SMTP Plugin and Getting Alerts for Events Opted Out Of (support topic, Plugin: Sucuri Security - Auditing, Malware Scanner and Security Hardening)

  • Resolved howardmat

    (@howardmat)


    Hi, I’m currently using the Postman SMTP plugin which conflicts with Sucuri. I get a message saying “You have installed a plugin or theme that is not fully compatible with our plugin, some of the security alerts (like the successful and failed logins) will not be sent to you. To prevent an infinite loop while detecting these changes in the website and sending the email alerts via a custom SMTP plugin, we have decided to stop any attempt to send the emails to prevent fatal errors.” on the Settings > Alerts > Security Alerts page.

    I was able to resolve the infinite loop problem by disabling the “Postman Sent Mail” Post-Type Alert.

    I still see the error but I’m assuming it’s not a problem because I still get email notifications from Sucuri. The problem I’m facing now is that I’m getting emails for events that I’ve opted out of. For example, I currently have “Receive email alerts for failed login attempts including the submitted password” unchecked, but I still receive an email for every failed login attempt. How can I fix this?


Viewing 13 replies - 1 through 13 (of 13 total)
  • The message should only be visible if the Postman SMTP plugin is active. You can see the code that is making the message visible here [1]; notice how the built-in WordPress function “is_plugin_active” is used to determine if the plugin is still running or not.

    Regarding the alerts that you are still receiving, notice that there are two options to control the notifications for the failed logins, you can see them below. The first option is the one that controls the alerts, if you disable that one it will automatically assume that you have disabled the second one, however, if you only disable the second one the plugin will only stop appending the password used in the login attempt into the message, but will continue sending you the failed login alerts. Please uncheck both options.

    • Receive email alerts for failed login attempts (you may receive tons of emails)
    • Receive email alerts for failed login attempts including the submitted password

    Marking as resolved, feel free to re-open if you need more information.

    [1] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/settings-alerts.php#L407-L424

    Thread Starter howardmat

    (@howardmat)

    I’m currently using version 1.8.8 and I don’t see both options. In the previous version, both options you describe were definitely there. The only option I see related to failed logins now is “Receive email alerts for failed login attempts including the submitted password” which is unchecked. I should also note that the email I’m receiving does indeed have the password included.

    Regarding the SMTP plugin, is it just the Postman SMTP plugin that causes problems with Sucuri? Is there a different SMTP plugin you’d recommend?

    Thread Starter howardmat

    (@howardmat)

    My apologies, I just checked again and the emails I’m getting don’t contain the password. But I still do not see the “Receive email alerts for failed login attempts (you may receive tons of emails)” option.

    Please send a screenshot of the whole “Security Alerts” panel to [removed] (email removed to avoid spam) and upload a copy of this file [1] into this website [2] so I can verify if the version of the code that you have is corrupt or not. You will probably need to reinstall the plugin in that case because the option really exists as you can see here [3].

    [1] /wp-content/plugins/sucuri-scanner/src/settings-alerts.php
    [2] https://pastebin.com/
    [3] https://github.com/Sucuri/sucuri-wordpress-plugin/blob/13de2f4/src/settings-alerts.php#L387-L388

    Thread Starter howardmat

    (@howardmat)

    Thanks for your response. My apologies for the confusion, when I disabled the Postman SMTP plugin, I was able to see the “Receive email alerts for failed login attempts (you may receive tons of emails)” option. Thank you for your help with this.

    My only remaining question is what SMTP plugin should I use to avoid conflicts with Sucuri?

    […] what SMTP plugin should I use to avoid conflicts with Sucuri?

    I don’t know what features the Postman SMTP offers that the other SMTP plugins cannot do. So far, people have only reported problems with Postman SMTP so I guess you could use any of the other plugins available here [1] but I haven’t tested any of them yet.

    The incompatibility between the Sucuri plugin and Postman SMTP only affects the notifications for the successful and failed logins. It was originally affecting the notifications for changes in the posts/pages but I applied this patch [2] to fix that problem. If you want you can keep using that plugin, I will try to fix the incompatibility in a future version of the Sucuri plugin.

    Marking as resolved, feel free to re-open if you need more information.

    [1] https://wordpress.org/plugins/search/smtp/
    [2] https://github.com/Sucuri/sucuri-wordpress-plugin/commit/350c074

    Thread Starter howardmat

    (@howardmat)

    Good to know it’s only the Postman plugin that has been reported to you so far. I’ll try one of the other popular SMTP plugins.

    Thanks for all your help!

    For what it’s worth, we did extensive testing of multiple SMTP plugins and chose Postman SMTP for reliability and e-mail encoding. All SMTP plugins are not the same, so do your testing before choosing one. Changing to another SMTP plugin was not an option for us.

    Thanks to this thread figured it out.

    Sucuri – you shouldn’t be hiding those options if they’re enabled.

    Check if Postman is active, but also check if those options are enabled before determining to set them non-visible. Otherwise, we have no (easy) way to see they’re enabled and disable them. We’ve been trying (lazily) to figure out WTH we were still getting login notifications across a dozen sites we just installed Sucuri on last week in spite of disabling ALL the notifications we could see.

    FYI, we too find Postman SMTP _by far_ the best SMTP/API email plugin out there. It supports a lot of things the others don’t (AWS SES, APIs) and has been priceless in debugging email issues (logging).

    @deeveedee@jb510 — thank you for your comment. I didn’t know how popular Postman SMTP was, but I guess I should send them a message and see if there is a way to fix this incompatibility, which I cannot fix alone in our code, they have to modify some things in their plugin as well in order to have a real solution. I will read their code to have a better understanding of why and how they are creating those temporary objects in the posts table, which is what is creating the infinite loop with the Sucuri plugin.
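The feedback loop described in this thread (an alert e-mail causes the mail plugin to store a record in the posts table, which is itself reported as a new post and triggers another alert), as an added example that is not part of the original thread and is not Sucuri's or Postman SMTP's code. It is a plain-PHP simulation (PHP 8+): the `Site` class, the `sent_mail_log` post type and the event cap are hypothetical names chosen for illustration. It compares the unmitigated loop with ignoring the mail-log post type and with a re-entrancy guard.

```php
<?php
// Simulation only: none of these names are Sucuri or Postman SMTP APIs.
const MAX_EVENTS = 25;                 // safety cap so the unguarded run terminates
const MAIL_LOG_TYPE = 'sent_mail_log'; // hypothetical post type written by the mail logger

final class Site
{
    public int $mailsSent = 0;
    public bool $capHit = false;
    private int $events = 0;
    private bool $sendingAlert = false;

    public function __construct(
        private array $ignoredPostTypes = [],
        private bool $reentrancyGuard = false
    ) {}

    // The security plugin's hook: runs whenever any post is created.
    public function onPostCreated(string $postType): void
    {
        if (++$this->events > MAX_EVENTS) { $this->capHit = true; return; }
        if (in_array($postType, $this->ignoredPostTypes, true)) { return; }
        if ($this->reentrancyGuard && $this->sendingAlert) { return; }

        $this->sendingAlert = true;
        try {
            $this->sendMail("Post created: $postType");
        } finally {
            $this->sendingAlert = false; // always release, even if sending fails
        }
    }

    // The SMTP plugin: delivers the message, then logs it as a post.
    private function sendMail(string $subject): void
    {
        $this->mailsSent++;
        $this->onPostCreated(MAIL_LOG_TYPE); // the log record re-enters the hook
    }
}

function run(Site $site): string
{
    $site->onPostCreated('page'); // one real content change
    return sprintf('%d mail(s), runaway=%s', $site->mailsSent, $site->capHit ? 'yes' : 'no');
}

echo 'no mitigation:     ', run(new Site()), PHP_EOL;
echo 'post type ignored: ', run(new Site([MAIL_LOG_TYPE])), PHP_EOL;
echo 'reentrancy guard:  ', run(new Site([], true)), PHP_EOL;
```

Ignoring the mail-log post type corresponds to the workaround the thread starter applied by disabling the “Postman Sent Mail” post-type alert. The guard also suppresses alerts for any other post created while an alert is being sent, which is the trade-off of that approach.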

    @yorman – well 100k active installs isn’t chump change 😉 It’s much more useful than the one Syed’s team just bought. Theirs is great if all you need is basic SMTP setup, but lacks the advanced features of Postman SMTP. Supposedly they’ll be adding features, we’ll see…

    I get there are incompatibilities with Postman SMTP, but just wanted to reiterate the issue here isn’t the incompatibility, it’s that Sucuri is _hiding options_ without taking into account if they’re checked or not. So if they are/were checked by default we have no way to uncheck them…

    As a user we look at that alert form and see _everything_ as unchecked and ask “WTH are we still getting notifications?”. That’s bad UX.

    All you’d need to do in the interim is to show those options if they are active, regardless of whether PostMan SMTP is installed. Only hide them (which seems unnecessary to me, but OK) if Postman SMTP is active _and_ the options are set to false.

    @jb510 — I don’t believe in those numbers.

    Take a look at Sucuri’s stats [1] it says +300,000 active installations but every time a new version is released only +25,000 downloads are reported for 1-2 days and then it goes down again to the average 3,000 downloads per day. If there really were +300,000 active installs, we would see the same amount of downloads either the same day a new version is released or across the week after that release. I don’t know where WordPress gets those numbers from, but they are certainly NOT accurate. In comparison, Postman SMTP has an average of downloads of 500 per day [2].

    What I will do for now is to automatically disable those two options when the Postman SMTP plugin is active, I will remove the hidden status and include a message explaining why they cannot be enabled. Hopefully this will get a real fix in the future. Thank you for the suggestion.

    [1] https://wordpress.org/plugins/sucuri-scanner/advanced/
    [2] https://wordpress.org/plugins/postman-smtp/advanced/

    Sounds good.

  • The topic ‘SMTP Plugin and Getting Alerts for Events Opted Out Of’ is closed to new replies.