
Add a code snippet to protect your site from zero-day vulnerability

A couple of days ago, a WordPress vulnerability was disclosed. In some cases, depending on the server configuration, an attacker might be able to play some dirty tricks with the password reset function of WordPress.
While you wait for WordPress to patch this, there’s one thing you can do now to harden your security.

WP Tavern suggests that one should simply add the following snippet:
// Force the From: address of every email WordPress sends to a fixed address on your own domain,
// instead of the default one WordPress builds from the host name of the incoming request.
// Replace mysite.com with your own domain.
add_filter( 'wp_mail_from', function( $from_email ) { return 'wordpress@mysite.com'; } );

I’ll show you one easy way to do that.

  1. Install the nice plugin Code Snippets by Shea Bunge, and activate it.
  2. In the main admin menu, you should now have a new entry, called “Snippets” with an icon featuring a pair of scissors. Go to Snippets -> Add new
  3. Name your snippet something like “Force email from this server to use a hardcoded address as sender” and paste the code snippet into the field “Code”. Remember to edit the sender email address so that it matches your domain name.
  4. Under “Description” you might add more information, if needed. Here you could, for instance, paste a link to my blog post, as a reminder about what this is all about. The “Tags” field would probably be helpful if you had a lot of snippets and would need to sort them.
  5. Finally, hit the button Save changes and activate. Note that this snippet needs to be active for all pages, not only the admin area, since the password reset functionality itself is not part of the admin area.

One more thing. This simple patch will hardcode a sender address for every email sent from your website, which may also affect emails sent from other parts of your site, like a contact form that sets its own sender address.
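If that side effect matters to you, here is a narrower variant of the same filter, written as an added example for this post (it is not WP Tavern's snippet nor part of the Code Snippets plugin). It only rewrites the sender when WordPress fell back to its own default “wordpress@<host>” address, and it takes the replacement host from the Site Address configured under Settings > General (home_url()) rather than from the request; it assumes that setting holds your real domain. Paste it into the “Code” field exactly like the snippet above (the plugin needs no opening <?php tag).

```php
/*
 * Added example: only override the default WordPress sender address.
 * Emails where a plugin or theme set an explicit From: address keep it,
 * so a contact form is not affected. The host is taken from the site's
 * configured address, never from the incoming request.
 */
add_filter( 'wp_mail_from', function ( $from_email ) {
    // Leave addresses that a plugin or theme chose on purpose alone.
    if ( 0 !== stripos( $from_email, 'wordpress@' ) ) {
        return $from_email;
    }

    // Assumption: Settings > General > Site Address holds the real domain.
    $host = parse_url( home_url(), PHP_URL_HOST );
    if ( empty( $host ) ) {
        // Site address not usable: fall back to a fixed address on your domain
        // (replace mysite.com with your own domain).
        return 'wordpress@mysite.com';
    }

    // Mirror WordPress' own normalisation of the default sender host.
    $host = strtolower( $host );
    if ( 'www.' === substr( $host, 0, 4 ) ) {
        $host = substr( $host, 4 );
    }

    return 'wordpress@' . $host;
} );
```

You can check the result by requesting a password reset for a test account and looking at the From: header of the mail you receive.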
