• Resolved Tano (@tanohex)


    Hello,

    Please note that the plugin (v2.1.1) stores the server credentials in plain text.

    s:4:"port";s:3:"465";s:4:"auth";s:3:"yes";s:8:"username";s:19:"[email protected]";s:8:"password";s:9:"Testing123";s:8:"auto_tls";

    This is a very dangerous practice that can lead to data breaches, as happened with another plugin that worked in the same way as yours.
    https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/ – one of the largest data breaches in history.

    So please consider urgently encrypting the mail server credentials before storing them.
    Even the APIs need to be encrypted, as any hacker with access to the DB/Config can hijack the SMTP system and start sending phishing emails…

    Thanks!

Viewing 1 replies (of 1 total)

The topic ‘Credentials Sec. Issue’ is closed to new replies.
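
The mitigation requested in the post above, as an added example that is not part of the thread and not the plugin's code: the password field is sealed with libsodium's authenticated encryption before the settings array is serialized for storage. The constant `MAILER_SECRET_KEY_B64`, the helpers `seal_secret()` / `open_secret()`, the `enc:v1:` prefix and the sample settings are all hypothetical, and the key is assumed to live outside the database.

```php
<?php
// Added example. Assumption: a 32-byte key, base64-encoded, is defined outside the
// database (e.g. in wp-config.php or an environment variable). The constant name is
// hypothetical and the value below is a constructed demo key; create a real one
// with sodium_crypto_secretbox_keygen().
define('MAILER_SECRET_KEY_B64', base64_encode(str_repeat("\x01", SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));

function mailer_key(): string {
    $key = base64_decode(MAILER_SECRET_KEY_B64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('Encryption key missing or wrong length');
    }
    return $key;
}

// Encrypt with XSalsa20-Poly1305; a fresh random nonce is stored with the ciphertext.
function seal_secret(string $plaintext): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return 'enc:v1:' . base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, mailer_key()));
}

// Decrypt; throws if the value was modified or the key is wrong.
function open_secret(string $stored): string {
    if (strncmp($stored, 'enc:v1:', 7) !== 0) {
        throw new RuntimeException('Value is not encrypted');
    }
    $raw = base64_decode(substr($stored, 7), true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, mailer_key());
    if ($plain === false) {
        throw new RuntimeException('Authentication failed: wrong key or modified data');
    }
    return $plain;
}

// Constructed settings mirroring the fields quoted in the post.
$settings = ['port' => '465', 'auth' => 'yes', 'username' => 'user@example.test', 'password' => 'Testing123'];
echo "before: ", serialize($settings), "\n";   // password readable in the stored row

$settings['password'] = seal_secret($settings['password']);
$stored = serialize($settings);                 // what would be written to the options table
echo "after:  ", $stored, "\n";

$loaded = unserialize($stored, ['allowed_classes' => false]);
echo "decrypted for SMTP login: ", open_secret($loaded['password']), "\n";
```

This protects the credential when only the database is exposed (a leaked backup, SQL injection, a read-only DB account); if the file or environment holding the key is also readable, the password can still be recovered.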