Our customer, Allan Bolton, is a health professional who has taught himself to build websites for projects he is personally involved in as a full or part owner and developer.
Allan uses LearnDash (LD), a leading Learning Management System (LMS) plugin for WordPress, to build and sell his online courses. His eLearning content is authored in Articulate Storyline 3 (SL3) and published as .zip packages.
His team uses the Uncanny Owl (UCO) Tin Canny LearnDash Reporting plugin to track learner progress and completion of the SL3 content against LD Lessons and Topics. They also rely on its Tin Can xAPI content protection so that only logged-in users can open the content.
Allan was looking for a better way to protect his eLearning content, i.e. story.html, story_html5.html and story_flash.html, from users who are not logged in.
Challenges: Protect LearnDash eLearning content without breaking Tin Can xAPI learner progress tracking
However, after purchasing and installing the UCO LD Reporting plugin, it quickly became clear that the protection it provides does not meet his primary requirement: protecting the eLearning module URLs themselves.
In fact, according to its documentation, the plugin only offers basic content protection that restricts viewing to signed-in users.
Allan gives a specific example. After adding or importing the eLearning content to an LD Lesson from a .zip file, the UCO LD Reporting plugin generates a button shortcode that looks like this:
[vc_snc embed_type="_self" item_id="1" item_name="LMS Protection Session 1" button="medium" href="https://your-domain.com/~protection/wp-content/uploads/uncanny-snc/1/story.html"]
This shortcode renders the button into the course content as an ordinary link, with the absolute URL of story.html sitting in plain view in its href.
Here is the URL that appears in the browser address bar after clicking the button link to open the eLearning content for the user:
Apart from the nonce check attached to the button link, the absolute content URL embedded in it can be lifted with a simple copy and paste.
In the nonce-protected address bar URL above, the path to the content file is visible to everyone, and anyone can launch that file directly in the browser.
The story.html above is the launch file: it inspects the viewing device and then loads whichever of the two files named earlier (story_html5.html or story_flash.html) is the better fit for serving the content.
In short, anyone who knows the naming convention can reach every module by changing uncanny-snc/1/story.html to uncanny-snc/2/story.html, and so on, since the folder name is simply the module's item_id.
Is "Nonce" protection the solution?
Allan even goes further and shares with us his email outreach to the Developers at UCO.
He expresses his disappointment with the lack of protection, given that the rest of their software is superb, and asks whether the protection could be improved, for instance via an .htaccess file.
He provides an example of how this can be done with Paid Memberships Pro, which he uses to make PDF files available only to registered members:
RewriteEngine On
RewriteBase /
RewriteRule ^wp-content/uploads/(.*\.pdf)$ /wp-content/plugins/paid-memberships-pro/services/getfile.php [L]
Allan has also used GrassBlade's Tin Can xAPI plugin. Although it is not attractive to the eye, it does block access to Tin Can content for users who are not logged in; he believes it generates an .htaccess rule on the fly.
The UCO Tin Canny Reporting plugin developers replied as follows:
"Right now, URLs generated to show content are protected by "nonce" - an arbitrary number to make each request unique. When they're shared as is, users cannot use them because of the nonce check. If the user hasn't signed in, they can't see protected ones at all. And if a user strips some of the URL to get something potentially shareable, it won't link to Tin Canny.
.htaccess is not reliable enough as not every host supports it. This approach was really our happy medium of convenience and making it at least more difficult for unauthorized users to get content."
So, according to the UCO Tin Canny developers, that basic nonce protection is as far as they go. Allan wonders whether there is a better solution.
Folder Protection: an Effective Way to Protect SCORM/Tin Can Modules
The challenge for us is to protect the eLearning content URL while at the same time keeping the original URL, e.g. https://your-domain.com/~protection//wp-content/uploads/uncanny-snc/1/story_html5.html, in the browser address bar.
This is required so that the eLearning content can still be tracked via Tin Can xAPI for student attendance and completion.
Since Prevent Direct Access (PDA) Gold only protects files uploaded to the WordPress Media Library, we needed another way to protect these Articulate Storyline HTML files. The feature should let users choose which folders to protect and work on both Apache and Nginx servers.
Here's how we handle it:
- Extend the file protection provided by PDA Gold so that it can protect every file inside selected folders under the WordPress installation
- Apply a custom File Access Permission to the protected folder, e.g. accessible to logged-in users only
All of this is done through our Access Restriction extension.
Now the HTML files generated by SL3 are protected against unauthorized direct access: if a learner shares a file URL with someone else, that person cannot open it without logging in.
Better yet, this doesn't interfere with the default UO Tin Canny tracking at all.
The Results: Well-Protected eLearning Content & Happy customer
Allan feels "very happy so far" that the PDA Gold and Access Restriction are working correctly to protect his eLearning content. He even offers to connect us with Ryan and Ken, the developers of UO Tin Canny tracking plugin.
Allan believes we've done what they should have and that we can explore the possibility for some form of a mutually beneficial business relationship.
"I have found a tested content protection solution that works well alongside UO LD Reporting. Prevent Direct Access provides robust protection for SCORM/Tin Can Modules." Allan told the developers.
Content protection is a big issue on WordPress sites, especially those that have been university assessed, like
"Without the PDA solution, it's more than likely we would have had to cancel our UO subscriptions on expiry and seek an alternate delivery solution. I can assure you I don’t want to go there!"
“I found working with the BWPS team to be great. The BWPS Customer Support Supervisor Tim Alan is fantastic. He is reliably responsive and very easy to work with.”
While the collaboration has not become a reality, Allan left us a very kind review on WordPress.