MailWizz Security Hardening — Protecting Your Installation from Unauthorized Access

SEPTEMBER 2024 · MAILWIZZ TECHNICAL REFERENCE

A MailWizz installation manages large volumes of subscriber personal data and controls significant email sending infrastructure. Security hardening protects against unauthorized access, data breaches, and hijacking of the sending infrastructure for spam.

Restrict Backend Access by IP

# Nginx: Restrict /backend/ to specific IPs
location /backend/ {
    allow 203.0.113.0/24;  # Management IP range
    allow 10.0.0.0/8;       # Internal network
    deny all;
    
    try_files $uri $uri/ /index.php?$query_string;
}

SSL Enforcement

# Redirect all HTTP to HTTPS
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}

# Enable HSTS after verifying HTTPS works
add_header Strict-Transport-Security "max-age=31536000" always;

File Permissions

# Application files should not be writable by web server
chown -R root:www-data /var/www/mailwizz
chmod -R 750 /var/www/mailwizz

# Runtime directories must be writable
chmod -R 770 /var/www/mailwizz/apps/common/runtime
chmod -R 770 /var/www/mailwizz/apps/frontend/runtime

# Config files should not be world-readable
chmod 640 /var/www/mailwizz/apps/common/config/main.php

API Key Security

  • Generate separate API keys per integration — never share one key between applications
  • Assign minimum required permissions per key (read-only if write is not needed)
  • Rotate API keys periodically and immediately if a key may have been exposed
  • Monitor API key usage in MailWizz backend logs for unusual access patterns

Protecting the Tracking and Subscription Endpoints

MailWizz's public-facing endpoints (subscription forms, tracking pixel, click redirects, unsubscribe URLs) are intentionally accessible without authentication. Protect against abuse with rate limiting at the web server level.

# Nginx rate limiting for subscription endpoints
limit_req_zone $binary_remote_addr zone=subscriptions:10m rate=5r/m;

location ~* /(lists|frontend)/.*subscribe {
    limit_req zone=subscriptions burst=10 nodelay;
}

The most common MailWizz security incident is not a vulnerability in MailWizz itself — it is weak admin credentials combined with the backend login page being accessible from the internet. At minimum, require strong passwords (15+ characters) and restrict the /backend/ URL to known management IPs.

Troubleshooting Common Issues

Production MailWizz deployments encounter predictable issues at predictable stages. Understanding the diagnostic workflow for the most common problems in this configuration area saves time and prevents the escalating complexity that comes from applying fixes to a misdiagnosed problem. The diagnostic approach is always the same: identify the symptom precisely (not just "it's not working"), isolate the layer where the failure occurs (MailWizz application, delivery server connection, DNS, ISP rejection), and fix at the correct layer.

Systematic Diagnosis Approach

Check MailWizz logs first (available in Backend → Misc → Application Logs), then check the delivery server SMTP logs, then check the PowerMTA accounting log. Most issues surface in one of these three places. A problem that does not appear in any of these logs is almost always a configuration issue — the system is not attempting what you expect it to attempt.

# MailWizz diagnostic log locations:
# Application logs: Backend → Misc → Application Logs
# Delivery logs: Backend → Campaigns → [Campaign] → Delivery Logs
# Bounce logs: Backend → Bounce Servers → [Server] → Logs

# Server-side logs:
# MailWizz application: /path/to/mailwizz/apps/common/runtime/application.log
# PowerMTA delivery: /var/log/pmta/pmta.log
# PowerMTA accounting: /var/log/pmta/accounting.csv

Performance Optimization for Production Scale

MailWizz performance at scale depends on three infrastructure layers: the web application server (PHP/nginx or Apache), the database (MySQL — query optimization is critical at high subscriber counts), and the delivery infrastructure (PowerMTA connection pool sizing). Performance problems in any of these layers manifest as slow campaign sends, delayed processing, or timeouts that appear unrelated to the specific configuration area being managed.

The most common performance constraint in production MailWizz environments is MySQL query efficiency. As subscriber lists grow beyond 500,000 records, unoptimized database queries for segmentation, bounce processing configuration, and campaign statistics become significant bottlenecks. Ensure that subscriber tables have appropriate indexes on email, status, date_added, and any custom field columns used for segmentation.

# MySQL optimization for large MailWizz installations
# Check slow query log:
SHOW VARIABLES LIKE 'slow_query_log%';
SET GLOBAL slow_query_log = 'ON';
SET GLOBAL long_query_time = 1;  # Log queries over 1 second

# Key indexes to verify exist:
SHOW INDEX FROM mailwizz_lists_subscribers;
# Should have indexes on: email, status, date_added, list_id

# Add missing index if needed:
ALTER TABLE mailwizz_lists_subscribers 
  ADD INDEX idx_email_status (email, status);
  
# Campaign sends table — index on campaign_id + subscriber_id:
ALTER TABLE mailwizz_campaigns_tracking_opens
  ADD INDEX idx_campaign_sub (campaign_id, subscriber_id);

Security Considerations

MailWizz installations handling production sending volumes are valuable targets. Key security practices: use HTTPS for all MailWizz access (including tracking and unsubscribe links), restrict Backend access to authorized IP ranges via web server configuration, rotate API keys periodically and revoke unused keys, maintain regular database backups (automated, offsite), and ensure PHP and MailWizz are kept current with security patches.

The tracking domain (used for open and click tracking) requires special attention: it must have a valid SSL certificate (Let's Encrypt is acceptable), and its DNS records must point exclusively to your MailWizz server. A compromised tracking domain can redirect recipients to malicious sites or reveal subscriber click data to third parties.

Campaign Analytics Integration

Track this MailWizz configuration area through two complementary metric layers: MailWizz campaign statistics (open rate, click rate, bounce rate, unsubscribe rate) and PowerMTA accounting log data (ISP-specific deferral rate, bounce classification, queue depth). Gaps between the two layers reveal delivery problems invisible to MailWizz statistics alone — high MailWizz "sent" counts with elevated PowerMTA deferral rates indicate a queue buildup that campaign dashboards don't surface.

Review campaign metrics against your own historical baselines rather than industry benchmarks. Your list composition, acquisition source, and engagement history define what normal looks like for your environment. Use rolling 7-day and 30-day averages to distinguish trend changes from campaign-specific variance.

Implementation Checklist

Before deploying this configuration to production MailWizz, verify: delivery server connection test passes in Backend → Servers → Delivery Servers, cron jobs are running on the correct schedule, bounce server mailbox is accessible and IMAP credentials are valid, tracking domain has valid SSL and loads within 500ms, and PHP memory limit is set to at least 256MB.

After deploying, send a test campaign to a controlled list of seed addresses across Gmail, Outlook, and Yahoo. Verify Authentication-Results headers show dkim=pass and spf=pass in the received messages. Check that open and click tracking are registering correctly in MailWizz statistics. Confirm bounce processing is updating subscriber status within 15 minutes of a test bounce event.

For managed MailWizz environments operated by Cloud Server for Email, these verification steps are performed automatically after any configuration change. The managed service includes continuous monitoring of delivery server health, cron job execution, and tracking domain availability. Contact infrastructure@cloudserverforemail.com for information about managed MailWizz hosting.

MailWizz Security Hardening

Security checklist: restrict Backend access to authorized IP ranges in Nginx/Apache configuration; configure API keys with IP whitelist restriction where possible; disable PHP display_errors in production; keep MailWizz and all extensions current with security patches; use HTTPS for all MailWizz access including tracking and API endpoints.

File Upload Security

MailWizz validates file uploads by type and size. Verify that uploaded files are stored outside the web root or in a directory configured with deny-execute permissions. An improperly configured upload directory that allows web execution of uploaded files is a critical security vulnerability. Test by attempting to upload a PHP file — MailWizz should reject it; the webserver should also deny execution even if somehow uploaded.

Need managed MailWizz infrastructure? We operate fully managed MailWizz and PowerMTA environments for high-volume senders.