Safe to store SMTP password in wp-config.php?

I am using SMTP to send email through WordPress, however this requires using plain text password. What if this password is stored in wp-config.php?
Very similar to this.
Why this topic differs from the linked one: the nature of the password. This password can be used for spam mass mailing, and may require additional protection steps and considerations.

2 Answers
2

I am not sure where you else you would store the SMTP credentials? I am not comfortable storing those credentials in the Database because of the trouble you mentioned you could get into if they got out. Or putting them in a theme file. Like they mentioned in the other thread, if Apache gets screwed up and that files gets processed as plain text. Your credentials get exposed. If your DB is setup to only accept localhost connections or a specific IP, that could save you. But if your SMTP credentials get out, you might not have those luxuries.

If your setup looks like: (And your public website lives inside of public_html)

/home/user/public_html/
  \__ wp-config.php

I would store a file in: (Which is not public facing at all)

/home/user/smtp-connect.php

And then include() or require_once() that smtp-connect.php file when you need it. Have your credentials stored in there and your connection script in there as well.

The article you referenced has some good points about locking up your wp-config file. Here is another article that I think could shed some more light on the security of wp-config.php and some work arounds to help secure it if you decide to setup some PHP Constants for your SMTP Credentials:
https://www.wpwhitesecurity.com/protect-wordpress-wp-config-php-security/

Leave a Comment