Lamest excuse ever?

I know I rail about WHMCS and their horrible culture, and I know you think I am exaggerating, but this will put your mind at rest and once again I get to be right.

I misunderstood some instructions from a customer and included some extra things in an order I placed on their behalf. Let’s pretend the total of the order was $232.50 (which it was).

This is what it looks like in the orders list

What if I told you that the order was then edited via the “proper” way to do it, a bunch of items were removed so that the total was now $55, but it still shows $232.50

Any rational business owner…nay, human, would say “there is something wrong here”…or is it me?

It must be me, because despite the order only being for $55 worth of items, WHMCS insist that it is correct. What is great about this is the support ticket exchange and the ultimate excuse for why they do it:

I had an order to the value of $232.50

The order needed to be modified so some items were deleted and the invoice modified to now be $55.

However the order s still showing the original amount...why - see attached (with a screenshot like that above)

The order record provides a static record of the details at the time of ordering. You can certainly adjust the service First Payment Amount/Recurring Amount values and the invoice directly to change how much the client is actually charged. But the order total will always reflect the total of the order at the time of ordering.

Statement of fact…I want to know why and I am beyond expecting anything rational, so I get off to a good start

That is madness beyond what is typical for WHMCS

Please explain the logic behind an order being changed but the value of the order not being changed.

The value of the invoice or services can be changed, but that doesn’t change the value at the time the order was placed. WHMCS provides a mechanism to track all these values.

Still not answering the unanswerable…I push on

Please explain under what circumstances a person might want to keep track of the value of an order "when it was placed" when the ultimate value of the order was changed?

Because I can't, for the life of me, imagine such a situation.

It is valuable to know the price your customer saw in the shopping cart and checkout pace prior to placing their order, so that you can know their price expectations and how they might react to an increase or decrease vs that price.


Apart from not really making sense, it doesn’t make any sense at all. Here is where this is at right now…

LOL...that is the most ridiculous thing ever John. THAT is why I would want to not see the true value of an order? You are joking, right?

I know you have to struggle to defend many of WHMCS quirks, but that one is worth sharing.

They are truly bizarre, and can produce a mostly workable product, but seem to have no idea how people run a business.

How to monetise a WordPress plugin

In about 2010 I adopted an abandoned WordPress plugin that was really useful, but needed some TLC. I tried really hard to contact the original author but I am not sure they used their real name. So I forked their plugin to create an improved version – I could never have written it from scratch. Since then I have spent countless hours improving the plugin, the original author would hardly recognise it.

My plugin had always been free to use and I asked for donations. Between 2010 and 2022 I received less than $500 in donations for the “countless hours” I had put into the plugin. I actually didn’t have a problem with that. But then on two separate occasions, people asked for a complex feature to be added, promising a donation, and then never following through. It pissed me off and I felt they had taken advantage of me.

Rather than not keep working on the plugin (my first reaction), I decided it was time to get a reasonable return for my work. But finding information on how to monetise a WordPress plugin was pretty much impossible. There are a couple of commercial licensing solutions, but they are quite expensive.

I started with WooCommerce (WC) and the License Manager for WooCommerce plugin. WC is a no brainer, it works, is easy to set up. The License Manager also works really well, but it didn’t do some things I wanted, especially being able to get the license key in plain text to add to a database.

So after spending too much time trying to solve that, I decided to create my own API, then I could do whatever I wanted with the data. I am a hack PHP developer, I can do stuff, but I am sure that any “expert” would have a bit to say about my code. But I got this done and I hope my solution helps you.

My plugin is really useful for community and activist groups, and having run a (successful) campaign I know that usually money comes out of an individual’s pocket. So for me personally, it was important that there be a very usable free version as well as an incentive to upgrade.

I wanted a solution that

  • Worked
  • Is easy for the user to manage
  • Is easy for me to manage i.e. automated
  • Is difficult enough to circumvent – but nothing is impossible to get around
  • Is fairly priced and didn’t use a subscription model (which I regard as gouging)

Before getting into the details, here is an overview of the process, step by step.

  1. Customer purchases a license via WooCommerce
  2. If PayPal payment succeeds WC order is automatically processed
  3. A database is updated with license details
  4. License key is sent to customer in a custom email, not from WC or a license plugin


  1. Customer inserts key into a form in the plugin
  2. Data are submitted via a custom API
  3. Database is checked and updated if the key is valid
  4. API responds with the status of key
  5. Assuming valid, a cURL request is sent to update a file so that all features are enabled

I am going to assume you have a reasonable level of competency so I will skip mundane stuff e.g. setting up WC.

A few things have to happen when a customer places an order and pays. The first hurdle was that WC will leave an order as “processing” until it is manually changed to “complete”. Since I wanted this to be automated and instant, I had to find a way to have the status change on payment. The Autocomplete WooCommerce Orders plugin does exactly what it says.

To make it work you add a function to your theme-child functions.php – assuming you know at least as much PHP as me, this should be enough to go on.


function payment_complete($order_id)

// get the order and the order data
$order = wc_get_order( $order_id );
$data = $order->get_data(); 
// this is the magic
$order->update_status( 'completed' );

// generate a license key
    $characters = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ'; 
    // I don't include I/L/1 and 0/O to avoid typos in some fonts = saves work for me solving this for a customer.
    $licenseKey = ""; 
    $blockLength = 4; // how many characters in a block
    $blockCount = 6; // how many blocks
    $blockDelimiter = "-";

    for($x = 0; $x < $blockCount; $x++){
        for ($i = 0; $i < $blockLength; $i++) { 
        $index = rand(0, strlen($characters) - 1); 
        $licenseKey .= $characters[$index]; 
        if( $x < ( $blockCount - 1 ) ) $licenseKey .= $blockDelimiter;
    // this produces a key something like CXK8-YHVX-G9Z6-JRWS-JF78-X2N3

// set up your PDO connection here

// save the data to the verification db
$sth = $conn->prepare("INSERT INTO licenses(licenseKey, licenseName, licenseEmail, licenseOrderID, licenseCreated) VALUES(?, ?, ?, ?, ?)");

$sth->execute(array( $licenseKey, $data['billing']['first_name'] . " " . $data['billing']['last_name'], $data['billing']['email'], $data['id'], date("Ymd-H:i:s")));

// email the key to buyer
$to = $data['billing']['email'];
$subject = 'Plugin License Key';
$from = '';

$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'From: '.$from."\r\n".
'Bcc:' . "\r\n" .
    'Reply-To: '.$from."\r\n" .
    'X-Mailer: PHP/' . phpversion();
$message = '<html><body>';
$message .= "<p >Hi " .$data['billing']['first_name'] . '</p>';
$message .= '<p >Your license key is:</p>';
$message .= '<h2 >' . $licenseKey. '</h2>';
$message .= '<p >Add it at <em>dashboard</em> > <em>plugin</em> > <em>settings</em> </p>';
$message .= '</body></html>';
  // Sending email
  if(!mail($to, $subject, $message, $headers)){
    mail("", "Plugin Email Fail - functions.php", $to . " :: " .  $message);


OK, so now we have our order set to completed, we have save the data to our license database and we have sent the key to the customer. So far, so good. Now we need to handle what happens when they apply the key to upgrade to your Pro version.

On a page in the plugin I have a form to enter the key

The “click here” link goes to a page with info about the license and how to order.

When they click verify it calls some jQuery

jQuery('#licenseKeyButton').click( function () {
	var licence_key = jQuery("#license_key").val();
           type: "POST",
           url: "<?php echo admin_url('admin-ajax.php'); ?>",
           data: {action:'plugin_verify_key',key:licence_key},   
           cache: false,
           success: function(response){
                response = jQuery.parseJSON(response);
                if(response.status == "valid"){
                    //do some things e.g. change button to green
                    // do some other things e.g. change button to red      

The most important part of this is the line data: {action:'plugin_verify_key',key:licence_key}, we are using ajax to trigger a function and send the license key.

So far, so good. But before doing anything, we need to create an API. I had never done anything like this before and I was surprised that it wasn’t too complex.

I created a subdomain but you can do it any way you like, simply change URLs to suit.

The most important bit to note in the code below is "returnFile"=> "mycode" where “mycode” is part of the name of your file that is being upgraded. In this case it would be mycode.php.

To explain: When someone upgrades with their key, a cURL call is made (we’ll get to that) and the contents of a file (mycode.php) are replaced with code that doesn’t have any limitations on features. But I don’t want people to easily figure out which file that is. By passing the file name in the API response it isn’t in plain sight. But I am under no illusion that this fools everyone.

Also, there is a step for where people can revoke their key. Maybe they want to move the license to a new site. I’ll leave it to you to figure out how to grab the code from the WordPress plugin SVN to replace the Pro code with the original plugin code and do some other work. It is all based on other actions you’ll find in the code here.

// stop any casual visitors
if( !isset($_GET["key"]) ){
    echo "Thanks for visiting";

// set up your PDO connection here

// check that the key is valid
$sth = $conn->prepare("SELECT * FROM licenses WHERE theLicenseKey= :key ");
$sth->execute([':key' => $_GET["key"]]);

//get our status
if ($sth->rowCount() == 1) $status = "valid";
if ($sth->rowCount() == 0) $status = "key fail";
if ($sth->rowCount() > 1) $status = "multiple results";
if ($_GET["action"] == "revoke") $status = "revoke";

// At this point you may want to log whatever happens - I do, but you need to do some work yourself

//based on our status, if failed
if($status == "key fail"){ 
    echo "Thanks for visiting";
    mail("","API error - key fail", "Key fail for  " . $_GET["key"] . " from " . $_SERVER['REMOTE_ADDR']  );
elseif($status == "multiple results") {
// if the key exists multiple times in the database - this is incomplete so far, but is to prevent the same key being used on multiple sites
    echo "Thanks for visiting";
    mail("","API error - multiple for license", "Multiple records returned for " . $_GET["key"] . " from " . $_SERVER['REMOTE_ADDR'] );

// Update our license in the database - you remember it was added when the customer paid.  Now they are activating, we need to add that data to the record.

// first we check if they are revoking the key, if so, revert the data record
if(isset($_GET["action"]) && $_GET["action"] == "revoke" ){

    $sth3 = $conn->prepare("UPDATE licenses SET licenseActivated=0, licenseActivatedDate='', licenseDomain = "" , licenseIP='" . $_SERVER['REMOTE_ADDR'] . "' WHERE licenseKey= :key ");
    $sth3 ->execute([ ':key'=>$_GET["key"]]);
    $object = [
        "status"=> "revoked",
         "returnFile"=> "mycode"
    //send response
    header("content-type: application/json");
    // send the status and file name back
    echo json_encode($object);
// if we get this far, success.

// update the record then do more stuff
    $sth3 = $conn->prepare("UPDATE licenses SET licenseActivated=1, licenseActivatedDate='" . date("Ymd-H:i:s") . "', licenseDomain = :domain , licenseIP='" . $_SERVER['REMOTE_ADDR'] . "' WHERE licenseKey= :key");
    $sth3 ->execute([ ':domain'=>$_GET["domain"], ':key'=>$_GET["key"]]);

// create our response
while ($thekeys = $sth->fetch(PDO::FETCH_ASSOC)){
    $object = [
       "id" => $thekeys['licenseID'],
        "key"=> $thekeys['licenseKey'],
        "domain"=> $thekeys['licenseDomain'],
        "status"=> "valid",
        "returnFile"=> "mycode"

//send response
header("content-type: application/json");
echo json_encode($object);

Whew…so now we have some code waiting to receive data, test if it is valid or not and send back a response. Let’s do that.

The function to send the data is in a separate PHP script that you can name anything, so let’s call it processkey.php.

This is where our action plugin_verify_key is triggered

// you will substitute your plugin context for "plugin"
add_action('wp_ajax_plugin_verify_key', 'plugin_verify_key');
add_action('wp_ajax_nopriv_plugin_verify_key', 'plugin_verify_key');

// notice it is passing the value of "action"
function plugin_verify_key($action) {
    // check if the license key was sent, or if it already exists as an option
        $license_key_value = $_POST['key'];
        $license_key_value = get_option( 'plugin_license_key' );

    // allow for plugin upgrade, we'll get to that later
    if($action == "upgrade"){        
        $license_key_value = get_option( "plugin_license_key" );       

    //if there is no license key, stop the function
    if ($license_key_value == "" ) return; 
    $curl = curl_init();

    // set up our API call
    $url = "" . $license_key_value ."&domain=" . $the_domain . "&action=upgrade&version=" . get_option( 'plugin-version' );
    curl_setopt_array($curl, array(
        CURLOPT_URL => $url,
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,

    // get our API response
    $response = curl_exec($curl);
        //The API returns data in JSON format, so first convert that to an array 
        $responseObj = json_decode($response, true);

    if ($responseObj["status"] == "valid"){  
            //get the name of the file from the response
            $filename = $responseObj["returnFile"] ;
            //build our URL to get the Pro version file
            $incomingURL = "" . $filename . ".txt";
            //get the contents of that file
            $getFile = file_get_contents($incomingURL);
            // where are we going to write those contents
            $thefile = dirname(__FILE__) . "/" .$filename . ".php";
            $doWrite = fopen( $thefile , "w");
            fwrite($doWrite, $getFile); 
        // obfuscate what has been done by touching each file in the directory
        $files = scandir(dirname(__FILE__));
        foreach($files as $file) {
          touch(dirname(__FILE__) . "/" .$file);

// if it is a plugin upgrade, not a new key, quit the function here
if($action == "upgrade"){ return; }

// otherwise it is a new license activation so create an array 
$response = array();

$response["status"] = $responseObj["status"];
$response["license_key"] = $responseObj["key"];
$response["licence_key_verified"] = "1";

// add some values to the wp_options table
if($response["status"] == 'valid'){
    update_option('plugin_license_key', $response["license_key"]);

// and then send our data back to the page
echo json_encode($response);

As I am creating this page, I see how complex this is. That it works is impressive…to me.

So…now they have entered their license key and clicked to verify. Assuming a valid key: the jQuery code makes an ajax call to processkey.php which sends data via cURL to Based on the result of a database lookup (Does the key exist? Only once?), the database is updated, some options are set and a file is over-written with “Pro version” code. Then a response is sent back to processkey.php which passes data back to the original page. Making sense so far? If I was reading this, I am sure at this point I would have to go back and read the code again.

Back in our form we give the user a nice response after the ajax success event. I change the colour of the button to green, the text to “verified”, disable it and hide the key with “*******”. Plus I add a message thanking people for upgrading.

The last thing to cover is if people have upgraded and I am releasing a new version of the plugin. When this happens, the entire plugin is replaced with the new version, over-writing my Pro code.

I handle this in the install function

     // whenever I do an upgrade I have to remember to change the version number here
     if ( version_compare( $installed_version, '1.0.0', '<' ) == 1 ) {
        // if it is already verified, run the function, passing the "upgrade" value
        if( get_option( 'license_key_verified' ) == 1 ){

Jump back to processkey.php and at about line 15 see if($action == "upgrade"){. This is inside a call to the plugins_loaded action and is run every time wordpress is loaded. But it checks version numbers.

Assuming it is a new version, after the plugin is updated there is the same call to re-write the file with the Pro version code but then the function stops running if($action == "upgrade"){ return; } before updating options or returning a response. So the Pro users have an upgraded plugin and still have all the features.

I am aware of a potential security issue and am working on digitally signing the files that are downloaded to upgrade to Pro.

The result of all this has been a spectacular success. I had an upgrade target for the first 2 months. Maybe I was being modest, but I have hit double that number.

Thanks for reading this far, I hope it has helped you, just like code others have shared helped me.

I wish you success with your plugin.

Another crack at reducing spam

There are pathological people who are quite happy to spoil something good for everyone else if it is to their advantage. The internet in general is a great example of that and spam in particular.

On a good day, I receive about twice as many spam emails as legitimate emails. On a bad day it is worse.

Add to that there are constant attacks on the server and websites by people who are trying to hack a site so it will send spam, adding to the problem, and it is an ongoing pain in the arse.

RBL SPAM filtri | DNSBL | DNS blacklist |
It makes a blog post more interesting to have some sort of image, but don’t be fooled, this is grossly inaccurate. The ratio of spam to legitimate email (for me) should be reversed.

In an effort to reduce the incoming spam count I have enabled one of the RBL’s (Realtime Black Lists).

The risk is always that it causes too many false positives – marking legit email as spam – and becoming a headache in itself.

If this works, it should be obvious within a day or so. Stand by for an update 😛 is live

It has been a long time coming but finally direct .au domains are available.

As well as having or, I now have the short, sweet and cool (I think)

Map of Australia with .au superimposed

The process to register a direct .au domain is a little confusing, here is the (hopefully) understandable version.

If you want to register you can try as long as there is no other example.??.au domains registered.

If a domain does already exist such as then there is a specific procedure to register The first and most important thing is for the owner of the to get a token from These tokens prove that you are the owner of the

If you are the only person who has example.??.au then you will get the direct .au immediately.

However if someone else has then this page explains the process to sort out who gets the direct .au.

Should you own and then the trick is to apply for .au with one of them and decline to apply with the other.

Let’s add one more thing…if you don’t own example.??.au and want and no one else applies for it. you can register it after September 20th. I can help you get to the front of the queue.

Yeah it is complex and confusing. I am wrapping my brain around it and can help, contact me at (see what I did there?)

cPanel phishing scam

No matter who you are hosted with, please don’t be taken in by a new phishing scam trying to get your cPanel login.

It is a pretty convincing copy of a genuine notification that you have filled your disk space and has the subject WARNING The domain “(example)” has reached their disk quota.

At first I thought the 123host server was sending them, so I was confused as the accounts weren’t full and the date was wonky. I eventually discovered that one of the links in the email is to a site with a fake cPanel login (the pink highlight). 

A good thing to help spot a fake, though they may fix this, is that the dates are inconsistent (yellow highlight).

Screenshot of fake cpanel email

Four customers had contacted me asking why their disk is full, in each case it wasn’t.  So this is definitely a thing.  I have since had a bunch more reports of the same thing.

You can always check how much disk space you are using in cPanel.

If you receive one of these ignore it.  If you are a customer you can send it to me to double check for you if you want.

If you have received it, clicked the link and entered your cPanel login details, you need to let me (or your hosting service) know URGENTLY so your cPanel password can be changed.


WooCommerce oops!

A critical vulnerability has been discovered in WooCommerce prior to version 5.5 (the current version). You can read about it here, but they don’t give much info on what might happen.  I dug into the code and I think that if someone exploited this on your store, they could have access to order, customer, and administrative information via a cleverly crafted search string.

CloudLinux - CloudLinux Blog - New vulnerability discovered - the fix for  CVE-2016-8655 for CloudLinux OS 7 is here with KernelCare

It is extremely important that if you have WooCommerce installed you upgrade to 5.5.1 as a matter of urgency.  Once these vulnerabilities become public, the baddies know about and start using them.Please don’t ignore this.  And while you are at it, check that WordPress is at version 5.7.2

If you subscribe to the 123Host WordPress Management service, I have already upgraded WooCommerce for you.

What is an IP address?

From: Mozilla, the makers of FireFox

Every time you are on the internet, IP addresses are playing an essential role in the information exchange to help you see the sites you are requesting. Yet, there is a chance you don’t know what one is, so we are breaking down the most commonly asked questions below.

What is an IP address?

Your IP address is a unique identifier, kind of like a mailing address, associated with your online activity. Any time that you use the internet (shopping online, sending emails, streaming TV), you’re requesting access to a specific online destination, and in return, information is sent back to you. How does that work? Well the IP stands for Internet Protocol, which lays out the standards and rules (yes, otherwise known as the protocol) for routing data and connecting to the internet. This protocol is a set of rules each party needs to follow to allow for a bi-directional flow of data.

Does it travel with you?

No. Your IP address is only associated with one location unless you are using a VPN (we will get more into that later). When you are at your home and connecting to the internet you pay for, you are using one. However, if you check your email at home in the morning, then scan the news at a local coffee shop while waiting for your coffee, and then work from an office, you will have used different IP addresses at each location.

Does your IP address change?

Yes. Even if you are only using the internet at home, the IP address for your home can change. You can contact your internet service provider (ISP) to change it, but even something as routine as restarting your modem or router because of internet connection problems could result in a change. You can find out your current IP address here.

Can more than one device have the same IP address?

This is a bit of a tricky question — the answer is both yes and no. More than one device can share the same external (public) IP address, but each device will have its own local (private) IP address. For example, your ISP (internet service provider) sets your home up with one external IP address. Since your router is what actually connects to the internet, the IP address is assigned to your router. Your router then assigns a local IP address to each device that is connected to the internet at a time. The external IP address is what is shared with the outside world. Your local IP address is not shared outside of your private home network.

Can we run out of them?

When the Internet was first designed it used ‘version 4’ addresses. These are 32 bits, which means that we could have up to 4.2bn addresses. This seemed like enough at the time, but is nowhere near enough in a world where the average U.S. household had 11 connected devices.

We now have version 6 IP addresses, which have 128 bits per address. Unfortunately, version 4 and version 6 can’t talk to each other directly, so people are going to need version 4 addresses for a long time.

Should you hide your IP address?

You don’t need to hide your IP address, but there are some times where you may want to. The most common reason is privacy. In the U.S., Congress overruled privacy regulations designed to protect the privacy of broadband users. Internet service providers can see your browsing habits, what you are using the internet for, and how long you spend on each page. This communication is not encrypted, so third-parties can see what website you’re visiting. One way to combat this is DNS-over-HTTPS (DoH). This encrypts your DNS (Domain Name System) traffic, making it harder for ISPs to see the websites you are trying to visit. For US Firefox users, by default your DoH queries are directed to trusted DNS servers, making it harder to associate you with the websites you try to visit.

There are also situational reasons to hide your IP address. You may want to hide it when traveling. A VPN will also give you more privacy when connecting to WiFi to stream and shop while you explore the world.

Reaching the limits

A few months ago I set a challenge to beat the 123host support ticket response time of 51.7% within 1 hour and 82.7% within 4 hours.

Thank you so much for getting back to me so quickly!! Legendary as always. Katherine M-S.

It isn’t like all stops have been pulled out to try to beat earlier metrics, but those stats keep tumbling.

Steve!! It worked!! Thank you!!! I really appreciate how patient you’ve been with me. Sally S.

January 2021 – almost 69% of customer support tickets answered within an hour! That’s unheard of!

Within 4 hours, 95.4% of the 83 support tickets opened during the month had been answered.

It is getting harder to get better, but we’ll keep trying.

My word, you are a superstar! Thank you dearly!!!!! Nelle G.