Title: Shocking security vulnerability
Last modified: August 22, 2016

---

# Shocking security vulnerability

 *  [guylevi](https://wordpress.org/support/users/guylevi/)
 * (@guylevi)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/)
 * Hi
 * I am shocked, to say the least, that the password field that you enter your SMTP
   information in is not encrypted and is of a simple text field type.
 * If someone hacks my WordPress site and gets into the dashboard they can easily
   see what my SMTP login credentials are.
 * I work with freelancers and subcontractors so this is not ideal. Other than that
   I love the plugin.
 * Can you provide instructions on what file I need to edit to change the text field
   from a simple text field to a password text field?
 * This is quite alarming you didn’t think to do this. I don’t want anyone but me
   knowing my SendGrid SMTP login details.
 * [https://wordpress.org/plugins/wp-mail-smtp/](https://wordpress.org/plugins/wp-mail-smtp/)

Viewing 12 replies - 1 through 12 (of 12 total)

 *  [homerecords](https://wordpress.org/support/users/homerecords/)
 * (@homerecords)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5679666)
 * Holy Moly!!! Thanks for the warning mate!
 * I was just checking a friend’s blog …
 *  Thread Starter [guylevi](https://wordpress.org/support/users/guylevi/)
 * (@guylevi)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5679672)
 * How do we fix this? It’s a simple case of changing the HTML field type but I
   don’t know what file to amend?
 * What is the plugin developer thinking!!!!!!
 *  [trex005](https://wordpress.org/support/users/trex005/)
 * (@trex005)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5679714)
 * Changing it to a password field is not going to stop anyone who is able to hack
   into your server. Thinking this is any help is misguided.
 * However, if you insist, the file to change is:
   `wp_mail_smtp.php`, line 305
 *  Thread Starter [guylevi](https://wordpress.org/support/users/guylevi/)
 * (@guylevi)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5679819)
 * haha trex i didn’t say that!!!
 * It stops freelancers and fellow co workers who are helping on a site build from
   seeing my password.
 * Listen pal, it’s basics. If you’re going to have a password you use a password field
   for it. Don’t be clever for no reason; we both know it’s good coding practice and
   should be fixed and updated in the next version.
 * Can you actually think of a sensible reason why it shouldn’t be a password field?
 * Thanks for the help btw
 *  Thread Starter [guylevi](https://wordpress.org/support/users/guylevi/)
 * (@guylevi)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5679820)
 * We all know nothing is foolproof, but the name of the game is making it as difficult
   as possible, not a “hey folks, you can’t stop the hackers, let’s just stop attempting
   to prevent it” attitude.
 *  [trex005](https://wordpress.org/support/users/trex005/)
 * (@trex005)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5679881)
 * Reasons for plain text:
    - Easier to verify data accuracy. (Can be helpful when having sending errors)
    - Disposable sending account and you lost/forgot the password. (Bad reason, 
      but one nonetheless)
 * Certainly you want to make it harder to crack, I’m just stating that making it
   a password field doesn’t really do that for any remotely savvy attacker. To make
   it (slightly) harder you need to either send an encrypted version (or hashed)
   to the config page, or a default value. Then on save check to see if that value
   is altered, and only if it is, update the password.
 * This clearly won’t protect you from someone who gets access to your database,
   but it is a good first step. To protect the database, you could encrypt with 
   a seed, but if the attacker was able to find the seed, you’re still out of luck.
 *  [mikakaltoft](https://wordpress.org/support/users/mikakaltoft/)
 * (@mikakaltoft)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5679986)
 * Hi,
 * I totally agree!!
 * 1) The password input should permanently be changed to `type="password"`
 * 2) The password should be encrypted so it is not exposed in the database!
 * Sincerely,
    Mika
 *  [Endymion00](https://wordpress.org/support/users/endymion00/)
 * (@endymion00)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5679989)
 * Even after changing the input to password on line 305, I could still see the
   password if I used Inspect Element on the input, in the Value. So I ended up removing
   the PHP outputting of the password as well, with a note to enter it each time
   when making changes. Like so:

   ```html
   <td><input name="smtp_pass" type="password" id="smtp_pass" value="" size="40" class="code" /> Enter Password For Every Change</td>
   ```
   
 * Here’s hoping the developer encrypts it in the database and stops displaying 
   it on the page.
 *  [Jason Hendriks](https://wordpress.org/support/users/jasonhendriks/)
 * (@jasonhendriks)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5679990)
 * The SMTP protocol requires that your password be sent in plaintext (or base-encoded).
   If the plugin was to one-way hash the password, it would not be readable to submit
   to the SMTP server. If the plugin was to encrypt or encode the password, anyone
   could look through the source code of the plugin to get the decryption method.
 * If you are that concerned about password security, use OAuth 2.0 instead.
 *  [Endymion00](https://wordpress.org/support/users/endymion00/)
 * (@endymion00)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5679991)
 * I’m more concerned about it being exposed in the admin. Maybe just don’t fill in
   the password and have the system assume that the password hasn’t changed if the
   field is blank, and only update the password if a new one is typed in.
 *  [Jason Hendriks](https://wordpress.org/support/users/jasonhendriks/)
 * (@jasonhendriks)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5680006)
 * But the password is still saved in the database. And if the plugin can get it,
   and decrypt it, anyone can get it, and decrypt it.
 * _You’re trying to get a car to fly when you should be using an airplane._
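An added example, not the plugin's code and not from any poster here, covering trex005's "encrypt with a seed" suggestion and Jason Hendriks's rebuttal above. The key lives in a `wp-config.php` constant rather than in the database or the plugin source, so a database-only exposure (a SQL injection, a leaked backup or dump) yields ciphertext only; the thread's caveat still holds, since anyone with both the files and the database can decrypt exactly as the plugin does. The constant name, function names and the `SODIUM_*` usage assume PHP 7.2+ with the bundled Sodium extension.

```php
<?php
/*
 * Added example (not WP Mail SMTP code): authenticated encryption of the stored
 * SMTP password with a key kept outside the database. EXAMPLE_SMTP_KEY and the
 * function names are hypothetical.
 *
 * In wp-config.php (constructed example; generate your own value with
 * bin2hex(sodium_crypto_secretbox_keygen()) and never store it in the database):
 *
 *   define( 'EXAMPLE_SMTP_KEY', '<64 hex characters = 32 bytes>' );
 */

function example_smtp_key() {
    if ( ! defined( 'EXAMPLE_SMTP_KEY' ) ) {
        throw new RuntimeException( 'EXAMPLE_SMTP_KEY is not defined in wp-config.php' );
    }
    $key = @hex2bin( EXAMPLE_SMTP_KEY );
    if ( $key === false || strlen( $key ) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES ) {
        throw new RuntimeException( 'EXAMPLE_SMTP_KEY must be 32 bytes, hex encoded' );
    }
    return $key;
}

// Encrypt for storage: fresh random nonce + authenticated ciphertext, base64 so
// it fits the options table like any other string.
function example_smtp_encrypt( $plaintext ) {
    $nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = sodium_crypto_secretbox( $plaintext, $nonce, example_smtp_key() );
    return base64_encode( $nonce . $box );
}

// Decrypt only at send time, right before the value goes to the SMTP client.
// Returns null if the blob is malformed, was tampered with, or the key changed,
// so a bad record fails closed instead of sending garbage to the mail server.
function example_smtp_decrypt( $stored ) {
    $raw = base64_decode( $stored, true );
    if ( $raw === false || strlen( $raw ) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ) {
        return null;
    }
    $nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $box   = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
    $plain = sodium_crypto_secretbox_open( $box, $nonce, example_smtp_key() );
    return $plain === false ? null : $plain;
}

// Usage at save time and at send time (option name assumed):
//   update_option( 'example_smtp_pass_enc', example_smtp_encrypt( $new_password ) );
//   $password = example_smtp_decrypt( get_option( 'example_smtp_pass_enc', '' ) );
```

This does not make the SMTP password unrecoverable, which the thread correctly notes is impossible for a credential the plugin must present in cleartext; it narrows who can recover it from "anyone who can read the `wp_options` table" to "anyone who can read both the table and `wp-config.php`", and a file-level compromise of the site still gives both.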
 *  [Jason Hendriks](https://wordpress.org/support/users/jasonhendriks/)
 * (@jasonhendriks)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/shocking-security-vunerability/#post-5680007)
 * [http://blog.varonis.com/giving-away-your-passwords/](http://blog.varonis.com/giving-away-your-passwords/)


The topic ‘Shocking security vulnerability’ is closed to new replies.
