Safe to store SMTP password in wp-config.php?

I am using SMTP to send email through WordPress; however, this requires using a plain text password. What if this password is stored in wp-config.php? Very similar to this. Why this topic differs from the linked one: the nature of the password. This password can be used for spam mass mailing, and may require additional protection steps and considerations.

asked Jun 21, 2019 at 15:47 by Riccardo; edited Jun 21, 2019 at 16:57 by Nicolai Grossherr

2 Answers

I am not sure where else you would store the SMTP credentials? I am not comfortable storing those credentials in the database because of the trouble you mentioned you could get into if they got out. Or putting them in a theme file. Like they mentioned in the other thread, if Apache gets screwed up and that file gets processed as plain text, your credentials get exposed. If your DB is set up to only accept localhost connections or a specific IP, that could save you. But if your SMTP credentials get out, you might not have those luxuries.

If your setup looks like: (And your public website lives inside of public_html)

/home/user/public_html/
  \__ wp-config.php

I would store a file in: (Which is not public facing at all)

/home/user/smtp-connect.php

And then include() or require_once() that smtp-connect.php file when you need it. Have your credentials stored in there and your connection script in there as well.

The article you referenced has some good points about locking up your wp-config file. Here is another article that I think could shed some more light on the security of wp-config.php and some workarounds to help secure it if you decide to set up some PHP constants for your SMTP credentials: https://www.wpwhitesecurity/protect-wordpress-wp-config-php-security/

If you want to make it a bit safer, save the password into the database, making additional steps necessary to access the SMTP data. You should store sensitive data encrypted, of course.

Besides that, someone malignant having access to your wp-config.php is pretty much the worst case scenario anyway. So it is of utmost importance to keep your security up-to-date. So apply all updates for security fixes: WordPress, PHP, simply any software on your server that could be used as an attack vector. Furthermore, harden your WordPress and server setup, e.g. file access, access to the database and so on.

Generally speaking, to answer your question, if your server is secure, then it's safe to store the SMTP data in the wp-config.php.
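
The layout from the first answer, as an added example that is not part of the original answers: a must-use plugin loads /home/user/smtp-connect.php from outside public_html, refuses it when its permissions let other accounts read it, and applies the values through WordPress's `phpmailer_init` hook. The plugin file name, the array keys and the sample values are assumptions, and the permission check assumes PHP runs as the file's owner.

```php
<?php
/**
 * Added example: hypothetical mu-plugin, e.g. wp-content/mu-plugins/smtp-loader.php.
 * Expects /home/user/smtp-connect.php (outside public_html) to contain only:
 *   <?php
 *   return ['host' => 'smtp.example.com', 'port' => 587,
 *           'user' => 'mailer@example.com', 'pass' => 'REPLACE_ME']; // constructed values
 */

const SMTP_CREDENTIALS_FILE = '/home/user/smtp-connect.php'; // path used in the answer

function smtp_load_credentials(string $path): ?array
{
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    // Fail closed if group or other users have any access (anything beyond 0600/0400).
    $mode = fileperms($path) & 0777;
    if ($mode & 0077) {
        error_log(sprintf('SMTP credentials file has unsafe mode %04o; not loading it', $mode));
        return null;
    }
    $cfg = require $path; // the file returns an array, so nothing leaks into global scope
    foreach (['host', 'port', 'user', 'pass'] as $key) {
        if (!is_array($cfg) || empty($cfg[$key])) {
            return null;
        }
    }
    return $cfg;
}

// WordPress fires phpmailer_init with its PHPMailer instance before each send.
add_action('phpmailer_init', function ($phpmailer) {
    $cfg = smtp_load_credentials(SMTP_CREDENTIALS_FILE);
    if ($cfg === null) {
        return; // leave the default mail transport untouched
    }
    $phpmailer->isSMTP();
    $phpmailer->Host       = $cfg['host'];
    $phpmailer->Port       = (int) $cfg['port'];
    $phpmailer->SMTPAuth   = true;
    $phpmailer->SMTPSecure = 'tls'; // STARTTLS, so the password is not sent in the clear
    $phpmailer->Username   = $cfg['user'];
    $phpmailer->Password   = $cfg['pass'];
});
```

Because the credentials file sits outside the document root, a web server misconfiguration that serves PHP as plain text cannot expose it over HTTP; code running inside WordPress can still read it, so it does not protect against a compromised plugin or theme.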

Published by: admin. When reposting, please cite the source: http://www.yc00.com/questions/1745380600a4625205.html
