Postman SMTP Replaced by Post SMTP

SMTP to the rescue for WordPress email non-delivery

WordPress has a built-in mail script, but unfortunately, there is a high rate of delivery failure using wp_mail(), as many Internet Service Providers consider it insecure and block.  There is a presumption that the email being sent via WordPress is spam.  The fix for site owners who find that email is not being received is to install what is called an SMTP plugin.

There are numerous reputable plugins of this SMTP genre.  There are many approaches from setting up a plugin that uses the hosts SMTP setting for an email account and preferably SSL (so the email account’s credentials are used) to tying the mail delivery through Google Gmail and their OAuth credentialling.

For considerable time Postman SMTP was the go-to plugin for this type of need.  With thousands of installations, a reputation for terrific performance and great reviews, this was a cornerstone of a web developers toolbox.  Recently, an XSS vulnerability was identified with the Postman SMTP plugin and its author reportedly didn’t have time to revise the code and pulled the plugin from its repository.  When a plugin presents a high-security risk, it is removed to prevent new installations.

Unfortunately, it took a while for news of the issue to reach the community.  When it did, another developer, who like most of us, valued the necessary functionality of Postman SMTP and made a commitment to take on the plugin henceforth.  He quickly fixed the plugin, renamed it to Post SMTP and submitted it to for review.  They approved and already at this date, the plugin as over 7K installs.

Help!  I still have Postman SMTP installed on my site.

For anyone with the original Postman SMTP plugin still active on their website, the fix is quite simple.  It took me about 15 minutes per client site with the following steps.

Backup your database first (always a good idea before any updates).

Login to your website admin and go to Plugins | Installed Plugins | Postman SMTP | Deactivate (don’t delete it yet!)

  • Go to Plugins | Add new | enter Post SMTP in the search window.
  • Install Post SMTP
  • Activate Post SMTP
  • Settings from Postman SMTP will still be present (stored in the same data tables)
  • On my installs, I used Google Gmail and OAuth – I clicked on the option to revalidate
  • Send yourself a test email
  • If all works well, then return to your Plugins | Installed Plugins | Postman SMTP | Delete
  • Clear any caches

Other reputable options available

There are certainly other reputable SMTP plugins available, but if you need to remove Postman SMTP, replacing directly with Post SMTP means you don’t have to start over with configuring.

WP Mail SMTP – WP SMTP – Email – WordPress SMTP Mailer by Mail Bank

WP Mail SMTP by WPForms


Gmail SMTP

What Exactly is XSS Cross Site Scripting?

Below is an excellent article that explains what it is and why it’s so dangerous to allow a known vulnerability to exist on your website: