Securing Your WordPress Event Ticketing Website

If you’re running an event ticketing business, you probably collect a lot of important information from attendees on your website. This may include:

  • Usernames and passwords.
  • Payment information (credit card numbers, bank details)
  • Billing information (street address, phone numbers)

As a business owner, it’s important to make sure your event ticketing website is secure and protected against threats. By doing so, you can rest assured that your website will continue to run without any hiccups and your attendees’ personal information will be secure. 

In this article, we take a look at some of the steps you can take to keep your event ticketing website secure. We’ll explain why it’s important and recommend some plugins and tools to help you get started with a step in the right direction. Finally, we’ll cover some WordPress security plugins that you can use to add an additional layer of security to your ticketing website.

Let’s begin.

7 Steps to Secure Your WordPress Event Ticketing Website

Internet security is an ever-evolving process and it is a good idea to take steps preemptively to ensure that you are protected against online threats.

Aside from performing regular backups  and making sure your theme, plugins, and WordPress core are updated, here are some of the ways you can increase your event ticketing website’s security:

#1: Install an SSL Certificate

A secure socket layer (SSL) certificate is essential for your website if you’ll be offering any sort of on-site payment options. Having an SSL certificate decreases the likelihood of a data breach by keeping the connection between your attendees’ web browser and the server secure and encrypted.

Be sure to check out our quick tutorial on Securing Your Registration and Payment Pages for step-by-step instructions on how to set up an SSL certificate on your Event Espresso-powered website.

#2: Set Up Two-Factor Authentication

Two-factor authentication is an easy way of making sure that only authorized users have access to your site’s back-end. Once an admin or user logs into their account by entering their login credentials they’ll be prompted to authenticate using a second set of credentials such as a phone number or an email.

This makes it much more difficult for unauthorized personnel to gain entry to your WordPress event ticketing website since they will not only need the user’s login credentials but also have access to their phone or email.

#3: Change the Default “admin” Username

When you install WordPress (manually or using a 1-click installer), you’ll be asked to select a username for the administrator user role or go with the default “admin” username. If you’re creating a new WordPress website for your event ticketing business, remember to change the default username to something other than “admin”.

However, if you already have your event ticketing site set up, you can change the default username by updating it from phpMyAdmin or creating a new user (with the admin user role) and deleting the old one.

It is a good idea to replace the default username with something that’s difficult to guess. By doing so, you’ll be reducing the risk of a brute force attack.

#4: Limit Login Attempts

Limiting login attempts is an easy way to secure your event ticketing website from hacking attempts. By doing so, you’ll be able to effectively reduce the risk of brute force attacks. It also gives you an additional layer of security protecting your site against unauthorized access.

The Login LockDown plugin automatically records the IP addresses and timestamps of failed login attempts. The plugin can also detect if there have been multiple failed login attempts over a short period of time from the same IP range. If so, it’ll disable the login function for that range.

#5: Log Out Idle Users Automatically

If a logged in user is inactive for a certain amount of time on your event ticketing website, it gives hackers an opportunity to virtually hijack their browsing session.

The solution is to set an idle session period after which all logged in users will automatically be logged out of your ticketing website. You can protect your event ticketing website from session hijacking using the Inactive Logout plugin.

#6: Hide wp-config.php and .htaccess Files

Your event website’s wp-config.php file stores the login credentials to your web host  and your site’s database. And the .htaccess file holds information about your site structure that hackers could potentially use to break into your website.

For this reason, it’s a good idea to hide both the wp-config.php and .htaccess files. Open up the .htaccess file in a text editor of your choice and add the following lines of code to it:

For hiding your site’s .htaccess file:

<files .htaccess>

order allow,deny

deny from all


And for hiding your site’s wp-config.php file:

<files wp-config.php>

order allow,deny

deny from all


Pro tip: We recommend creating a backup of your .htaccess file before making any changes to it.

#7: Disable File Editing

While we are still tinkering with the default WordPress options, let’s get another security risk out of the way. By default, you have the ability to edit your theme and plugin files directly from your WordPress admin area. This direct access from within your WordPress dashboard makes your site vulnerable to hackers who can gain access and make changes to your site files.

To disable file editing, make a backup of your event ticketing site’s wp-config.php file and add the following line of code to it:

define(‘DISALLOW_FILE_EDIT’, true);

After adding this line of code to your wp-config.php file, you will have to edit your theme and plugin files using an FTP application like FileZilla.

Recommended WordPress Security Plugins and Tools

The WordPress core has security measures in place and rolls out new updates regularly. That said, there are a number of free and premium WordPress security plugins out there that can help you take your site’s security to the next level. These plugins offer features like security monitoring, malware scanning, firewalls, post-hack cleanups, and much more.

#1: Sucuri

Sucuri is an all-in-one security tool for WordPress and it comes in both free and premium version. You can install it on your event ticketing website as a plugin and it will monitor and scan your site for any kind of security risks or malware.

Key Features:

  • Variety of SSL certificates available based on your requirements.
  • Instant notification in case of security threats.
  • Protection from DDoS attacks.
  • Multiple customer support channels.

#2: iThemes Security

iThemes Security brings some serious internet security options and configurations to the table. The service provides different tools and services to protect your website from unauthorized access. It also protects against security vulnerabilities such as defective files or plugins.

Key Features:

  • WordPress database backups.
  • Add Google reCAPTCHA to your login.
  • Scanning core WordPress files for malicious code.
  • Detects changes in files and sends out notification if such a case occurs.
  • Identification of errors e.g. 404 errors.

#3: Wordfence Security

Wordfence Security gives you some of the most advanced online security services on the market. Not only that but the free version also comes bundled with enough options for most small websites.

Key Features:

  • Offers a firewall with DDoS protection, real-time threat monitoring, and web application security.
  • Has options for manual blocking and country blocking.
  • Monitoring of all traffic – bots as well as human visitors.
  • Keep track of all login and logout information.
  • Built-in spam filter.


Repairing your website after it’s been hacked can take several hours (or even days). Not to mention, you could potentially lose all of your data or, worse, your attendees’ personal information could be compromised.

Taking appropriate measures to secure your event ticketing website ensures that you’re able to keep your attendees’ data safe and protect your business.


Share a Reply or Comment

Your email address will not be published.

Need help with Event Espresso? Create a support post in our support forums

Event Espresso