I'm in the process of making a payment gateway for Drupal / WordPress / Magento. I currently have clients who wish to use my WordPress plugin. Since this is a paid product, I wish to safeguard it from being used on other websites.

I've also seen that lots of suppliers who sell styles, modules and plug-ins require setting up an API key.

How do I do the same? What exactly do I need on my server side? I know how to create modules, but I'm not sure how to sell them safely and deliver regular updates.

If there's a magazine regarding this, please tell me.

I am unfamiliar with any books about this, but I'll tell you what I have seen as one of the founders of a component / plug-in marketplace which has many such plug-ins.

There are a couple of approaches:

  1. Some plug-ins don't require an API key at all. Either the plug-in is only accessible after purchase, or it has some restrictions on the free downloadable version that encourage people to pay for the commercial version. This method relies more on people's integrity and low motivation to hack the free version into the commercial one, especially if they're not technical users (as many content management system users are).
  2. Set up a check against your server that occurs periodically. You don't need a full-blown API for this, just set up an endpoint on your server to which the plug-in sends the API key, and let the response decide whether the plug-in is enabled. You have to plan it so that this check does not happen each time the plug-in is run, particularly if it is a plug-in that works on the public site and with the administration panel - it'll seriously degrade the performance of the site using it and put unnecessary strain on your server. Apply some kind of time-based check - either absolute or from the moment of the last check.
  3. In addition to or instead of doing an API check, many people will obfuscate their code to make it harder to change and bypass the check. This frequently requires that the server has a module installed that can parse the obfuscated files - this requirement frequently makes it less viable for most people. You can see some good examples of obfuscators in another question.

Personally, I lean more toward the first option, as someone determined enough will break whatever protection you put in place (people break much more complicated solutions very quickly). This is one of the problems of delivering source code rather than binaries (and those are broken just as easily by more knowledgeable hackers). Let those who are willing pay, and just let the others do what they want, as you will not be able to create something truly secure anyway.
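
The time-based check from option 2, as an added example in plain PHP that is not part of the original answer. The intervals, the state fields and the `$askServer` callback (standing in for the HTTP request to your endpoint) are assumptions, and the check is timed from the last attempt rather than on an absolute schedule.

```php
<?php
const RECHECK_AFTER = 86400;     // assumption: contact the server at most once a day
const GRACE_PERIOD  = 7 * 86400; // assumption: trust the last answer this long if the server is down

// $state is the cached result the plugin persists (for example in the CMS options table).
// $askServer(string): ?bool returns the endpoint's verdict, or null when it could not be reached.
// Returns [bool $enabled, array $newState]; the caller saves $newState.
function license_check(array $state, string $apiKey, callable $askServer, int $now): array
{
    $state += ['valid' => false, 'checked_at' => 0, 'tried_at' => 0];

    // Only go to the network when the last attempt is old enough.
    if ($now - $state['tried_at'] >= RECHECK_AFTER) {
        $state['tried_at'] = $now;          // throttle retries even when the call fails
        $verdict = $askServer($apiKey);
        if ($verdict !== null) {
            $state['valid'] = $verdict;
            $state['checked_at'] = $now;
        }
    }

    // A cached "valid" only counts while the last real answer is within the grace period.
    $enabled = $state['valid'] && ($now - $state['checked_at'] < GRACE_PERIOD);
    return [$enabled, $state];
}

// Constructed demo: a fake endpoint that accepts one key and goes offline after its first answer.
$calls = 0;
$online = true;
$fakeServer = function (string $key) use (&$calls, &$online): ?bool {
    $calls++;
    return $online ? ($key === 'demo-key-123') : null;
};

$state = [];
$t0 = 1700000000; // arbitrary start time
foreach ([0, 60, 2 * 86400, 8 * 86400] as $offset) {
    [$enabled, $state] = license_check($state, 'demo-key-123', $fakeServer, $t0 + $offset);
    printf("t+%6ds enabled=%s server calls so far=%d\n", $offset, $enabled ? 'yes' : 'no', $calls);
    $online = false; // the server is unreachable for every later request
}
```

Recording `tried_at` separately from `checked_at` keeps an unreachable license server from being hit on every page load, while the grace period still lets the plug-in expire once no real answer has arrived for a week.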