How I Regretted Using a Free Account on the External Service “Brevo”
Initially, to secure my WordPress email delivery system, I installed the WP Mail SMTP plugin. Following the guidance of an AI (Gemini) without a second thought, I integrated the external email delivery platform “Brevo.” At that moment, the setup completed flawlessly, and my email environment was perfectly locked and loaded. Saying it is easy, but the process itself was quite a hassle💦 Shortly after that, I had to migrate my blog to a new server.
When migrating data to the new site, I made the ultimate rookie mistake: “installing and activating the comment notification plugin before importing the actual post data.”
Exactly eight years ago, I fell into the exact same trap, yet I failed to turn it into a lasting lesson. I have nothing but absolute remorse.><
“It seems that creating a staging site for testing and installing the plugin beforehand caused reply notifications to be blasted out to comments simultaneously with the post import.”
And so, the moment I imported the massive amount of post data along with past comments, the underlying system mistakenly assumed that “replies had been posted to those comments.” This instantly triggered a hidden landmine, blasting out notification emails to my readers all at once.
To make matters worse, the data import itself failed initially, causing me to repeat the identical import operation multiple times. Consequently, the volume of notification emails generated behind the scenes multiplied at a geometric rate, ballooning into an unmanageable monstrosity.
Yet, unfortunately, not a single email was sent to me as the administrator, leaving me completely oblivious to the severity of the situation at that point.
I finally noticed something was wrong when testing the inquiry form on the new site. For some reason, emails wouldn’t send. Not only that, but forms on my other, separate websites—which had been running completely fine—were suddenly failing to send emails as well. After racking my brain for the root cause, I discovered that I had completely burned through the “300 emails per day” limit of Brevo’s free plan. It was at this exact moment that I finally realized the terrifying reality: “an astronomical amount of unintended emails are being blasted out in the background!”😨
At a complete loss, I consulted Gemini. It advised me to use the “WP-Optimize” plugin to wipe out the “expired transient options” lingering in the database. Furthermore, it told me to activate the “Disable Emails” plugin to force a master lock on all WordPress email outputs. I was assured that this would guarantee no new emails could escape from the WordPress side. However, by that point, 900 emails had already been shot out into the wild.
Was it truly safe? Feeling a lingering sense of dread, I checked my Brevo dashboard the next day, only to find the total number of sent emails had skyrocketed to 1,200! Another 300 emails had been unleashed since the previous day! That’s when the brutal truth hit me: no matter how tight you lock down the WordPress side, “the unsent queue (the ticking time bomb)” already pushed to the external service’s servers will not disappear. Worse yet, because of the restrictions on Brevo’s free plan, users are given absolutely zero tools or control to delete or clear this pending queue. I realized that as long as this remained, a catastrophic loop would continue, misfiring emails to my readers every single time the daily limit reset! (My hands were physically shaking at this point.)
How on earth do I stop this?! That was the burning question. Just the day before, a reader I’m connected with on LINE sent me a message with a screenshot, asking, “I’ve been getting a massive flood of these emails since yesterday, did you do something?” Although I had apologized and assured them that fixes were in place and everything was fine, the system was now pulling off a second full-blown rampage!
It was horrifying. I seriously started fearing that the people hit by this email barrage would put my address on a permanent spam block. No joke. I had caused an absolutely massive nuisance.
At all costs, I had to shut down this Brevo rampage. After thinking, thinking, and overthinking, it finally clicked: if I “completely delete the Brevo account itself” (which holds the pending queue), it has to stop! By completely vaporizing the external sending source itself, I finally managed to intercept the remaining bomb drops beyond the 1,200th email right at the water’s edge.
Through this devastating ordeal, I walked away with two core lessons: never blindly integrate external email delivery systems just for the sake of convenience, and never, under any circumstances, activate plugins at the destination site before the data import is complete.
The “direct server connection” setup I ultimately arrived at on CoreServer is the absolute best solution, allowing me to build the highest level of security (DKIM/DMARC) within a range I can personally manage. If anyone out there is currently lost in configuring their WordPress email environment or security settings, I highly recommend avoiding external services that lock essential features behind a paywall. Instead, take the definitive golden route of “direct server connection + DNS configuration” that I introduced in this article.
My only remaining anxiety is whether I might completely forget this sequence 10 years down the line and butcher an import job all over again. That is precisely why this record serves as an essential memorandum for myself. If any of the readers who were inconvenienced by this glitch happen to be reading this, I would like to take this opportunity to offer my deepest and most sincere apologies.