WordPress Security for Event Calendar and Ticketing Websites
Protect event calendar WordPress sites with ticket fraud prevention, attendee data security, and calendar abuse protection.
Introduction
Event calendar and ticketing websites process payments, store attendee information, and manage capacity-limited events. Security breaches can result in ticket fraud, personal data exposure, and event disruption.
Security Risks for Event Sites
Event platforms face unique threats:
- Ticket scalping bots - Automated mass ticket purchases
- Payment fraud - Chargebacks and stolen cards
- Fake events - Scammers creating fraudulent listings
- Attendee data theft - Personal information exposure
- Calendar spam - Unauthorized event submissions
- QR code forgery - Fake tickets and entry passes
Protecting Ticket Sales
Prevent automated purchasing and fraud:
Bot Protection for Ticket Pages
```php
<?php
// Detect and block ticket bots
function protect_ticket_purchase() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

    // Check purchase velocity: a transient keyed by the hashed IP holds the hourly count
    $key = 'ticket_purchase_' . md5($ip);
    $recent_purchases = (int) get_transient($key); // false (no entry) casts to 0

    // Allow max 4 purchases per hour per IP
    if ($recent_purchases >= 4) {
        wp_die('Purchase limit reached. Please try again later.');
    }

    // Detect bot characteristics in the User-Agent header (trivially spoofed, so only a first filter)
    $user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $bot_signatures = array('curl', 'wget', 'python', 'scrapy', 'bot');
    foreach ($bot_signatures as $sig) {
        if (stripos($user_agent, $sig) !== false) {
            error_log("Bot ticket attempt from {$ip}");
            wp_die('Access denied.');
        }
    }

    // Verify JavaScript execution (bots often skip JS): the field is injected client-side below
    if (empty($_POST['js_verification'])) {
        wp_die('Please enable JavaScript to purchase tickets.');
    }

    set_transient($key, $recent_purchases + 1, HOUR_IN_SECONDS);
}
add_action('wpfs_before_ticket_purchase', 'protect_ticket_purchase');

// Add JS verification to ticket forms
add_action('ticket_form_footer', function() {
    ?>
    <script>
    document.addEventListener('DOMContentLoaded', function() {
        var form = document.querySelector('#ticket-form');
        if (!form) {
            return; // form not present on this page
        }
        var input = document.createElement('input');
        input.type = 'hidden';
        input.name = 'js_verification';
        input.value = '1'; // must be non-empty so the server-side empty() check passes
        form.appendChild(input);
    });
    </script>
    <?php
});
```
Secure QR Code Tickets
Generate digital tickets whose contents cannot be altered without detection:
Cryptographic Ticket Validation
```php
<?php
// Generate secure ticket code: base64(payload) . '.' . HMAC-SHA256(payload)
function generate_secure_ticket($order_id, $event_id, $attendee_email) {
    $secret_key = defined('WPFS_TICKET_SECRET') ? WPFS_TICKET_SECRET : AUTH_KEY;
    $ticket_data = array(
        'order_id' => $order_id,
        'event_id' => $event_id,
        'email'    => $attendee_email,
        'issued'   => time(),
        'nonce'    => wp_generate_password(8, false),
    );
    // base64 is encoding, not encryption: anyone who scans the QR code can read these fields
    $payload   = json_encode($ticket_data);
    $signature = hash_hmac('sha256', $payload, $secret_key);
    return base64_encode($payload) . '.' . $signature;
}

// Validate ticket at event check-in
function validate_ticket_code($ticket_code) {
    $secret_key = defined('WPFS_TICKET_SECRET') ? WPFS_TICKET_SECRET : AUTH_KEY;
    $parts = explode('.', $ticket_code);
    if (count($parts) !== 2) {
        return array('valid' => false, 'error' => 'Invalid ticket format');
    }
    $payload = base64_decode($parts[0], true); // strict mode rejects non-base64 input
    $provided_signature = $parts[1];
    if ($payload === false) {
        return array('valid' => false, 'error' => 'Invalid ticket format');
    }

    // Verify signature before trusting anything in the payload (constant-time comparison)
    $expected_signature = hash_hmac('sha256', $payload, $secret_key);
    if (!hash_equals($expected_signature, $provided_signature)) {
        return array('valid' => false, 'error' => 'Invalid ticket signature');
    }

    $ticket_data = json_decode($payload, true);
    if (!is_array($ticket_data) || empty($ticket_data['order_id'])) {
        return array('valid' => false, 'error' => 'Invalid ticket payload');
    }

    // Check if ticket already used
    $used = get_post_meta($ticket_data['order_id'], '_ticket_used', true);
    if ($used) {
        return array('valid' => false, 'error' => 'Ticket already used');
    }
    return array('valid' => true, 'data' => $ticket_data);
}

// Mark ticket as used
function mark_ticket_used($order_id) {
    update_post_meta($order_id, '_ticket_used', current_time('mysql'));
    update_post_meta($order_id, '_checked_in_by', get_current_user_id());
}
```
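A complete check-in step for a scanner, as an added example that is not part of the original post: it wraps validate_ticket_code() from above, also checks that the ticket belongs to the event being scanned (the validator alone accepts a valid ticket for any event), and claims the ticket with a unique meta insert, which leaves a much smaller window than reading _ticket_used and then updating it when two scanners present the same code. The capability name wpfs_check_in_tickets is an assumption.

```php
<?php
// Added example: check-in wrapper around validate_ticket_code() (defined above).
// 'wpfs_check_in_tickets' is a hypothetical capability granted to door staff.
function wpfs_check_in_ticket($ticket_code, $scanned_event_id) {
    if (!current_user_can('wpfs_check_in_tickets')) {
        return array('valid' => false, 'error' => 'Not authorised to check in tickets');
    }

    $result = validate_ticket_code($ticket_code);
    if (!$result['valid']) {
        return $result;
    }
    $ticket = $result['data'];

    // A correctly signed ticket for a different event must not open the door to this one
    if (!isset($ticket['event_id']) || (int) $ticket['event_id'] !== (int) $scanned_event_id) {
        return array('valid' => false, 'error' => 'Ticket is for a different event');
    }

    // Claim the ticket. add_post_meta() with $unique = true refuses to add a key that already
    // exists, so a second scan of the same code fails here even if both scans passed the
    // read-only check inside validate_ticket_code() at almost the same moment.
    $claimed = add_post_meta($ticket['order_id'], '_ticket_used', current_time('mysql'), true);
    if ($claimed === false) {
        return array('valid' => false, 'error' => 'Ticket already used');
    }
    update_post_meta($ticket['order_id'], '_checked_in_by', get_current_user_id());

    return array('valid' => true, 'data' => $ticket);
}
```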
Event Submission Moderation
Prevent calendar spam and fake events:
```php
<?php
// Moderate event submissions
function wpfs_moderate_event_submission($post_id, $post, $update) {
    // Skip autosaves and revisions, and skip updates to already-approved events
    if (wp_is_post_autosave($post_id) || wp_is_post_revision($post_id)) {
        return;
    }
    if ($update && get_post_status($post_id) === 'publish') {
        return;
    }

    // Score suspicious submissions
    $spam_indicators = 0;

    // Check for excessive links ('#' delimiter so the slashes in the scheme need no escaping)
    $link_count = preg_match_all('#https?://#i', $post->post_content);
    if ($link_count > 3) {
        $spam_indicators++;
    }

    // Check for spam keywords
    $spam_keywords = array('casino', 'pharmacy', 'bitcoin', 'crypto');
    foreach ($spam_keywords as $keyword) {
        if (stripos($post->post_content, $keyword) !== false) {
            $spam_indicators += 2;
        }
    }

    // Check organizer history (count_user_posts() returns a string, so cast before comparing)
    $author_id = $post->post_author;
    $author_event_count = (int) count_user_posts($author_id, 'event');
    if ($author_event_count === 0) {
        $spam_indicators++; // First-time event creator
    }

    // Require moderation if suspicious
    if ($spam_indicators >= 2) {
        // Unhook first: wp_update_post() fires save_post_event again, which would recurse
        remove_action('save_post_event', 'wpfs_moderate_event_submission', 10);
        wp_update_post(array(
            'ID'          => $post_id,
            'post_status' => 'pending',
        ));
        add_action('save_post_event', 'wpfs_moderate_event_submission', 10, 3);

        // Notify admin
        wp_mail(
            get_option('admin_email'),
            'Event requires moderation',
            "Event \"{$post->post_title}\" flagged for review. Spam score: {$spam_indicators}"
        );
    }
}
add_action('save_post_event', 'wpfs_moderate_event_submission', 10, 3);
```
Attendee Data Protection
```php
<?php
// Derive a 32-byte key for AES-256 from the configured secret (AUTH_KEY is 64 characters)
function wpfs_attendee_key() {
    $secret = defined('WPFS_ENCRYPTION_KEY') ? WPFS_ENCRYPTION_KEY : AUTH_KEY;
    return hash('sha256', $secret, true);
}

// Encrypt attendee personal information.
// AES-256-GCM is used in place of plain CBC so that a modified record is detected on decryption.
function store_attendee_data($attendee_info) {
    $key = wpfs_attendee_key();
    $sensitive_fields = array('phone', 'dietary_requirements', 'medical_info');
    foreach ($sensitive_fields as $field) {
        if (isset($attendee_info[$field])) {
            $iv  = random_bytes(12); // 96-bit nonce, fresh for every encryption
            $tag = '';
            $encrypted = openssl_encrypt(
                $attendee_info[$field],
                'aes-256-gcm',
                $key,
                OPENSSL_RAW_DATA,
                $iv,
                $tag
            );
            // Store nonce, tag and ciphertext together so the stored value is self-describing
            $attendee_info[$field] = base64_encode($iv . $tag . $encrypted);
        }
    }
    return $attendee_info;
}

// Decrypt a field written by store_attendee_data(); returns null if the data was tampered with
function read_attendee_field($stored) {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv   = substr($raw, 0, 12);
    $tag  = substr($raw, 12, 16);
    $data = substr($raw, 28);
    $plain = openssl_decrypt($data, 'aes-256-gcm', wpfs_attendee_key(), OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : $plain;
}

// Restrict attendee list access
function can_view_attendee_list($user_id, $event_id) {
    // Only event organizer and admins
    $event = get_post($event_id);
    if (!$event) {
        return false; // unknown event: deny by default
    }
    if (user_can($user_id, 'manage_options')) {
        return true;
    }
    if ((int) $event->post_author === (int) $user_id) {
        return true;
    }
    return false;
}
```
Payment Fraud Prevention
- Verify billing address matches card
- Enable 3D Secure for high-value tickets
- Set purchase limits per customer
- Monitor for velocity anomalies
- Require email verification before purchase
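The per-customer limit and velocity check from the list above, as an added example that is not part of the original post: it keys on the normalised e-mail address and the event rather than the IP, so a buyer rotating addresses is still capped, and it flags a burst of separate orders in a short window as a velocity anomaly. The thresholds (6 tickets per 24 hours, 3 orders in 10 minutes) and the transient-based history are assumptions; call it when an order is placed.

```php
<?php
// Added example: per-customer purchase limit plus velocity anomaly check.
// Thresholds are assumed values; tune them to the event.
function wpfs_customer_purchase_check($email, $event_id, $requested_qty) {
    $email = strtolower(trim($email));
    $key   = 'wpfs_cust_' . hash('sha256', $email . '|' . $event_id);

    // Sliding history of purchases for this customer and event, kept for 24 hours
    $history = get_transient($key);
    if (!is_array($history)) {
        $history = array();
    }
    $now = time();
    $history = array_filter($history, function ($entry) use ($now) {
        return $entry['t'] > $now - DAY_IN_SECONDS;
    });

    // Limit 1: no more than 6 tickets per customer per event in 24 hours
    $already = array_sum(array_column($history, 'qty'));
    if ($already + (int) $requested_qty > 6) {
        return array('allowed' => false, 'reason' => 'Per-customer ticket limit reached');
    }

    // Limit 2: velocity anomaly, a third separate order within ten minutes
    $recent = array_filter($history, function ($entry) use ($now) {
        return $entry['t'] > $now - 10 * MINUTE_IN_SECONDS;
    });
    if (count($recent) >= 2) {
        // Log a hashed identifier, not the address itself, to keep PII out of the error log
        error_log('Velocity anomaly for customer ' . substr(hash('sha256', $email), 0, 12)
            . " on event {$event_id}");
        return array('allowed' => false, 'reason' => 'Too many orders in a short time; please contact support');
    }

    $history[] = array('t' => $now, 'qty' => (int) $requested_qty);
    set_transient($key, array_values($history), DAY_IN_SECONDS);
    return array('allowed' => true, 'reason' => '');
}
```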
Conclusion
Event websites must protect against ticket fraud, secure attendee data, and moderate submissions. Cryptographic ticket validation, bot protection, and proper access controls ensure successful and secure events.
Written by Sarah Chen
WP Folder Shield Team