Emails are everywhere. They have become one of the most common methods of communication among people over the Internet. WordPress administrators and website owners use emails for various purposes, such as personal and professional communication, marketing, recruitment, and more.
Emails can also contain sensitive information that you use to authenticate your users or allow them to take certain actions, such as resetting a password, etc. In this tutorial, we will discuss everything that website owners need to know about email security in WordPress.
Let’s begin the discussion with the need for securing your WordPress website emails. Keeping your emails secure helps with a lot of things, such as:
- Protection of sensitive information — As mentioned earlier, you will often send emails that can contain sensitive information. This can include things like the login credentials of your users and personal information related to their health or finances. In any case, you need to make sure that no one with malicious intent can intercept this information.
- Delivery of emails — Spam is a big issue on the internet. We are sure that you have also received your fair share of spam emails. They are annoying in the best-case scenario and can lead to more drastic consequences in other cases. One way email servers deal with potential spam is by not sending emails that are not up to standards at all. Similarly, emails that might be considered spam by different email clients will be marked as such and put in a separate folder away from the main inbox.
- Maintaining brand reputation — Your brand reputation might be on the line if you don’t take WordPress email security seriously. Think about it, how would you feel about a brand whose emails are constantly stuck in the spam filter or a brand whose lack of security results in the leaking of your personal information?
- Prevention of email-based attacks — People with malicious intent can use email phishing to either gain access to your website or to have access to user data. This can pose all kinds of security issues. In either case, you need to take appropriate measures to secure WordPress email.
Sending secure emails in WordPress
WordPress has a built-in wp_mail() function that it uses to send emails. This function relies on the popular free and open-source PHPMailer library to send all your emails.
One advantage of using the library is that it has an integrated SMTP client that allows you to send emails on all platforms without needing a local mail server.
The term SMTP stands for Simple Mail Transfer Protocol. An SMTP client is a program we can use to send emails from one server to another. The client does many valuable things, such as establishing a connection with the email server, authentication of the sender, and email transmission.
Using the wp_mail() function is not an automatic guarantee that your email reception was successful. It will return true once the request is successful, regardless of the delivery status of the email. Therefore, you will have the make sure that the emails you sent are delivered.
You can add your SMTP-related settings inside the wp-config.php file by adding a few lines of PHP to the existing source code. However, a much easier option is to use a plugin.
You can use one of the many free WordPress SMTP plugins that will help you configure all your settings to effectively and securely send your emails. We have already covered WordPress email deliverability in great detail in the past.
Setting up an SMTP plugin
It is worth mentioning that there are multiple SMTP plugins that you can use on your website. You can give them a try to see which one suits you best. One of the most popular ones is the WP Mail SMTP plugin.
Any plugin that you use will ask you to choose an SMTP mailer for your website. There are several options available such as SendLayer, Postmark, SendGrid, Zoho Mail, etc. The setup wizard will help you with the initial configuration, where you provide all the needed information, such as the API key, etc. All these settings for different plugins will be available in the WordPress dashboard.
There are two important things that you should keep in mind while setting up these plugins:
- Make sure that you are sending emails over SSL with your SMTP client. This will help in preventing the emails from being intercepted while they are in transit. many services like SendLayer etc., will automatically handle SSL/TLS encryption for you. However, you can also manually provide information about the SMTP host, port number, encryption, etc. if you select Other SMTP as your SMTP Mailer.
- You might also want to disable email logging if you send sensitive information through email. This will prevent any unwanted data leaks if something goes wrong. It is fine to have this option turned on while testing, but it should ideally be off in other cases.
Common email security frameworks
Installing and using SSL certificates for sending emails will ensure that the email content is safe while in transit between the email client and the email server. This becomes possible by prevention of any unauthorized access or interception of the email during transmission.
The next step in improving WordPress email security involves using encryption so that only the intended recipient can read the contents of the email sent to them.
There are many different email security frameworks that you can use to secure emails on your WordPress site. The term email security framework refers to a set of guidelines and standards that are in place to ensure that all your email communication stays safe from security risks such as spam, phishing, and unauthorized access.
Different SMTP servers might use a combination of multiple email security frameworks to achieve their goal of securing emails. Let’s learn about some of them.
Sender Policy Framework
Sender Policy Framework, also known as SPF, is an email authentication framework that allows the recipient’s email server to check if an email came from a legitimate source.
In short, SPF works by checking the DNS (Domain Name System) record of the sender’s domain to verify that the sender’s IP address matches the authorized IP addresses for that domain.
Once an email is sent, the mail server on the recipient’s end will check the SPF records to figure out if the email was indeed sent from an authorized mail server on the sender’s end. The SPF record will contain information about all the IP addresses and domains which can send an email on behalf of a particular domain. Any mismatch will result in marking the email as suspicious.
SPF helps combat spam and phishing attacks where someone will pretend to be what they are not.
DomainKeys Identified Mail
The DomainKeys Identified Mail (DKIM) framework relies on using digital signatures to verify that the email’s sender is someone legitimate. It also ensures that the contents of the email are unaltered while transmitting the email.
The digital signature is nothing but a cryptographic value generated using a private key associated with the legitimate domain name. The email message contains the cryptographic value as a DKIM-Signature field in its header.
The mail server on the recipient’s side can access the public key of the sender’s domain from the DNS records. The email system uses the public key to decrypt the signature to verify the authenticity of the sender. The system delivers the email to the recipient’s mailbox after validating the sender’s authenticity.
The secret here is that the private key is used to generate the cryptographic signature, and this signature can only be decrypted by the corresponding public key. This means that a matching value in the generated hash values with the private and public keys guarantees the authenticity of the email.
Domain-based Message Authentication, Reporting, and Conformance
The previous two frameworks allow you to validate that the sender of an email is someone that they claim to be. This helps prevent spam and phishing attacks.
What if an email fails SPF or DKIM checks?
You might be wondering how could a legitimate email fail SPF or DKIM checks. This can happen in a variety of situations, such as misconfigured SPF or DKIM records, invalid timestamp due to a longer than usual transit time, and email forwarding where the forwarding server is not authorized to send emails on behalf of the original sender’s domain.
The Domain-based Message Authentication, Reporting, and Conformance (DMARC) framework comes to your rescue in this case.
Domain owners can add a DMARC policy to their DNS records to specify what should happen to any email messages that fail the SPF or DKIM authentication checks.
Once an email fails these checks, the recipient’s email server will look for the DMARC policy of the sender’s domain. The DMARC policy will specify if the email should be rejected, quarantined, or delivered to the recipient’s mailbox.
Besides checking for the legitimacy of the sender, DMARC includes mechanisms to report to domain owners all the information about emails sent from their domain. Access to this information can help domain owners identify potential email spoofing or phishing attacks. This ultimately results in increased email security.
Pretty Good Privacy
Pretty Good Privacy, or PGP, is another interesting email security framework that provides end-to-end encryption for your emails, ensuring that only the intended recipient can read your emails.
The PGP security protocol relies on a pair of public and private keys for its cryptography system. All users of the PGP protocol will have their own public and private keys. PGP uses the public key for encrypting email messages and the private key for decrypting them. Everyone who wants to communicate with the user has access to the public key. The private key stays with the user.
Let’s say you want to send an email to someone. As a sender, you will use the public key provided by the recipient to encrypt your message. This makes sure that only the recipient can decrypt the message because only they will have the private key.
PGP also uses digital signatures to verify the authenticity and integrity of an email and to make sure that there was no tampering during transmission.
The private key proves useful for generating the digital signature, which verifies the authenticity of the sender. The private key is used to create a hash of the email message. Since PGP works on the principle of sharing public keys, the recipient of the email will have access to the public key of the sender. This public key is useful for decrypting the hash, which verifies that the message is unchanged.
Another important aspect of PGP is the “web of trust” system, where different users can sign each other’s public keys to indicate that they have verified the key owner. This makes it even more difficult for someone with malicious intent to impersonate a user.
Implementing email security on your WordPress site
We will now learn how to implement different email security frameworks on your website.
Sender Policy Framework
As mentioned in the previous section, SPF works by checking the DNS record of the sender’s domain. It checks if the IP of the sender matches the authorized IP addresses for that domain.
We can test this using wpwhitesecurity.com as an example. All we need to do is use the nslookup command as follows:
nslookup -type=txt domainname
The result tells us which systems we use to send emails.
v=spf1 a mx include:_spf.google.com include:relay.kinstamailservice.com include:servers.mcsv.net include:helpscoutemail.com include:sendgrid.net ~all
If an email you receive from us is not from any of these systems, it is, therefore, likely that it is not legitimate.
All we need to do to implement SPF is add a TXT record to the domain’s DNS zone file. A TXT record can contain arbitrary text that you want to associate with a domain name. In this case, it will contain the SPF information.
The first step is to log in to whatever service you use to manage your DNS records. In this case, we will be using Cloudflare. Therefore, we first log in to the Cloudflare account and select the domain whose DNS records will be edited.
You should see the option to change DNS Settings either in the left sidebar or under Quick Actions if you are using Cloudflare. Click on it to add a DNS record. There will be an Add Record button on the next page. Click on it, and you will see the following screen.
Select TXT under the Type dropdown. Set the name to your domain root. Keep TTL to Auto and set the value of Content to v=spf1 mx a ip4:XXX.XXX.XXX.XXX -all. Use the screenshot below for reference.
The DNS record consists of different parts. Let’s see what they mean one at a time:
- v=spf1 — This part specifies the version of the SPF protocol in use. In this case, the SPF version is 1.
- mx — This part authorizes the domain’s MX records to send emails on behalf of the domain.
- a — This part authorizes the domain’s A records or its ipv4 addresses to send emails on behalf of the domain.
- ip4:XXX.XXX.XXX.XXX — You can add this part to add a specific IP address to the whitelist for sending emails.
- -all — This part specifies what should happen to emails that don’t match any of the authorized domains or IP addresses.
Make sure you replace XXX.XXX.XXX.XXX with the IP address that you want to whitelist. You don’t need to add this part if you only plan on sending email addresses from your domain. However, you should include the IP address of your mail servers here to prevent any spoofing.
DomainKey Identified Mail
The DKIM framework also relies on values stored in DNS records to verify the authenticity of the sender of an email.
The primary difference is that while SPF relies on checking IP addresses in the DNS records to make sure that some authorized sent the email, DKIM relies on the use of public and private keys.
If you are using Cloudflare to manage your domain, you can add a DNS record, as we did in the previous section. However, it is also possible for you to update DNS records from your hosting provider’s dashboard.
Here is a screenshot of a current DKIM TXT record in the cPanel of a hosting account. You can find these options after logging into your cPanel account and then checking Email Deliverability.
The name of the DKIM record is set to default._domainkey to make sure that it can be located easily by different email service providers.
The content of the DKIM record consists of several parts, as explained below:
- v=DKIM1 — This part specifies the version of the DKIM protocol in use.
- k=rsa — This part specifies that the public key we are using is an RSA key.
- p=KEY_VALUE — This part is the Base64 encoded public key.
Domain-based Message Authentication, Reporting, and Conformance
We will now learn how to add a DMARC policy to our DNS TXT record. The process of adding a DNS record will stay the same here. The only thing that changes is the name of the record and its contents.
The name of our DNS TXT record will be _dmarc.yourwebsite.com, where yourwebsite.com is your actual website. Again, this is just a standard convention in place for easy identification of the DMARC policy.
You can add a total of 11 tag-value pairs as the content of the DMARC policy DNS TXT record. You can read about them on this page that thoroughly describes a DMARC DNS TXT record.
Let’s use the newly introduced wizard in Cloudflare to add a DMARC policy.
Once you click on the wizard link, you will see the following screen. Just click the Add button, and you are good to go.
We will now learn what the content inside the DMARC record means:
- v=DMARC1 — As usual, this specifies the version of the DMARC protocol in use.
- p=none — This part specifies that no policy action takes place for failed checks. You can also set this value to quarantine or reject. Setting the value to quarantine will mark the email as potentially suspicious but still deliver it to the spam folder of the recipient mailbox.
- rua=mailto:report_dmarc@website.com — This part specifies the email address which receives the reports. The reports will contain information about the email messages that passed or failed the DMRC checks.
Securing emails for better security
As the old adage goes, a chain is only as strong as its weakest link. This is very true when it comes to security, which requires WordPress administrators and website owners to look beyond securing WordPress and address the supporting/surrounding infrastructure.
Email security tends to get overlooked; however, as we have just seen in the article, securing email is relatively easy and very accessible. From configuring DNS records to encrypting emails, not only will this ensure better customer and user reach, but drastically minimize security risks.
More tips to improve WordPress security
Making your emails secure is just one part of overall website security. Here are some general tips to improve the all-around security of your website.
- Update Regularly — It is important to keep all your WordPress themes or plugins updated. Updates will usually add new features as well as fix known vulnerabilities.
- Use Strong Passwords — You should use strong and unique passwords for all your website-related accounts this includes the web host, database, FTP accounts, WordPress admin accounts, etc. This will prevent brute force attacks from cracking your password. You can use the Melapress Login Security plugin to follow all the best login security practices, such as strong passwords, block too many failed login attempts, etc.
- Install Security Plugins — You should also consider installing a security plugin. Some of the most popular options are Wordfence, iThemes Security, All-In-One security, etc. You can also install plugins like WP Activity Log to log all changes that happen on your WordPress website.
- Use Two-Factor Authentication — You can use two-factor authentication to add an extra layer of security. Free plugins such as WP 2FA can help you do it with ease.
- Take Regular Backups — You should also take regular backups of your website. This will help you get your website online quickly in case of a security breach or other issues.
- Use a Reliable Web Host — Make sure that you are using a reputed and reliable web host to host your website. The web host will be responsible for several things, such as securing the web server, updating it, taking its backups in the backend, etc.
- Use a Firewall — Installing a firewall will prevent unauthorized access while protecting against common security threats and DDOS attacks. It is possible to install a firewall on the server level by your web host or on the website level by you as a WordPress plugin. The good news is that plugins like Wordfence etc., already offer a firewall and will protect you from malware.
- Limit Login Attempts — Another security measure that you can take is limiting the number of failed login attempts to prevent brute-force attacks by bots.
