=== Pinny's Simple SMTP === Contributors: realpinny Tags: smtp, email, gmail, mail, no-bloat Requires at least: 5.0 Tested up to: 6.9 Requires PHP: 7.0 Stable tag: 1.2.0 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html The ultra lightweight SMTP plugin (~4KB). Stores passwords encrypted, has all basic features, and is dead easy to use. == Description == **Pinny's Simple SMTP is a ultra lightweight SMTP plugin weighing in at just 4KB.** It’s simple to use, highly secure, and includes all the basic features you need to send emails reliably. ### 🚀 Super Easy 30-Second Configuration Tired of bloated setup wizards, "Connect Account" popups, and endless menus? **Pinny's Simple SMTP is designed to be invisible.** We removed the fluff so you can get back to work. 1. Enter your Host & Port. 2. Enter your Login. 3. Click Save. **That’s it. You are done.** There is no complex UI to learn. No dashboards to manage. It is a true **"Set and Forget"** solution that just works. Unlike most SMTP plugins **(which are typically 2MB+ in size), Pinny's Simple SMTP is ultra-lightweight,** easy to set up, and never compromises on security. We ensure your sensitive credentials are always protected with **automatic encryption**—no more storing passwords in plain text. **This plugin is different.** It’s **smaller than a favicon,** works with **any mail provider,** and takes just seconds to set up. **Features:** * **Ultra Lightweight (4KB):** This is the a ultra lightweight SMTP plugin. It has zero impact on your site speed. * **Encrypted Security:** We take security seriously. Your SMTP password is **encrypted** in the database using native WordPress salts. We never store credentials in plain text. * **Dead Easy Setup:** No confusing wizards or tutorials needed. Just enter your Host, Port, and Login, then click Save. * **All Basic Features:** Supports TLS/SSL, custom ports, "From" email/name overrides, and includes a 1-Click Test Email tool. * **Zero Bloat:** No ads, no dashboard widgets, no usage tracking, and no upsells. * **wp-config Configuration Mode:** For added security, define SMTP settings in `wp-config.php` and lock the admin UI. --- ### ⚙️ Advanced: Configure SMTP via wp-config.php Pinny's Simple SMTP supports **configuration directly from `wp-config.php`**, allowing administrators and developers to **lock SMTP settings and prevent changes from the WordPress dashboard**. When enabled, the plugin automatically switches the admin interface to **read-only mode**. To enable this mode, add the following constants to your `wp-config.php` file: ```php define('PINNYS_SMTP_FORCE', true); define('PINNYS_SMTP_ENABLED', true); define('PINNYS_SMTP_HOST', 'smtp.gmail.com'); define('PINNYS_SMTP_PORT', 587); define('PINNYS_SMTP_ENCRYPTION', 'tls'); define('PINNYS_SMTP_AUTH', true); define('PINNYS_SMTP_USERNAME', 'your@email.com'); define('PINNYS_SMTP_PASSWORD', 'your_app_password'); define('PINNYS_SMTP_FROM_EMAIL', 'your@email.com'); define('PINNYS_SMTP_FROM_NAME', 'Your Website'); ``` Once `PINNYS_SMTP_FORCE` is enabled: * SMTP settings are **loaded from `wp-config.php`** * The WordPress settings page becomes **read-only** * Dashboard changes cannot override your configuration Note: If `PINNYS_SMTP_FORCE` is not defined, the plugin behaves normally and settings can be configured from the WordPress dashboard. ### 🛡️ The "Zero-Retention" Security Promise **Pinny's Simple SMTP** is built on a strict security philosophy: **WordPress is a CMS, not an Email Archive.** Most SMTP plugins log every email sent from your site into your WordPress database. While this seems convenient, it introduces massive security risks, database bloat, and privacy violations. We feature a **Zero-Retention Architecture**. We connect, deliver, and vanish. Here is why this is safer for you: #### 1. The Security Risk (Why we don't log) Storing email logs in your database creates a high-value target for hackers. * **The "Big Hack" Reality:** In 2024 and 2025, major SMTP plugins (such as Post SMTP) suffered critical vulnerabilities (**[CVE-2023-6875](https://www.wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af)** and **[CVE-2025-11833](https://zeropath.com/blog/cve-2025-11833-post-smtp-unauthorized-email-log-access)**). Hackers were able to bypass authentication, **trigger password reset emails**, read the plugin's email logs to capture the reset link, and take over the entire website. * **Our Fix:** You cannot steal what isn't there. By **not** logging emails, Pinny's Simple SMTP renders this entire class of "Account Takeover" attacks impossible. #### 2. The Database & Privacy Problem * **Bloat:** Transactional logs grow indefinitely. A busy store sends thousands of emails a month. Storing these in `wp_options` or custom tables slows down your site and bloats your backups. * **GDPR & Privacy:** Your database should not permanently store customer PII (Personally Identifiable Information) like password reset links, purchase receipts, or private contact form messages. If your site is compromised, those logs are a leak waiting to happen. #### 3. The Right Way to Log If you need to track email delivery, do it where it belongs: **At your Email Provider.** * **Gmail / Google Workspace:** Has a "Sent" folder and comprehensive audit logs. * **SendGrid / Mailgun / SES:** These services are built to archive millions of emails securely, with proper rotation policies and access controls. * **Microsoft / Outlook:** Native "Sent Items" retention. **Pinny's Simple SMTP** keeps your WordPress database clean, fast, and secure by letting your email provider do its job. ### 🚫 The “Anti-Bloat” Architecture: Why We Rejected OAuth **Pinny’s Simple SMTP** is built on a strict performance philosophy: **Do not load code you do not use.** The industry standard is to force users into OAuth (Log in with Google/Microsoft). While this looks fancy, for a WordPress plugin, it is technically inferior to standard SMTP. Here is why we deliberately stripped OAuth out of Pinny’s: **1. The “Universal Adapter” Trap (Bloat)** Most users connect to **one** provider (e.g., just Gmail). However, to support OAuth, other plugins must bundle massive SDK libraries for 10–15 different services (Google, Microsoft, Amazon, Yahoo, Zoho, etc.). * **The Result:** You install megabytes of vendor code just to send a simple email. * **Our Fix:** Pinny’s uses standard SMTP. We don’t force you to host 14 unused API libraries on your server just to use the 15th. This keeps our codebase at **~4KB**. **2. The Complexity Risk (Security)** In security, **Complexity is the Enemy.** OAuth flows require redirects, token storage, refresh tokens, and constant API updates. Every external library added to a plugin increases the “Attack Surface”—more code means more places for bugs to hide. * **The Reality:** If a plugin’s bundled “Google API Client” has a vulnerability, your site is at risk—even if you are using Outlook. * **Our Fix:** We use native WordPress functions. **No external dependencies.** No third-party SDKs. No supply-chain vulnerabilities. **3. App Passwords: The Superior Choice** We use **App Passwords** (Standard SMTP Authentication). This is the secure, recommended method for server-side mailing (Gmail/Workspace & Microsoft 365). * **Strictly Scoped:** An App Password usually only has permission to *send mail*. Unlike an OAuth token (which can sometimes be scoped too broadly), an App Password cannot be used to change your account settings or read your Drive files. * **Instantly Revocable:** If you suspect a breach, you can revoke that specific App Password instantly from your Google/Microsoft dashboard without changing your main login credentials. * **Zero Downtime:** OAuth tokens expire or disconnect if the API changes. App Passwords work until you say stop. **Pinny’s Simple SMTP** chooses stability over shiny buttons. Enter your Host, Port, and App Password → Save. **Done.** --- == Installation == 1. **Upload the Plugin** - Download the plugin ZIP file. - In your WordPress admin dashboard, navigate to **Plugins > Add New**, and click **Upload Plugin**. - Choose the ZIP file you downloaded and click **Install Now**. 2. **Activate the Plugin** - Once installed, click **Activate** to enable Pinny’s Simple SMTP. 3. **Configure SMTP Settings** - Go to **Settings > Pinny’s SMTP** in the admin menu. - Enter your SMTP host, port, and other settings. - Save your changes. 4. **Send a Test Email** - Enter a test email address and click **Send Test Email** to verify your SMTP configuration. == Frequently Asked Questions == = How do I set up Pinny's Simple SMTP? = Setting it up is easy! Just enter your SMTP Host, Port, and Login credentials in the plugin settings, then click Save. That's it! = Does this work with Gmail or Outlook? = Yes! However, because we don't use bloated OAuth libraries, you must use an **App Password** generated by Google or Microsoft in place of your standard login password. = How is my password stored? = Your SMTP password is automatically encrypted in the database using WordPress salts. We never store credentials in plain text, ensuring your data is secure. = What makes this plugin different from other SMTP plugins? = Pinny's Simple SMTP is 4KB, the ultra lightweight SMTP plugin on WordPress. It’s quick to set up, secure with encrypted passwords, and has zero bloat—no ads, upsells, or unnecessary features. == Screenshots == 1. Simple SMTP settings interface. 2. Forced configuration mode via wp-config.php (read-only admin UI). == Changelog == == Changelog == = 1.2.0 = * NEW: Optional wp-config configuration mode (`PINNYS_SMTP_FORCE`) allows SMTP settings to be defined in wp-config.php. * NEW: Admin UI automatically switches to read-only mode when settings are controlled via wp-config.php. * IMPROVEMENT: SMTP configuration handling refactored for improved reliability and consistency. * HARDENING: Additional edge-case handling and internal stability improvements. * CODE: Internal architecture improvements while keeping the plugin extremely lightweight. = 1.1.0 = * IMPROVEMENT: Major refactor to use the native WordPress Settings API. * FIX: Resolved caching issue where "Settings Saved" notices were not appearing. * OPTIMIZATION: Massive code reduction. Now only ~3KB. = 1.0.0 = * Initial release == Upgrade Notice == = 1.2.0 = New: Optional wp-config configuration mode. Define SMTP settings in wp-config.php to lock the admin UI and prevent dashboard changes. Includes additional edge-case hardening and reliability improvements. = 1.1.0 = Major Update: Switched to native WP Settings API for stability and fixed caching issues. Plugin size reduced to ~3KB (yup, you read that right).