• Hi,

    When using environment variables or setting the SMTP_* credentials in wp-config.php, the values are displayed, albeit greyed out, in the WordPress Simple SMTP settings page of WP Admin.

    Would it be possible to mask or simply not display any credentials/settings in WP Admin? The reason for setting the credentials as environment variables is to add extra security. These values should not be displayed (or maybe have an option to display values or not).

    Kind regards,

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Casey

    (@soupbowl)

    I’ve put this on the enhancement lists on GitHub (#147).

    FYI, the password field is not displayed, so while an admin can see some details they do not have the complete set.

    Curious as to what condition a user has administrative access but them seeing the SMTP server is a concern?

    • This reply was modified 1 year, 2 months ago by Casey.
    Thread Starter pablor21

    (@pablor21)

    Hi Casey,

    Thank you for adding this as an enhancement request.

    I would like to clarify that at no time does your plugin show the password. It is just the fact that all the other details (username, server, port, etc.) are disclosed. So, if choosing to use environment variables to try to hide these values, it would be better that they are not displayed.

    A user with admin access should not necessarily have total access. It would be possible to set up roles and responsibilities and prevent access to the WP Simple SMTP setting page but I feel that would be unnecessary if the options were offered.

    Someone who has access as an “admin” in WordPress does not (or should not) necessarily have admin access to the whole server. Therefore, if some secrets should be stored as environment variables (outside of document root – and with WP plugin install disabled!) then there is no need for a WP admin to know/have access to the settings. Of course, that would be different if you want to store the credentials in the database.

    You can have a WordPress Admin, who is not a server admin, with different access and responsibilities is what I am trying to say.

    Kind regards,

    Thread Starter pablor21

    (@pablor21)

    Sorry, also wanted to add that in the event of any SQL injection or new account creation attack, any other credentials should be protected as much as possible.

    So, the situation should cover not necessarily a trusted admin, but a falsely created account, an admin leaving the company etc…

    Your main e-mail communication channel should be quite important to keep secure.

    Thank you again for considering this.

    Kind regards,

  • The topic ‘Variable Values are Displayed (Greyed Out) in WP Admin Settings Page’ is closed to new replies.
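
One way a settings page could honour the request in this thread, as an added example that is not part of the thread and not the plugin's own code: values supplied by a constant or environment variable are never written into the HTML, only a note saying where they are managed. The setting names `SMTP_HOST`, `SMTP_USER` and `SMTP_PORT`, both function names, and the `$stored` array standing in for database options are assumptions.

```php
<?php
// Added example, not Simple SMTP's code. Setting names and $stored are assumptions.

/** Return a setting's source ('constant', 'env' or 'database') and its value. */
function resolve_setting(string $name, array $stored): array
{
    if (defined($name)) {
        return ['source' => 'constant', 'value' => (string) constant($name)];
    }
    $env = getenv($name);
    if ($env !== false && $env !== '') {
        return ['source' => 'env', 'value' => $env];
    }
    return ['source' => 'database', 'value' => (string) ($stored[$name] ?? '')];
}

/** Render the field. Externally supplied values never reach the HTML. */
function render_field(string $name, array $stored): string
{
    $setting = resolve_setting($name, $stored);
    $id = htmlspecialchars(strtolower($name), ENT_QUOTES);

    if ($setting['source'] !== 'database') {
        // Show only that the value is managed outside WordPress, not the value itself.
        $where = $setting['source'] === 'constant' ? 'wp-config.php' : 'an environment variable';
        return sprintf('<input type="text" id="%s" disabled placeholder="Set in %s" />', $id, $where);
    }
    // Database-backed values stay editable and are escaped for the attribute context.
    $value = htmlspecialchars($setting['value'], ENT_QUOTES);
    return sprintf('<input type="text" id="%s" name="%s" value="%s" />', $id, $id, $value);
}

// Constructed sample: host from a constant, user from the environment, port from the database.
define('SMTP_HOST', 'smtp.example.test');
putenv('SMTP_USER=mailer@example.test');
$stored = ['SMTP_PORT' => '587'];

foreach (['SMTP_HOST', 'SMTP_USER', 'SMTP_PORT'] as $name) {
    $html = render_field($name, $stored);
    // The two externally managed values must not appear anywhere in the markup.
    assert(strpos($html, 'example.test') === false);
    echo $html, PHP_EOL;
}
```

A disabled input with a `value` attribute still ships the value in the page source, which is why the externally managed branch emits no `value` at all.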