Safe to store SMTP password in wp-config.php?


I am using SMTP to send email through WordPress, however this requires using plain text password. What if this password is stored in wp-config.php?
Very similar to this.
Why this topic differs from the linked one: the nature of the password. This password can be used for spam mass mailing, and may require additional protection steps and considerations.










      password wp-config smtp






      edited 7 hours ago









      Nicolai

      asked 8 hours ago









      Riccardo

          2 Answers
            I am not sure where else you would store the SMTP credentials? I am not comfortable storing those credentials in the database because of the trouble you mentioned you could get into if they got out. Or putting them in a theme file. Like they mentioned in the other thread, if Apache gets screwed up and that file gets processed as plain text, your credentials get exposed. If your DB is set up to only accept localhost connections or a specific IP, that could save you. But if your SMTP credentials get out, you might not have those luxuries.



            If your setup looks like: (And your public website lives inside of public_html)



            /home/user/public_html/
            __ wp-config.php


            I would store a file in: (Which is not public facing at all)



            /home/user/smtp-connect.php


            And then include() or require_once() that smtp-connect.php file when you need it. Have your credentials stored in there and your connection script in there as well.



            The article you referenced has some good points about locking up your wp-config file. Here is another article that I think could shed some more light on the security of wp-config.php and some workarounds to help secure it if you decide to set up some PHP constants for your SMTP credentials:
            https://www.wpwhitesecurity.com/protect-wordpress-wp-config-php-security/







            edited 7 hours ago

























            answered 7 hours ago









            ChristopherJones

            • Chapeau. We have also been doing this for years (storing the wp-config.php file in a place which actually has nothing to do with the website at all) and it works like a charm. We use an 'empty' wp-config.php which has just the include line. Easy, safe and reliable. Have to admit that you must have the access to such but that is logical when you want to do it like this. Note, "if Apache gets screwed" then you have many more issues than just a possible exposing of such. Then even your DB is not safe anymore because the credentials from wp-config.php in the regular spot will be exposed.

              – Charles
              5 hours ago











            • This works great, and is a good step to harden and secure the setup, so +1. I disagree with the aversion to the database though, because if you deal with several or even a multitude of SMTP credentials, it just works better in those cases.

              – Nicolai
              5 hours ago













            • What if a malicious plugin accesses wp-config.php?

              – Riccardo
              5 hours ago













            • I am not the best person to talk on malicious plugins. We've used two plugins for most of what we do and we spend time quarterly vetting the updates that get pushed out to the plugins. With any plugin, one should spend some time looking at the code base before getting in bed with it. But any plugin would have access to wp-config.php and could most likely write to the file as well.

              – ChristopherJones
              4 hours ago
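
An added example (not part of the original answer or comments) of the layout ChristopherJones and Charles describe: the credentials stay in /home/user/smtp-connect.php, outside public_html, and are read only when WordPress is about to send mail. The must-use plugin location, the `example_` function names and the array keys are assumptions made for illustration.

```php
<?php
/**
 * Added example, not code from the thread. Hypothetical must-use plugin,
 * e.g. public_html/wp-content/mu-plugins/smtp-private.php.
 *
 * Assumed content of /home/user/smtp-connect.php (placeholder values):
 *
 *   <?php
 *   return array(
 *       'host'     => 'smtp.example.com',
 *       'port'     => 587,
 *       'username' => 'mailer@example.com',
 *       'password' => 'REPLACE_ME',
 *   );
 */

defined( 'ABSPATH' ) || exit;

/** Path of the secrets file: one directory above the WordPress root. */
function example_smtp_secret_path() {
	return dirname( ABSPATH ) . '/smtp-connect.php';
}

/** Load the credentials array, or return a WP_Error saying why not. */
function example_smtp_load_secrets( $path ) {
	$real = realpath( $path );
	if ( false === $real || ! is_file( $real ) ) {
		return new WP_Error( 'smtp_secret_missing', 'secrets file not found' );
	}

	// The layout is pointless if the file (or a symlink target) sits under
	// the web root, where a misconfigured server could serve it as text.
	$webroot = realpath( ABSPATH );
	if ( false !== $webroot && 0 === strpos( $real, $webroot . DIRECTORY_SEPARATOR ) ) {
		return new WP_Error( 'smtp_secret_public', 'secrets file is inside the web root' );
	}

	// Reject any permission bit granted to "other" users (POSIX hosts).
	if ( fileperms( $real ) & 0007 ) {
		return new WP_Error( 'smtp_secret_perms', 'secrets file is accessible to other users' );
	}

	// require, not require_once: a second call must return the array again.
	$secrets = require $real;
	foreach ( array( 'host', 'port', 'username', 'password' ) as $key ) {
		if ( ! is_array( $secrets ) || empty( $secrets[ $key ] ) ) {
			return new WP_Error( 'smtp_secret_invalid', "missing key: $key" );
		}
	}
	return $secrets;
}

// WordPress fires phpmailer_init with its PHPMailer instance before each send.
add_action(
	'phpmailer_init',
	function ( $phpmailer ) {
		$secrets = example_smtp_load_secrets( example_smtp_secret_path() );
		if ( is_wp_error( $secrets ) ) {
			// Log the reason (never the secret) and leave the default
			// transport untouched rather than send with partial settings.
			error_log( 'SMTP not configured: ' . $secrets->get_error_message() );
			return;
		}

		$phpmailer->isSMTP();
		$phpmailer->Host       = $secrets['host'];
		$phpmailer->Port       = (int) $secrets['port'];
		$phpmailer->SMTPAuth   = true;
		$phpmailer->SMTPSecure = 'tls'; // STARTTLS, matching the assumed port 587
		$phpmailer->Username   = $secrets['username'];
		$phpmailer->Password   = $secrets['password'];
	}
);
```

On hosts that restrict PHP with `open_basedir` to the web root, the `require` fails, which is the access requirement Charles mentions.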














                If you want to make it a bit safer, save the password into the database. Making additional steps necessary to access the SMTP data. You should store sensitive data encrypted, of course.



                Besides that, someone malignant having access to your wp-config.php is pretty much the worst-case scenario anyway. So it is of utmost importance to make sure to keep your security up-to-date. So apply all updates for security fixes, WordPress, PHP, simply any software on your server that could be used as an attack vector. Furthermore, harden your WordPress and server setup, e.g. file access, access to database and so on.



                Generally speaking, to answer your question, if your server is secure, then it's safe to store the SMTP data into the wp-config.php.







                answered 7 hours ago









                Nicolai
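
An added example (not part of the original answer) of storing the SMTP password encrypted in the database, as this answer suggests. It assumes PHP 7.2+ with the sodium extension; the option name, the `example_` function names and the `EXAMPLE_SMTP_KEY_B64` constant are hypothetical, and the constant is assumed to be defined in a file outside the web root so that the key and the ciphertext are never stored together.

```php
<?php
/**
 * Added example, not code from the thread.
 *
 * Assumption: EXAMPLE_SMTP_KEY_B64 is defined outside the database, in a
 * file kept out of the web root, and was generated once with
 *   base64_encode( sodium_crypto_secretbox_keygen() )
 */

/** Decode and validate the key; refuse to run without a proper one. */
function example_smtp_key() {
	if ( ! defined( 'EXAMPLE_SMTP_KEY_B64' ) ) {
		throw new RuntimeException( 'SMTP encryption key is not configured' );
	}
	$key = base64_decode( EXAMPLE_SMTP_KEY_B64, true );
	if ( false === $key || SODIUM_CRYPTO_SECRETBOX_KEYBYTES !== strlen( $key ) ) {
		throw new RuntimeException( 'SMTP encryption key is malformed' );
	}
	return $key;
}

/** Encrypt the password and store nonce + ciphertext in wp_options. */
function example_smtp_store_password( $plaintext ) {
	$key   = example_smtp_key();
	$nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES ); // fresh per write
	$box   = sodium_crypto_secretbox( $plaintext, $nonce, $key );
	sodium_memzero( $key );

	// autoload = false keeps the value out of the options loaded on every request.
	return update_option( 'example_smtp_password_enc', base64_encode( $nonce . $box ), false );
}

/** Return the decrypted password, or null if absent, truncated or tampered with. */
function example_smtp_read_password() {
	$raw = base64_decode( (string) get_option( 'example_smtp_password_enc', '' ), true );
	$min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
	if ( false === $raw || strlen( $raw ) < $min ) {
		return null;
	}

	$nonce = substr( $raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
	$box   = substr( $raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
	$key   = example_smtp_key();

	// secretbox is authenticated: a modified ciphertext or wrong key yields false.
	$plain = sodium_crypto_secretbox_open( $box, $nonce, $key );
	sodium_memzero( $key );

	return false === $plain ? null : $plain;
}
```

Encrypting the option protects a leaked database dump or backup; code running inside WordPress, including any plugin, can still call the read function, which is the limit raised in the comments on the other answer.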
