
Changeset 3429402


Timestamp:
12/30/2025 04:26:14 AM (13 days ago)
Author:
realpinny
Message:

readme.txt update

File:
1 edited

  • pinnys-simple-smtp/tags/1.0.0/readme.txt

    r3428941 r3429402  
    6565**Pinny's Simple SMTP** keeps your WordPress database clean, fast, and secure by letting your email provider do its job.
    6666
     67🚫The “Anti-Bloat” Architecture: Why We Rejected OAuth
     68Pinny’s Simple SMTP is built on a strict performance philosophy: Do not load code you do not use.
     69
     70The industry standard is to force users into OAuth (Log in with Google/Microsoft). While this looks fancy, for a WordPress plugin, it is technically inferior to standard SMTP. Here is why we deliberately stripped OAuth out of Pinny’s:
     71
     721. The "Universal Adapter" Trap (Bloat)
     73Most users connect to one provider (e.g., just Gmail). However, to support OAuth, other plugins must bundle massive SDK libraries for 10–15 different services (Google, Microsoft, Amazon, Yahoo, Zoho, etc.).
     74
     75The Result: You install megabytes of vendor code just to send a simple email.
     76
     77Our Fix: Pinny’s uses standard SMTP. We don't force you to host 14 unused API libraries on your server just to use the 15th. This keeps our codebase at ~4.5KB and auditable in minutes.
     78
     792. The Complexity Risk (Security)
     80In security, Complexity is the Enemy. OAuth flows require redirects, token storage, refresh tokens, and constant API updates. Every external library added to a plugin increases the "Attack Surface"—more code means more places for bugs to hide.
     81
     82The Reality: If a plugin’s bundled "Google API Client" has a vulnerability, your site is at risk—even if you are using Outlook.
     83
     84Our Fix: We use native WordPress functions. No external dependencies. No third-party SDKs. No supply-chain vulnerabilities.
     85
     863. App Passwords: The Superior Choice
     87We use App Passwords (Standard SMTP Authentication). This is the secure, recommended method for server-side mailing (Gmail/Workspace & Microsoft 365).
     88
     89Strictly Scoped: An App Password usually only has permission to send mail. Unlike an OAuth token (which can sometimes be scoped too broadly), an App Password cannot be used to change your account settings or read your Drive files.
     90
     91Instantly Revocable: If you suspect a breach, you can revoke that specific App Password instantly from your Google/Microsoft dashboard without changing your main login credentials.
     92
     93Zero Downtime: OAuth tokens expire or disconnect if the API changes. App Passwords work until you say stop.
     94
     95Pinny’s Simple SMTP chooses stability over shiny buttons. Enter your Host, Port, and App Password → Save. Done.
     96
    6797---
    6898
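
Review bot: The "Strictly Scoped" paragraph (new line 89) and "No supply-chain vulnerabilities" (new line 84) are worded as security guarantees that the readme does not back up. Line 89 says an App Password "usually only has permission to send mail" without pointing to Google or Microsoft documentation; link the provider pages, or reword the sentence to describe only what the plugin itself does with the credential. Line 84 follows "We use native WordPress functions", so the plugin still relies on whatever WordPress core ships for mail; "no bundled third-party SDKs" is the claim the text actually supports. Line 80 lists token storage as an OAuth risk, yet nothing in the added text says where or how the App Password is stored, which is the first thing someone auditing the plugin will look for. Two smaller points: the section titles on new lines 67, 72, 79 and 86 are plain text with no heading markup, and the edit lands in tags/1.0.0/readme.txt with only one file changed, so check that trunk carries the same text.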