Files

2.0 KiB

WordPress SMTP Credential Discovery

When a site uses WP Mail SMTP (or similar) plugin, credentials are stored in the wp_options table as a serialized PHP array under wp_mail_smtp.

Query Pattern

SELECT option_value FROM wp_options WHERE option_name = 'wp_mail_smtp';

The value is a PHP serialized array. Extract fields with:

mysql -h 127.0.0.1 -P <PORT> -u <USER> -p'<PASS>' <DB> \
  -e "SELECT option_value FROM wp_options WHERE option_name = 'wp_mail_smtp'" \
  --skip-column-names 2>/dev/null | python3 -c "
import sys, re
data = sys.stdin.read()
# PHP serialized array — extract key fields via regex
for key in ['mailer', 'host', 'port', 'user', 'pass']:
    match = re.search(r's:4:\"$key\";s:(\d+):\"(.*?)\"', data)
    if match: print(f'{key}: {match.group(2)}')
"

Or parse the PHP serialized format more robustly with Python (the php-serialize library, or use the regex approach above for the specific fields needed).

Common Locations

Site DB Name Host Port User How to access
Apex Track Experience apextrackexperience_1781549652 c1113726.sgvps.net:2525 2525 contact@apextrackexperience.com MySQL tunnel on Core (127.0.0.1:33060)
Any WordPress site on wphost02 varies varies varies varies SSH to wphost02, query local MySQL

MySQL Tunnel Access

On Core, the Apex Track Experience database is accessible via SSH tunnel through wphost02:

mysql -h 127.0.0.1 -P 33060 -u <USER> -p'<PASS>' <DB> -e "SELECT 1"

The tunnel is maintained by mysql-tunnel systemd service (Core → wphost02:3306).

Pitfalls

  • The wp_mail_smtp option stores the password as plaintext (not hashed) in the PHP serialized array
  • The wp_mail_smtp_initial_version and wp_mail_smtp_version options confirm the plugin version
  • WPForms uses the same WP Mail SMTP plugin for email — form notification emails are sent via these same credentials
  • The MySQL password in the connection string is also in plaintext in systemd unit files — keep unit files chmod 600