Hello @laserstore !
I’m very sorry to hear that you’ve experienced this issue while using our plugin!
Just to confirm – in the Notifications section you have the notifications set to use a different address but the site still sends those using the default email?
2- Defender doesn’t have a specific feature for preventing SQL injections because those are very difficult to protect against from inside the WordPress code – if a plugin has a vulnerability of this kind, it’s most commonly due to incorrect coding which doesn’t use WordPress functions – those functions are designed in a way to prevent injection attacks through filtering. But if a plugin uses custom database access methods (custom unsafe queries), then there’s hardly anything that can be done to filter this out.
Due to this, the recommended way to handle those kinds of vulnerabilities is to use a server-side Web Application Firewall because it will be able to detect bad requests and prevent them from ever reaching WordPress. Your hosting may offer this kind of feature or you can use the free CloudFlare plan which adds a protection layer to your site.
On the Defender’s side you can still enact some protections which will help prevent those kinds of attacks, especially using the features in the Firewall section. For example you can ban bots which try to scan your site for vulnerabilities before trying out an attack – they will often get caught and get blocked before they are able to cause any harm. Same goes for login protection as some of the db injections can only be attempted when being logged in.
Best regards,
Pawel
Hi Pawel! @wpmudev-support9
Thanks for the excellent answer! The plugin is excellent and we plan on migrating to a premium plan soon. I’m using all the resources you mentioned and I feel excellent protection.
Regarding the email, it is configured to send alerts, but when sending it does not use the website’s default email address. He “created” the noreply@ address and tries to send through it, but that email address doesn’t exist.
See image of an email log:
View post on imgur.com
The email ends up not being sent because the sender address does not exist. I don’t know where it’s configured to use that email that doesn’t exist. Default wordpress email is nuno@mydomain.
If there’s anything possible I can do, let me know.
Thank you very much!
-
This reply was modified 4 years, 3 months ago by
laserstore.
Hi @laserstore
I hope you are doing well.
This should be from WordPress itself, had you tested this plugin to check if makes any difference?
https://ww.wp.xz.cn/plugins/cb-change-mail-sender/
Another alternative is trying to configure an SMTP plugin like https://ww.wp.xz.cn/plugins/branda-white-labeling/ https://wpmudev.com/docs/wpmu-dev-plugins/branda/#smtp
Let us know the result you got.
Best Regards
Patrick Freitas
@wpmudevsupport12 Hi!
All emails from the site are sent normally, including those referring to the store. All use the default email registered in the wp smtp mail plugin. Only Defender insists on using an email address that doesn’t exist as a sender. There is no email [email protected]. The site’s default email is different.
See the image of the email log generated by the wp smtp mail plugin.
View post on imgur.com
I can’t understand why Defender “created” or assumed the site’s default email is [email protected]
Thank you!!
Hey there @laserstore
This is actually a default address that is used in Defender, but it doesn’t actually mean that these emails are getting sent by that address. It is more about masking them in the frontend of email clients, as in the background it is the same method that sends the emails (whatever you use, native wp_mail() or SMTP).
This is something common in plugins and Defender also provides some hooks to actually customize the noreply emails, like:
wd_subscribe_noreply_email
wd_unsubscribe_noreply_email
wd_confirm_noreply_email
wd_lockout_noreply_email
Here you can find an example that you could use in a MU plugin or functions.php file of your child-theme:
https://wpmudev.com/docs/api-plugin-development/defender-api-docs/#filter-wd_subscribe_noreply_email
Let us know if more assistance is needed.
Thank you,
Dimitris
Hi Dimitris! @wpmudev-support6
Unfortunately the snippet it didn’t work. But I found another way. I created the noreply@mydomain account and then emails are sent normally. I’ll leave it that way, but I think it shouldn’t be that way, because it’s not always possible to create an extra email account. Anyway, I really appreciate your help and support.
Bye!
