• Hi,

    I am wondering how to handle email security. I see two general areas which could possibly be vulnerabilities:
* WordPress sending emails as [email protected] (e.g. for new user registration)
* Contact Form 7 sending emails (e.g. you can set [email protected])

    It seems to me these are both insecure, and Outlook365 was picking up the emails from Contact Form 7 as spam.

    What do people do to make sure their security is not compromised?

    Thanks a lot for any input.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator James Huff

    (@macmanx)

How exactly do you feel those are security concerns, and what would separate them from how password reset emails are handled by Facebook and Google (for example)?

    What you’re currently describing isn’t really a security concern. If you mean email addresses can be spoofed, you are correct, but that’s just an issue inherent in email itself. Many reputable companies and organizations still trust email for password resets.

    Thread Starter ausalive

    (@ausalive)

    Thanks for your reply.

    I do see it as a security concern at the moment, but maybe you can help me to understand.

With Facebook and Google, they never send emails from your domain without permission (e.g. [email protected]). They always send it from their own secure server.

The issue I see with WordPress is that it can “pretend” to be any email address on your domain (e.g. [email protected]) – having the ability to do this is what I see as a concern.

    Moderator James Huff

    (@macmanx)

    Ah, ok, but how do you see that as a security concern?

What you’re describing is just normal email operation; anything can be put in the “from” field, it’s just usually a valid email address.

For example, where would you like it to be sent from? Let’s say the same [email protected] you put into Settings -> General. That would seem the most logical, but then you run into the problem where lots of spam filters discard emails both sent from and received by the same email address, which is what would happen in that case.

    WordPress avoids this by sending as [email protected] which again is really just normal email operation. Normal, not common, but normal.
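As an added example (not code from this thread or from WordPress itself), here is how a site owner can make the sender address explicit instead of relying on the default wordpress@ mailbox, while still avoiding the From-equals-To case James describes. It uses WordPress's real `wp_mail_from` and `wp_mail_from_name` filters; the mailbox name `noreply` is an assumption and should be a real, monitored address on the site's domain so that bounces and replies are not lost.

```php
<?php
/*
Plugin Name: Fixed Sender Address (added example, drop in wp-content/mu-plugins)
*/

// Send every wp_mail() message (core notifications, Contact Form 7, etc.)
// from one dedicated mailbox on the site's own domain.
add_filter( 'wp_mail_from', function ( $default_from ) {
    $host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( ! $host ) {
        return $default_from; // keep WordPress's own choice if the host is unknown
    }
    $host   = preg_replace( '/^www\./i', '', $host );
    $sender = 'noreply@' . $host; // assumed mailbox name; use one that exists

    // Never let From equal the admin address: many spam filters discard mail
    // that is both sent from and delivered to the same mailbox.
    if ( strcasecmp( $sender, (string) get_option( 'admin_email' ) ) === 0 ) {
        return $default_from;
    }
    return $sender;
} );

// Use the site title as the display name so recipients see who sent it.
add_filter( 'wp_mail_from_name', function () {
    return get_bloginfo( 'name' );
} );
```

Whatever address is chosen, the receiving side still cannot tell it apart from a forged one unless the domain's mail authentication records authorise the server that actually sends it.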

  • The topic ‘Email security in WordPress’ is closed to new replies.