=== Pinny's Simple SMTP ===
Contributors: realpinny
Tags: smtp, email, gmail, mail, no-bloat
Requires at least: 5.0
Tested up to: 6.9
Requires PHP: 7.0
Stable tag: 1.2.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

The ultra lightweight SMTP plugin (~4KB). Stores passwords encrypted, has all basic features, and is dead easy to use.

== Description ==

**Pinny's Simple SMTP is an ultra lightweight SMTP plugin weighing in at just 4KB.** It’s simple to use, highly secure, and includes all the basic features you need to send emails reliably.


### 🚀 Super Easy 30-Second Configuration
Tired of bloated setup wizards, "Connect Account" popups, and endless menus?

**Pinny's Simple SMTP is designed to be invisible.** We removed the fluff so you can get back to work.
1. Enter your Host & Port.
2. Enter your Login.
3. Click Save.

**That’s it. You are done.**
There is no complex UI to learn. No dashboards to manage. It is a true **"Set and Forget"** solution that just works.

Unlike most SMTP plugins **(which are typically 2MB+ in size), Pinny's Simple SMTP is ultra-lightweight,** easy to set up, and never compromises on security. We ensure your sensitive credentials are always protected with **automatic encryption**—no more storing passwords in plain text.

**This plugin is different.** It’s **smaller than a favicon,** works with **any mail provider,** and takes just seconds to set up.

**Features:**

* **Ultra Lightweight (4KB):** This is an ultra lightweight SMTP plugin. It has zero impact on your site speed.
* **Encrypted Security:** We take security seriously. Your SMTP password is **encrypted** in the database using native WordPress salts. We never store credentials in plain text.
* **Dead Easy Setup:** No confusing wizards or tutorials needed. Just enter your Host, Port, and Login, then click Save.
* **All Basic Features:** Supports TLS/SSL, custom ports, "From" email/name overrides, and includes a 1-Click Test Email tool.
* **Zero Bloat:** No ads, no dashboard widgets, no usage tracking, and no upsells.
* **wp-config Configuration Mode:** For added security, define SMTP settings in `wp-config.php` and lock the admin UI.

---

### ⚙️ Advanced: Configure SMTP via wp-config.php

Pinny's Simple SMTP supports **configuration directly from `wp-config.php`**, allowing administrators and developers to **lock SMTP settings and prevent changes from the WordPress dashboard**.

When enabled, the plugin automatically switches the admin interface to **read-only mode**.

To enable this mode, add the following constants to your `wp-config.php` file:

```php
define('PINNYS_SMTP_FORCE', true);

define('PINNYS_SMTP_ENABLED', true);
define('PINNYS_SMTP_HOST', 'smtp.gmail.com');
define('PINNYS_SMTP_PORT', 587);
define('PINNYS_SMTP_ENCRYPTION', 'tls');

define('PINNYS_SMTP_AUTH', true);
define('PINNYS_SMTP_USERNAME', 'your@email.com');
define('PINNYS_SMTP_PASSWORD', 'your_app_password');

define('PINNYS_SMTP_FROM_EMAIL', 'your@email.com');
define('PINNYS_SMTP_FROM_NAME', 'Your Website');
```

Once `PINNYS_SMTP_FORCE` is enabled:

* SMTP settings are **loaded from `wp-config.php`**
* The WordPress settings page becomes **read-only**
* Dashboard changes cannot override your configuration

Note: If `PINNYS_SMTP_FORCE` is not defined, the plugin behaves normally and settings can be configured from the WordPress dashboard.

### 🛡️ The "Zero-Retention" Security Promise

**Pinny's Simple SMTP** is built on a strict security philosophy: **WordPress is a CMS, not an Email Archive.**

Most SMTP plugins log every email sent from your site into your WordPress database. While this seems convenient, it introduces massive security risks, database bloat, and privacy violations.

We feature a **Zero-Retention Architecture**. We connect, deliver, and vanish. Here is why this is safer for you:

#### 1. The Security Risk (Why we don't log)
Storing email logs in your database creates a high-value target for hackers.

* **The "Big Hack" Reality:** In 2024 and 2025, major SMTP plugins (such as Post SMTP) suffered critical vulnerabilities (**[CVE-2023-6875](https://www.wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af)** and **[CVE-2025-11833](https://zeropath.com/blog/cve-2025-11833-post-smtp-unauthorized-email-log-access)**). Hackers were able to bypass authentication, **trigger password reset emails**, read the plugin's email logs to capture the reset link, and take over the entire website.
* **Our Fix:** You cannot steal what isn't there. By **not** logging emails, Pinny's Simple SMTP renders this entire class of "Account Takeover" attacks impossible.

#### 2. The Database & Privacy Problem
* **Bloat:** Transactional logs grow indefinitely. A busy store sends thousands of emails a month. Storing these in `wp_options` or custom tables slows down your site and bloats your backups.
* **GDPR & Privacy:** Your database should not permanently store customer PII (Personally Identifiable Information) like password reset links, purchase receipts, or private contact form messages. If your site is compromised, those logs are a leak waiting to happen.

#### 3. The Right Way to Log
If you need to track email delivery, do it where it belongs: **At your Email Provider.**

* **Gmail / Google Workspace:** Has a "Sent" folder and comprehensive audit logs.
* **SendGrid / Mailgun / SES:** These services are built to archive millions of emails securely, with proper rotation policies and access controls.
* **Microsoft / Outlook:** Native "Sent Items" retention.

**Pinny's Simple SMTP** keeps your WordPress database clean, fast, and secure by letting your email provider do its job.

### 🚫 The “Anti-Bloat” Architecture: Why We Rejected OAuth

**Pinny’s Simple SMTP** is built on a strict performance philosophy: **Do not load code you do not use.**

The industry standard is to force users into OAuth (Log in with Google/Microsoft). While this looks fancy, for a WordPress plugin, it is technically inferior to standard SMTP. Here is why we deliberately stripped OAuth out of Pinny’s:

**1. The “Universal Adapter” Trap (Bloat)**
Most users connect to **one** provider (e.g., just Gmail). However, to support OAuth, other plugins must bundle massive SDK libraries for 10–15 different services (Google, Microsoft, Amazon, Yahoo, Zoho, etc.).

* **The Result:** You install megabytes of vendor code just to send a simple email.
* **Our Fix:** Pinny’s uses standard SMTP. We don’t force you to host 14 unused API libraries on your server just to use the 15th. This keeps our codebase at **~4KB**.

**2. The Complexity Risk (Security)**
In security, **Complexity is the Enemy.** OAuth flows require redirects, token storage, refresh tokens, and constant API updates. Every external library added to a plugin increases the “Attack Surface”—more code means more places for bugs to hide.

* **The Reality:** If a plugin’s bundled “Google API Client” has a vulnerability, your site is at risk—even if you are using Outlook.
* **Our Fix:** We use native WordPress functions. **No external dependencies.** No third-party SDKs. No supply-chain vulnerabilities.

**3. App Passwords: The Superior Choice**
We use **App Passwords** (Standard SMTP Authentication). This is the secure, recommended method for server-side mailing (Gmail/Workspace & Microsoft 365).

* **Strictly Scoped:** An App Password usually only has permission to *send mail*. Unlike an OAuth token (which can sometimes be scoped too broadly), an App Password cannot be used to change your account settings or read your Drive files.
* **Instantly Revocable:** If you suspect a breach, you can revoke that specific App Password instantly from your Google/Microsoft dashboard without changing your main login credentials.
* **Zero Downtime:** OAuth tokens expire or disconnect if the API changes. App Passwords work until you say stop.

**Pinny’s Simple SMTP** chooses stability over shiny buttons. Enter your Host, Port, and App Password → Save. **Done.**

---



== Installation ==

1. **Upload the Plugin**
- Download the plugin ZIP file.
- In your WordPress admin dashboard, navigate to **Plugins > Add New**, and click **Upload Plugin**.
- Choose the ZIP file you downloaded and click **Install Now**.

2. **Activate the Plugin**
- Once installed, click **Activate** to enable Pinny’s Simple SMTP.

3. **Configure SMTP Settings**
- Go to **Settings > Pinny’s SMTP** in the admin menu.
- Enter your SMTP host, port, and other settings.
- Save your changes.

4. **Send a Test Email**
- Enter a test email address and click **Send Test Email** to verify your SMTP configuration.

== Frequently Asked Questions ==

= How do I set up Pinny's Simple SMTP? =
Setting it up is easy! Just enter your SMTP Host, Port, and Login credentials in the plugin settings, then click Save. That's it!


= Does this work with Gmail or Outlook? =
Yes! However, because we don't use bloated OAuth libraries, you must use an **App Password** generated by Google or Microsoft in place of your standard login password.

= How is my password stored? =
Your SMTP password is automatically encrypted in the database using WordPress salts. We never store credentials in plain text, ensuring your data is secure.
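
One way a password can be encrypted at rest with a key derived from WordPress salts, as an added illustration rather than the plugin's own code. It assumes AES-256-GCM via OpenSSL on PHP 7.1.2+; the `demo_*` function names and the `v1:` storage prefix are hypothetical.

```php
<?php
// Added illustration, NOT the plugin's source. Assumes PHP 7.1.2+ with OpenSSL.
if (!function_exists('wp_salt')) {
    // Constructed stand-in so the sketch also runs outside WordPress.
    function wp_salt($scheme = 'auth') {
        return 'constructed-demo-salt-' . $scheme;
    }
}

// Hypothetical helper: derive a 32-byte AES key from the site's salts.
function demo_smtp_key() {
    return hash_hkdf('sha256', wp_salt('auth') . wp_salt('secure_auth'), 32, 'demo-smtp-password');
}

// Encrypt with AES-256-GCM; fresh random IV per save, tag stored with the ciphertext.
function demo_encrypt_password($plain) {
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', demo_smtp_key(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return 'v1:' . base64_encode($iv . $tag . $ct);
}

// Returns the plaintext, or false if the value is malformed, tampered with,
// or was encrypted under different salts.
function demo_decrypt_password($stored) {
    $raw = strpos($stored, 'v1:') === 0 ? base64_decode(substr($stored, 3), true) : false;
    if ($raw === false || strlen($raw) < 28) {
        return false;
    }
    return openssl_decrypt(substr($raw, 28), 'aes-256-gcm', demo_smtp_key(),
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
}

// Constructed sample value, not a real credential.
$stored = demo_encrypt_password('constructed-app-password');
var_dump(demo_decrypt_password($stored) === 'constructed-app-password');

// Flip one ciphertext byte: GCM authentication makes decryption fail.
$raw = base64_decode(substr($stored, 3));
$raw[30] = chr(ord($raw[30]) ^ 1);
var_dump(demo_decrypt_password('v1:' . base64_encode($raw)) === false);
```

In this sketch the key material lives in `wp-config.php`, so the stored value is protected in a leaked database dump or backup, not against someone who can read files on the server. Regenerating the salts makes previously stored values undecryptable, so the password has to be entered again afterwards.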

= What makes this plugin different from other SMTP plugins? =
Pinny's Simple SMTP is an ultra lightweight SMTP plugin for WordPress at just 4KB. It’s quick to set up, secure with encrypted passwords, and has zero bloat—no ads, upsells, or unnecessary features.

== Screenshots ==

1. Simple SMTP settings interface.
2. Forced configuration mode via wp-config.php (read-only admin UI).

== Changelog ==

= 1.2.0 =
* NEW: Optional wp-config configuration mode (`PINNYS_SMTP_FORCE`) allows SMTP settings to be defined in wp-config.php.
* NEW: Admin UI automatically switches to read-only mode when settings are controlled via wp-config.php.
* IMPROVEMENT: SMTP configuration handling refactored for improved reliability and consistency.
* HARDENING: Additional edge-case handling and internal stability improvements.
* CODE: Internal architecture improvements while keeping the plugin extremely lightweight.

= 1.1.0 =
* IMPROVEMENT: Major refactor to use the native WordPress Settings API.
* FIX: Resolved caching issue where "Settings Saved" notices were not appearing.
* OPTIMIZATION: Massive code reduction. Now only ~3KB.

= 1.0.0 =
* Initial release

== Upgrade Notice ==

= 1.2.0 =
New: Optional wp-config configuration mode. Define SMTP settings in wp-config.php to lock the admin UI and prevent dashboard changes. Includes additional edge-case hardening and reliability improvements.

= 1.1.0 =
Major Update: Switched to native WP Settings API for stability and fixed caching issues. Plugin size reduced to ~3KB (yup, you read that right).
