Topics

⌘K
  2. Home
  4. Topics
  6. Tickets
  8. PDF tickets
  10. PDF Ticket Folder Protection

PDF Ticket Folder Protection

FooEvents PDF tickets use an “unlisted link” model, similar to Google Drive’s “anyone with the link” sharing setting. Ticket file names are generated using an algorithm that produces obscure, non-sequential names, making them extremely difficult to guess, even if someone understands how FooEvents generates them.

Assuming directory listing is disabled on your server, which is standard practice, the folder cannot be browsed and files are only accessible if the exact file name is known. FooEvents also adds a blank index file to the pdftickets folder as an extra precaution.

Advanced Folder Protection #

You can add an extra layer of protection to your PDF tickets folder by blocking direct web access to the directory where ticket PDFs are stored. The methods below outline different ways to do this, depending on your server configuration. These are advanced options intended for site owners who want to further reduce the risk of ticket links being shared and prefer tickets to be distributed through controlled channels, such as email delivery only.

Please note that when direct access to the PDF tickets folder is restricted:

  1. Customers will no longer be able to download PDF tickets from the My Account section. Make sure the FooEvents > Settings > PDF Tickets > Enable PDF ticket downloads option is disabled. If it remains enabled, FooEvents will add a Tickets page to the My Account section where users can attempt to download PDF tickets, but those links will no longer work once folder access is blocked.
  2. Administrators will no longer be able to download PDF tickets from the Tickets screen in the WordPress admin area. If you want to view a PDF ticket, rather ‘resend’ the ticket to your email address and download the PDF from there.

Folder Protection Setting (Apache) #

This is a built-in option and can only be used on Apache servers, as it relies on an .htaccess file to restrict access to the PDF tickets folder.

Apache servers can enforce folder-level rules using an .htaccess file. By placing an .htaccess file inside the PDF ticket storage directory, you can deny all direct HTTP access to stored ticket PDFs. Any direct ticket URL should then return a 403 Forbidden response, or sometimes a 404, depending on your host or security layer.

To enable folder protection and automatically add the necessary .htaccess file to your pdftickets folder, please follow these steps:

  1. Log in to your WordPress website.
  2. Go to FooEvents > Settings > PDF Tickets.
  3. Enable the Enable PDF ticket folder protection setting.
  4. Find a known PDF ticket URL, one that previously downloaded successfully.
  5. Visit it in your browser.
  6. You should receive a 403 Forbidden response, or a 404 depending on your host or security layer, instead of a download.

Manual Protection (Apache) #

If the PDF ticket folder protection setting does not take effect, try manually placing the .htaccess file in the PDF tickets folder.

Please follow these steps to manually add the .htaccess file to your pdftickets folder:

  1. Connect to your site via FTP, SFTP, or your host’s file manager.
  2. Navigate to: wp-content/uploads/fooevents/pdftickets/
  3. Create a file named .htaccess.
  4. Add the following contents to the file:
# FooEvents PDF Ticket folder protection.
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>

<IfModule !mod_authz_core.c>
	Deny from all
</IfModule>
  1. Save the file.
  2. Find a known PDF ticket URL, one that previously downloaded successfully.
  3. Visit it in your browser.
  4. You should receive a 403 Forbidden response, or a 404 depending on your host or security layer, instead of a download.

Notes / Gotchas #

  • Some hosts block or override .htaccess rules in wp-content/uploads/. If your rules do not apply, ask your host whether .htaccess files are allowed in uploads directories.
  • If your WordPress installation uses a custom uploads path, the folder location may be different.

Nginx (Manual Configuration) #

Similar to how the WooCommerce uploads folder can be protected on Nginx, if your site uses Nginx, you can add a rule to deny access to the PDF ticket folder in your server block. If you are not sure how to do this, ask your hosting company to assist you.

location ^~ /wp-content/uploads/fooevents/pdftickets/ {
	deny all;
}

If your WordPress installation uses a custom uploads path or is installed in a subdirectory, adjust the location path accordingly.

Once the deny-access rule has been added, verify that it is working by following these steps:

  1. Find a known PDF ticket URL, one that previously downloaded successfully.
  2. Visit it in your browser.
  3. You should receive a 403 Forbidden response, or a 404 depending on your host or security layer, instead of a download.

How can we help?