poppydev
Forum Replies Created
Hi there, this is correct for the custom email. I won’t share it on here for security reasons but see screenshot where this is added:
https://www.awesomescreenshot.com/image/57906581?key=d9c081e74f723f2c5796b83dde401994
As before my from address is a forwarder in the host, then sent to our 365 outlook inbox which both are set up correctly to communicate and receive emails. It worked before but stopped after WordPress 6.9. Maybe there is something I am missing in the host’s DNS setup. Will have to investigate further.
Either way the code above that I used on all website functions.php has allowed my emails that didn’t come through by Solid Security to work again. Now this might have been the same issue with other plugins as I have noticed new notification emails I have never seen before since this code was applied.
- This reply was modified 5 months, 3 weeks ago by poppydev.
Very interesting read – thank you.
Very silly of WordPress updating the core function that affects the mailing system, more so if thousands of plugins rely on it for admin or mailer responders.
They do need to resolve this in a patch as most users might rely on this method of contact by security plugins and or internal communication if logging errors etc. Forcing users to install additional plugins is just a poor excuse, and adds bloat. Or they need to set up SPF policies with the host (which I would be surprised if not already). I know my mail boxes are set up correctly for each domain, both by the host and office 365. The issue I have is I am using a forwarder to another email from my host mailbox to my 365 mailbox. All have their SPF set up correctly for all domains or I wouldn’t have been getting emails at all in 365.
So the best solution for me (and possibly many others) is this
// Clear PHPMailer's envelope sender (Sender) before each message is sent.
function use_no_sender( $phpmailer ) {
    $phpmailer->Sender = '';
}
add_action( 'phpmailer_init', 'use_no_sender' );
It now allows me to receive emails from WordPress when using Solid Security and have a custom email for the authenticator. Same goes for other plugins I use that send reports. These stopped until the above was added in a function.php.
I know many cannot do this out of the box but Solid Security should have an option to allow this to be added if users are not receiving emails all of a sudden, rather than adding additional plugins or expecting someone to know where this goes.
I can assume WordPress have had a large amount of complaints since this has been removed. I get they have made it secure but not all hosts/plugin developers have catered for this change yet, or are aware of it affecting them.
Nice to see them caring but at the same time also being careless.
- This reply was modified 5 months, 4 weeks ago by poppydev.
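Added example, not part of the original replies and not WordPress or Solid Security code: a variant of the hook above that sets the envelope sender to one fixed mailbox instead of clearing it, and logs send failures through the `wp_mail_failed` action. The constant `EXAMPLE_ENVELOPE_SENDER`, the `example_*` function names and the `bounces@example.com` address are assumptions; the mailbox should sit on a domain whose SPF record authorises the sending host, because receivers evaluate SPF against the envelope sender's domain.

```php
<?php
// Added example: all EXAMPLE_* / example_* names and the address are hypothetical.
if ( ! defined( 'EXAMPLE_ENVELOPE_SENDER' ) ) {
	define( 'EXAMPLE_ENVELOPE_SENDER', 'bounces@example.com' ); // placeholder mailbox
}

// Return the lower-cased domain part of an address, or '' if there is none.
function example_domain_of( $address ) {
	$address = (string) $address;
	$at      = strrpos( $address, '@' );
	return false === $at ? '' : strtolower( substr( $address, $at + 1 ) );
}

// Runs on phpmailer_init, after wp_mail() has filled in From and the recipients.
function example_pin_envelope_sender( $phpmailer ) {
	$sender = EXAMPLE_ENVELOPE_SENDER;
	if ( ! is_email( $sender ) ) {
		return; // Misconfigured constant: leave whatever wp_mail() already set.
	}

	// Envelope sender (Return-Path): the address SPF is checked against.
	$phpmailer->Sender = $sender;

	// Record a From / envelope-sender domain mismatch so an SPF alignment
	// problem shows up in the debug log instead of as silently missing mail.
	$from_domain   = example_domain_of( $phpmailer->From );
	$sender_domain = example_domain_of( $sender );
	if ( $from_domain !== $sender_domain && defined( 'WP_DEBUG' ) && WP_DEBUG ) {
		error_log( sprintf(
			'wp_mail: From domain "%s" differs from envelope sender domain "%s"',
			$from_domain,
			$sender_domain
		) );
	}
}
add_action( 'phpmailer_init', 'example_pin_envelope_sender', 20 );

// wp_mail_failed receives a WP_Error when PHPMailer throws while sending.
function example_log_mail_failure( $error ) {
	error_log( 'wp_mail failed: ' . $error->get_error_message() );
}
add_action( 'wp_mail_failed', 'example_log_mail_failure' );
```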
Thank you for getting back to me. Somewhat quicker than Solid Security themselves :/.
I have a custom email (Security > Settings > Notifications) setup for 2FA email authentication and been working fine up until WordPress 6.9. Nothing has changed in Solid Security settings, or had any plugin updates since WordPress 6.9.
This is affecting 18 of our websites so far. The only way in at the moment is by the authentication app on a mobile device. Just need the email method to work again as this was easier for my team to access these sites, and for me to monitor access.
Based on the changes made to WordPress’s wp_mail() in 6.9, even with a dedicated mailbox by the host or Office 365, I am unable to receive anything from Solid Security. Even file scan change reports do not come through anymore.
Just a shame the Solid Security team take ages to come back to FREE user support. I can rule this out as a non isolated issue as it used to work before WordPress 6.9 update, and is affecting all sites not just one.
- This reply was modified 6 months ago by poppydev.
Hi,
I have confirmed a reproducible issue affecting Solid Security’s email-based 2FA after updating WordPress to version 6.9.
Summary of the Issue
After updating to WordPress 6.9, Solid Security’s email authentication / 2FA emails no longer send, even when:
- The domain has correct SPF, DKIM, and DMARC
- The mailbox exists and receives normal emails
- WordPress core emails (password reset etc.) work
- Other plugins using SMTP (e.g., Piotnet Forms) send emails successfully
- The hosting provider (Fasthosts) confirms no mail blocks or filtering
This issue occurs across multiple websites and is isolated only to Solid Security’s 2FA email method.
Technical Cause
WordPress 6.9 includes a major update to PHPMailer, introducing stricter RFC compliance for sending emails.
Specifically:
1. The “From” address must match the authenticated mailbox
PHPMailer now rejects or blocks emails when the plugin sets:
- A dynamic From address
- A From address that does not match the authenticated mailbox
- A From address without explicit $phpmailer->Sender
Solid Security’s 2FA email currently relies on WordPress’ default wp_mail() without setting an aligned, authenticated From address.
2. $phpmailer->Sender is now required for many hosts
WordPress 6.9’s PHPMailer enforces that the Sender address must be explicitly set.
Solid Security does not set this, so mail hosts (including Fasthosts, SiteGround, IONOS, GoDaddy, Hostinger, etc.) reject the message entirely.
3. Other plugins work because they set proper SMTP headers
Form builders and SMTP plugins correctly set:
- The authenticated sending mailbox
- The From address
- The Sender header
- SPF/DKIM-aligned headers
Solid Security’s 2FA email does not, which is why only this feature fails after WP 6.9.
Why This Is a Solid Security Compatibility Bug
This is not a hosting, server, WordPress, or user configuration issue.
It is a plugin-level compatibility issue caused by Solid Security continuing to rely on older PHPMailer behaviour that WordPress 6.9 no longer supports.
To restore functionality, Solid Security needs to:
$headers[] = 'From: "Site Security" [email protected]';
$phpmailer->Sender = '[email protected]';
Or provide a setting to force a specific From/Sender mailbox.
- This reply was modified 6 months ago by poppydev.
I was wrong with this.
I have done a few tests, and checked with another site using WordPress 6.9
My emails were using a forwarder rather than a dedicated mailbox.
Changed this to a dedicated mailbox and still not getting anything through when using the email method to get the authentication code.
Same for another site. Before the WordPress recent update it was working. Updated this and emails from your plugin have stopped working. Same error as above. Even when I create a dedicated mailbox for this they still don’t come through.
To rule out any mailboxes quarantining emails I did blanket tests to the email I use on your plugin when sending authentication responses and they come through when I email from an external resource, or from the host mailbox. This rules out any issues from the email itself.
Any ideas as to why this isn’t working? Using Two-Step authentication app works fine, just not emails.
Spoke too soon. The bug has come back again. Thought it might have been the link I mentioned previously.
Just to add to this.
I think I have found what might be causing it. You have a link top right called “Expand Details” and when clicked “Collapse Details“, but when clicked it doesn’t do anything.
I clicked this when I did a search for “Shop” under ‘Pixels‘. Before I clicked this it didn’t work, after I clicked it all search results started to load more images when I scrolled. The same goes for the other stock libraries.
This link is for the ‘Media‘ section and it might be affecting how your plugin allows for search results. Just a guess but odd that it works when I clicked this.
You’re welcome. Look forward to the update :).
Created a ticket to trigger their support. Disabling the latest version and re-enabling it doesn’t work for me like it might for others.
Rank Math support! You need to be on it with this issue. It affects thousands of users. Reverting back is the answer for now but you haven’t been pro-active in mentioning this or asking for data from people.
Not a good start to support, more so when your free userbase is probably larger than your pros
I have the same problem with WPBakery as well as other theme builders.
Revert back to the previous version in the settings and everything will work as expected:
- Go to your WordPress dashboard and navigate to Rank Math SEO → Status and Tools → Version Control.
- Under the Version Control tab, you should see the currently installed version of Rank Math, the latest version available, and a Rollback option.
- Click the drop-down in the Rollback version option to select the version you want to rollback to.
- Click the “Install Version” button to start the rollback process.
Just to add to this: Turn off ‘Auto Update’ on the same settings near the bottom. You should never rely on auto update on any plugin for this reason.
Forum: Fixing WordPress
In reply to: Footnote (empty Metadata)
Thank you for this. I have requested a ‘Feature’ under GitHub and just copied my original issue on here, that explains the problem, solution and potential request.
Ok I got it working by disabling all plugins and activating one at a time, starting with yours, then security plugins and all others.
The only issue I have found on your plugin is when I try and flush the cache with the green cloud icon on WP top menu.
When I hover over the icon and click on “Purge whole cache”.
URL on link: /wp-admin/admin.php?page=super-page-cache-settings#
I get the error: “Error: undefined Cannot read properties of null (reading ‘innerText’)”
Same for “Purge this page only” link.
Everything else looks to be working for now.
Forum: Plugins
In reply to: [File Manager Pro - Filester] Removed access to .htaccess for admin role
Thank you for the prompt reply.
Please do consider the password option. I get the security around this and the abuse that could happen but that rule follows with any file in the hosting platform. Not just .htaccess.
It has to be down to the user to secure their processes when relying on your plugin. Adding the password option allows you to add another level without compromising in accessibility.
Forum: Plugins
In reply to: [File Manager Pro - Filester] Removed access to .htaccess for admin role
Why not follow the route below to secure this without removing access to .htaccess etc:
- Role-Based Access Control
Only allow access to sensitive files like .htaccess, wp-config.php, .env, etc., for users with the administrator role or a custom capability (e.g., filester_manage_sensitive_files).
- Optional Password Prompt (Re-authentication)
Prompt users to enter their WordPress password before accessing/editing protected files. This is a common pattern in WordPress (e.g., exporting personal data or changing site settings).
- Developer Override (for advanced users)
Add a constant or filter to allow controlled override, like:
define('FILESTER_ALLOW_HTACCESS_EDIT', true);
or
add_filter('filester_allow_htaccess_edit', '__return_true');
This approach keeps things locked down by default for most users but still provides developers and advanced admins with the flexibility they need — especially since files like wp-config.php are still editable in the current version.
- This reply was modified 1 year ago by poppydev.
- This reply was modified 1 year ago by Jan Dembowski.
Forum: Plugins
In reply to: [PixMagix - WordPress Image Editor] Google fonts not allowing variants
Ok I spoke too soon. This doesn’t work for all fonts taken from Google fonts. I cannot get any kind of variant to show.
I have checked to see if the API is pulling in all variations by using function:
if (!empty($data) && isset($data['items'])){
    $items = $data['items'];
}
// Debug only: dump the fetched font items to a file next to this script.
if (defined('WP_DEBUG') && WP_DEBUG) {
    file_put_contents(__DIR__ . '/debug-montserrat.txt', json_encode($items, JSON_PRETTY_PRINT));
}
/wp-content/plugins/pixmagix/includes/rest-api/debug-montserrat.txt
I am currently debugging editor.build.js as there is a bug or something in the code that is preventing the variants from loading on the UI.
Regards