Why We Built Our Own License Server

When we started selling WordPress plugins and themes, we used Easy Digital Downloads with its Software Licensing extension. It worked — until it didn’t. Here’s why we built a custom license server and what we learned along the way.

The problem with EDD

EDD is excellent for simple digital downloads. But as our product catalog grew, we needed features it couldn’t provide: HMAC-signed requests for tamper-proof activation, per-domain license tracking, multi-product license management from a single dashboard, and real-time analytics on activation patterns.

Rolling our own

Our license server is a standalone PHP application that sits at /api/licenses/. It uses MySQL for storage, HMAC-SHA256 for request signing, and a clean admin panel for management. The entire system is under 700 lines of PHP — no framework, no dependencies, no bloat.

Key design decisions

Every activation request includes a timestamp and signature. The server verifies both before processing. This means even if someone intercepts a valid request, they can’t replay it after the 15-minute window expires. The response is also signed, so the plugin can verify it wasn’t tampered with in transit.
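The check described above, sketched as an added example (not our production code): the field names, the canonical string layout, the shared secret and the sample values are all assumptions made for illustration.

```php
<?php
// Added illustration; field names, canonical string and secret are assumptions.
const MAX_SKEW = 900; // the 15-minute window, in seconds

// Canonical string: fields sorted by key and JSON-encoded, then the timestamp.
function canonical(array $fields, int $ts): string {
    ksort($fields);
    return json_encode($fields, JSON_UNESCAPED_SLASHES) . "\n" . $ts;
}

function sign(array $fields, int $ts, string $secret): string {
    return hash_hmac('sha256', canonical($fields, $ts), $secret);
}

// Verify a signed message: shape first, then freshness, then the HMAC.
function verify_message(array $msg, string $secret, int $now): bool {
    if (!isset($msg['fields'], $msg['timestamp'], $msg['signature'])
        || !is_array($msg['fields']) || !is_int($msg['timestamp'])
        || !is_string($msg['signature'])) {
        return false;
    }
    // Reject anything outside the window, in either direction.
    if (abs($now - $msg['timestamp']) > MAX_SKEW) {
        return false;
    }
    $expected = sign($msg['fields'], $msg['timestamp'], $secret);
    // hash_equals compares in constant time, so timing does not leak the MAC.
    return hash_equals($expected, $msg['signature']);
}

// Constructed sample data.
$secret = 'example-shared-secret';
$now    = 1700000000;
$fields = ['license_key' => 'TEST-0000-KEY', 'domain' => 'example.com', 'product' => 'demo-plugin'];
$req    = ['fields' => $fields, 'timestamp' => $now, 'signature' => sign($fields, $now, $secret)];

var_dump(verify_message($req, $secret, $now));        // fresh request
var_dump(verify_message($req, $secret, $now + 901));  // same request replayed after the window

$tampered = $req;
$tampered['fields']['domain'] = 'other.example';      // domain altered in transit
var_dump(verify_message($tampered, $secret, $now));

// The response is signed the same way, and the plugin runs the same check.
$body = ['status' => 'active', 'domain' => 'example.com'];
$resp = ['fields' => $body, 'timestamp' => $now + 1, 'signature' => sign($body, $now + 1, $secret)];
var_dump(verify_message($resp, $secret, $now + 2));
```

A timestamp check on its own still accepts a captured request replayed inside the window; rejecting those as well requires the server to remember a per-request nonce, which this sketch does not do.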

We also built the admin panel as a single HTML file with vanilla JavaScript. No React, no Vue, no build step. It loads instantly, works offline (after initial auth), and the entire admin weighs under 15KB gzipped.