Sets custom headers for WP notification emails. Also fixes a security issue with WP versions < 5.5.
As of April 2026, Host Header Injection Fix is a WordPress email plugin with 500 active installations and a 5/5 rating from 6 reviews. It has been downloaded 25K+ times in total. Requires WordPress 4.7+ and PHP 5.6.20+. Available on WordPress.org since 2017. Actively maintained — updated within the last month. Top alternative: WP Mail SMTP by WPForms – The Most….
👉 Enables custom headers for WP email notifications
👉 Also provides a “set it and forget it” security fix for WP < 5.5
👉 Uses only 50KB of code, so super lightweight, fast, and effective
Important
As of WordPress 5.5, this plugin is no longer necessary to fix the host-header security issue. The issue, reported in Ticket #25239, is finally fixed, as mentioned in the post WordPress 5.5 Beta 4. Thank you, WordPress devs!
Is this plugin still useful?
Yes, it enables you to choose the “From”, “Name”, and “Return-Path” headers for all WP notification emails. And for versions of WordPress less than 5.5, this plugin continues to fix the host-header injection security issue.
Features
This simple plugin does three things:
| WordPress | 4.7+ required; tested up to 7.0 |
| PHP | 5.6.20+ required |
If you like Host Header Injection Fix, please take a moment to give a 5-star rating. It helps to keep development and support going strong. Thank you!
3.5 (2026/01/29)
Plugin data sourced from WordPress.org. Analysis and metrics by PluginSift.