Host Header Injection Fix


This plugin enables you to choose the “From”, “Name”, and “Return-Path” headers for all WP notification emails. In doing so, it fixes a long-standing security vulnerability.

“Set it and forget it” security fix

This simple plugin does three things:

  1. Sets custom From, Name, and Return-Path for WP notifications
  2. Fixes a security vulnerability in sending WP notifications
  3. Fixes a bug where invalid email addresses may be generated

Choose from the following options:

  • Disable fix and let WordPress decide
  • Use “Email Address” from WP General Settings
  • Use a custom name and address

Plus there is an option to use the specified From address as the Return-Path header.


The security issue fixed by this plugin has been known about since way back in WordPress version 2.3. There has been some talk about fixing it, but nothing has been implemented. While the issue does not affect all sites, it does affect a good percentage of them, including some of my own projects. So, not wanting to get hacked, I decided to write my own solution. Hopefully this issue gets fixed in a future version of WordPress, and this plugin will become unnecessary.

As a bonus, setting an explicit From address resolves a long-standing bug whereby an invalid email address is generated under the following conditions:

  • A “From” address is not set,
  • And $_SERVER['SERVER_NAME'] is empty

So by explicitly setting a “From” address, we prevent this bug from happening.

Security Issue

What is the security issue addressed by this plugin? What follows is a quick summary. To learn more in depth, check out the resources linked in the next section.

  • WordPress uses $_SERVER['SERVER_NAME'] to set the “From” header in email notifications
  • This includes sensitive email notifications like password resets and user registration
  • In some cases, an attacker could modify the “From” header and intercept the email
  • Using the intercepted email, an attacker could gain access to your site and wreak havoc
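As an added illustration of the mitigation the bullets describe (this is not the plugin's own code), the following must-use plugin pins the From, Name and Return-Path headers for every wp_mail() notification using WordPress's standard wp_mail_from, wp_mail_from_name and phpmailer_init hooks, so the sender address never comes from $_SERVER['SERVER_NAME']; the address and name constants are placeholders.

```php
<?php
/**
 * Added example, not part of the Host Header Injection Fix plugin.
 * Drop into wp-content/mu-plugins/ to force explicit sender headers on all
 * WordPress notification emails instead of letting WordPress derive the
 * sender domain from the (attacker-influenceable) SERVER_NAME value.
 */

// Placeholders: use a mailbox on a domain you control.
define( 'HHIF_EXAMPLE_FROM_EMAIL', 'notifications@example.com' );
define( 'HHIF_EXAMPLE_FROM_NAME',  'Example Site' );

// From address: the admin email from WP General Settings if it is valid,
// otherwise the fixed fallback. The incoming $from (built from SERVER_NAME)
// is deliberately ignored.
function hhif_example_from_address( $from ) {
    $admin = sanitize_email( get_option( 'admin_email' ) );
    return is_email( $admin ) ? $admin : HHIF_EXAMPLE_FROM_EMAIL;
}
// PHP_INT_MAX priority so this runs after any other filter on the hook.
add_filter( 'wp_mail_from', 'hhif_example_from_address', PHP_INT_MAX );

// Display name shown next to the From address.
function hhif_example_from_name( $name ) {
    return HHIF_EXAMPLE_FROM_NAME;
}
add_filter( 'wp_mail_from_name', 'hhif_example_from_name', PHP_INT_MAX );

// Return-Path is the SMTP envelope sender; PHPMailer exposes it as $Sender.
// By the time phpmailer_init fires, wp_mail() has already applied the
// wp_mail_from filter, so reusing $phpmailer->From keeps both headers aligned.
function hhif_example_return_path( $phpmailer ) {
    if ( is_email( $phpmailer->From ) ) {
        $phpmailer->Sender = $phpmailer->From;
    }
}
add_action( 'phpmailer_init', 'hhif_example_return_path' );
```

After activating, send a test notification (for example a password reset) and confirm in the raw message that From and Return-Path show the configured address rather than the request's host.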

More Info

This security vulnerability is well-known and has been around for a looong time. To learn more, check out these articles:


This plugin does not collect or store any user data. It does not set any cookies, and it does not connect to any third-party locations. Thus, this plugin does not affect user privacy in any way.

Works perfectly with or without Gutenberg Block Editor

Support development of this plugin

I develop and maintain this free plugin with love for the WordPress community. To show support, you can make a donation or purchase one of my books:

And/or purchase one of my premium WordPress plugins:

Links, tweets and likes also appreciated. Thank you! 🙂


  • Host Header Injection Fix: Default Plugin Settings


Installing HHIF

  1. Upload the plugin to your blog and activate
  2. Visit the plugin settings to configure options

More info on installing WP plugins


HHIF cleans up after itself. All plugin settings will be removed from your database when the plugin is uninstalled via the Plugins screen.

Restore Default Options

To restore default options, uninstall the plugin via the WP Plugins screen, and then reinstall.

Like the plugin?

If you like Host Header Injection Fix, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!


Does this work for WP Multisite?

Yes, this plugin works great on Multisite.

Does the plugin provide any hooks?

Yes, there are numerous hooks available for advanced customization. Refer to the source code for details.

Do you offer any other security plugins?

Yes, check out BBQ: Block Bad Queries for super-fast WordPress firewall security, and Blackhole for Bad Bots to protect your site against bad bots. I also have a video course on WordPress security, for more plugin recommendations and lots of tips and tricks.

Got a question?

Send any questions or feedback via my contact form.




Contributors & Developers

“Host Header Injection Fix” is open source software. The following people have contributed to this plugin.


Change log

2.0 (2020/03/13)

  • Tests on WordPress 5.4

1.9 (2019/10/27)

  • Tests on WordPress 5.3

1.8 (2019/09/02)

  • Updates some links to https
  • Tests on WordPress 5.3 (alpha)

1.7 (2019/04/28)

  • Bumps minimum PHP version to 5.6.20
  • Updates default translation template
  • Tests on WordPress 5.2

1.6 (2019/03/06)

  • Adds check for admin user for settings shortcut link
  • Tests on WordPress 5.1 and 5.2 (alpha)

1.5 (2019/02/02)

  • Tests on WordPress 5.1

1.4 (2018/11/14)

  • Adds homepage link to Plugins screen
  • Updates default translation template
  • Tests on WordPress 5.0

1.3 (2018/08/17)

  • Adds rel="noopener noreferrer" to all blank-target links
  • Updates GDPR blurb and donate link
  • Further tests on WP versions 4.9 and 5.0 (alpha)

1.2 (2018/05/07)

  • Improves logic of boolean settings validation
  • Adds rate plugin link on plugin settings page
  • Generates new translation template
  • Tests on WordPress 5.0 (alpha)

1.1 (2017/11/06)

  • Preps plugin and adds to WP Repo

1.0 (2017/11/05)

  • Initial release