Update (June 2026): This page originally explained how to enable Gmail’s "Less Secure App Access" (LSA) setting. Google permanently removed LSA on 30 May 2022. The setting no longer exists, the toggle page returns a 404, and plain username/password SMTP authentication to Gmail no longer works. The original instructions are preserved below for reference, but they cannot be followed.
What happened
Google’s LSA setting allowed third-party apps to authenticate with a Gmail username and password over SMTP. Google deprecated the feature on 30 May 2022 as part of a broader push toward OAuth 2.0. The lesssecureapps settings page and the DisplayUnlockCaptcha page are both dead.
For WordPress sites, this means any mailer plugin configured with a Gmail address and password stopped working on that date. The SMTP session fails at authentication — typically a 534-5.7.9 Application-specific password required or 535-5.7.8 Username and Password not accepted error.
What to do instead
Two options remain for sending WordPress email through Gmail’s SMTP server (smtp.gmail.com):
Option 1: App Passwords (simpler)
App Passwords are 16-character codes that replace your Gmail password for SMTP authentication. They require 2-Step Verification on the Google account.
Full walkthrough: How to set up App Passwords in Gmail
In your WordPress mailer plugin, the configuration is:
- SMTP Host: smtp.gmail.com
- Port: 587 (STARTTLS) or 465 (SSL)
- Username: your full Gmail address
- Password: the 16-character App Password (not your Google account password)
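To check these Option 1 settings outside WordPress, the following added example (not code from the original page or from any mailer plugin) attempts STARTTLS and login against smtp.gmail.com on port 587 and maps the two error codes quoted above to the remedy this page gives. The function names and hint wording are assumptions of this example; no message is sent.

```python
import smtplib
import ssl

# Enhanced status codes quoted on this page, mapped to the remedy the page gives.
# The hint wording is this example's own.
AUTH_HINTS = {
    "5.7.9": "account password was sent; create an App Password (needs 2-Step Verification) or use OAuth 2.0",
    "5.7.8": "credentials rejected; check the full Gmail address and the 16-character App Password",
}

def normalize_app_password(raw):
    """Drop whitespace that may be pasted along with the code; require 16 characters."""
    compact = "".join(raw.split())
    if len(compact) != 16:
        raise ValueError("expected a 16-character App Password, got %d characters" % len(compact))
    return compact

def explain_auth_failure(code, message):
    """Turn an SMTP AUTH rejection (reply code + server text) into a remediation hint."""
    text = message.decode("utf-8", "replace") if isinstance(message, bytes) else message
    for status, hint in AUTH_HINTS.items():
        if status in text:
            return "%d %s: %s" % (code, status, hint)
    return "%d: unrecognized authentication failure: %s" % (code, text.strip())

def check_gmail_login(username, app_password, host="smtp.gmail.com", port=587, timeout=15):
    """Attempt STARTTLS + AUTH and return (ok, detail). Network errors propagate to the caller."""
    password = normalize_app_password(app_password)
    context = ssl.create_default_context()  # verifies the server certificate and hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=context)  # refuse to send credentials in cleartext
            smtp.login(username, password)
        return True, "authenticated"
    except smtplib.SMTPAuthenticationError as exc:
        return False, explain_auth_failure(exc.smtp_code, exc.smtp_error)

if __name__ == "__main__":
    # Constructed server replies, modelled on the two errors named on this page.
    for code, reply in [(534, b"5.7.9 Application-specific password required"),
                        (535, b"5.7.8 Username and Password not accepted")]:
        print(explain_auth_failure(code, reply))
```

Call `check_gmail_login("you@gmail.com", "<app password>")` from a host with outbound access to port 587 to test real credentials before entering them in the plugin.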
Option 2: OAuth 2.0
OAuth avoids passwords entirely — the mailer plugin redirects to Google’s consent screen and receives a token. WP Mail SMTP Pro, FluentSMTP, and Post SMTP all support Gmail OAuth. This is Google’s preferred method but requires more setup (creating a Google Cloud project and OAuth credentials).
See: Gmail OAuth vs App Passwords for WordPress
Which option for WordPress?
App Passwords are the right default for most WordPress sites. The setup takes two minutes, works with every mailer plugin (free tiers included), and requires no Google Cloud configuration. OAuth is worth the extra setup for sites that need unattended token refresh or cannot enable 2-Step Verification on the sending account.
Original instructions (archived — no longer functional)
The following steps described how to enable LSA before Google removed the feature on 30 May 2022. They are preserved for reference only.
- Sign in to your Gmail account.
- Visit https://www.google.com/settings/security/lesssecureapps (now returns 404). Next to "Allow less secure apps: OFF," toggle to ON.
- Visit the Display Unlock Captcha page (also dead) and click Continue.
The credentials required were your Gmail username and Gmail password — no App Password or OAuth token.
References
- Less secure apps & your Google Account, Google Account Help
- Control access to less secure apps, Google Admin Help
- How to set up App Passwords in Gmail, nanoPost
- Gmail OAuth vs App Passwords for WordPress, nanoPost