[WordPress] Plugin share: Host Header Injection Fix

500+ active installations
5/5 stars (6 reviews)
Last updated: 48 days ago
Requires WordPress 4.7+ and PHP 5.6.20+; current version v3.5; listed: 2017-11-05

Description

Enables custom headers for WP email notifications
Also provides a "set it and forget it" security fix for WP < 5.5

Important

As of WordPress 5.5, the host-header security issue reported in Ticket #25239 has been fixed. The fix is also mentioned in the WordPress 5.5 Beta 4 post. Thank you, WordPress developers!

Is this plugin still useful?

Yes: it lets you choose the "From", "Name" and "Return-Path" headers for all WP notification emails. And for WordPress versions below 5.5, the plugin continues to fix the host-header injection security issue.

Features

This simple plugin does three things:

Sets custom From, Name and Return-Path headers for WP notifications
Fixes a security vulnerability in WordPress versions < 5.5
Fixes a bug in WordPress versions < 5.5 where invalid email addresses are generated

Choose from the following options:

Use WordPress defaults (insecure for WP < 5.5)
Use the "Email Address" from WP General Settings
Use a custom name and address

There is also an option to use the specified From address as the Return-Path header.

Why?

The security issue this plugin fixes has been known since way back in WordPress 2.3. There has been some talk of fixing it, but nothing was implemented. While the issue does not affect all sites, it does affect a good percentage of them, including some of my own projects. So, not wanting to get hacked, I decided to write my own solution. Hopefully the issue gets fixed in a future version of WordPress and this plugin becomes unnecessary.

As a bonus, explicitly setting the From header resolves a long-standing bug whereby an invalid email address is generated when:

no "From" address is set,
and $_SERVER['SERVER_NAME'] is empty.

So by explicitly setting the "From" address, we prevent this bug from happening.

Security Issue

What is the security issue addressed by this plugin? Here is a quick summary; for more depth, see the resources linked in the next section.

WordPress uses $_SERVER['SERVER_NAME'] to set the "From" header in email notifications
This includes sensitive notifications such as password resets and user registration
In some cases an attacker can modify the "From" header and intercept the email
With the intercepted email, an attacker could gain access to your site and cause a great deal of damage

More Info

This security vulnerability is well known and has been around for a long time. To learn more, see these articles:

WP Core Trac Ticket
WP Vulnerability Database
Exploit Box Info
More info


Original plugin description

👉 Enables custom headers for WP email notifications
👉 Also provides a “set it and forget it” security fix for WP < 5.5
👉 Uses only 50KB of code, so super lightweight, fast, and effective

Important

As of WordPress 5.5, this plugin is no longer necessary to fix the host-header security issue: the issue reported in Ticket #25239 finally is fixed, as mentioned in this post: WordPress 5.5 Beta 4. Thank You WordPress devs!

Is this plugin still useful?

Yes, it enables you to choose the “From”, “Name”, and “Return-Path” headers for all WP notification emails. And for versions of WordPress less than 5.5, this plugin continues to fix the host-header injection security issue.

Features

This simple plugin does three things:

Sets custom From, Name, and Return-Path for WP notifications
Fixes a security vulnerability in WordPress versions < 5.5
Fixes a bug where invalid email addresses may be generated (in WordPress versions < 5.5)

Choose from the following options:

Use WordPress defaults (insecure for WP < 5.5)
Use “Email Address” from WP General Settings
Use a custom name and address

Plus there is an option to use the specified From address as the Return-Path header.

Why?

The security issue fixed by this plugin has been known about since way back in WordPress version 2.3. There has been some talk about fixing it, but nothing has been implemented. While the issue does not affect all sites, it does affect a good percentage of them, including some of my own projects. So, not wanting to get hacked, I decided to write my own solution. Hopefully this issue gets fixed in a future version of WordPress, and this plugin will become unnecessary.

As a bonus, setting an explicit From address resolves a long-standing bug whereby an invalid email address is generated under the following conditions:

A “From” address is not set,
And the $_SERVER['SERVER_NAME'] is empty

So by explicitly setting a “From” address, we prevent this bug from happening.

Security Issue

What is the security issue addressed by this plugin? Here is a quick summary. To learn more in-depth, check out the resources linked in the next section.

WP uses $_SERVER['SERVER_NAME'] to set the “From” header in email notifications
This includes sensitive email notifications like password resets and user registration
In some cases, an attacker could modify the “From” header and intercept the email
Using the intercepted email, an attacker could gain access to your site and wreak havoc

More Infos

This security vulnerability is well-known and has been around for a looong time. To learn more, check out these articles:

WP Core Trac Ticket
Exploit Box Info
Exploit Database

Privacy

This plugin does not collect or store any user data. It does not set any cookies, and it does not connect to any third-party locations. Thus, this plugin does not affect user privacy in any way.

Host Header Injection Fix is developed and maintained by Jeff Starr, 15-year WordPress developer and book author.

Support development

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

The Tao of WordPress
Digging into WordPress
.htaccess made easy
WordPress Themes In Depth
Wizard’s SQL Recipes for WordPress

And/or purchase one of my premium WordPress plugins:

BBQ Pro – Blazing fast WordPress firewall
Blackhole Pro – Automatically block bad bots
Banhammer Pro – Monitor traffic and ban the bad guys
GA Google Analytics Pro – Connect WordPress to Google Analytics
Head Meta Pro – Ultimate Meta Tags for WordPress
Simple Ajax Chat Pro – Unlimited chat rooms
USP Pro – Unlimited front-end forms

Links, tweets and likes also appreciated. Thank you! 🙂
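The following is an added example (my own code, not the plugin's) illustrating the issue described in the two Security Issue sections above: a reconstruction of how WordPress < 5.5 built the default sender from $_SERVER['SERVER_NAME'], next to a small must-use plugin that pins From, Name and Return-Path to owner-controlled values through the core wp_mail_from, wp_mail_from_name and phpmailer_init hooks. The example_ function names are assumptions; the hooks and get_option()/is_email() are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Explicit Mail Sender (illustrative example)
 * Description: Added example, not the Host Header Injection Fix plugin's own code.
 * Install by copying into wp-content/mu-plugins/ on a WordPress site.
 */

// Reconstruction of the WordPress < 5.5 default sender derivation, for illustration.
// $_SERVER['SERVER_NAME'] can be populated from the client-supplied Host header on
// servers that do not pin a canonical name, so the sender domain is request-controlled.
function example_legacy_default_from( $server_name ) {
    $sitename = strtolower( (string) $server_name );
    if ( 'www.' === substr( $sitename, 0, 4 ) ) {
        $sitename = substr( $sitename, 4 );
    }
    // An empty $server_name yields "wordpress@", the invalid address the page describes.
    return 'wordpress@' . $sitename;
}

// Hardened From: ignore the request entirely; use the "Email Address" from
// Settings > General (the plugin's second option), validated with is_email().
function example_fixed_from( $from ) {
    $admin = get_option( 'admin_email' );
    return is_email( $admin ) ? $admin : $from;
}
add_filter( 'wp_mail_from', 'example_fixed_from', PHP_INT_MAX );

// Hardened Name: the site title, with HTML entities decoded for the mail header.
function example_fixed_from_name( $name ) {
    $blogname = get_option( 'blogname' );
    return $blogname ? wp_specialchars_decode( $blogname, ENT_QUOTES ) : $name;
}
add_filter( 'wp_mail_from_name', 'example_fixed_from_name', PHP_INT_MAX );

// Return-Path (envelope sender): by the time phpmailer_init fires, wp_mail() has
// already applied the wp_mail_from filter to $phpmailer->From, so reuse it as the
// Sender. Bounces then go to the owner's address, not a request-supplied host.
function example_fixed_return_path( $phpmailer ) {
    if ( is_email( $phpmailer->From ) ) {
        $phpmailer->Sender = $phpmailer->From;
    }
}
add_action( 'phpmailer_init', 'example_fixed_return_path' );
```

To see the legacy behaviour, call example_legacy_default_from() with an empty string or with a hostname you do not own and compare it with what the filters above return on your site.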
