
WordPress 2.3 Does Not Spy On Users [UPDATED]

Posted by kdawson on Tue Sep 25, 2007 11:37 AM
from the if-you-don't-like-it-fork-it dept.
Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD: This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."

  • You shouldn't be. Developers gotta eat.
  • Suggestion (Score:5, Funny)

    by Anonymous Coward on Tuesday September 25, @11:41AM (#20745083)
    He can go fork himself.
    • Re:Suggestion by ScrewMaster (Score:2) Tuesday September 25, @06:32PM
  • Cue OpenWordPress project appearing in Sourceforge in 5... 4... 3...
    • Re:Fork by nofrak (Score:1) Tuesday September 25, @11:49AM
      • Re:Fork by sabinm (Score:2) Tuesday September 25, @12:51PM
        • Re:Fork by nofrak (Score:1) Tuesday September 25, @03:26PM
    • No point -- insecure codebase by sethawoolley (Score:2) Tuesday September 25, @12:33PM
      • Wow - to think that such a popular blogging engine is so flawed...

        Anyway, i googled and found this link:

        http://www.mitchelaneous.com/2007/09/19/9-wordpress-alternatives/ [mitchelaneous.com]

        9 WordPress Alternatives

        September 19, 2007 at 7:16 am Web Development

        No doubt that WordPress is the king of the hill when it comes to content management these days. It seems like in a lot of people's eyes they can do no wrong. There have to be a few other choices out there though, right?

        Now don't get me wrong, I am totally happy with Wordpress - but, there are several cool alternatives that might be worth checking out for your next web project.

        Drupal - Drupal is a little more of a WordPress on steroids. Lots of goodies and better membership system in place too.

        AJAXPress - A little buggy by looking at the demo but will become a better idea once it has had more time to get polished.

        Textpattern - Flexible and open source blogging solution - much of the same WordPress look and feel.

        Serendipity - This is a PHP-powered weblog application which gives the user an easy way to maintain a weblog or even a complete homepage.

        Joomla - Like Drupal, might be too feature rich for the casual blogging fan - but a good engine for in depth web sites or basic blogs.

        b2evolution - An old one, but still a good one - and can hold its own weight still with the other selections out there.

        Simplog - Simple, yet powerful - the name says it all here. You want basics without the fluff - go with Simplog.

        Wikiblog - This one tries to mix the blogging and wiki sides of things into an interesting mashup of content creation.

        Sblog - Another one similar to WordPress, looks like it is playing catchup too. Once it gets there though, might be worthy competition.

        There you have it - nine other tools you can use to get your content published and your articles out there to the world. Have one I missed?


        Now, my question is - how secure are they for you, sethawoolley? Which one would you choose?
  • by My name is Bucket (1020933) on Tuesday September 25, @11:43AM (#20745113)
    ...But people are busy checking their posts from the "Sony DRM" thread last month to make sure they don't look like hypocrites.
  • fork (Score:3, Interesting)

    by rodentia (102779) on Tuesday September 25, @11:43AM (#20745121)
    telling users to 'fork WordPress'

    Consider it done.
  • by jbeaupre (752124) on Tuesday September 25, @11:43AM (#20745123)
    PrivatePress
  • well (Score:5, Interesting)

    one way to disable it is to go into the code and remove the offending portion. couldn't be that hard to do. and once somebody does it and posts instructions, it gets even simpler. no reason to fork the project.
     
    and wordpress isn't that complicated that this is something that no one but the most hard core will do. tons of wordpress users regularly go in and tweak it for their own uses. i haven't moved to this new version with my site yet - i always wait a bit for things to shake out, and stuff like this is why. when i do upgrade, i'll just fix my install.
    • Re:well by Constantine XVI (Score:1) Tuesday September 25, @11:52AM
      • Re:well by stoolpigeon (Score:2) Tuesday September 25, @11:58AM
        • Re:well by trolltalk.com (Score:2) Tuesday September 25, @12:24PM
          • Re:well by stoolpigeon (Score:2) Tuesday September 25, @12:33PM
            • Re:well by trolltalk.com (Score:3) Tuesday September 25, @01:14PM
    • Re:well by SamP2 (Score:3) Tuesday September 25, @11:56AM
      • Re:well by cos(0) (Score:2) Tuesday September 25, @11:59AM
        • Re:well by smellotron (Score:1) Tuesday September 25, @08:47PM
      • Re:well by stoolpigeon (Score:2) Tuesday September 25, @12:01PM
      • Re:well by astrotek (Score:1) Tuesday September 25, @12:04PM
      • Re:well by HoosierPeschke (Score:2) Tuesday September 25, @12:55PM
    • Re:well by GeckoX (Score:3) Tuesday September 25, @11:57AM
      • Re:well by stoolpigeon (Score:2) Tuesday September 25, @12:07PM
        • Re:well by GeckoX (Score:2) Tuesday September 25, @12:09PM
    • Re:well by lawpoop (Score:2) Tuesday September 25, @12:04PM
      • Re:well by stoolpigeon (Score:2) Tuesday September 25, @12:11PM
        • Re:well by ZaMoose (Score:2) Tuesday September 25, @12:26PM
          • Re:well by stoolpigeon (Score:2) Tuesday September 25, @12:31PM
      • Re:well by KlomDark (Score:2) Tuesday September 25, @12:15PM
  • So what does it send, according to the FA:
    The blog's URL
    A list of all plugins and versions
    A list of the $_SERVER env variables

    How is this information not necessary for a robust autoupdating/autonotifying infrastructure? Since the plugins are the source of so many vulnerabilities, you need to know their versions etc.

    Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.

    And the blog URL tells you who it is.

    Windows Update has to send far MORE intrusive information.

  • Pyblosxom (Score:5, Interesting)

    by Marcion (876801) on Tuesday September 25, @11:47AM (#20745173)
    (http://commandline.org.uk/ | Last Journal: Wednesday May 30, @05:49AM)
    Well if anyone is looking for an alternate upgrade path, I 'upgraded' my blog from Wordpress 2.2 to Pyblosxom and am really enjoying using it:
    - it's really light and fast
    - I can edit posts in a text editor rather than a web based interface
    - it's in Python and very easy to customise
    - theming is far simpler: just rip your HTML template into a header and footer, rather than having to make 12 files with Wordpress.

    Plug over... Move along...

    • Re:Pyblosxom by SpiritGod21 (Score:1) Tuesday September 25, @12:06PM
    • Re:Pyblosxom by Laebshade (Score:2) Tuesday September 25, @12:07PM
    • That product is doomed (Score:4, Funny)

      by multipart/mixed (163409) on Tuesday September 25, @12:17PM (#20745657)
      Can you imagine the water cooler conversation about Pyblosxom? How the hell are they supposed to go back and google about it? That'd be like trying to google for the symbol that represents the artist formerly known as Prince.

      I mean, really, WTF. They might as well have named it slakdfjalskdjflaskjdf!
    • Re:Pyblosxom by steevc (Score:1) Wednesday September 26, @06:33AM
  • Basically, go fork ourselves? (Score:1, Interesting)

    Gladly. The arrogant attitude shown by these developers gives me not only a reason to think about how to fork the code, but the reasons we as a community should fork the code as soon as possible.

    My thought is that though information wants to be free, my information wants to be more private, so any software that blatantly violates my privacy rights tends to not get or stay installed on my workstation.

  • Who cares? (Score:1)

    by pathological liar (659969) on Tuesday September 25, @11:49AM (#20745223)
    The versions it reports are for an autoupdate feature... and the $_SERVER and php/database settings are (I imagine) used to figure out what wordpress settings are common. How soon they can remove support for old versions of mysql and php, how many people use cgi instead of fastcgi instead of mod_php.

    Tempest in a teapot.
  • Breathless Hyperbole. (Score:5, Informative)

    Read the thread. This isn't a developer admitting to spying on users. This is debate over a new feature written to help you keep from getting your blog haxored. They are collecting server and plugin data to help you to keep your software up to date.

    Matt Mullenweg is being very reasonable and reasoned in dealing with a small but vocal group's paranoia. In the same breath that he mentioned forking Wordpress, he also mentioned that another option is using a plugin that disables this behavior.

    The submitter should be ashamed.
  • Isn't this the point of FOSS? (Score:4, Insightful)

    by Enlarged to Show Tex (911413) on Tuesday September 25, @11:50AM (#20745229)
    If the developer decides to insert malware, or other forms of code not acceptable to you, the GPL gives you the freedom to modify it to suit your own needs. If that means you have to fork the project, so be it - that's within your rights under the GPL.

    OTOH, the idea of using FOSS (good!) as a venue for spyware (bad!) is enough to make a guy's head explode...
  • What Matt wrote (Score:5, Informative)

    by imaginaryelf (862886) on Tuesday September 25, @11:51AM (#20745257)

    Date: Sun, 23 Sep 2007 12:35:26 -0700
    From: Matt Mullenweg
    To: wp-hack...@lists.automattic.com
    Subject: Re: [wp-hackers] Plugin update & security / privacy

    Moritz 'Morty' Strübe wrote:
    > I know this will not change until Monday, but is it really necessary to
    > transmit the URL?

    Your blog URL and version has been sent by default for 4+ years to every
    ping service in the world, including Ping-O-Matic, every time you make a
    post. Of course you can turn that off, just like you can turn update
    notification off, but statistically no one does.

    The only new information being sent by the update checker is PHP version
    and a list of plugins. If you don't like that feature, please install a
    plugin to disable it:

    http://wordpress.org/extend/plugins/disable-wordpress-core-update/ [wordpress.org]
    http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/ [wordpress.org]

    Of course don't forget the WP dev blog and planet RSS feeds, and most
    importantly the incoming links feed which ALSO transmits your blog URL.

    I would also recommend disabling the updates in Mac OS X, Firefox,
    Windows, Thunderbird, Adobe Photoshop, and any other third-party
    applications you have. As all of those are tied to your personal IP and
    not your server IP they have far more implications for privacy.

    > If that database
    > gets public and you find a security bug in one of the plugins - there
    > are enough - you can start a _very_ effective attack!

    Such an attack would not be more effective, it would just be more
    efficient. Historically, however, scripts that attack against WordPress
    don't bother checking the version or if a plugin is there or not, they
    just seek out every WP blog and check the specific capability or
    vulnerability.

    Nevertheless, we're beefing up the infrastructure and security of
    WordPress.org, which Barry is working on right this instant. In 2 years
    of running WordPress.com and Akismet, two extraordinarily
    high-visibility targets, there has never been a problem on a server
    Barry set up. The only problems we've had (once on WP.org, once on
    PhotoMatt) have been things I set up, and I'm not setting up these new
    ones. :)

    I think this feature is actually going to dramatically improve the
    security of WordPress overall. We all saw the survey that 95% of WP
    blogs were vulnerable. That didn't even look at plugins. I think the
    survey was flawed, but you still can't deny that for most people knowing
    there is an update and actually updating just doesn't happen, and this
    is a necessary first step. If the only "trade-off" is sending an ALREADY
    PUBLIC blog URL to wordpress.org, then great!

    I would like to remind the participants of this thread that WP.org !=
    Automattic, so to be fair to the members of both please distinguish
    which you're referring to.
  • Rip out the code? (Score:2)

    by e2d2 (115622) on Tuesday September 25, @11:54AM (#20745301)
    It doesn't provide you a way to stop it? Hardly. They provide full source code under GPL. Rip it out, publish changes, DONE.
  • Fork we shall (Score:3, Informative)

    by businessnerd (1009815) on Tuesday September 25, @11:54AM (#20745303)
    This is once again proof that the open source model is a good thing for users and protects us from unknowingly being used as pawns. The win is twofold here. First, the source was open, so that it was available for audit by anyone. This appears to be how this functionality was discovered. Someone noticed what the code was doing and raised a red flag. Now the users are aware and can make a choice in whether they will make the upgrade, not make the upgrade or turn to a new application. In the closed source world, often we are unaware of "unsavory code" while we use it for some time, all the while being subjected to its unsavory effects.

    The second way that the open source model has won, is that users who disagree with the direction the application is heading in can now fork. In fact, the head developer of the project suggests it.

    Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior."
    I'm pretty confident that this will happen and happen fast. Given that people "fork" (some say hack/crack) closed source software all the time to leave out all of the "evil" modules (See Kazaa > Kazaa Lite > Kazaa Lite K++; and don't forget cracked Windows XP) forking an open source project to leave out all of the "evil" modules should be pretty easy. I'm no developer, but I could see this being as simple as taking the original source, commenting out/removing the bad stuff, and then redistributing.
  • This is SENSATIONALISM (not Sparta) (Score:5, Insightful)

    by Laebshade (643478) <laebshade@gmail.com> on Tuesday September 25, @11:55AM (#20745305)
    (http://gentoogeek.net/)
    When I first read the summary, I was a little worried. Then I went and read the actual reply in the WordPress Hackers mailing list Matt posted, and I was relieved. He points out that the blog name and URI has been sent to services like Ping-o-Matic (wordpress-run service) for 4 years now. For those wanting to disable it, he even posts links for plugins that will disable the feature of the 'update checker'. Seems to me this slashdot article was posted by someone who wants to take WordPress down. Here's a part of his post:

    Your blog URL and version has been sent by default for 4+ years to every
    ping service in the world, including Ping-O-Matic, every time you make a
    post. Of course you can turn that off, just like you can turn update
    notification off, but statistically no one does.

    The only new information being sent by the update checker is PHP version
    and a list of plugins. If you don't like that feature, please install a
    plugin to disable it:

    http://wordpress.org/extend/plugins/disable-wordpress-core-update/ [wordpress.org]
    http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/ [wordpress.org]

    Of course don't forget the WP dev blog and planet RSS feeds, and most
    importantly the incoming links feed which ALSO transmits your blog URL.

    I would also recommend disabling the updates in Mac OS X, Firefox,
    Windows, Thunderbird, Adobe Photoshop, and any other third-party
    applications you have. As all of those are tied to your personal IP and
    not your server IP they have far more implications for privacy.


    As to what the summary refers to, where Matt suggests a person fork Wordpress:

    Moritz 'Morty' Strübe wrote:
    > It can.

    Your blog URL is completely harmless.

      > We only have your word for that. And sorry, that is not enough
      > for me. Especially if it does not have to be.

    If you don't trust wordpress.org, I suggest you do one of the following:

    1. Use different software.
    2. Fork WordPress.
    3. Install one of the aforementioned plugins.


    Again, he gives the solution to the original poster's complaint (Moritz 'Morty' Strube). If this Moritz is really concerned, he can fork and remove the new code that transmits this information - or if he isn't too concerned, just install the plugins Matt suggested.

    This is making something out of nothing. Definitely nothing to see here, please move along.
  • Fork Them! (Score:1)

    by MeBadMagic (619592) <mtpenguin&gmail,com> on Tuesday September 25, @11:55AM (#20745313)
    Nice choice of words, don't you think?

    B-)
  • You have the source code, right?

    If you don't like the way the software behaves, you can change it. This is one of the fundamental freedoms the FSF endorses. In fact, I would say this is a perfect example of the open source model in action:

    1. User doesn't like a feature of the software.
    2. User disables feature in source code, recompiles, and improves the software.

    The sad thing is that Microsoft and other proprietary vendors have been so successful at convincing the general public that they should be at the vendor's mercy when it comes to bug fixes and feature requests that even Open Source users have come to believe the software originator's blessing is required.

    Un-warp your brains. Experience freedom. Fork it if you don't like it, and let the people decide which version they like better.

  • But you're little? (Score:1)

    by jhRisk (1055806) on Tuesday September 25, @11:56AM (#20745335)
    I love it when little guys act high and mighty. Yes, they're "little" as compared to say Apple or MS who can pull stunts like this and the general populace just acquiesces. I include myself in that statement as, at times, it still makes business sense to go with a product even if you don't agree with all aspects of what it does. This, however, IMHO is not one of those cases.

    Ironically, I was considering global site licenses of this product for our public relations agency. Thanks for dropping out of the running!
  • by kwandar (733439) on Tuesday September 25, @11:57AM (#20745345)
    Maybe I missed it, but it struck me that the developer's response was very civil, and well thought out. From the slashdot article you'd think he'd told the whole community to "fork off"?

    So - did I miss something, or did everyone else not RTFA?
  • The Actual Quote (Score:2, Informative)

    by michaelkpate (260010) on Tuesday September 25, @11:57AM (#20745349)
    (http://www.michaelkpate.com/)
    Since no one had actually linked the Fork comment, http://groups.google.com/group/wp-hackers/browse_thread/thread/bdced7524fa79a18/f8b5bc6efc4a4005#f8b5bc6efc4a4005 [google.com]

    > If you don't trust wordpress.org, I suggest you do one of the following:

    > 1. Use different software.
    > 2. Fork WordPress.
    > 3. Install one of the aforementioned plugins.
  • If you're worried about the security of the copious data being sent to Wordpress.org, don't be, there's this guy named Barry, he's awesome and he will keep your private information safe!

    Or as the author of WordPress puts in TFA:

    "In 2 years of running WordPress.com and Akismet, two extraordinarily
    high-visibility targets, there has never been a problem on a server
    Barry set up."

    Uh, right.
  • Don't worry (Score:4, Funny)

    by m4g02 (541882) on Tuesday September 25, @11:59AM (#20745383)
    As a rule spying on users shouldn't be a security concern as long as the person/corporation spying is honest, just and only concerned on improving their software and the user experience...

    So... As a rule spying on users is always a security concern =P (name it WordPress or Windows Update).
  • Fork This! (Score:2)

    by Nom du Keyboard (633989) on Tuesday September 25, @12:01PM (#20745413)

    telling users to 'fork WordPress' if they aren't willing to put up with this behavior."

    I think I'd rather "fork" him -- right in a tender spot.

    It's bad enough to do it in the first place.

    It's worse to do it in secret. (Did he really think it wouldn't be discovered?)

    It's worst of all to actually defend it afterwards. (Who does he think he is? Dan Rather?)

  • A good process is important. Of course I agree with that! But at some point, for any area where decisions must be made, you will need a person. Or a HAL 9000. But either way, the individual is what determines what will occur. Bad leaders are doom, good leaders are bliss. There is no way, from a distance or with a policy, to escape this fact. You need to make sure the people in power are good people you can trust, because power does not corrupt that kind of person, at least not in important ways. I'd rather have a good leader who splurges on a BMW with taxpayer funds than a bad leader who drives a Honda.

    In the case of WordPress, it's advantageous for them to be able to get diagnostic and statistical information. They will learn more about their users' needs, and will be able to see where bugs crop up and eliminate them more quickly. I have no problem with people I trust having this kind of information about my servers, especially if I trust them to keep it securely. But I don't know the WordPress team, so it could be a problem.

    There are no solutions you can implement from the couch for this issue. People keep looking for from the couch solutions like "no one should retain any information about us" or "trust the government, no more 911s." But these are not realistic answers. You will have to trust some leader and there will always be both good and bad leaders, and the only way to remove the bad ones is with a sword. Oh well. Life is struggle, get used to it.
  • Fork (Score:2)

    If you can't wait for a Fork, there's a nice package called Textpattern [textpattern.com] that I used to use. It's kinda like WordPress. I liked it. Give it a spin and see if it works for you. :D (End shameless plug for favorite php app).

  • It makes you wonder what they're going to do with the data. Anyone out there peeled out all the code that sends this data yet?
  • Google Cloaking (Score:5, Informative)

    by Trillan (597339) on Tuesday September 25, @12:05PM (#20745487)
    (http://pyile.com/ | Last Journal: Tuesday December 19 2006, @01:33PM)
    For those wondering what the big deal is, I expect a lot of the reaction is fueled by memories of Mullenweg being caught google cloaking [theregister.co.uk] in 2005. Once someone loses your trust, you don't really want to share any data with them.
  • Summary Is A Troll (Score:5, Informative)

    by bmo (77928) on Tuesday September 25, @12:20PM (#20745709)
    And not only is it a troll, it's tinfoil haberdashery and skating _really close_ to Libel.

    Actually RTFA Matt's reasoning gives the opposite impression of the summary. Fork the submitter and Kdawson for greenlighting this.

    --
    BMO
  • by carlivar (119811) on Tuesday September 25, @12:27PM (#20745785)
    I was thinking about moving my blog to Typo. This makes my decision easy!
  • Privacy?! (Score:2)

    by soccerisgod (585710) on Tuesday September 25, @12:27PM (#20745791)
    Ahoy,

    I can understand the complaints about how this may be an additional security risk, or at least would make an asshole's job a bit easier if they hacked that central WP database. What I find somewhat irritating is that some people have voiced privacy concerns over this. I was under the impression that if you're running a blog, it means you're one of those Web 2.0 exhibitionists that tell everyone in the whole wide world all their daily activities in embarrassing detail anyway. Am I missing something?

  • that can be run in the wp directory as a 'patch' would easily solve that situation. provided that you give write permissions to all files it needs to fix, of course.

    wouldn't be too long until someone produces a 'fix'.
  • Canada's privacy law is pretty strict against the unauthorized sending in of personally identifiable information, especially one that sends it to an American server. There, the Patriot act allows the government to capture Matt's database. And the kicker, he is not allowed to tell you.

    Up here, we (being the government) can't buy any software package that stores the data in the USA. I can only imagine the tens of millions of lost dollars in contracts because of the Patriot Act. I would have hated to have added Matt's awesome editor to that list. Rock on Matt!
  • How does this affect WordPress multiuser? Usually that's a few steps ahead of the single WP installation. Also, how does this actually schedule and send things? I'm on a hosted WP install, and as far as I know, I'd have to manually go in and set up some sort of job or something to get any sort of recurring activity. They're saying my hosted webserver PHP code is going to initiate outgoing requests or something?
  • by lawthomp (1161845) on Tuesday September 25, @01:21PM (#20746503)
    It appears as if this was going to be placed into the code without notifying anyone of it. It was people in the linked list that found out about this, which provoked a rather harsh response from the developer. Considering the amount of secrecy that was evidently intended with this feature, what is to prevent even more information from being sent in the future? A security update could come out next week and in that a developer decides to sneak in code that also sends a list of all emails in your user database. Trust is something earned. The trust for Wordpress has gone down in my book. I will be moving my site to another platform this week. As a lawyer who specializes in tech related issues, I have written numerous privacy statements and end user agreements for software companies. They pay money for these to protect their own interests, as well as the interests of their users. Wordpress took none of these into consideration. That is a shame since Wordpress is a great platform for the person who isn't that technically gifted. Those are also the same people that deserve some sort of guarantee that their privacy is of utmost concern to the software manufacturers, and not be expected to learn programming or search mailing lists to find out about it.
  • by MacColossus (932054) on Tuesday September 25, @02:37PM (#20747471)
    (Last Journal: Monday February 27 2006, @03:52PM)
    Of course Matt thinks the article is wrong. I did read the linked forum discussion from the day before this shipped. First, you shouldn't have to plug the app to enable/disable a feature like this. Are we really that bad for wanting this? The functionality should be included. Secondly, there is no privacy statement associated with the information gathering. They can do with it what they so choose. Third, they never provided convincing info on why they need to gather the info. Autoupdate would work without most of the info they are collecting. I could go on with rational discussion of why people see this as a negative, but what's the fun in that. Flame away.
  • Yes Sir (Score:2)

    by jshriverWVU (810740) on Tuesday September 25, @02:49PM (#20747607)
    telling users to 'fork WordPress' if they aren't willing to put up with this behavior.

    Ok easy enough :) curling old source now.

  • OpenPress (Score:1)

    by j_aroche (952489) on Tuesday September 25, @04:07PM (#20748673)
    (http://jaroche.wordpress.com/ | Last Journal: Wednesday September 19, @11:56PM)
    It's time to start OpenPress guys ;)
  • I don't particularly prefer WordPress, and while recently considering various blogging tools for my new blogs and a new website service offering hosted blogs that I am designing, I ended up building my own tool based on some pre-existing code: I got Drupal [drupal.org]'s HEAD and I am currently modifying its blog module to create exactly what I perceive as the perfect blogging tool for me and the blog service I am going to launch. I'll provide patches or a complete new blog module to the Drupal project when I finish the preliminary testing of my changes. I liked Drupal's blog module for its simplicity and small size, as I had a good base (posting system and Drupal's blog API support) to start adding features to, without having to worry about breaking an existing large complex system. I found Drupal's blog module easy to customise, so I think it's a good platform to base your own blog on, especially if you know PHP programming and you have special requirements that are not solved by existing packages (like in my case). So, if you feel that WP or MT or any other blogging tool does not fully suit you, I encourage you to have a look at Drupal and modify it to create the perfect solution just for you. After all, a blog is something personal and must fully express your individuality and personality, and this cannot be done simply by changing a theme, as the software code itself is also an expression of your personality, so my idea is that if you want a fully personalised blog you should run your own blog engine too.
  • by uofitorn (804157) on Tuesday September 25, @08:37PM (#20751059)
    Is anyone really surprised that this story didn't turn out to be all that?

    kdawson has a penchant for posting 'stories' linking to shady blog postings, archived emails and usenet messages that tend to be little more than flamebait. If he's got anything going for him, he doesn't discriminate who he spreads FUD against.

    For extra enjoyment when you read slashdot, try to pick out which stories have been posted by kdawson without peeking at who it was. It's a very easy game.
  • by Anonumous Coward (126753) on Tuesday September 25, @10:27PM (#20751717)

    > Matt Mullenweg writes: "As mentioned in our release
    > announcement, the update notification sends your blog URL,
    > plugins, and version info when it checks api.wordpress.org
    > for new and compatible updates."

    Helping the users keep the software up to date is an
    honourable goal, but why exactly does WP need to *send*
    any data in order to do this? Wouldn't it be enough to
    *retrieve* a text file containing the latest version of
    everything, compare it to what it's running on and inform
    the user accordingly?

    In this particular case, concern for security is a cheap
    excuse for invading privacy and actually causing a security
    problem.
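The comment above asks whether an update checker needs to send anything at all, and the earlier comment ("So what does it send, according to the FA") lists the blog URL, the plugin inventory and the $_SERVER contents as the data in question. The following Python sketch is an added example, not WordPress code and not anything posted in the thread: it models both designs against constructed data so that the difference in what leaves the host is concrete. Every name and value in it (push_style_payload, pull_style_check, the sample install and manifest) is hypothetical.

```python
"""Two update-check designs compared on constructed data.

Design 1 (push): the client reports its inventory and the server decides.
Design 2 (pull): the client fetches a published manifest and compares locally.
Added example; all identifiers and values are hypothetical, not WordPress's.
"""
import re
from typing import Dict, Tuple

# Constructed state of one hypothetical install.
LOCAL_INSTALL = {
    "site_url": "https://blog.example.invalid",
    "core_version": "2.3",
    "php_version": "5.2.4",
    "plugins": {"akismet": "2.0.2", "hello-dolly": "1.5", "private-plugin": "0.1"},
}

# Constructed manifest as a hypothetical update server might publish it.
# In the pull design this is the only thing the client needs from the server.
MANIFEST = {
    "core": "2.3.1",
    "plugins": {"akismet": "2.1.0", "hello-dolly": "1.5"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Leading dotted integers only; a suffix such as '-beta' is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_outdated(installed: str, latest: str) -> bool:
    return parse_version(installed) < parse_version(latest)


def push_style_payload(install: dict) -> dict:
    """Design 1. Returns exactly what would be transmitted, so the
    disclosure (URL, core/PHP versions, full plugin list) is visible."""
    return {
        "url": install["site_url"],
        "core": install["core_version"],
        "php": install["php_version"],
        "plugins": dict(install["plugins"]),
    }


def pull_style_check(install: dict, manifest: dict) -> Dict[str, Tuple[str, str]]:
    """Design 2. The client has fetched `manifest` with a plain GET carrying
    no body; nothing about the install is transmitted. The server still sees
    the requester's IP address and User-Agent, as any HTTP request reveals.
    Returns {component: (installed, latest)} for each stale component."""
    stale: Dict[str, Tuple[str, str]] = {}
    if is_outdated(install["core_version"], manifest["core"]):
        stale["core"] = (install["core_version"], manifest["core"])
    for name, installed in install["plugins"].items():
        latest = manifest["plugins"].get(name)
        # A plugin absent from the manifest (private or third-party) is
        # never mentioned to the server and is simply not checked.
        if latest is not None and is_outdated(installed, latest):
            stale[name] = (installed, latest)
    return stale


def disclosed_fields(install: dict, design: str) -> set:
    """Which install attributes each design sends to the update server."""
    if design == "push":
        return set(push_style_payload(install))
    if design == "pull":
        return set()
    raise ValueError(f"unknown design: {design!r}")


if __name__ == "__main__":
    print("push design sends:", push_style_payload(LOCAL_INSTALL))
    print("pull design discloses:", disclosed_fields(LOCAL_INSTALL, "pull") or "nothing")
    print("pull design finds stale:", pull_style_check(LOCAL_INSTALL, MANIFEST))
```

Two caveats follow from the pull design. The client now acts on data it fetched, so the manifest needs integrity protection (TLS to a pinned host, or a signature over the manifest) or the update channel itself becomes the weak point; the push design has the same requirement for the server's reply. And the compatibility filtering that a server can do when it knows the PHP version can be done locally instead if the manifest carries each release's minimum PHP version, which keeps that attribute on the host as well.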

  • Forking hell (Score:1)

    by caesura (1159543) on Wednesday September 26, @07:53AM (#20754221)
    So in other words, everyone was too busy forking around to actually pay attention to what information was being sent.
  • by billcopc (196330) <vrillco@yahoo.com> on Wednesday September 26, @09:00AM (#20754865)
    (http://fnarg.com/)
    The magic of open-source software is that any idiot with a text editor can go in and change it.

    If someone's so darn concerned about the information in $_SERVER, then they should just grep the source and rip out the offending code.

    And if they don't know how, then they should shut the hell up about $_SERVER. In the end, it's really not a huge deal, nothing an attacker couldn't figure out on their own in about ten seconds with readily available scripts.
  • by UnknownSoldier (67820) on Tuesday September 25, @11:55AM (#20745309)
    Are you thinking of WordPad [kellys-korner-xp.com] (text editor), not Word Press [wordpress.org] (blog software) ?
  • Isn't lucrative! Are you insane?! Market minions would pay handsomely for even a whiff of the Akismet database as it currently stands. This latest farce is their wet dream come true. Mullenweg can essentially name his price.

    I recently installed Wordpress 2.2.3 on a site server. I'm now going to have to consider uninstalling it. Even though 2.3 is the only version confirmed as affected, as of now, the entire Wordpress name is justifiably tainted. I can't really allow a piece of software on the server to send out a deluge of sensitive information to a third party server. It's asking for trouble.