# WordPress SMTP Credential Discovery When a site uses WP Mail SMTP (or similar) plugin, credentials are stored in the `wp_options` table as a serialized PHP array under `wp_mail_smtp`. ## Query Pattern ```sql SELECT option_value FROM wp_options WHERE option_name = 'wp_mail_smtp'; ``` The value is a PHP serialized array. Extract fields with: ```bash mysql -h 127.0.0.1 -P -u -p'' \ -e "SELECT option_value FROM wp_options WHERE option_name = 'wp_mail_smtp'" \ --skip-column-names 2>/dev/null | python3 -c " import sys, re data = sys.stdin.read() # PHP serialized array — extract key fields via regex for key in ['mailer', 'host', 'port', 'user', 'pass']: match = re.search(r's:4:\"$key\";s:(\d+):\"(.*?)\"', data) if match: print(f'{key}: {match.group(2)}') " ``` Or parse the PHP serialized format more robustly with Python (the `php-serialize` library, or use the regex approach above for the specific fields needed). ## Common Locations | Site | DB Name | Host | Port | User | How to access | |---|---|---|---|---|---| | Apex Track Experience | `apextrackexperience_1781549652` | c1113726.sgvps.net:2525 | 2525 | `contact@apextrackexperience.com` | MySQL tunnel on Core (`127.0.0.1:33060`) | | Any WordPress site on wphost02 | varies | varies | varies | varies | SSH to wphost02, query local MySQL | ## MySQL Tunnel Access On Core, the Apex Track Experience database is accessible via SSH tunnel through wphost02: ```bash mysql -h 127.0.0.1 -P 33060 -u -p'' -e "SELECT 1" ``` The tunnel is maintained by `mysql-tunnel` systemd service (Core → wphost02:3306). ## Pitfalls - The `wp_mail_smtp` option stores the password as plaintext (not hashed) in the PHP serialized array - The `wp_mail_smtp_initial_version` and `wp_mail_smtp_version` options confirm the plugin version - WPForms uses the same WP Mail SMTP plugin for email — form notification emails are sent via these same credentials - The MySQL password in the connection string is also in plaintext in systemd unit files — keep unit files `chmod 600`