[wp-hackers] Plugin update & security / privacy

Otto otto at ottodestruct.com
Mon Sep 24 16:03:45 GMT 2007


In the interests of clarity, let's state exactly what's going on.

First case:
Every 43200 seconds (12 hours) or so, depending on when your site is
hit, the function will send a single HTTP request to
http://api.wordpress.org. It sends the following information:

WordPress Version
PHP Version
Locale setting (if there is one)
The Blog's URL

That's the main WordPress version check. It doesn't have anything to
do with plugins. Disabling it is easy; one line of code will do it:
remove_action('init','wp_version_check');


Second case:
Plugin update check. This occurs when you go to the plugin page and it
has not checked for updates in more than 43200 seconds (12 hours). It
also sends a single request to http://api.wordpress.org (different
script though) consisting of:
The Blog's URL
WordPress Version
Plugin names, URLs, versions, etc. All the plugin info, basically,
including inactive plugins.

Disabling this is also easy, another one-liner:
remove_action( 'load-plugins.php', 'wp_update_plugins' );


WordPress and Automattic's privacy policies can be found here:
http://automattic.com/privacy/


Two things I have to say:
1. If the blog is set to "Private", on the privacy admin page, both of
these should be disabled. Why? Because the user will have expressed a
preference. Respect it.
2. There should be a link to the above privacy policy in the admin
pages, somewhere.

Given that WordPress has failed to do both of these, then yes, I agree
that this "feature" is subversive and will cause an outcry. Regardless
of *what* the information can be used (or not used) for, it's sending
out information without informing the user of that fact or disclaiming
what that information can and will be used to do. Furthermore, it has
no opt-out mechanism, especially when there exists a mechanism already
that allows the user to express such a preference.

These two simple things are really not optional. They must be added.
If you're collecting data, ever, then these are the absolute minimum.

So, there's my 2 cents.
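The following is an added example and not part of Otto's post, nor WordPress core or Automattic code. It wires the two remove_action() one-liners quoted above to the "Private" setting from the privacy admin page (point 1) and adds the privacy-policy link in the admin area (point 2). It assumes the hook names are the ones named in the post, that WordPress stores the privacy choice in the 'blog_public' option ('0' meaning private), and the example_* function names are hypothetical; it would be dropped in as a small plugin file.

```php
<?php
/*
Plugin Name: Respect blog privacy for update checks (added example)
Description: Disables the two api.wordpress.org phone-home checks when the
             blog is set to "Private", and links the privacy policy in admin.
*/

if ( ! defined( 'ABSPATH' ) ) {
    exit; // only meaningful when loaded by WordPress
}

// Assumption: WordPress keeps the privacy admin page choice in 'blog_public',
// where '0' is the "Private" / block-search-engines setting.
function example_blog_is_private() {
    return '0' === (string) get_option( 'blog_public', '1' );
}

// Unhook both checks described in the post. This file runs when plugins are
// loaded, which is before the 'init' action fires, so removing the 'init'
// callback here is early enough.
function example_disable_update_checks() {
    // First case: core version check (WordPress version, PHP version,
    // locale, blog URL), sent roughly every 12 hours.
    remove_action( 'init', 'wp_version_check' );

    // Second case: plugin update check run from the plugins page, sending
    // the full plugin inventory including inactive plugins.
    remove_action( 'load-plugins.php', 'wp_update_plugins' );
}

// Point 2 from the post: make the privacy policy reachable from the admin
// pages. Uses the 'admin_notices' hook and the policy URL given in the post.
function example_privacy_policy_notice() {
    echo '<div class="updated"><p>'
       . 'Update checks send data to api.wordpress.org. See the '
       . '<a href="http://automattic.com/privacy/">privacy policy</a>.'
       . '</p></div>';
}

if ( example_blog_is_private() ) {
    example_disable_update_checks();
} else {
    add_action( 'admin_notices', 'example_privacy_policy_notice' );
}
```

With this in place a private blog makes neither request, while a public blog keeps the checks but tells the administrator where the data goes; an explicit opt-out setting of its own would be the next step, since "Private" conflates several intentions.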

