• Resolved Brian P

    (@bburgay)


    Hi,

    After going through a DB export I noticed the wp_mail_smtp option stores our WP Admin username and password in plain text. This is in the serialized array with autotls, host, port, encryption, user, pass, and auth.

    I am using the Gmail API method so I don’t see why this needs to be saved in the database and why it’s saved in plain text. This is a major security concern as anyone who grabs a db export has the admin login right there.

    Please advise.

    Thanks,
    Brian

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Slava Abakumov

    (@slaffik)

    Hi

    Gmail API does NOT store any email login/password at all. Only tokens.
    You can see SMTP login and password if you previously saved them there. To remove that – just clear those values inside the “Other SMTP” mailer options, switch to Gmail mailer and click Save. After that “Other SMTP” will save data without login/pass for SMTP connection, and Gmail API will be used to send emails.

    Plain password for “Other SMTP” mailer is needed to be able to connect to SMTP server. There is no other way around, as data should be sent to that server in plain text. We have a comment right under the SMTP Password field with a recommendation to use a constant in your wp-config.php file, so it won’t be stored in DB.

    Thread Starter Brian P

    (@bburgay)

    Hi Slava,

    What concerns me is that these are new sites I’m looking at where I never entered any Other SMTP info. I set these up with the Gmail API initially, so I don’t understand why this info was saved here in the first place. Maybe a bug in an older version?

    Thanks for the info and I will clear them out manually.

    -Brian
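
The check discussed in this thread, as an added example that is not part of the original posts or the plugin's code: a small Python parser for the PHP-serialized `wp_mail_smtp` option value from a DB export that reports whether a non-empty `pass` field is still stored, for instance after clearing the "Other SMTP" fields. The field names come from the thread; the nested `mail`/`smtp` layout, the function names and the sample value are assumptions constructed for illustration.

```python
# Added example (not plugin code): audit a wp_mail_smtp option value from a DB export.
SECRET_KEYS = {"pass"}  # field the thread reports as stored in plain text

def parse_php(buf, pos=0):
    """Parse one PHP-serialized value at buf[pos:]; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"i", b"b", b"d"):                     # i:465;  b:1;  d:0.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        return (float(raw) if tag == b"d" else int(raw)), end + 1
    if tag == b"s":                                   # s:<byte length>:"...";
        colon = buf.index(b":", pos + 2)
        size, start = int(buf[pos + 2:colon]), colon + 2
        return buf[start:start + size].decode("utf-8", "replace"), start + size + 2
    if tag == b"a":                                   # a:<count>:{key value ...}
        colon = buf.index(b":", pos + 2)
        count, pos, out = int(buf[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = parse_php(buf, pos)
            out[key], pos = parse_php(buf, pos)
        return out, pos + 1                           # step over the closing }
    raise ValueError(f"unsupported type {tag!r} at offset {pos}")

def stored_secrets(value, path=()):
    """Return dotted paths of non-empty secret fields, searching nested arrays."""
    hits = []
    for key, item in value.items():
        here = path + (str(key),)
        if isinstance(item, dict):
            hits += stored_secrets(item, here)
        elif key in SECRET_KEYS and item not in ("", None):
            hits.append(".".join(here))
    return hits

def audit_option(serialized):
    """Parse the option_value text and list where a password is still stored."""
    value, _ = parse_php(serialized.encode("utf-8"))
    return stored_secrets(value) if isinstance(value, dict) else []

# Constructed sample value; host, user and password are made up.
SAMPLE = ('a:2:{s:4:"mail";a:1:{s:6:"mailer";s:5:"gmail";}s:4:"smtp";a:7:{'
          's:7:"autotls";b:1;s:4:"host";s:16:"smtp.example.com";s:4:"port";i:465;'
          's:10:"encryption";s:3:"ssl";s:4:"user";s:5:"admin";'
          's:4:"pass";s:12:"not-a-secret";s:4:"auth";b:1;}}')

if __name__ == "__main__":
    print(audit_option(SAMPLE))
```

An empty list means no password value remains in the option; string lengths are counted in bytes, as PHP's serializer does.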

  • The topic ‘Password Stored in Plain Text in wp_options’ is closed to new replies.