Support » Plugin: WP Mail SMTP by WPForms » Password stored in plain text

  • This is crazy, the password in the database is stored in plain text.

    Even if you add the password in wp-config (not a good solution, by the way), it will store the password as plain text in the options table, wp_mail_smtp field.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Roy

    (@lev0)

    Then use a service that uses voidable tokens for passwords.

    How exactly would email get sent if WordPress couldn’t access the password? You can’t store an encrypted password that needs to be used in its plain text form unless you also store a decryption key, which defeats the purpose.

    Plugin Support Jess Quig

    (@jquigam)

    Hi lightseeker19772,

    I apologize for my delayed response here!

    When using the wp-config method, please be sure to not add your password to the plugin settings (in WordPress under WP Mail SMTP > Settings). If you already did this, you can adjust it by temporarily removing your password code from wp-config.php, which will enable this password field again so you can delete the value there.

    This being said, we definitely recommend that you consider a more secure mailer. The “Other SMTP” mailer you’re describing here is the least secure option, exactly because of this password issue. If you use any of the other mailers, none of these will require adding your email logins to WordPress. Instead, they all operate over APIs.

    In case it helps, here are tutorials for the other mailer options available with our free version:

    Mailgun
    SendGrid
    Gmail

    I hope this helps! I also hope you’ll consider revising your review.

    And if you have any questions, please know we offer limited complimentary support over in our WordPress.org support forum. Thanks!

    Plugin Support Jess Quig

    (@jquigam)

    Quick update to my response above 🙂

    For WP Mail SMTP version 1.5 and newer, the plugin will actually remove the password value from the database for you when you use the wp-config method.

    All you have to do is:
    1) Add the line of code to your site’s wp-config.php file.
    2) Save the WP Mail SMTP settings.

    When you click that Save button in the WP Mail SMTP settings, your password value will be removed from the database (no extra steps needed).

    So while I’d still recommend using one of the API-based mailer options whenever possible, as they don’t require entering a password in the site at all, this does at least provide a way to get the password completely out of the site’s admin area (and database) when using the Other SMTP mailer.
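
One way to confirm the outcome of the two steps above is to export the raw value of the wp_mail_smtp option from the options table and check whether it still carries a non-empty password; this is an added example, not part of the thread and not the plugin's own code. It assumes the value is a PHP-serialized array (the format WordPress uses for array options) and that the secret sits under a key named pass or password; the sample values and the mail/smtp layout are constructed, and the decoder handles only arrays, strings, integers, booleans, floats and null.

```python
def _parse(buf, i):
    """Decode one PHP-serialized value at offset i; return (value, next_offset)."""
    tag = buf[i:i + 1]
    if tag == b"N":                               # N;
        return None, i + 2
    if tag in (b"i", b"b", b"d"):                 # i:587;  b:1;  d:0.5;
        end = buf.index(b";", i)
        num = float(buf[i + 2:end]) if tag == b"d" else int(buf[i + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"s":                               # s:<byte length>:"...";
        colon = buf.index(b":", i + 2)
        start = colon + 2
        stop = start + int(buf[i + 2:colon])
        if buf[stop:stop + 2] != b'";':
            raise ValueError(f"bad string length at offset {i}")
        return buf[start:stop].decode("utf-8", "replace"), stop + 2
    if tag == b"a":                               # a:<count>:{key value ...}
        colon = buf.index(b":", i + 2)
        count, i, out = int(buf[i + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, i = _parse(buf, i)
            out[key], i = _parse(buf, i)
        if buf[i:i + 1] != b"}":
            raise ValueError(f"unterminated array at offset {i}")
        return out, i + 1
    raise ValueError(f"unsupported type {tag!r} at offset {i}")

def stored_secrets(option_value, names=("pass", "password")):
    """Return dotted paths of non-empty values stored under a key in `names`."""
    data, end = _parse(option_value, 0)
    if end != len(option_value):
        raise ValueError("trailing bytes after serialized value")
    hits = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                here = path + [str(key)]
                if key in names and val not in ("", None, False):
                    hits.append(".".join(here))
                walk(val, here)
    walk(data, [])
    return hits

# Constructed sample values; the mail/smtp layout and key names are assumptions.
BEFORE = (b'a:2:{s:4:"mail";a:1:{s:6:"mailer";s:4:"smtp";}s:4:"smtp";a:4:{'
          b's:4:"host";s:16:"smtp.example.com";s:4:"port";i:587;'
          b's:4:"user";s:18:"mailer@example.com";s:4:"pass";s:14:"EXAMPLE-secret";}}')
AFTER = BEFORE.replace(b's:14:"EXAMPLE-secret"', b's:0:""')
print(stored_secrets(BEFORE), stored_secrets(AFTER))
```

An empty list for the value exported after saving the settings means no password remains in that option; database backups taken before the change still hold the old value.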
