Is it a serious security leak for WordPress bloggers?

With WordPress’s default settings, anyone who knows the blog administrator’s email address can put that address in the comment form’s required email field and post a comment without being moderated, as if they were the administrator. I think it is a very bad authentication design. It worries me a lot, although none of my blog users have pretended to be me so far.

I never publish my email address on the web, to protect it from spam. But you can find my email address in many places – I print it on business cards, write it on my CV, give it to people I have just met in pubs… Now I have to rethink how I use my email address.

I think a password check is essential if someone is acting as the administrator of a WordPress blog. If it can be bypassed, it means I have to keep my email address private. A birthday is private, a residence address is private. There are so many private things to keep. And now, my email address too?
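As an added example that is not part of the original post (my own snippet, not WordPress core): a small plugin that hooks the real WordPress `pre_comment_approved` filter and holds for moderation any comment from a visitor who is not logged in but whose author email belongs to a registered user who can moderate comments. The plugin and function names are my own; the hooks and helpers (`get_user_by`, `user_can`, `sanitize_email`) are WordPress’s.

```php
<?php
/*
 * Plugin Name: Hold Impersonating Comments (added example, not WordPress core)
 * Hold for moderation any anonymous comment whose author email belongs to
 * a registered user who can moderate comments (e.g. the administrator).
 */

add_filter('pre_comment_approved', 'hic_hold_if_impersonating', 10, 2);

function hic_hold_if_impersonating($approved, $commentdata) {
    // Leave spam/trash decisions made by earlier filters untouched.
    if ($approved === 'spam' || $approved === 'trash') {
        return $approved;
    }
    // Comments posted from an authenticated session carry a user id; trust those.
    $user_id = (int) ($commentdata['user_id'] ?? $commentdata['user_ID'] ?? 0);
    if ($user_id > 0) {
        return $approved;
    }
    $email = isset($commentdata['comment_author_email'])
        ? sanitize_email($commentdata['comment_author_email']) : '';
    if ($email === '') {
        return $approved;
    }
    // The author email matches a registered account, but nobody logged in as it:
    // do not let "previously approved author" shortcuts auto-approve the comment.
    $user = get_user_by('email', $email);
    if ($user && user_can($user, 'moderate_comments')) {
        return 0; // 0 = hold for moderation ("pending")
    }
    return $approved;
}
```

Dropping the `moderate_comments` check extends the rule to every registered user’s email, at the cost of more comments landing in the moderation queue.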

AuthSMTP Verifies the Return-Path Address as Well

I use phpList to send newsletters to customers. I recently added an automatic bounced-message processor, which requires a separate email address to accept bounced messages. Bounced messages are sent to the From address if no Return-Path is set in the email envelope. Email programs such as Outlook are not suitable to serve as a newsletter program because they have no setting for the Return-Path.

However, when I tried to send out a test letter after setting up bounce processing in phpList, I kept receiving error messages from AuthSMTP saying the From address was not authorised. I was confused because I had been using the same From address since I purchased AuthSMTP. It took a couple of hours to figure out that the “From address” referred to the Return-Path address.

So I need to verify the Return-Path address as well before I can use AuthSMTP again.

phpList Can Work With SSL POP

Want phpList to process bounce messages, but your mailbox only supports SSL POP (port 995, e.g. Gmail)? No problem.

Set the following in config.php:

$bounce_protocol = 'pop';
$message_envelope = 'username@gmail.com';
$bounce_mailbox_host = 'pop.gmail.com';
$bounce_mailbox_user = 'username@gmail.com';
$bounce_mailbox_password = 'password';
$bounce_mailbox_port = "995/pop3/ssl/novalidate-cert";

I was worried that phpList would not be able to POP bounce messages from Gmail, and was about to set up a dedicated POP mailbox without SSL, but phpList met my requirement easily.

I also found that, according to phpList’s own documentation, PHP must run with safe_mode off for phpList to process bounce messages, but my own test shows that safe_mode can be on.

Use Analytics to Track Newsletter Open Rate

I realise it is NOT possible to use Analytics to track newsletter open rate, because:

  • To track whether an email has been opened, you put an invisible image into the email whose img src calls a tracking program.
  • If you put a web page URL as the img src, the JavaScript on that web page won’t run.

So, in order to track newsletter open rate, you must point the img src to a server-side tracking program. Analytics won’t fit this job because it is a client-side script.

Actually, tracking newsletter open rate is very easy with phpList, which I have been using for a long time. Simply put [USERTRACK] into the body of the email.