February 6, 2012

How to Protect Clickbank Product Download Pages

In a previous post, I talked about How to Automate AWeber Opt-in for Clickbank Sales, and I mentioned that it is a good idea (silly if you don’t) to protect your download pages to ensure only legitimate customers who paid for your product can download it.

When I say “protect” your download pages, I do NOT mean create a crazy looking URL hoping nobody can “guess” it.  This is called “attempted security by obscurity” and it does NOT work!  All it takes is for someone to post the URL to your download page somewhere on the Internet and your “supposed security” is broken!  The worst part happens when that link is posted on a public page somewhere and Google finds it, indexes it, and makes it available to anyone who can perform a Google search.  Still think your crazy-named download URLs are secure?

I have received many questions since I wrote my last article on how to truly protect the download page, so I decided to write this brief tutorial.  Although there are several products you can purchase to protect your downloads, this method does not require that you purchase anything at all…it’s FREE!

This is not something I invented. In fact, this is clearly documented on the Clickbank site. However, sometimes it just helps if someone explains it a little differently…so here it is. :-)

Step 1. Set Up Your Clickbank Secret Key

The “Secret Key” is combined with the purchase details generated by the Clickbank shopping cart to produce a verification hash, so that you can validate the purchase before displaying your download page, as you will see shortly.  Make absolutely certain that this key is very random and is kept very secure!!!

1. Log in to your Clickbank account

2. Click on the “Account Settings” tab

3. Click “My Site” on the sub-menu, below the tabs

4. Scroll down to the “Advanced Tools” section and click “Edit”

5. Enter a random “Secret Key” (up to 16 numbers and letters in ALL CAPS)

6. Copy this key as you will need it in the next section

Step 2. Edit Your Download Page

You will need to edit your download page using your favorite text or HTML editor.  In order to make life simpler and avoid additional steps, your page should have a “.php” extension.  I name my pages “download.php” to make it easy to remember.  Name your page whatever you think makes sense.

1. Put this code at the very top of your page

Note: I mean the VERY TOP…there should be nothing above it (not even a blank line).

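<?php

// Returns true only when the request carries a valid Clickbank proof of purchase.
function cbValid() {
   $key='YOUR_SECRET_KEY';

   // Every parameter must be present and be a plain string.
   foreach (array('cbreceipt','time','item','cbpop') as $name) {
      if (!isset($_REQUEST[$name]) || !is_string($_REQUEST[$name])) {
         return false;
      }
   }
   $rcpt=$_REQUEST['cbreceipt'];
   $time=$_REQUEST['time'];
   $item=$_REQUEST['item'];
   $cbpop=$_REQUEST['cbpop'];

   // Expected value: first 8 hex characters of SHA-1(key|receipt|time|item), upper-cased.
   $xxpop=sha1("$key|$rcpt|$time|$item");
   $xxpop=strtoupper(substr($xxpop,0,8));

   // hash_equals() (PHP 5.6+) compares the strings exactly; "==" would treat
   // numeric-looking values such as "0E123456" and "0E654321" as equal.
   return hash_equals($xxpop, $cbpop);
}

if (!cbValid()) {
   header("Location: http://YOUR_SALES_PAGE_URL");
   exit; // stop here so the rest of the download page is not sent with the redirect
}
?>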

2. In the sample code above, replace YOUR_SECRET_KEY with the “Secret Key” you created above

3. In the sample code above, replace YOUR_SALES_PAGE_URL with the URL to which you want to redirect anyone who tries to reach your download page without having purchased your product. I typically set this to my sales page URL.

4. OPTIONAL: Edit the <head> section of your page and add the following META tag to ensure the search engines don’t index it:

Note: this is optional because the search engines will never be able to reach your download page, but is just an extra measure in case “something” goes wrong.

<meta name="ROBOTS" content="NOINDEX,NOFOLLOW">

5. Save your download page and upload it to your server

6. Set the new download page URL as the “Thank You Page” in your Clickbank product configuration

Important Next Steps…

Once you implement the above procedure your download page will be secure! Anyone trying to access it without actually making a purchase will be redirected to the URL you configured in the script above.  Try it yourself by just typing the URL in the browser and seeing what happens.
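To test the check without making a purchase, here is an added example (not part of the original post and not Clickbank's code) that computes the cbpop value for a constructed test key and receipt, confirms that tampered or incomplete requests are rejected, and prints a query string you can append to your own page. The function names cbpop_for and cbpop_valid and all sample values are assumptions made for this example.

```php
<?php
// Added example: offline self-test of the cbpop check. All values are constructed.

// Expected value: first 8 hex characters of SHA-1("key|receipt|time|item"),
// upper-cased. This is the same formula the download page code uses.
function cbpop_for($key, $rcpt, $time, $item) {
    return strtoupper(substr(sha1("$key|$rcpt|$time|$item"), 0, 8));
}

// Hypothetical helper: all four parameters must be present and be strings,
// and the comparison is done byte-for-byte in constant time (PHP 5.6+).
function cbpop_valid($key, array $params) {
    foreach (array('cbreceipt', 'time', 'item', 'cbpop') as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            return false;
        }
    }
    $expected = cbpop_for($key, $params['cbreceipt'], $params['time'], $params['item']);
    return hash_equals($expected, $params['cbpop']);
}

$key  = 'TESTKEY123456789';   // constructed 16-character test key, never a live one
$good = array(
    'cbreceipt' => 'TEST1234',     // constructed receipt
    'time'      => '1328486400',   // constructed epoch timestamp
    'item'      => '1',            // constructed item number
);
$good['cbpop'] = cbpop_for($key, $good['cbreceipt'], $good['time'], $good['item']);

$tampered = $good;
$tampered['item'] = '2';           // cbpop reused for a different product

$cases = array(
    'valid request'       => array($good, true),
    'item changed'        => array($tampered, false),
    'cbpop missing'       => array(array_diff_key($good, array('cbpop' => 1)), false),
    'cbpop sent as array' => array(array('cbpop' => array('x')) + $good, false),
);
foreach ($cases as $label => $case) {
    list($params, $want) = $case;
    $got = cbpop_valid($key, $params);
    printf("%-20s %s\n", $label, $got === $want ? 'ok' : 'UNEXPECTED');
}

// Why "==" is avoided: PHP compares numeric-looking strings as numbers, so two
// different 8-character values written in exponent form count as equal.
printf("loose ==    : %s\n", var_export('0E123456' == '0E654321', true));
printf("hash_equals : %s\n", var_export(hash_equals('0E123456', '0E654321'), true));

// Query string for trying your own page while it is configured with the test key.
echo 'download.php?' . http_build_query($good), "\n";
```

Run it from the command line with `php`, and put your real Secret Key back in the download page once you have finished testing.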

Protecting the download page from prying eyes is great, but you also need to protect the file download link, or that link can be shared as well and your efforts from above will be in vain.  Again, there are products to do this, but with some simple PHP code, you can do it for free.  I will save that tutorial for another post.  However, I will tell you that I use Amazon S3 to store and deliver my downloadable products.  If you are interested in learning more about how to use Amazon S3 to store and deliver content securely (including streaming video, images, downloadable files, etc), you can check out my Amazon S3 Tutorial Webinar Recording, which teaches everything you need to know about using Amazon S3 securely in just one hour.

Comments

  1. Andrew says:

    Hi Wilson,

    Very informative post. I’ve been looking for a simple method to secure my download page and I believe this is exactly what I am looking for, haven’t yet put it up but I don’t think it will take more than a few minutes.

    I’ve got a secondary problem though: Google and a few other search engines have indexed my PDF manual, which is meant to be part of my Clickbank product. I’ve created a robots.txt file (which I did not have) and commented inside the file the following lines:

    User-agent: *
    Disallow: /myproductebook.pdf

    Now the question is: using your sales page protection method along with search engines not indexing my PDF book, will this be enough to never have anyone download my product before they have paid for it?

    Of course I will also change the pdf file name. It is already posted on a dozen sites, unfortunately.

    Thanks a lot and keep up the good work !

    • Wilson Mattos says:

      Andrew,

      Unfortunately, if you add the name of the PDF to the robots.txt (which anyone can view), then you are also giving away the name of the file to anyone who looks, aren’t you?

      Take a look at this WordPress plugin which I helped develop to protect downloadable content very easily: http://wpfilelock.com

      Wil

  2. Lance says:

    Hey Wil…I have created a Clickbank website in Xsite Pro…and use Fasthosts.co.uk to host the site…

    I have tried using this PHP code to protect my download page but I just keep getting the Fasthosts standard error page when I test the URL..

    I have tried putting the code in at the top etc., even on advanced settings…

    I do have a feeling that I may be in the same boat as the guy who hosted with Yahoo SiteBuilder…

    Do you know any steps that I can use for Fasthosts so they will be forced to read the PHP code?

    Regards

    Lance

    • Wilson Mattos says:

      Lance,

      You will need to contact the hosting company to ensure they support PHP and if it needs to be enabled for your account for some reason.

      Wil

  3. Thanks for this amazing info!
    I have a question though: is it possible to ask Clickbank for a few more fields that I need: First Name, Last Name, Email of the person who bought my product?

    Thank you!

  4. Juan says:

    I was about to throw my PC out the window, you just saved it. It’s simple: if your thank-you page is an HTML page, the trick will not work!!! Convert it to PHP and it will work!

    Thanks!

  5. DB says:

    Thanks very much – I managed to get this setup within 5 minutes. :)

  6. Josh says:

    Thanks Wilson for the code and simple directions to protect a clickbank download! Exactly what I was after. Now I just need your other post that you said you’d write on protecting files!

  7. Kip says:

    Hi,

    When I put the code in my thank you page, I won’t access it myself through any browser, right?

    In this case, I must put the code after I get approved by ClickBank. If I don’t, Clickbank guys won’t be able to access the thank you page to see whether it deserves to be approved or not. Am I right?

    Thanks a lot in advance!

    • Wilson Mattos says:

      Kip,

      In Clickbank you can do a “Test” purchase before the product is active. The Clickbank folks will do exactly this, so yes, you can protect the download page even before the product is approved.

      Wil

  8. Faruk Ozturkmen says:

    Hi Wilson

    It is a great tut. I wished why Click Bank can’t be more helpful.

    I am having problems with securing the downloadable file. I know you said it depends on what system etc. Well, how about starting with one now? I am with PHP. So how would I secure my download using the ClickBank code above? I am sure most have PHP running, and it will at least help some of us who are desperately trying to solve this issue.

  9. Norman Hilk says:

    Can I just say what a relief to find someone who definitely knows what they’re talking about on the internet. You conveniently know how to bring an issue to light and make it constructive. More people need to read this and understand this side of the story. I can’t believe you’re not more popular because you definitely have the gift.

  10. John says:

    Hey,

    I tested this, and it IS NOT working. Anyone can access my download page.

    /John

    • John,

      Make sure you followed all the steps and did not miss anything…even a quote or dollar sign, or anything missing will break it. Probably easier to copy the code again and start from scratch. I guarantee you the above method works. I use it often and as you can see from other comments it works for other people as well.

      Wil

  11. Spike says:

    Thanks a million Wil.

    Your instructions worked perfectly.

  12. Aaron Dwyer says:

    Hi Wil,

    How do you get around legitimate purchasers needing to come back to the download page a second time?

    Aaron

    • Aaron,

      If they bookmark that page, they will be able to come back to it.

      If you need to deliver updates to your digital products, then the best way is to setup some kind of membership site.

      Wil

      • Jimmy says:

        Hi Wilson

        But if a customer is able to bookmark the page and come back to it, then can’t that bookmarked URL be passed around to the public as well?

        Jimmy

        • Wilson Mattos says:

          Jimmy,

          Yes, but that URL is specific to a customer, and can be used to figure out WHO is posting your download link.
          :-)

          Wil

  13. Hazel Reed says:

    Hi,
    Tried to implement this code into my Clickbank thank you page in Dreamweaver. Everything is done as instructed – php at top – secret code – url named .php uploaded with ftp – changed thankyou page in CB to http://www.mysite.co.uk/thankyoupage.php and….and ….
    nothing.
    Just blank page
    nada
    tested buying product
    nothing
    blank page
    tested putting url in by hand
    nothing.
    Tried six times – nothing, what am I doing wrong?
    Help would be so gratefully received.
    Thank you
    Hazel

  14. Jay Author says:

    Hi Wil, this post is a godsend as I was thinking about this today. After the seminar I decided to check out your blog today and I got what I was looking for. Keep up the good work!

  15. Martin says:

    Off the topic. I seem to get all my paid & free downloads in zip files via winrar. After a 40 day trial you still download the winrar content but can not open it (them) without a license costing from $30 to $40 just to open 1 file.

    Why do the so called Gurus send out all zip files using winrar? There are so many free zip software programs that are free like Zip7 and also the free one that comes with windows called WinZip; Please answer the answer. I will be looking for your
    answer……..Martin

    ke an unwarranted expense to the small guy.

    Is there a FREE Zipware program that will open Winrar Zip files for free. I am serious about this. Please help if you can. I am out of $1000 and do not know where to start. I am poor and can’t work. It has been 18 months since I received a pay check; so please you or 1 of your friends please come up with an answer please;
    Your help would be greatly appreciated. Thank you; Martim Fatangelo

    • Martin,

      ZIP files are not RAR files. If when you try to unzip a file WinRAR opens up on your machine, it is because Windows has associated ZIP files with WinRAR. You can right click on a ZIP file, and select “Open With” then select the correct program and make sure to select the checkbox at the bottom that says, “Always Open With…” and this will associate ZIP files with the other program to open them.

      Wil

  16. Frank Pacey says:

    Hi Wilson.

    Thank you for the post.
    Your website promises to be very useful to me.

    Best regards.

  17. Jan says:

    Thank you Will for sharing this info. I never thought that people could steal off my download page. I think I really have to stop being naive and start looking at ways in which some people can cheat me.

    Technological ability if trying your hand at IM seems to be more than a definite requirement. Most people (like me) are unaware of just how technically able some people are and what lengths others will go to, to steal. I can only hope that Karma will catch them up one day when they least expect it.

  18. Ken says:

    Hey Wil,

    If I’m not using Clickbank and just putting up a sales page, is there a way of securing my product download page? Thanks.

  19. I hear you ARE Mr. Technology. I’ve been wondering how you embed power point .pps files into web pages. I have attempted for the past 2 weeks and it doesn’t seem I’ll ever figure this out.

    Got an easy solution?

  20. Pat says:

    I tried clicking on the Amazon S3 link and got a message “the connection is untrusted”. Don’t know if you’re aware of that. It spooked me but I would still like to check out the webinar if you think it’s safe.
    I’m using the Firefox browser.

  21. Janina says:

    Hi Wilson,

    Thanks for a great post – one question that I have is if you can do something similar with download pages where your customers are receiving your free gifts for opting into your list?

    Thanks for your insights,

    Janina

    • Janina,

      Yes, I have done something like this. You can basically check if there is a variable being passed in the URL. If there isn’t, then redirect them somewhere. If there is, then let them see the page. You can use your autoresponder to pass the correct URL with the parameter. This is not real security…it is obscurity, but keeps “most” people away.

      Wil

  22. Slavoj Vlcek says:

    Dear Wil,
    Now, I’m not that technically skilled; however, when you DO believe it works, I take it for granted. Does there exist some way to test it for free for a couple of days or so? Thanks for a reply, in advance. Have a nice day.
    Best regards,
    Slavoj Vlcek
    cindypes123@gmail.com

  23. Alex says:

    Hi Wilson,

    Thanks for the great info.
    I put the code on the very top of the page but got an error message on the very top of the redirected page ( which is my sales page): “Warning: Cannot modify header information – headers already sent by (output started at …..)”
    Why is it?
    Thanks!

  24. I can’t change my Yahoo page to .php in the Yahoo Site Builder. It makes the page disappear. I’m lost. I put the code at the top of my page in the “insert html” box. I also put the Meta tag into the page properties header section. So done and done. The only part I cannot do is change the thankyou.html to thankyou.php because the main page is called index.html… I even tried renaming it index.php but then I go to publish the site and it warns me because my page is named index.php. I don’t want it to erase it so I cancel the publish. I use Yahoo SiteBuilder. I don’t know how to continue. Please help, thank you Mr. Wilson.

    • I have never used Yahoo Site Builder, so I cannot tell you exactly how to do this. Web servers do not usually process PHP code in .html files. One way around this is to create a .htaccess file to force the server to parse PHP code in .html files as well as .php files. You can try to add this to the .htaccess file for your server… Note, this does not work for all hosting providers, so if it breaks something, remove the code and check with their helpdesk how to do it.

      AddHandler application/x-httpd-php htm html php

      Wil

  25. Justin says:

    Hey Wil,
    Just wanted to thank you for your script, just wanted to point out that you’re missing the closing bracket for your cbValid function.

    Took me awhile to figure out why it wasn’t working for me!

    Thanks,
    Justin

  26. Very practical and useful information. I’m glad I found your blog. Be on the lookout for my purchase request for the S3 Flow Shield.

  27. Mike says:

    Hey Wilson,

    Thanks for this post and your last post. I was able to get your last post working, but not this one. Couple questions.

    1. When might you be putting out your 3rd post on protecting the download link?

    2. When you say put the code at the top of your page, I assume you mean in the top of the template page, but the very top would be at the top of the header.php document. I tried in each location, but got syntax errors each time pointing to the last line of html of each document –which stumped me.

    Thanks,

    Mike

    • Mike,

      1. Protecting download links can be done in a number of different ways. It depends on how you are hosting your downloads. I will write an article soon on how to do this with Amazon S3, my platform of choice for storing and delivering digital content.

      2. I mean at the top of the page that is loading. Since you mentioned header.php I assume you are using some kind of framework or maybe even WordPress? You can put the code there. If you are putting the sample code inside PHP tags already, then remove the starting and ending php tags from the sample code, otherwise you will get the behavior you mentioned.

      Wil

      • Efrain says:

        Great info here. I’m also interested in your tutorial for protecting the actual download link. Is there any solution for us who want to keep the files on our server instead of using Amazon S3??

        I guess it will be nice to find a PHP script that will mask the download link with random URLs but will allow the file to be downloaded if it recognizes the secret key we get from Clickbank.

        • Wilson Mattos says:

          Efrain,

          Not long ago, I helped come out with an AWESOME solution, which you can find here. It integrates perfectly with Clickbank (+ other solutions) and your autoresponder to deliver content while making sure it is secure: http://wpfilelock.com

          Wil
