A few .htaccess lines to block access to the
vendor folder could help. But I don’t see how I could write a .htaccess file that protects anyone from writing bad code which exposes credentials. The script as it is should be safe enough. Any large changes made to the script has to be done properly by the developer.
What was illegal? Creating, using and sharing open source software? If so, we would have to ban basically any CMS.
Sending mails with an external mail server? That has always been a supported use case. We have had an article in the knowledge which actually helps people with this for years, but as was discussed in the other topic recently, it was still a bit too complicated to use.