. Don’t struggle with this, work with your web host to implement deep linking protections on your site.

Hosting Your Files Outside of WordPress

Large files should be hosted outside of WordPress regardless of how much protection they need. It’s just the Right Thing To Do. For file hosting, we recommend Amazon S3 as we have an integration with them…

Amazon S3, when used with Memberium, will allow you to create single-use or time-limited links that can’t be shared. Memberium adds additional features on top of Amazon that ensure your links can only be used on your site.
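As an added illustration of what makes a download link time-limited and unshareable (example code written for this page, not Memberium’s or Amazon S3’s own mechanism): the server signs the file key, the member it was issued to and an expiry time with a secret only it holds, so a copied link stops working at expiry and is rejected when presented by a different member’s session. The secret, the example.com URL and the function names are assumptions.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlparse

SECRET = b"constructed-example-secret"  # assumption: lives only on the server, never in a page


def sign(params):
    """HMAC-SHA256 over the sorted key=value pairs, so any change to them breaks the signature."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_link(file_key, member_id, ttl_seconds, now=None):
    """Issue a link for one file, bound to one member, valid for ttl_seconds."""
    now = int(time.time()) if now is None else now
    params = {"file": file_key, "member": member_id, "expires": now + ttl_seconds}
    params["sig"] = sign(params)
    return "https://example.com/download?" + urlencode(params)


def verify_link(url, session_member_id, now=None):
    """Return the file key if the link is intact, unexpired and presented by the member
    it was issued to; otherwise None (the download handler should then refuse)."""
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    sig = q.pop("sig", "")
    if not hmac.compare_digest(sig, sign(q)):  # tampered parameters
        return None
    if now > int(q["expires"]):  # link outlived its time limit
        return None
    if q["member"] != str(session_member_id):  # link shared with someone else
        return None
    return q["file"]
```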

Click here for our full Amazon S3 tutorial [Video Guide]

DON’T put your files in Dropbox

Dropbox is not designed as a mass file sharing service. Your Dropbox account will be flagged and blocked for abuse of the service.

Protecting Your Video

Alongside not hosting your own video files, we recommend using a dedicated video hosting service such as Vimeo to host your video. Vimeo makes it harder for your video to be downloaded and reduces the load on your server by offloading the resource-intensive tasks of storing and delivering streaming video to their network. It’s a classic Win-Win-Win.

You can use services like Youtube as well, but Vimeo has specific tools to domain restrict playback of your videos only to your domain. Otherwise, your bad actor can simply copy your embed codes and place them wherever they wish, even if your video is on Youtube and is unlisted.

Click here for an overview of various video hosting providers.

Wistia would work equally well but is far more expensive for bulk video storage and delivery.

Memberium also provides a shortcode that integrates with Amazon S3 allowing you to stream video from Amazon S3. If you’re already using S3, this might be a good choice. Our shortcode pulls in the video from S3 and displays it inside a secure video player. 

Stamping and Watermarking

Place your site information into your content. If your content does make its way out of your walled garden and onto the information superhighway, at least give your readers an easy way to find their way back to you. They may like your content so much that they choose to sign up for your service.

Watermarking is a similar concept, where each download or copy of your content distributed has a visible or hidden mark identifying the user who downloaded it. This used to be more popular online but is fading out as a protection mechanism. The movie industry still uses this. Bad actors can remove or obscure watermarks, but it will help deter the casual user.

DON’T…

  • restrict your PDF files with passwords or limits.
  • require personalized passwords for your PDF files.
  • prevent your members from printing. This just punishes your honest customers. Besides, nobody mass distributes content on paper, it’s just too expensive and inconvenient.

Member Restrictions

Once you have your backend attack surfaces above addressed, you can start looking at locking down your user access. There are several tactics and tools to help you with this.

IP Address and Time Limits

You can limit the number of IP addresses that your users are allowed to login from during a given time frame.

Typical protection settings for a B2C site would be that any single user cannot log in from more than two different IP addresses in an 8 or 16-hour period. This gives most people the flexibility to use their mobile device or work device and their home computer.

Typical protection settings for a B2B site would be that any single user can only log in from up to two different IP addresses in a 24-hour period, their work computer and their home computer.

You’re not limited to only those options. You can set the IP address count and time frame as it best fits your customers’ needs. You can learn more about Memberium’s Maximum Login IPs feature here…

Simultaneous Login Limits

You can disable simultaneous logins to make it more inconvenient for someone to share their password. With this setting on, each time a user logs in, if that user is already logged in, the first login will be disconnected. This doesn’t prevent account sharing, but it does make it more annoying and inconvenient.

You can learn more about preventing simultaneous logins here…

Use Generated Passwords

Don’t let your members pick their own passwords, if possible.

When given the opportunity, people will do one or more of the following things that will put their login at risk: they’ll use a common password like “love”, they’ll re-use the same password they use on other sites, or they’ll choose something easy to hack like “11111111”. Use the auto-generated passwords which are random.

Memberium has tools to help you auto-generate passwords for your members. Learn more about those here…

Login Log

Memberium has a built-in database of login history with the time, username, and IP address that the user logged in with. By default this is turned off, but you can turn it on and write your own code to analyze the results to look for abuse. An example would be to look for user logins with wildly different IP addresses that are far apart geographically.
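The two checks above, the distinct-IP limit from the IP Address and Time Limits section and the far-apart-logins analysis suggested here, as an added example written for this page rather than Memberium’s own code. The log rows, column layout (time, username, IP) and the tiny IP-to-location table are constructed stand-ins for the real login database and a geolocation service.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt
# Constructed sample login log; assumed columns: time, username, IP address.
LOGIN_LOG = [
    ("2024-03-01 08:00", "alice", "198.51.100.10"),
    ("2024-03-01 12:30", "alice", "203.0.113.7"),
    ("2024-03-01 09:00", "bob", "198.51.100.20"),
    ("2024-03-01 09:45", "bob", "203.0.113.50"),
    ("2024-03-01 10:15", "bob", "192.0.2.77"),
    ("2024-03-02 09:10", "bob", "198.51.100.20"),
]
# Constructed IP -> (latitude, longitude) table standing in for a geolocation database.
GEO = {
    "198.51.100.10": (40.71, -74.01),  # New York (home)
    "203.0.113.7": (40.73, -73.99),    # New York (office)
    "198.51.100.20": (51.51, -0.13),   # London
    "203.0.113.50": (35.68, 139.69),   # Tokyo
    "192.0.2.77": (51.50, -0.12),      # London
}

def _by_user(log):
    """Group (time, ip) events per username, in time order."""
    events = {}
    for t, user, ip in sorted(log):  # fixed-width timestamps sort chronologically
        events.setdefault(user, []).append((datetime.strptime(t, "%Y-%m-%d %H:%M"), ip))
    return events

def too_many_ips(log, max_ips=2, window=timedelta(hours=24)):
    """Users who logged in from more than max_ips distinct addresses inside any window."""
    flagged = set()
    for user, events in _by_user(log).items():
        for i, (start, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - start <= window}
            if len(ips) > max_ips:
                flagged.add(user)
    return flagged

def km_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(log, max_kmh=900):
    """(user, ip_from, ip_to) for consecutive logins that imply faster-than-airliner travel."""
    hits = []
    for user, events in _by_user(log).items():
        for (t0, ip0), (t1, ip1) in zip(events, events[1:]):
            if ip0 not in GEO or ip1 not in GEO:
                continue  # no location known: nothing to compare
            hours = max((t1 - t0).total_seconds() / 3600, 1 / 60)  # floor at one minute
            if km_between(GEO[ip0], GEO[ip1]) / hours > max_kmh:
                hits.append((user, ip0, ip1))
    return hits
```

Run both functions over a nightly export of the login table and review the flagged accounts by hand; a shared home and office address, as with alice here, is normal and should not be flagged.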

Creating Personalized Value

By personalizing the user experience you decrease the value of sharing it. An example would be a testing and certification system with per-user progress tracking, scoring, and awards. Sharing this sort of account may give some value to the recipient, but in the end they don’t reap the benefits of the system or the certification.

You can easily add certifications, tests, and tracking by using a Learning Management System like LearnDash.

Fair Pricing and Availability

The tighter you hold onto your content the more you incentivize your good customer to become a bad actor.

A common cause of content sharing is your customer wanting to make your content available to their family, friends, or coworkers. This is a great opportunity for you as the site owner to extend your reach if you’re not greedy about it. Look at this as an opportunity for an upsell, not to double your income. Be generous and your customers will be generous with you.

Memberium’s Pro version has the capability to implement Umbrella Accounts, where a single paying customer can create sub-accounts that share the same access (by default) as the main account. This allows you to add value to your membership (a selling point) while reducing the chances someone will share their login.

Consider selling your customers additional logins at a reduced rate or including the ability to “add 3 team members” to their account using Umbrella Accounts.
