Cannot remove SMTP username/password

@cag8f,

Not sure I would need time (sorry but I have no time) to test it.

Any way: those data is saved in your WordPress so if you have filled it, it will be shown if you login there.

>> those data is saved in your WordPress so if you have filled it, it will be shown if you login there.

I’m not sure what you mean by this. Are you saying the contents of those fields are stored within WordPress for this site, and will be auto-filled any time any user logs in to WordPress? If so, that is quite different from what you were indicating earlier.

• This reply was modified 7 years, 4 months ago by cag8f.

@cag8f,

Sorry but I have no much time to explain you.

I will try to do it:

• Data is saved in options table inside WordPress
• Some browsers also save this data in their auto fill forms
• This can be confusing but this is the way it works as many other forms into a WordPress dashboard
• Problem here is that username, password… are also used in other different forms so the problems starts here

As I will remove it soon, I won’t give much support about it.

I prefer to use my efforts in improve other things from the plugin.

>> As I will remove it soon, I won’t give much support about it.

I understand that, and that is fair. But currently it seems as if my personal Google credentials are available for any WordPress user to see. I’m just trying to be sure that when you ‘remove the feature,’ those credentials will also be removed.

>> Data is saved in options table inside WordPress

So when you ‘remove the feature’ from your plugin, will you also ensure the username/password combination stored in the options table is also removed? That is what I am concerned about. I can’t control who has access to this table in the future.

@cag8f,

You are misunderstanding:

• Noone can see your Google credentials stored if they log in… I cannot exlain exactly the way it works with no time. But no worries.
• All this data will be removed from option table

>> Noone can see your Google credentials stored if they log in…

Right. But if the data is in the database, people with admin access can see it, correct? In the future, I cannot control who has admin access to this database.

>> All this data will be removed from option table

This is re-assuring, thank you.

@cag8f,

All data stored in wp_options would be accesible for every WordPress administrator and for any who has an user in the database with the correct GRANT.

But this is the same here and in any other technology which use database.

Please help us with a little donation or a review… we cannot give good support if almost none help us.

>> All data stored in wp_options would be accesible for every WordPress administrator and for any who has an user in the database with the correct GRANT.
But this is the same here and in any other technology which use database.

Right O, I get all that. But in this case, is there any way for me to delete that information from the database, other than using a direct database edit tool (e.g phpmyadmin)?

@cag8f,

No, you would need to code some PHP script.

phpMyAdmin would be easier.

Gotcha.

I know you say you will remove the feature, and remove the info from the database. If you do that, indeed the issue will be moot. And I know I should be more careful with the data I enter into WordPress. But at the same time, it seems to me a little careless for your plugin to easily save sensitive data like this to the database via the WP back-end, but offer no method of expunging it from the database via the WP back-end. Maybe next time offer a mechanism in the WP back-end to remove that info easily from the database, just like Chrome offers a feature to delete form auto-fill data.

It’s just constructive criticism–I’m not sure how to say it without sounding mean or upset. And maybe I’m still misunderstanding something.

@cag8f,

This plugin do the same than any other plugin that manage SMTP credentials.

I think you don’t know how all this kind of issues works… if we encode it for example, we also need to include the key to encode… so it is easy to discover.

I don’t know how many plugins or systems have you developed but yes, this is the way to do it.

If you know something better, tell every plugin that save this kind of data in database and needs to send it later.

OK.

>> If you know something better, tell every plugin that save this kind of data in database and needs to send it later.

I’m not saying don’t save it to the database. I’m saying make it easier for us to delete it from the database. As it stands, I can save critical data just by pressing ‘Save’ in your plugin. But to remove it, I have to write PHP code, or dive into PHPMyAdmin.

I fully acquiesce though that this is a bit out of my area of expertise. If this is standard practice, then I guess it’s lesson learned on my end.

edit: I’m really not trying to argue with you, or antagonize you. I’m sorry if it’s coming across like that. I’m not sure how to discuss this without giving off that vibe.

• This reply was modified 7 years, 4 months ago by cag8f.

I have to check but if you deactivate from plugin, I guess it deletes it.

I am unable to edit the password at all. I have tried three different browsers, turned off auto fill and cleared the cache. How can I change the password if it is grayed out and not editable??

I found the answer here. I needed to edit the config file
https://wpforms.com/docs/how-to-set-up-smtp-using-the-wp-mail-smtp-plugin/

• This reply was modified 7 years ago by graphmaster.

@graphmaster,

Which password field are you referring to? In this plugin there is only one and it is deprecated, the one which exists in the SMTP Settings.

SMTP settings will be removed in next version.