Host Header Injection Fix

Host Header Injection Fix

Wordpress plugin

Install on Wordpress

App Details

Enables custom headers for WP email notifications
Also “set it and forget it” security fix for WP < 5.5

Important

As of WordPress 5.5, this plugin no longer is necessary to fix the host-header security issue reported in Ticket #25239 finally is fixed, and mentioned in this post WordPress 5.5 Beta 4. Thank You WordPress devs!

Is this plugin still useful?

Yes, it enables you to choose the “From”, “Name”, and “Return-Path” headers for all WP notification emails. And for versions of WordPress less than 5.5, this plugin continues to fix the host-header injection security issue.

Features

This simple plugin does three things:

  1. Sets custom From, Name, and Return-Path for WP notifications
  2. Fixes a security vulnerability in WordPress versions < 5.5
  3. Fixes a bug where invalid email addresses may be generated (in WordPress versions < 5.5)

Choose from the following options:

  • Use WordPress defaults (insecure for WP < 5.5)
  • Use “Email Address” from WP General Settings
  • Use a custom name and address

Plus there is an option to use the specified From address as the Return-Path header.

Why?

The security issue fixed by this plugin has been known about since way back in WordPress version 2.3. There has been some talk about fixing, but nothing has been implemented. While the issue does not affect all sites, it does affect a good percentage of them, including some of my own projects. So, not wanting to get hacked, I decided to write my own solution. Hopefully this issue gets fixed in a future version of WordPress, and this plugin will become unnecessary.

As a bonus, setting an explicit From address resolves a long-standing bug whereby an invalid email address is generated under the following conditions:

  • A “From” address is not set,
  • And the $_SERVER['SERVER_NAME'] is empty

So by explicitly setting a “From” address, we prevent this bug from happening.

Security Issue

What is the security issue addressed by this plugin? Follows is a quick summary. To learn more in-depth, check out the resources linked in the next section.

  • WordPress uses $_SERVER['SERVER_NAME'] to set the “From” header in email notifications
  • This includes sensitive email notifications like password resets and user registration
  • In some cases, an attacker could modify the “From” header and intercept the email
  • Using the intercepted email, an attacker could gain access to your site and wreak havoc

More Infos

This security vulnerability is well-known and has been around for a looong time. To learn more, check out these articles:

Privacy

This plugin does not collect or store any user data. It does not set any cookies, and it does not connect to any third-party locations. Thus, this plugin does not affect user privacy in any way.

Host Header Injection Fix is developed and maintained by Jeff Starr, 15-year WordPress developer and book author.

Support development

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

And/or purchase one of my premium WordPress plugins:

Links, tweets and likes also appreciated. Thank you! 🙂

Pricing

Starting from $0 per month.

Check Out the Business Listings Widget

By Common Ninja

Business ListingsTry For Free!

App Info

Rating

Reviewers

6 reviews

Tags

email
headers
injection
notification
security

Developed By

Jeff Starr

Quick & Easy

Find the Best Wordpress plugins for you

Common Ninja has a large selection of powerful Wordpress plugins that are easy to use, fully customizable, mobile-friendly and rich with features — so be sure to check them out!

Testimonial

Testimonial plugins for Wordpress

Galleries

Galleries plugins for Wordpress

SEO

SEO plugins for Wordpress

Contact Form

Contact Form plugins for Wordpress

Forms

Forms plugins for Wordpress

Social Feeds

Social Feeds plugins for Wordpress

Social Sharing

Social Sharing plugins for Wordpress

Events Calendar

Events Calendar plugins for Wordpress

Sliders

Sliders plugins for Wordpress

Analytics

Analytics plugins for Wordpress

Reviews

Reviews plugins for Wordpress

Comments

Comments plugins for Wordpress

Portfolio

Portfolio plugins for Wordpress

Maps

Maps plugins for Wordpress

Security

Security plugins for Wordpress

Translation

Translation plugins for Wordpress

Ads

Ads plugins for Wordpress

Video Player

Video Player plugins for Wordpress

Music Player

Music Player plugins for Wordpress

Backup

Backup plugins for Wordpress

Privacy

Privacy plugins for Wordpress

Optimize

Optimize plugins for Wordpress

Chat

Chat plugins for Wordpress

Countdown

Countdown plugins for Wordpress

Email Marketing

Email Marketing plugins for Wordpress

Tabs

Tabs plugins for Wordpress

Membership

Membership plugins for Wordpress

popup

popup plugins for Wordpress

SiteMap

SiteMap plugins for Wordpress

Payment

Payment plugins for Wordpress

Coming Soon

Coming Soon plugins for Wordpress

Ecommerce

Ecommerce plugins for Wordpress

Customer Support

Customer Support plugins for Wordpress

Inventory

Inventory plugins for Wordpress

Video Player

Video Player plugins for Wordpress

Testimonials

Testimonials plugins for Wordpress

Tabs

Tabs plugins for Wordpress

Social Sharing

Social Sharing plugins for Wordpress

Social Feeds

Social Feeds plugins for Wordpress

Slider

Slider plugins for Wordpress

Reviews

Reviews plugins for Wordpress

Portfolio

Portfolio plugins for Wordpress

Membership

Membership plugins for Wordpress

Forms

Forms plugins for Wordpress

Events Calendar

Events Calendar plugins for Wordpress

Contact

Contact plugins for Wordpress

Comments

Comments plugins for Wordpress

Analytics

Analytics plugins for Wordpress

More plugins

plugins You Might Like

Discover Apps By Platform

Discover the best apps for your website

WordPress
Wix
Shopify
Weebly
Webflow
Joomla
PrestaShop
Shift4Shop
WebsiteX5
MODX
Opencart
NopCommerce

Common Ninja Search Engine

The Common Ninja Search Engine platform helps website builders find the best site widgets, apps, plugins, tools, add-ons, and extensions! Compatible with all major website building platforms - big or small - and updated regularly, our Search Engine tool provides you with the business tools your site needs!

Multiple platforms