Spring Sale! Save 30% on all books w/ code: PLANET24
Web Dev + WordPress + Security

New WordPress Security Plugin: Host Header Injection Fix

[ HHIF (Host Header Injection Fix) ]

Since version 2.3, WordPress has been vulnerable to a Host Header Injection attack in certain server environments. Over the years, there has been some discussion about fixing the vulnerability, but as of WP 4.9 (beta) nothing has been implemented. So to help those in the WP community who may be concerned (including myself), I developed a new security plugin that fixes the issue: Host Header Injection Fix (HHIF).

“Set it and forget it” security fix

How it works

The HHIF plugin enables you to choose the “From”, “Name”, and “Return-Path” headers for all WP notification emails. In doing so, it fixes a long-standing security vulnerability, whereby an attacker can intercept sensitive email notifications (like password reset, user registration, et al). More specifically, this simple plugin does three things:

  1. Sets custom From, Name, and Return-Path for WP notifications
  2. Fixes a security vulnerability in sending WP notifications
  3. Fixes a bug where invalid email addresses may be generated

To accomplish this, the plugin provides the following options:

  • Disable fix and let WordPress decide
  • Use “Email Address” from WP General Settings
  • Use a custom name and address

Plus there is an option to use the specified From address as the Return-Path header.

Here is a screenshot to give you a better idea:

[ HHIF Settings ]

As you can see, the plugin is very simple. Install, activate, choose your “fix”, and done. From there, you can relax knowing that your site no longer is vulnerable to the lingering host-header injection attack. HHIF works silently behind the scenes to make sure all WP email notifications are safe and secure.

Why?

The security issue fixed by this plugin has been known about since way back in WordPress version 2.3. There has been some talk about fixing, but nothing has been implemented. While the issue does not affect all sites, it does affect a good percentage of them, including some of my own projects. So, not wanting to get hacked, I decided to write my own solution. Hopefully this issue gets fixed in a future version of WordPress, and this plugin will become unnecessary.

As a bonus, setting an explicit From address resolves a long-standing bug whereby an invalid email address is generated under the following conditions:

  • A “From” address is not set,
  • And the $_SERVER['SERVER_NAME'] is empty

So by explicitly setting a “From” address, we prevent this bug from happening.

More infos

What is the security issue addressed by this plugin? Follows is a quick summary. To learn more in-depth, check out the resources linked in the next section.

  • WP uses $_SERVER['SERVER_NAME'] to set the “From” header in email notifications
  • This includes sensitive email notifications like password resets and user registration
  • In some cases, an attacker could modify the “From” header and intercept the email
  • Using the intercepted email, an attacker could gain access to your site

Again, this security vulnerability is well-known and has been around for a looong time. To learn more, check out these articles:

Download

To learn more about the plugin and download, check out Host Header Injection Fix at the WordPress Plugin Directory. Tip: If installing the plugin from inside of the WP Admin Area, try searching for “HHIF”, should be the first result :)

About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
.htaccess made easy: Improve site performance and security.

4 responses to “New WordPress Security Plugin: Host Header Injection Fix”

  1. Kristian Adolfsson 2017/11/06 11:59 pm

    Thanks again Jeff for making WP safer.

  2. Thanks for this Jeff. And you other posts on security.

    We’re recent converts to WordPress having previously used Joomla for some years. (Own site only.) It is an absolute pain being hacked and having to rebuild a site. Happened to us a couple of years ago and as the person that gets nominated to “fix things” I’m sure keen for it not to happen with WordPress.

  3. Why a security issue as grave as this hasn’t been fixed all this years is beyond me.

    Never knew this existed. So going to install the plugin on all my sites right away.

    Thanks Jeff.

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
USP Pro: Unlimited front-end forms for user-submitted posts and more.
Thoughts
I live right next door to the absolute loudest car in town. And the owner loves to drive it.
8G Firewall now out of beta testing, ready for use on production sites.
It's all about that ad revenue baby.
Note to self: encrypting 500 GB of data on my iMac takes around 8 hours.
Getting back into things after a bit of a break. Currently 7° F outside. Chillz.
2024 is going to make 2020 look like a vacation. Prepare accordingly.
First snow of the year :)
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.