Two-Factor stopped working since WordPress 6.9

Hi,

I have confirmed a reproducible issue affecting Solid Security’s email-based 2FA after updating WordPress to version 6.9.Summary of the Issue

After updating to WordPress 6.9, Solid Security’s email authentication / 2FA emails no longer send, even when:

• The domain has correct SPF, DKIM, and DMARC
• The mailbox exists and receives normal emails
• WordPress core emails (password reset etc.) work
• Other plugins using SMTP (e.g., Piotnet Forms) send emails successfully
• The hosting provider (Fasthosts) confirms no mail blocks or filtering

This issue occurs across multiple websites and is isolated only to Solid Security’s 2FA email method.

Technical Cause

WordPress 6.9 includes a major update to PHPMailer, introducing stricter RFC compliance for sending emails.

Specifically:1. The “From” address must match the authenticated mailbox

PHPMailer now rejects or blocks emails when the plugin sets:

• A dynamic From address
• A From address that does not match the authenticated mailbox
• A From address without explicit $phpmailer->Sender

Solid Security’s 2FA email currently relies on WordPress’ default wp_mail() without setting an aligned, authenticated From address.2. $phpmailer->Sender is now required for many hosts

WordPress 6.9’s PHPMailer enforces that the Sender address must be explicitly set.
Solid Security does not set this, so mail hosts (including Fasthosts, SiteGround, IONOS, GoDaddy, Hostinger, etc.) reject the message entirely.3. Other plugins work because they set proper SMTP headers

Form builders and SMTP plugins correctly set:

• The authenticated sending mailbox
• The From address
• The Sender header
• SPF/DKIM-aligned headers

Solid Security’s 2FA email does not, which is why only this feature fails after WP 6.9.

Why This Is a Solid Security Compatibility Bug

This is not a hosting, server, WordPress, or user configuration issue.

It is a plugin-level compatibility issue caused by Solid Security continuing to rely on older PHPMailer behaviour that WordPress 6.9 no longer supports.

To restore functionality, Solid Security needs to:

$headers[] = ‘From: “Site Security” [email protected]‘;
$phpmailer->Sender = ‘[email protected]’;

Or provide a setting to force a specific From/Sender mailbox.

• This reply was modified 6 months, 1 week ago by poppydev.

Thank you for getting back to me. Somewhat quicker then Solid Security themselves :/.

I have a custom email (Security > Settings > Notifications) setup for 2FA email authentication and been working fine up until WordPress 6.9. Nothing has changed in Solid Security settings, or had any plugin updates since WordPress 6.9.

This is effecting 18 of our websites so far. The only way in at the moment is by the authentication app on a mobile device. Just need the email method to work again as this was easier for my team to access these sites, and for me to monitor access.

Based on the changes made to WordPress’s wp_mail() in 6.9, even with a dedicated mailbox by the host or Office 365, I am unable to receive anything from Solid Security. Even file scan change reports do not come through anymore.

Just a shame the Solid Security team take ages to come back to FREE user support. I can rule this out as a non isolated issue as it use to work before WordPress 6.9 update, and is effecting all sites not just one.

• This reply was modified 6 months ago by poppydev.

Very interesting read – thank you.

Very silly of WordPress updating the core function that effects the mailing system, more so if thousands of plugins rely on it for admin or mailer responders.

They do need to resolve this in a patch as most users might rely on this method of contact by security plugins and or internal communication if logging errors etc. Forcing users to install additional plugins is just a poor excuse, and ads bloat. Or they need to setup SPF policies with the host (which I would be surprised if not already).

I know my mail boxes are setup correctly for each domain, both by the host and office 365. The issue I have is I am using a forwarder to another email from my host mailbox to my 365 mailbox. All have their SPF setup correctly for all domains or I wouldn’t have been getting emails at all in 365.

So the best solution for me (and possibly many others) is this

function use_no_sender( $phpmailer ) {
$phpmailer->Sender = “”;
}

add_action( ‘phpmailer_init’, ‘use_no_sender’ );

It now allows me to receive emails from WordPress when using Solid Security and have a custom email for the authenticator. Same goes for other plugins I use that send reports. These stopped until the above was added in a function.php.

I know many cannot do this out of the box but Solid Security should have an option to allow this to be added if users are not receiving emails all of a sudden, rather then adding additional plugins or expecting someone to know where this goes.

I can assume WordPress have had a large amount of complaints since this has been removed. I get they have made it secure but not all hosts/plugin developers have catered for this change yet, or aware of it effecting them.

Nice to see them caring but at the same time also being careless.

• This reply was modified 6 months ago by poppydev.