Title: Host Header Injection Fix
Author: Jeff Starr
Published: 6 November 2017
Last modified: 18 April 2026

---


![](https://ps.w.org/host-header-injection-fix/assets/banner-772x250.jpg?rev=1759657)

![](https://ps.w.org/host-header-injection-fix/assets/icon-256x256.png?rev=1759657)

# Host Header Injection Fix

By [Jeff Starr](https://profiles.wordpress.org/specialk/)

[Download](https://downloads.wordpress.org/plugin/host-header-injection-fix.3.6.zip)


## Description

👉 Enables custom headers for WP email notifications

👉 Also provides a "set it and forget it" security fix for WP < 5.5

👉 Uses only 50KB of code, so super lightweight, fast, and effective

**Important**

As of WordPress 5.5, this plugin is no longer necessary to fix the [host-header security issue](https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html):
the bug reported in [Ticket #25239](https://core.trac.wordpress.org/ticket/25239) is **finally**
fixed, as mentioned in the post [WordPress 5.5 Beta 4](https://wordpress.org/news/2020/07/wordpress-5-5-beta-4/).
Thank you WordPress devs!

**Is this plugin still useful?**

Yes, it enables you to choose the "From", "Name", and "Return-Path" headers for
all WP notification emails. And for versions of WordPress older than 5.5, this plugin
continues to fix the host-header injection security issue.

**Features**

This simple plugin does three things:

 1. Sets custom From, Name, and Return-Path for WP notifications
 2. Fixes a security vulnerability in WordPress versions < 5.5
 3. Fixes a bug where invalid email addresses may be generated (in WordPress versions
    < 5.5)

Choose from the following options:

 * Use WordPress defaults (insecure for WP < 5.5)
 * Use "Email Address" from WP General Settings
 * Use a custom name and address

Plus there is an option to use the specified From address as the Return-Path header.

**Why?**

The security issue fixed by this plugin has been known since way back in WordPress
version 2.3. There has been some talk about fixing it, but nothing has been implemented.
While the issue does not affect all sites, it does affect a good percentage of them,
including some of my own projects. So, not wanting to get hacked, I decided to write
my own solution. Hopefully this issue gets fixed in a future version of WordPress,
and this plugin will become unnecessary.

As a bonus, setting an explicit From address resolves a long-standing bug whereby
an invalid email address is generated under the following conditions:

 * A "From" address is not set, and
 * `$_SERVER['SERVER_NAME']` is empty

So by explicitly setting a "From" address, we prevent this bug from happening.

**Security Issue**

What is the security issue addressed by this plugin? Here is a quick summary.
For a more in-depth explanation, check out the resources linked in the next section.

 * WP uses `$_SERVER['SERVER_NAME']` to set the "From" header in email notifications
 * This includes sensitive email notifications like password resets and user registration
 * In some cases, an attacker could modify the "From" header and intercept the email
 * Using the intercepted email, an attacker could gain access to your site and wreak
   havoc
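The mitigation described above and under "Why?", as an added example that is not the plugin's own code: a small mu-plugin that pins the From, Name and Return-Path of WordPress mail to admin-controlled values through the `wp_mail_from`, `wp_mail_from_name` and `phpmailer_init` hooks, so the request-derived `$_SERVER['SERVER_NAME']` is never consulted (which also sidesteps the empty-`SERVER_NAME` bug). The `HHIF_FROM_ADDRESS` / `HHIF_FROM_NAME` constants and the `hhif_example_*` function names are assumptions chosen here, not part of the plugin.

```php
<?php
/**
 * Added example (not the plugin's own code) for WordPress < 5.5.
 * Place in wp-content/mu-plugins/ so it loads before other plugins.
 * HHIF_FROM_ADDRESS / HHIF_FROM_NAME are hypothetical constants.
 */

// Leave the address empty to fall back to Settings > General > "Email Address"
// (the admin_email option); leave the name empty to fall back to the site title.
define( 'HHIF_FROM_ADDRESS', '' );
define( 'HHIF_FROM_NAME', '' );

/**
 * Resolve the From address from stored settings, never from the request.
 * Anything that does not validate as an email address leaves the original
 * value untouched rather than emitting a malformed header.
 */
function hhif_example_from_address( $original ) {
	$address = HHIF_FROM_ADDRESS !== '' ? HHIF_FROM_ADDRESS : get_option( 'admin_email' );
	$address = sanitize_email( $address );
	return is_email( $address ) ? $address : $original;
}
add_filter( 'wp_mail_from', 'hhif_example_from_address', 20 );

/**
 * Resolve the From name; strip CR/LF so a stored value can never add
 * extra header lines to the message.
 */
function hhif_example_from_name( $original ) {
	$name = HHIF_FROM_NAME !== '' ? HHIF_FROM_NAME : get_option( 'blogname' );
	$name = wp_specialchars_decode( $name, ENT_QUOTES );
	$name = trim( str_replace( array( "\r", "\n" ), '', $name ) );
	return $name !== '' ? $name : $original;
}
add_filter( 'wp_mail_from_name', 'hhif_example_from_name', 20 );

/**
 * Return-Path is the envelope sender, which PHPMailer exposes as Sender.
 * Only set it when we actually control the From address, mirroring the
 * plugin's opt-in "Email Return Path" option.
 */
function hhif_example_return_path( $phpmailer ) {
	$from = hhif_example_from_address( '' );
	if ( $from !== '' ) {
		$phpmailer->Sender = $from;
	}
}
add_action( 'phpmailer_init', 'hhif_example_return_path' );
```

After installing, trigger a password-reset email for a test account and confirm in the received message that the From and Return-Path headers show the configured address rather than `wordpress@<request host>`.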

**More Info**

This security vulnerability is well known and has been around for a long time.
To learn more, check out these articles:

 * [WP Core Trac Ticket](https://core.trac.wordpress.org/ticket/25239)
 * [Exploit Box Info](https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html)
 * [Exploit Database](https://www.exploit-db.com/exploits/41963)

**Privacy**

This plugin does not collect or store any user data. It does not set any cookies,
and it does not connect to any third-party locations. Thus, this plugin does not
affect user privacy in any way.

Host Header Injection Fix is developed and maintained by [Jeff Starr](https://x.com/perishable),
15-year [WordPress developer](https://plugin-planet.com/) and [book author](https://books.perishablepress.com/).

**Support development**

I develop and maintain this free plugin with love for the WordPress community. To
show support, you can [make a donation](https://monzillamedia.com/donate.html) or
purchase one of my books:

 * [The Tao of WordPress](https://wp-tao.com/)
 * [Digging into WordPress](https://digwp.com/)
 * [.htaccess made easy](https://htaccessbook.com/)
 * [WordPress Themes In Depth](https://wp-tao.com/wordpress-themes-book/)
 * [Wizard’s SQL Recipes for WordPress](https://books.perishablepress.com/downloads/wizards-collection-sql-recipes-wordpress/)

And/or purchase one of my premium WordPress plugins:

 * [BBQ Pro](https://plugin-planet.com/bbq-pro/) – Blazing fast WordPress firewall
 * [Blackhole Pro](https://plugin-planet.com/blackhole-pro/) – Automatically block
   bad bots
 * [Banhammer Pro](https://plugin-planet.com/banhammer-pro/) – Monitor traffic and
   ban the bad guys
 * [GA Google Analytics Pro](https://plugin-planet.com/ga-google-analytics-pro/) –
   Connect WordPress to Google Analytics
 * [Head Meta Pro](https://plugin-planet.com/head-meta-pro/) – Ultimate Meta Tags
   for WordPress
 * [REST Pro Tools](https://plugin-planet.com/rest-pro-tools/) – Awesome tools for
   managing the WP REST API
 * [Simple Ajax Chat Pro](https://plugin-planet.com/simple-ajax-chat-pro/) – Unlimited
   chat rooms
 * [USP Pro](https://plugin-planet.com/usp-pro/) – Unlimited front-end forms

Links, tweets and likes also appreciated. Thank you! 🙂

## Screenshots

 * Host Header Injection Fix: Default Plugin Settings

## Installation

**Installing HHIF**

 1. Upload the plugin to your blog and activate
 2. Visit the plugin settings to configure options

[More info on installing WP plugins](https://wordpress.org/documentation/article/manage-plugins/#installing-plugins-1)

**Restore Default Options**

To restore default options, uninstall the plugin via the WP Plugins screen, and 
then reinstall.

**Like the plugin?**

If you like Host Header Injection Fix, please take a moment to [give a 5-star rating](https://wordpress.org/support/plugin/host-header-injection-fix/reviews/?rate=5#new-post).
It helps to keep development and support going strong. Thank you!

**Uninstalling**

This plugin cleans up after itself. All plugin settings will be removed from the
WordPress database when the plugin is deleted via the WP Plugins screen.

## FAQ

### The bug was fixed? Is this plugin still useful?

As of WordPress 5.5, this plugin is no longer necessary. They finally fixed the
bug reported in [Ticket #25239](https://core.trac.wordpress.org/ticket/25239), as mentioned
in the post [WordPress 5.5 Beta 4](https://wordpress.org/news/2020/07/wordpress-5-5-beta-4/).
Thank you WordPress devs!

"So is the plugin still useful?"

Yes, HHIF enables you to choose the "From", "Name", and "Return-Path" headers for
all WP notification emails. And for versions of WordPress older than 5.5, this plugin
continues to fix the host-header injection security issue.

### How to test if I need the plugin?

For fixing the host-header injection security issue, this plugin is necessary only
for WordPress versions older than 5.5 (the bug was fixed in WP 5.5). So if you are
running WP 5.5 or later, you do not need this plugin, unless you want to customize
the headers used in WP notification emails.

If you are using WordPress less than 5.5, you can find more information on testing
[here](https://www.exploit-db.com/exploits/41963) and [here](https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html).

### Does this work for WP Multisite?

Yes, if activated on an individual per-site basis; i.e., it may not work properly with
network-wide activation.

### Does the plugin provide any hooks?

Yes, there are numerous hooks available for advanced customization. Refer to the
source code for details.

### What about the option for Email Return Path?

When the HHIF option WP Notifications > "Use custom address" is enabled, the plugin
reveals another option called "Email Return Path". There you can check the
box to use the "Email From Address" as the Return-Path for all emails sent by WordPress
(e.g., new user notifications, new comment notifications, login-related notifications,
etc.). So check/enable this option only if you want to use the "Email From Address"
as the Return-Path for _all_ emails sent by WordPress. If in doubt, leave the option
unchecked/disabled.

### Do you offer any other security plugins?

Yes, three of them:

 * [BBQ Firewall](https://wordpress.org/plugins/block-bad-queries/) for super-fast
   firewall security
 * [Blackhole for Bad Bots](https://wordpress.org/plugins/blackhole-bad-bots/) to
   protect your site against bad bots
 * [Banhammer](https://wordpress.org/plugins/banhammer/) to monitor and ban any 
   user or IP address

Pro versions with more features available at [Plugin Planet](https://plugin-planet.com/).

### Does this plugin work with Gutenberg?

Yes, it works great regardless of which editor (block or classic) is used.

### Got a question?

Send any questions or feedback via my [contact form](https://plugin-planet.com/support/#contact).

## Reviews


### [Another must have from Jeff](https://wordpress.org/support/topic/another-must-have-from-jeff/)

[Mr Tibbs](https://profiles.wordpress.org/mtibesar/) 7 August 2020

Anything Jeff Starr creates significantly enhances the security of your site.


### [NR1](https://wordpress.org/support/topic/nr1/)

[mickeey](https://profiles.wordpress.org/mickeey/) 11 June 2020

Works perfectly and easily to install without any hassle.


### [Simple fix for Great solution!](https://wordpress.org/support/topic/simple-fix-for-great-solution/)

[lars Portman](https://profiles.wordpress.org/webppower/) 19 November 2019

GOOD! Light-smooth install for must have solution!


### [Must Use for WordPress Security Reasons](https://wordpress.org/support/topic/must-use-for-wordpress-security-reasons/)

[warriorhelp](https://profiles.wordpress.org/warriorhelp/) 23 September 2018

The perfect solution that fixes the issue: Host Header Injection. All of Jeff Starr’s
plug-ins are highly recommended.


### [Simple fix for known security issue](https://wordpress.org/support/topic/simple-fix-for-known-security-issue/)

[RayBernard](https://profiles.wordpress.org/raybernard/) 3 June 2018

This is a simple fix for a known and understandable security issue. Thank you.


### [It Works!](https://wordpress.org/support/topic/it-works-1367/)

[Matt](https://profiles.wordpress.org/msjanoah/) 3 February 2018

It works.

[Read all 6 reviews](https://wordpress.org/support/plugin/host-header-injection-fix/reviews/)

## Contributors & Developers

"Host Header Injection Fix" is open source software. The following people have
contributed to this plugin:

Contributors

 * [Jeff Starr](https://profiles.wordpress.org/specialk/)

"Host Header Injection Fix" has been translated into 1 language. Thanks to [the translators](https://translate.wordpress.org/projects/wp-plugins/host-header-injection-fix/contributors)
for their contributions.

[Translate "Host Header Injection Fix" into your language.](https://translate.wordpress.org/projects/wp-plugins/host-header-injection-fix)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/host-header-injection-fix/),
check out the [SVN repository](https://plugins.svn.wordpress.org/host-header-injection-fix/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/host-header-injection-fix/)
by [RSS](https://plugins.trac.wordpress.org/log/host-header-injection-fix/?limit=100&mode=stop_on_copy&format=rss).

## Changelog


**3.6 (2026/04/18)**

 * Improves readme.txt documentation
 * Tests on PHP 8.4 and 8.5
 * Tests on WordPress 7.0

Full changelog @ [https://plugin-planet.com/wp/changelog/host-header-injection-fix.txt](https://plugin-planet.com/wp/changelog/host-header-injection-fix.txt)

## Meta

 * Version **3.6**
 * Last updated **1 day ago**
 * Active installations **500+**
 * WordPress version **4.7 or higher**
 * Tested up to **7.0**
 * PHP version **5.6.20 or higher**
 * Languages: [Dutch](https://nl.wordpress.org/plugins/host-header-injection-fix/) and [English (US)](https://wordpress.org/plugins/host-header-injection-fix/). [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/host-header-injection-fix)
 * Tags: [email](https://de-at.wordpress.org/plugins/tags/email/), [headers](https://de-at.wordpress.org/plugins/tags/headers/), [injection](https://de-at.wordpress.org/plugins/tags/injection/), [notification](https://de-at.wordpress.org/plugins/tags/notification/), [security](https://de-at.wordpress.org/plugins/tags/security/)
 * [Advanced view](https://de-at.wordpress.org/plugins/host-header-injection-fix/advanced/)

## Ratings

5 out of 5 stars.

 * [6 5-star reviews](https://wordpress.org/support/plugin/host-header-injection-fix/reviews/?filter=5)
 * [0 4-star reviews](https://wordpress.org/support/plugin/host-header-injection-fix/reviews/?filter=4)
 * [0 3-star reviews](https://wordpress.org/support/plugin/host-header-injection-fix/reviews/?filter=3)
 * [0 2-star reviews](https://wordpress.org/support/plugin/host-header-injection-fix/reviews/?filter=2)
 * [0 1-star reviews](https://wordpress.org/support/plugin/host-header-injection-fix/reviews/?filter=1)


## Support

Got something to say? Need help?

[View support forum](https://wordpress.org/support/plugin/host-header-injection-fix/)

## Donate

Would you like to support the advancement of this plugin?

[Donate to this plugin](https://monzillamedia.com/donate.html)