PDF Ticket Folder Protection

FooEvents PDF tickets use an “unlisted link” model (similar to Google Drive’s “anyone with the link” sharing). Ticket file names are generated using an algorithm that produces obscure file names, making them non-sequential and extremely unlikely to guess, even with knowledge of how FooEvents generates these file names.

Assuming directory listing is disabled on your server (standard practice, but we add a blank index file to the PDF-Tickets folder as well, just in case), the folder cannot be browsed and files are only accessible with the exact filename.

If you would like to add an additional layer of protection to your PDF tickets folder, you can manually block direct web access to the stored PDF tickets folder on Apache by adding an .htaccess file.

This is an advanced option intended for site owners who want to further reduce the chance of ticket links being shared and prefer tickets to be distributed via controlled channels (for example, email delivery only).

Manual Protection (Apache)

What this does

Apache servers can enforce folder-level rules using an .htaccess file. By placing an .htaccess file inside the PDF ticket storage directory, you can deny all direct HTTP access to stored ticket PDFs. Any direct ticket URL should then return 403 Forbidden (or sometimes 404, depending on your host/security layer).

Folder location

FooEvents stores PDF tickets here:

wp-content/uploads/fooevents/pdftickets/

Steps

  1. Connect to your site via FTP/SFTP or your host’s file manager.
  2. Navigate to:
    wp-content/uploads/fooevents/pdftickets/
  3. Create a file named:
    .htaccess
  4. Add the following contents to the file:

    # FooEvents PDF Ticket folder protection.
    # Apache 2.4 and later (mod_authz_core is loaded).
    <IfModule mod_authz_core.c>
    	Require all denied
    </IfModule>

    # Older Apache versions without mod_authz_core.
    <IfModule !mod_authz_core.c>
    	Deny from all
    </IfModule>

  5. Save the file.

Notes / gotchas

  • Some hosts block or override .htaccess rules in wp-content/uploads/. If your rules don’t apply, ask your host whether .htaccess is allowed in uploads directories.
  • If your WordPress install uses a custom uploads path, the folder may differ.

Before You Enable This

This is an advanced security option, and enabling it means:

  • Customers will no longer be able to download PDF tickets from the My Account section. Ensure the FooEvents > Settings > PDF Tickets > Enable PDF ticket downloads option is disabled. If it is enabled, FooEvents adds a Tickets page to the My Account section where users can download PDF tickets, but the links will not work once folder access is blocked.
  • Administrators will no longer be able to download PDF tickets from the Tickets screen in the WordPress admin area.
  • This approach works on Apache only. If your site is hosted on Nginx, you must add an Nginx rule instead (Nginx does not read .htaccess).

Nginx (Manual Configuration)

Similar to WooCommerce, if your site uses Nginx, add a rule to deny access to the PDF ticket folder in your server block:

location ^~ /wp-content/uploads/fooevents/pdftickets/ {
	deny all;
}

If your WordPress installation uses a custom uploads path or lives in a subdirectory, adjust the location path accordingly.

Verification

After adding protection:

  1. Find a known PDF ticket URL (one that previously downloaded successfully).
  2. Visit it in your browser.
  3. You should get a 403 Forbidden (or a 404 depending on your host/security layer) instead of a download.
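
The verification steps above can be scripted so they can be repeated after host or configuration changes. This is an added example, not FooEvents code; the names classify and check_url and the verdict labels are assumptions made for illustration. It judges the response by its first bytes as well as its status, so a PDF that is still served counts as exposed whatever status code accompanies it.

```python
"""Check whether a known PDF ticket URL is still served after adding the deny rule."""
import sys
import urllib.error
import urllib.request

PDF_MAGIC = b"%PDF-"  # every PDF file starts with these bytes


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses instead of following them, so a redirect to a
    login or error page is not mistaken for the ticket itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body_start):
    """Map an HTTP status and the first bytes of the body to a verdict."""
    if body_start.startswith(PDF_MAGIC):
        return "EXPOSED"   # a PDF came back, so the folder is still reachable
    if status in (403, 404):
        return "BLOCKED"   # the result the Verification section expects
    if 300 <= status < 400:
        return "REDIRECT"  # check by hand where the redirect leads
    return "UNCLEAR"       # e.g. 200 with an HTML page, or a 5xx error


def check_url(url, timeout=10):
    """Request the URL once, without following redirects, and classify it."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read(len(PDF_MAGIC)))
    except urllib.error.HTTPError as err:
        # urllib raises for 3xx (not followed), 4xx and 5xx responses
        return classify(err.code, err.read(len(PDF_MAGIC)))


if __name__ == "__main__":
    # Usage: python check_tickets.py <ticket-url> [<ticket-url> ...]
    results = [(check_url(u), u) for u in sys.argv[1:]]
    for verdict, u in results:
        print(verdict, u)
    # Non-zero exit if any ticket is still downloadable
    sys.exit(1 if any(v == "EXPOSED" for v, _ in results) else 0)
```

Pass it one or more ticket URLs that downloaded successfully before the rule was added; any verdict other than BLOCKED is worth checking by hand.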