• But the password field is not hashed, let alone hidden. Anyone with Admin control can view the email password. That alone makes this plug-in unusable.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Ewout

    (@pomegranate)

    Hiding the password field is easy, just change type=text to type=password, but I too would like to see the password saved more securely. I have no idea if most SMTP servers accept a hashed password, perhaps it could be an option?

    This is a very commonly quoted issue, and it’s 100% nonsensical.

    Let’s think this through. In order to send an email WordPress needs to know the password. Therefore, we need to store the password so that WordPress can use it later in plain text. So, it’s not possible to encrypt it, secure it, or otherwise hold it “safely” short of some incredibly complex solution which won’t work on shared hosting, would require extensive server configuration, etc.

    Thus, as the plugin developer, I have 2 choices. Choice one, I could add the type=”password” and then the ignorant user thinks, oh awesome, my password is “safe”. But anyone who looks at the source code of the page, or at the /options.php page easily finds the password. Or, I could simply leave the password in plain text as it must be stored anyway.

    I’m about to release a new version which makes it clear on the admin page to avoid this issue. Seems like many people don’t bother looking up or thinking through the issue and just complain.

    @callum Macdonald

    I am totally with you on this one. Besides, even if this was a defect, it’s not a big enough one to rate 2 stars.

  • The topic ‘Works As It Should’ is closed to new replies.
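
The question raised in the thread, whether an SMTP server would accept a hashed password, can be checked against the two common SMTP AUTH mechanisms. The following is an added example, not part of the original thread and not the plugin's code; `ToyServer`, the account name, the password and the challenge are constructed for illustration.

```python
import base64, hashlib, hmac

def auth_plain(user: str, secret: str) -> str:
    """SASL PLAIN (RFC 4616) response: base64(NUL user NUL secret)."""
    return base64.b64encode(f"\0{user}\0{secret}".encode()).decode()

def cram_md5(user: str, secret: str, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195): base64(user SP hex(HMAC-MD5(secret, challenge)))."""
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

class ToyServer:
    """Constructed stand-in for a mail server's account check (assumption)."""
    def __init__(self, user: str, password: str):
        self.user, self._password = user, password
        self.salt = b"constructed-salt"
        # The server keeps its own salted hash of the real password.
        self.stored = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def check_plain(self, response_b64: str) -> bool:
        # The server hashes whatever it receives, so it must receive the password.
        _, user, secret = base64.b64decode(response_b64).decode().split("\0")
        derived = hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 10_000)
        return user == self.user and hmac.compare_digest(derived, self.stored)

    def check_cram_md5(self, response_b64: str, challenge: bytes) -> bool:
        # Challenge-response: the HMAC key is the shared secret itself.
        expected = cram_md5(self.user, self._password, challenge)
        return hmac.compare_digest(response_b64, expected)

def run_demo() -> dict:
    user, password = "mailer@example.test", "correct horse"  # constructed values
    server = ToyServer(user, password)
    challenge = b"<1896.697170952@example.test>"              # constructed challenge
    # What a client would hold if the site stored only a one-way hash.
    hashed_only = hashlib.sha256(password.encode()).hexdigest()
    return {
        "plain_with_password": server.check_plain(auth_plain(user, password)),
        "plain_with_hash": server.check_plain(auth_plain(user, hashed_only)),
        "cram_with_password": server.check_cram_md5(cram_md5(user, password, challenge), challenge),
        "cram_with_hash": server.check_cram_md5(cram_md5(user, hashed_only, challenge), challenge),
    }

if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

In both mechanisms the client needs the recoverable secret: a client holding only a one-way hash is rejected, which is why the stored value has to be reversible.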