Viewing 15 replies - 1 through 15 (of 17 total)
  • +1 on this. I have programmers in there working and we use the admin email address for site emails. It’s not the most secure setup, but it’s unnerving to have the password visible – regardless of the email account we are using.

    +1 as well!
    I also see that the password is not stored in sql with an MD5 hash. What up with that?!

    Try to use a dedicated email address.

    Edit line 302 of file /wp-content/plugins/wp_mail_smtp/wp_mail_smtp.php:
    <td><input name="smtp_pass" type="password" id="smtp_pass" value="<?php print(get_option('smtp_pass')); ?>" size="40" class="code" /></td>

    For me too. As I am hosting a WordPress site together with two other people who are less digitally interested and rather trustworthy, I believe this row of stars would raise the security enough.

    The row of stars in Dutch law would make reading the password a ‘hack’.

    Is it stored in the database as plaintext too?? Editing the input field type to password is ok for obscuring it on the front end, but I wouldn’t want it in the DB in plaintext.

    And yes, I can confirm that it is stored as plaintext in the database. The Easy WP SMTP also has this security issue:
    http://wordpress.org/support/topic/pwd-stored-in-the-clear

    -PaulMighty

    Justin

    (@justinchriscook)

    Seems like the solution for those of us who’d like better security is to allow it to be stored in wp-config.php which is much less likely to be hacked than the DB. You could still allow lay-persons to store it in their DB in plain text for simplicity but it really is best to store it in wp-config.php with the other sensitive info like Database and FTP credentials.

    +9 to this. I am going to have to fork this because it's a deal breaker. I will wait a week and watch this thread for a reply.

    +1
    I agree
    Callum, you should hide the password. Thanks

    You can hide it by changing the following code in the PHP file (Editor manager):

    Edit line 302 of file /wp-content/plugins/wp_mail_smtp/wp_mail_smtp.php:
    <td><input name="smtp_pass" type="password" id="smtp_pass" value="<?php print(get_option('smtp_pass')); ?>" size="40" class="code" /></td>

    This answer was given 6 months ago.

    @davep99

    Yeah, but that just obscures it on the rendered input field (e.g. “•••••••”). The password is still in plaintext in the page source, leaving it readable to anybody with half a brain. Deleting print(get_option(‘smtp_pass’)) from the default value fixes this, although it does force you to input the password if editing the page, which might not be a bad solution.

    -PaulMighty

    The other issue occurs when sending a test email from the plugin’s admin config page. If the test fails, the password is again written in plaintext:

    ["Username"]=>
    string(17) "some-email@gmail.com"
    ["Password"]=>
    string(9) "mypasswordinplaintext"

    -PaulMighty

    +1 – completely agree

    Yea… this is the only negative with an otherwise very efficient plugin. +1
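
The fixes raised in the replies above, combined as an added example (not code from the thread or from the plugin): the settings field never echoes the stored password, a `wp-config.php` constant overrides the database value, and debug output is redacted. Keeping the old password when the field is submitted blank goes one step beyond the suggestion of deleting the default value. The constant name `WPMS_SMTP_PASS`, the function names and the sample values are assumptions; plain arrays stand in for WordPress options and `$_POST`, and `htmlspecialchars` stands in for `esc_attr`, so the file runs outside WordPress.

```php
<?php
// Added example; not the plugin's code. WPMS_SMTP_PASS and all function
// names are hypothetical. Arrays stand in for WordPress options / $_POST.

// A constant defined in wp-config.php takes precedence over the DB option.
function smtp_password(array $options): string {
    return defined('WPMS_SMTP_PASS')
        ? (string) constant('WPMS_SMTP_PASS')
        : (string) ($options['smtp_pass'] ?? '');
}

// Render the settings cell without echoing the stored secret into the HTML.
function render_password_field(array $options): string {
    if (defined('WPMS_SMTP_PASS')) {
        return '<td><em>Password is set in wp-config.php</em></td>';
    }
    $hint = smtp_password($options) !== '' ? 'Leave blank to keep current password' : '';
    return '<td><input name="smtp_pass" type="password" id="smtp_pass" value=""'
        . ' placeholder="' . htmlspecialchars($hint, ENT_QUOTES) . '"'
        . ' autocomplete="new-password" size="40" class="code" /></td>';
}

// Save handler: an empty submission leaves the stored password untouched.
function save_password(array $options, array $post): array {
    $submitted = (string) ($post['smtp_pass'] ?? '');
    if ($submitted !== '' && !defined('WPMS_SMTP_PASS')) {
        $options['smtp_pass'] = $submitted;
    }
    return $options;
}

// Mask credentials before any debug dump of the mailer state is displayed.
function redact_for_debug(array $mailer): array {
    if (($mailer['Password'] ?? '') !== '') {
        $mailer['Password'] = '[redacted]';
    }
    return $mailer;
}

// Constructed sample data.
$options = ['smtp_user' => 'some-email@example.com', 'smtp_pass' => 'constructed-secret'];
$html    = render_password_field($options);
$options = save_password($options, ['smtp_pass' => '']);   // blank: keep old value
$dump    = redact_for_debug(['Username' => $options['smtp_user'],
                             'Password' => smtp_password($options)]);

var_dump(strpos($html, 'constructed-secret') === false);   // secret absent from markup
var_dump($options['smtp_pass'] === 'constructed-secret');  // still stored after blank save
var_dump($dump);
```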

  • The topic ‘[Suggestion] Hide STMP password’ is closed to new replies.