Protect sendmail from spam abuse on Wordpress

Xavier12

Regular Pleskian
Hey guys,

Hope you're well. In the past we disabled sendmail in Plesk to prevent spam from using the contact form of WordPress sites to send unauthorized spam emails. Because of this, password reset emails do not work.

A few questions:
1. Is it safe to enable sendmail for scripts in Plesk?
2. If it's best to disable it, what is the solution for enabling WordPress password reset without the need of using sendmail?

One site was hacked, but I am not sure if WordPress send email can be manipulated from outside the WordPress site, or if it happened because the outside user brute forced their way into the admin to send these spam emails.

Here is the WordPress error that came up when resetting the password to a username:

The e-mail could not be sent.
Possible reason: your host may have disabled the mail() function.

Please advise, thanks
 
This seems to be a bit of an extreme approach for preventing spam generated by WordPress. The better question might be how is the spam even getting generated from WordPress (i.e. are you referring to contact forms or things of that nature)?

If you're running a dedicated or VPS instance (assuming that you have SMTP open relay turned off), you should be able to use a combination of plugin and good configuration practices at the WordPress level to prevent it from being abused by spammers. For example, your wp-config.php file enables you to turn off theme file editing from the WP management interface (so if your installation was breached, it could help to limit the fallout). Consider better application level security, as Plesk shouldn't be used as a stopgap against a poorly configured WordPress install.
 
Hi Pleskpanel,

Thank you very much for reaching back. Yes, outside users seem to be manipulating the WordPress contact form to send spam via their domain.com email. This makes sense. If you have any further suggestions, it would be greatly appreciated :)
 
Here are a few places to start:

- Check your plugins (see what kind of contact form you are running) - Are they using it to send email to third parties or is it just spam sent to you, in which case a decent captcha plugin should help to stem the flow of spam?
- Do you think that your site has actually been compromised? (in which case this would warrant a much closer investigation into determining the source of the breach and cleaning it up)

The positive point of this is that if it's your site and NOT Plesk, you may not need to address a security incident at the Plesk level since this sounds like a WordPress issue.
 
Hi Pleskpanel,

Thanks for reaching back. It seems the plugin for contact form is Contact Form 7. Not sure if the customer's site is compromised, will need to look further into the issue in this case. Thanks!
 
Contact 7 has a built-in captcha (it's very basic but it provides a basic stop gap for the most basic spam).

Try re-enabling the mailer and then adding captcha to your form(s).
 
Hi PleskPanel,

Are you speaking of spam as in users who send an email to the website owner via contact form, or are you speaking of protection from outsiders who will try to manipulate the form to send spam by using a fake [email protected]?
 
That's the question for you! If you're referring to contact form spam, that's where a captcha can help, but if you're referring to spam that is generated from your install and being sent to third parties, then it's an entirely different story. If you have copies of the spam in question (check your spool or mail delivery logs for more insight), it may help to narrow that down.

In a scenario with everything working correctly, you shouldn't have to disable the php mailer wrapper at all.
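
The log check suggested above, as an added example that is not part of the original thread: it separates mail submitted locally through sendmail (the path PHP's mail() takes) from mail that arrived over SMTP, then counts per system UID how many recipients were outside your own domains. It assumes Postfix as the MTA; the log lines, UIDs, relay name and the `max_external` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log lines in Postfix syslog format (assumed MTA; all values are made up).
SAMPLE_LOG = """\
Jan 10 03:12:01 host postfix/pickup[2101]: A1B2C3D4E5: uid=10003 from=<noreply@domain.com>
Jan 10 03:12:02 host postfix/smtp[2110]: A1B2C3D4E5: to=<a@example.net>, relay=relay.example[192.0.2.10]:587, status=sent
Jan 10 03:12:03 host postfix/pickup[2101]: A1B2C3D4E6: uid=10003 from=<noreply@domain.com>
Jan 10 03:12:04 host postfix/smtp[2110]: A1B2C3D4E6: to=<b@example.org>, relay=relay.example[192.0.2.10]:587, status=sent
Jan 10 03:12:05 host postfix/pickup[2101]: A1B2C3D4E7: uid=10003 from=<noreply@domain.com>
Jan 10 03:12:06 host postfix/smtp[2110]: A1B2C3D4E7: to=<c@example.com>, relay=relay.example[192.0.2.10]:587, status=deferred
Jan 10 03:42:06 host postfix/smtp[2110]: A1B2C3D4E7: to=<c@example.com>, relay=relay.example[192.0.2.10]:587, status=sent
Jan 10 09:30:00 host postfix/pickup[2101]: B1B2C3D4E8: uid=10004 from=<wordpress@domain.com>
Jan 10 09:30:01 host postfix/virtual[2200]: B1B2C3D4E8: to=<owner@domain.com>, relay=virtual, status=sent
Jan 10 10:00:00 host postfix/smtpd[2300]: C1B2C3D4E9: client=mail.example.net[198.51.100.7]
Jan 10 10:00:01 host postfix/virtual[2301]: C1B2C3D4E9: to=<owner@domain.com>, relay=virtual, status=sent
"""

# pickup = message handed to the local sendmail binary; uid = system user that ran it
PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
DELIVERY = re.compile(r"postfix/(?:smtp|lmtp|local|virtual|pipe)\[\d+\]: (\w+): to=<([^>]*)>")

def local_submissions(log_text, own_domains):
    """Per-UID recipient counts for locally submitted mail, split internal/external."""
    queue_uid, seen = {}, set()
    stats = defaultdict(lambda: {"internal": 0, "external": 0, "senders": set()})
    for line in log_text.splitlines():
        m = PICKUP.search(line)
        if m:
            qid, uid, sender = m.groups()
            queue_uid[qid] = uid
            stats[uid]["senders"].add(sender)
            continue
        m = DELIVERY.search(line)
        # Ignore mail that arrived over SMTP and retries of the same recipient.
        if not m or m.group(1) not in queue_uid or m.groups() in seen:
            continue
        seen.add(m.groups())
        domain = m.group(2).rpartition("@")[2].lower()
        kind = "internal" if domain in own_domains else "external"
        stats[queue_uid[m.group(1)]][kind] += 1
    return dict(stats)

def suspects(stats, max_external=2):
    """UIDs whose scripts mailed more external recipients than the threshold allows."""
    return sorted(uid for uid, s in stats.items() if s["external"] > max_external)
```

A UID that only ever mails your own domain matches the "spam sent to you" case; a UID with a burst of external recipients points to mail generated from the install, and that UID identifies which site's system user to investigate. Password reset mail also goes to external addresses, so set the threshold above the site's normal volume.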
 
Hi Pleskpanel,

Thanks for reaching back. Yep, it's spam being generated from WordPress via the contact form. They have sent bogus/spam emails from the domain.com email address that doesn't exist and it has gone through our mailing relay, which is Mandrill. Not sure if it's the WordPress user that is compromised, or they are able to gain access easily from outside.
 