Support » Plugin: WP Mail SMTP by WPForms » Plugin is good but API Key is visible on setting

  • I tested it with sendgrid and the API KEY is visible on the setting page after saving it.
    I do not recommend to use this plugin at this moment because of this.
    The API KEY should be stored encrypted and not being able to read, nor in the dashboard or the database.

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Slava Abakumov

    (@slaffik)

    @darkpollo, your review is a bit unfair.

    API key can’t be stored encrypted, because it needs to be sent to the 3rd party service (SendGrid or Mailgun) in clear text. Reversible encryption is useless for open-source software.
    Also, that API key can’t be used outside of your site, as it is tightly connected to your domain, when you retrieve the API key and set up the email sending using those services.

    So it’s ok to store it in plain-text because:
    1) it can be used only when emails are sent from your domain with proper MX/etc records;
    2) it must be sent in plain-text to a 3rd party API.

    I do not think you could be serious with this.
    Are you telling me that there is not way to encrypt and hide the key on the dashboard and database?
    I know that anyone checking the code and the database will be able to decrypt it, but from that to show it on plain text on the admin there are a lot of options.

    It is not OK at all, and if you check the sendgrid plugin, you will see that they at least do not show it on the dashboard to everyone to see.

    PD: a review is not fair or unfair. I value my keys a lot, so my review is fair for me. You do not value them, so that is the reason you think is unfair. I am sorry but I am not changing this review, because with the Key issue I cannot recommend this to anyone, so the 1 star is what it deserves (imho)

    • This reply was modified 1 year, 12 months ago by darkpollo.
    • This reply was modified 1 year, 12 months ago by darkpollo.
Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Plugin is good but API Key is visible on setting’ is closed to new replies.