I am currently converting a client booking system I created into a WordPress plugin. It uses the PHPMailer library to send emails. I am using SMTP security to send the emails and thus need the email account and password. I am currently encrypting the passwords in a database and decrypting them when I need them. Everything works fine and I have no problem doing that.

If I were to make this into a plugin that would end up in the repository is this an okay practice? Is there a more secure method? It seems WordPress would like to use their options system for most things.

Also, it seems that I would just have to hope that who is ever using this plugin that their web server has an email service running. Maybe I should allow an option for non SMTP email sending. Although this makes it way more likely it will end up in a spam folder.

The guidelines are not very clear about things like this. I have been programming for years but this is my first WordPress plugin.

Any suggestions or guidance would be much appreciated! Thank you!