WordPress 2.3 Does Not Spy On Users [UPDATED]

Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD : This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."

Surprised/

[Captain Splendid]

You shouldn't be. Developers gotta eat.

Re:Surprised/

[gclef]

Crow isn't very nutritious.

Re:

[beavis88]

Yep. I hope for Matt's sake that crow is a tasty meal.

Re:

[jimstapleton]

kindof actually, both at the summary, and the fact that the guy would bother...

"Popular open-source blogging engine WordPress has been upgraded to 2.3 -- with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not pro

Re:

[Smidge204]

I think what was meant is: There is no "off switch" for the "feature". If you want to disable it, you have to manually track down all the code that enables the functionality and remove it yourself, as opposed to unchecking a box on an adminstration page or editing a line in a config file.

=Smidge=

Re:Surprised/

[ZaMoose]

Not true. There are two plugins that explicitly disable this functionality:
disable WordPress version check [wordpress.org] and disable plugin version check [wordpress.org], both of which were mentioned by Matt in the thread above.

Re:

[KlomDark]

Why should someone have to install a plug-in to disable BASE FUNCTIONALITY? Shouldn't that be part of the base code?

What if someone has an issue with this information being transmitted? What if WP transmits the info before they are able to install the plug-in?

Guys, the issue here is not what info is being sent, it's that the information is being transmitted without asking for permission of the person running WP.

However, one of the best points brought up in the mailing list about what info is being sent is t

Re:

[ZaMoose]

Why should someone have to install a plug-in to disable BASE FUNCTIONALITY? Shouldn't that be part of the base code?

This is likely to occur in version 2.3.1. In fact, I'm advocating [wordpress.org] for just such a change, in true Open Source fashion.

The problem here is less one of malice and more one of poor timing. The WordPress project has been trying to stick to a rigorous, rigid schedule for releases (see: Fedora Project, Ubuntu, etc.) and this issue cropped up about 1.5 days before release. You can argue that the r

Re:

[trolltalk.com]

just edit your hosts file so that when it trys to contact the mother ship, it ends up at 127.0.0.1

Re:

[Joebert]

Gives new meaning to the term Web Monkey.

Suggestion

[Anonymous Coward]

He can go fork himself.

Fork

[Spy der Mann]

Cue OpenWordPress project appearing in Sourceforge in 5... 4... 3...

No point -- insecure codebase

[sethawoolley]

No point in forking. The codebase is a mess of security vulnerabilities already. A few years back somebody contracted me to break into their site and they had wordpress. I found a zero-day vulnerability in fifteen minutes and had it exploited in under an hour. I contacted wordpress, provided a way to patch it, and then a couple years later they reintroduced the same exact vulnerability when they refactored the code to add templates.

Please, don't fork it unless you plan on completely rewriting the entire

Alternatives, in that case?

[Spy der Mann]

Wow - to think that such a popular blogging engine is so flawed...

Anyway, i googled and found this link:

http://www.mitchelaneous.com/2007/09/19/9-wordpress-alternatives/ [mitchelaneous.com]

9 WordPress Alternatives

September 19, 2007 at 7:16 am Web Development

No doubt that WordPress is the king of the hill when it comes to content management these days. It seems like in a lot of people's eyes they can do no wrong. There have to a few other choices out there though right?

Now don't get me wrong, I am totally happy with Wordpress - but, there are several cool alternatives that might be worth checking out for your next web project.

Drupal - Drupal is a little more of a WordPress on steroids. Lots of goodies and better membership system in place too.

AJAXPress - A little buggy by looking at the demo but will become a better idea once it has had more time to get polished.

Textpattern - Flexable and open source blogging solution - much of the same WordPress look and feel.

Serendipity - This is a PHP-powered weblog application which gives the user an easy way to maintain a weblog or even a complete homepage.

Joomla - Like Drupal, might be too feature rich for the casual blogging fan - but a good engine for in depth web sites or basic blogs.

b2evolution - An old one, but still a good one - and can hold it's own weight still with the other selections out there.

Simplog - Simple, yet powerful - the name says it all here. You want basics without the fluff - go with Simplog.

Wikiblog - This one tries to mix the blogging and wiki sides of things into an interesting mashup of content creation.

Sblog - Another one similar to WordPress, looks like it is playing catchup too. Once it gets there though, might be worthy competition.

There you have it - nine other tools you can use to get your content published and your articles out there to the world. Have one I missed?

Now, my question is - how secure are they for you, sethawoolley? Which one would you choose?

Re:

[sabinm]

Well, that's the beauty of open source, right? We can all say "Screw this guy" and take his code and make it better.

Wrong. Open source has nothing to do with *taking* someone else's code. The principle is that the software is built by collaboration, taking a little from column "A" and a little from column "B", to build your project. Because you use a variety of sources and collaborators, a great part of your work is "non original". Now this isn't a perfect way of doing things: you get people who contri

This thread would be longer...

[My name is Bucket]

...But people are busy checking their posts from the "Sony DRM" thread last month to make sure they don't look like hypocrites.

fork

[rodentia]

telling users to 'fork WordPress'

Consider it done.

I nominate the fork name to be:

[jbeaupre]

PrivatePress

well

[stoolpigeon]

one way to disable it is to go into the code and remove the offending portion. couldn't be that hard to do. and once somebody does it and posts instructions, it gets even simpler. no reason to fork the project.
 
and wordpress isn't that complicated that this is something that no one but the most hard core will do. tons of wordpress users regularly go in and tweak it for their own uses. i haven't moved to this new versions with my site yet - i always wait a bit for things to shake out, and stuff like this is why. when i do upgrade, i'll just fix my install.

Re:

[SamP2]

"one way to disable it is to go into the code and remove the offending portion."

Or take the even easier path and set up your firewall to block all packets from this application.

But neither of those options solve the underlying problem - the whole point of FLOSS is to prevent this from happening in the first place. If I have to take any extraordinary steps to secure myself against a free software application I'm using, if I have to go and turn an enemy into a friend through manual effort and each other user

Re:

[cos(0)]

Or take the even easier path and set up your firewall to block all packets from this application.

Easier? Do you mean block all outgoing HTTP traffic? If not, how do you plan to block packets from a specific set of PHP scripts?

Re:

[stoolpigeon]

I guess my point is that opening up a file in vi or notepad and cutting out a few lines isn't extraordinary in my mind. What I get in exchange is a good product with active and good development. So it's worth the trade off. If somebody does fork it and maintains all the aspects of WP that are good, I'd look at jumping over.

Re:

[HoosierPeschke]

Well, I just read this article (ok, I lied, the comments), downloaded the source, searced all files for 'api.', and found (thanks notepad++):

[G:\downloads\wordpress-2.3\wordpress\wp-admin\includes\update.php] Line 82 : $http_request .= "Host: api.wordpress.org\r\n"; Line 90 : if( false != ( $fs = @fsockopen( 'api.wordpress.org', 80, $errno, $errstr, 3) ) && is_resource($fs) ) { [G:\downloads\wordpress-2.3\wordpress\wp-admin\update-links.php] Line 18 : $http_request .= "Host: api.pingomatic.com\

Re:

[GeckoX]

Not the right answer. Fork is better.

Why? Well anything else is supporting this developers decision, albeit indirectly.

He has every right to decide to do this, but users have every right to not use his code.

Let him be right and eat crow at the same time.

Ignorant bugger needs to learn a few hard lessons apparently.

Re:

[stoolpigeon]

It's the right answer for me at this point in time. It is debatable whether or not a fork would be better. You don't think so, but I do.

I'm not sure how using the software, but not enabling this functionality would be supporting the developer. But if by that you mean in essence saying to them, "I support you but not in regards to this one feature." then I'm cool with that. I don't think everything has to be all or nothing. I don't think that the developers of Wordpress have to match my every id

Re:

[GeckoX]

Sorry, I have to revoke what I originally posted as it has come to light that what kdawson posted in the summary and title is clearly flamebait as it has basically zero relation to what was actually said and is extremely inflammatory.

In light of that, I'd have to agree with you.

Re:

[lawpoop]

Hey, how about replacing the code with code that poisons the database with bogus data?

Re:

[stoolpigeon]

That's funny. I wouldn't do it personally - I appreciate the product the wordpress folks put out. I'm not going to support this effort, yet at the same time, I wouldn't try to actively undermine it. There may be a bunch of folks out there who are only too happy to participate.

I think that it would have been better if they had been up front and said themselves right off the bat, 'hey we have this in there - and if you want it off, you will have to do it yourself'. But aside from that I don't thin

Re:

[ZaMoose]

...up front and said themselves right off the bat...

You mean like in the announcement of the 2.3 release [wordpress.org] where Matt said

Our new update notification lets you know when there is a new release of WordPress or when any of the plugins you use has an update available. It works by sending your blog URL, plugins, and version information to our new api.wordpress.org service which then compares it to the plugin database and tells you what the latest and greatest is you can use.

? (emphasis mine)

Re:

[stoolpigeon]

Well there you go. And I see that there are plugins also available to turn it off. Tempest in a teapot is what we have here.

Re:

[KlomDark]

This would probably be the best way to teach this guy how to respect the privacy of others - Spam his database with bogus entries.

IN MY OPINION ONLY, not saying anyone actually is doing something like this, this whole thing smells like a way to generate money by reselling the information somehow.

Therefore, it make a lot of sense to either 1) Demand a way to shut the damn thing off, or if that fails, 2) Ensure the data is not very resellable by filling it with bogus data. Data resellers don't pay much for ba

Re:

[stoolpigeon]

I guess - but that means finding a group that will do the amount of work that is being done to keep moving things forwards. I know I don't have that kind of time. But the whole thing is php - it's not an egregious amount of work to go in and cut or comment out some code - especially if I don't even have to look for it myself.

This isn't like having to download the source of open office to remove something and then recompile the whole deal from scratch. I don't need an ide or know about libraries,

Re:

[trolltalk.com]

su root
vi /etc/hosts
i
wordpress.com 127.0.0.1
:wq

There - fixed it for you!

Re:

[stoolpigeon]

you fixed it for people running wordpress on a machine where they have root privileges. which i'm sure is a good number, but i'm not in that group. thanks anyway.

Re:

[trolltalk.com]

"> you fixed it for people running wordpress on a machine where they have root privileges. which i'm sure is a good number, but i'm not in that group. thanks anyway."

In that case: fgrep -n 1 "api.wordpress.org" *.php > lines_of_code_I_might_want_to_change.txt

Guys, the information is all really essential...

[nweaver]

So what does it send, according to the FA:
The blog's URL
A list of all plugins and versions
A list of the $_SERVER env variables

How is this information not necessary for a robust autoupdating/autonotifying infrastructure? Since the plugns are the source of so many vulnerabilities, you need to know their versions etc.

Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.

And the blog URL tells you who it is.

Windows Update has to send far MORE intrusive information.

Re:Guys, the information is all really essential..

[Anonymous Coward]

Why can't they download a file with a list of "all updates" and check locally?

Re:

[ZaMoose]

The thinking was (as per Matt's post):

The system was designed to keep the client side as light as possible so
the heavy lifting can be done on the server side, allowing us a lot more
flexibility and agility in adapting the service as it gets rolled out
and evolves.

For example right now nothing is done with regards to localization, but
because of the data being sent and the lightness of the client side we
could introduce that feature in the future without having to update
every install of WordPress in the world. T

Re:Guys, the information is all really essential..

[Otter]

At a minimum, I don't see why sending this information is so "alarming", even if it's inappropriate. Are your $_SERVER env variables such a sensitive bit of information?

Re:

[garett_spencley]

yes and no.

On the one hand, security through obscurity is a very bad default and sole security policy. On the other hand it can be a nice extra layer of security on top of an already well planned and established security policy.

Let's see what kind of details $_SERVER contains:

1. Absolute path to document_root on server
2. Absolute path to script being executed to process request
3. Contents of $PATH
4. SERVER_ADMIN which is an e-mail address that may not be public information - and apache can be configured, an

Re:Guys, the information is all really essential..

[Billosaur]

It isn't what information they are looking at but how. If they want the information and it will make the software better, fine, but do they really have to go about it in such a sneaky and under-handed way? Even Microsoft allows you to control how your system is updated (I never let it run automatically; I prefer to know what it's trying to put on my system.). As to the "fork" comment, while I thin the generic blogging community will be clueless and have no idea what this is all about, this will drive the OS

Re:Guys, the information is all really essential..

[GeckoX]

If he can't test this stuff without scraping real live user data, do you really think you should be trusting his code?

This guy is arrogant and his attitudes are potentially dangerous. If he was a truly good developer, this would not be an issue whatsoever.

Sheesh, and trying to justify this behavior based on what MS does for an entire OS...a) this is not an OS and b) it's a bad MS practice which certainly does not make it right for others to do.

It'd be one thing if it was opt in, but this is just pathetic.

Re:

[GeckoX]

I take that back. That was stated based on the title and summary of the story.

Thanks for the flamebait there kdawson. That's about the worst case of it I've ever seen on /., you should be ashamed.

There is possibly an issue here, but not even remotely on the scale that this was made out to be.

Re:

[Sierpinski]

If he can't test this stuff without scraping real live user data, do you really think you should be trusting his code?

This guy is arrogant and his attitudes are potentially dangerous. If he was a truly good developer, this would not be an issue whatsoever.

Sheesh, and trying to justify this behavior based on what MS does for an entire OS...a) this is not an OS and b) it's a bad MS practice which certainly does not make it right for others to do.

It'd be one thing if it was opt in, but this is just pathetic.

I

Re:Guys, the information is all really essential..

[dozer]

Are you sure you understand the meaning of the word essential? WordPress made it to version 2.3 without this information... that doesn't sound very essential to me.

You probably meant "convenient" or "useful for monetizing."

Re:Guys, the information is all really essential..

[A beautiful mind]

Hey, slow down cowboy! We're talking about a blogging software here, written on a cross-platform interpreter called PHP, not an operating system with hundreds of components and different hardware configurations!

Windows Update might need the information, because it deals with a lot of programs and I guess it would be impractical to send a 2Mb+ list of current versions. There are no such limitations in case of wordpress. As far as I'm concerned the update checking tool shouldn't send anything at all, just r

Re:Guys, the information is all really essential..

[ObsessiveMathsFreak]

How is this information not necessary for a robust autoupdating/autonotifying infrastructure?

Absolutely. However, you are assuming that I want my Wordpress installation to automatically update, and further that I am willing to give up a lot of sensitive information in order to get that done.

There should be a way to turn this feature off, plain and simple. There is no excuse whatsoever for forcing this down users throats. None. Yes, comment spam and other vulnerabilities are something that needs dealing with

Re:Guys, the information is all really essential..

[Bogtha]

How is this information not necessary for a robust autoupdating/autonotifying infrastructure?

The argument is not that the information is unnecessary for an autoupdate/autonotify feature. The argument is that people should be able to easily opt-out from this feature. Having said that, the contents of $_SERVER seem unnecessary. That can leak things like usernames and paths.

Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.

Why does anybo

Re:Guys, the information is all really essential..

[penguinstorm]

> Windows Update has to send far MORE intrusive information.

Good god man, you're not using Windows Update as a way of justifying intrusive behaviour are you?

If that's the kind of standard which you're judging against, what hope is there for rest of the world.

"It's better than Windows" has never been a good enough excuse in my books.

Re:Guys, the information is all really essential..

[Xtravar]

A list of the $_SERVER env variables

I keep my root password in my env variables, you insensitive clod!

Re:Guys, the information is all really essential..

[M. Baranczak]

Since the plugins are the source of so many vulnerabilities, you need to know their versions etc.

The auto-updater code needs to know the version of the locally installed software, and it needs to download the version of the current release, so it can compare the two. It does NOT need to send the local version to the vendor.

Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.

What exactly do you need this for? I've read the linked thread, and the software author himself can't even come up with a concrete reason for sending the $_SERVER variables. Elsewhere in the thread, someone else claims that the system works just fine when it doesn't send this data,

Correction

[Otto]

The $_SERVER variables are not sent out by WordPress, they're sent by Akismet during its spam-checking process. Akismet is a plugin that is bundled with WordPress which helps prevent comment spam. Activating it requires an account on WordPress.com as well, so it's not something you can turn on by accident.

The reason it sends those variables is that it does so when somebody submits a comment to your blog. Those variables and the comment are sent to the Akismet servers which send back a pass/fail for spam ide

Pyblosxom

[Marcion]

Well if anyone is looking for an alternate upgrade path, I 'upgraded' my blog from Wordpress 2.2 to Pyblosxom and am really enjoying using it:
- its really light and fast
- I can edit posts in a text editor rather than a web based interface
- its in Python and very easy to customise
- theming far simpler, just rip your HTML template into a header and footer, rather than having to make 12 files with Wordpress.

Plug over... Move along...

Re:

[Laebshade]

I'm going to point out one blaring misconception you have about WordPress.

- theming far simpler, just rip your HTML template into a header and footer, rather than having to make 12 files with Wordpress.

You don't have to split it into 12 files. You can use one index.php file for the whole thing if you really want to.

That product is doomed

[multipartmixed]

Can you imagine the water cooler conversation about Pyblosxom? How the hell are they supposed to go back and google about it? That'd be like trying to google for the symbol that represents the artist formerly known as Prince.

I mean, really, WTF. They might as well have named it slakdfjalskdjflaskjdf!

Re:

[stu42j]

...the symbol that represents the artist formerly known as Prince.

I think you mean the artist formerly known as "the artist formerly known as Prince", subsequently known as "The Artist" but currently known as Prince [wikipedia.org].

Breathless Hyperbole.

[Some guy named Chris]

Read the thread. This isn't a developer admitting to spying on users. This is debate over a new feature written to help you keep from getting your blog haxored. They are collecting server and plugin data to help you to keep your software up to date.

Matt Mullenweg is being very reasonable and reasoned in dealing with a small but vocal groups paranoia. In the same breath that he mentioned forking Wordpress, he also mentioned that another option is using a plugin that disables this behavior.

The submitter should be ashamed.

Re:Breathless Hyperbole.

[vux984]

Matt Mullengweg is not being reasonable. He should simply make it an option. without requiring users to fork or install plug-ins or hack to overcome defective-by-design features.

It should be easy to turn on and off.
It should default to off.
It can ask one time during the upgrade, or first login after the upgrade, to be turned on, with an explanation of what it does and why he thinks it can be turned on.

There is no good reason the above cannot or should not be accomodated.

Re:

[Tom]

It should be easy to turn on and off.
It should default to off.

There are some times were default off is not useful.

If windos auto-update would conform to those standards, we'd have a billion spam bots out there.
Instead of the half-a-billion we have now.

Re:Breathless Hyperbole.

[kwandar]

I agree. Matt Mullenweg based on what I read (and I don't use Wordpress or know Matt or anyone else there) was very reasonable, and laid out the reasons for this. Did the slashdot editor even read this?!

Re:

[imbaczek]

Did the slashdot editor even read this?!

You must be new here.

Re:

[duncan]

The point of the 'opposition' I think is that such a fundamental piece of the software such as auto-updates should be a configuration option out of the box, not a default requirement needing a plug-in to disable it.

Re:

[LWATCDR]

You mean this like this post. Yep I am afraid that Slashdot is once again producing a lot more heat than light.

"Your logic is flawed. You assume that someone looking to exploit won't
attack the latest version. This is usually untrue. If a serious exploit is
found, hackers usually just Google for "WordPress" (it's already on your
site for "powered by WordPress") or like wp-login.php and then attempt to
exploit it, regardless of version. If some database somewhere somehow did
get leaked, then all it'd do is just

Re:Breathless Hyperbole. WRONG

[Nom du Keyboard]

This isn't a developer admitting to spying on users. This is debate over a new feature written to help you keep from getting your blog haxored. They are collecting server and plugin data to help you to keep your software up to date.

Id that were the case, then rather than sending this information out secretly every 12 hours, pop a box up to the user and tell them that their software is obsolete, and a potential security problem, and these are the particular items in question.

Isn't this the point of FOSS?

[Enlarged to Show Tex]

If the developer decides to insert malware, or other forms of code not acceptable to you, the GPL gives you the freedom to modify it to suit your own needs. If that means you have to fork the project, so be it - that's within your rights under the GPL.

OTOH, the idea of using FOSS (good!) as a venue for spyware (bad!) is enough to make a guy's head explode...

What Matt wrote

[imaginaryelf]

Message-ID:
Date: Sun, 23 Sep 2007 12:35:26 -0700
From: Matt Mullenweg
To: wp-hack...@lists.automattic.com
Subject: Re: [wp-hackers] Plugin update & security / privacy
References:
In-Reply-To:

Moritz 'Morty' Strübe wrote:
> I know this will not change until Monday, but is it really necessary to
> transmit the URL?

Your blog URL and version has been sent by default for 4+ years to every
ping service in the world, including Ping-O-Matic, every time you make a
post. Of course you can turn that off, just like you can turn update
notification off, but statistically no one does.

The only new information being sent by the update checker is PHP version
and a list of plugins. If you don't like that feature, please install a
plugin to disable it:

http://wordpress.org/extend/plugins/disable-wordpress-core-update/ [wordpress.org]
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/ [wordpress.org]

Of course don't forget the WP dev blog and planet RSS feeds, and most
importantly the incoming links feed which ALSO transmits your blog URL.

I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP and
not your server IP they have far more implications for privacy.

> If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!

Such an attack would not be more effective, it would just be more
efficient. Historically, however, scripts that attack against WordPress
don't bother checking the version or if a plugin is there or not, they
just seek out every WP blog and check the specific capability or
vulnerability.

Nevertheless, we're beefing up the infrastructure and security of
WordPress.org, which Barry is working on right this instant. In 2 years
of running WordPress.com and Akismet, two extraordinarily
high-visibility targets, there has never been a problem on a server
Barry set up. The only problems we've had (once on WP.org, once on
PhotoMatt) have been things I set up, and I'm not setting up these new
ones. :)

I think this feature is actually going to dramatically improve the
security of WordPress overall. We all saw the survey that 95% of WP
blogs were vulnerable. That didn't even look a plugins. I think the
survey was flawed, but you still can't deny that for most people knowing
there is an update and actually updating just doesn't happen, and this
is a necessary first step. If the only "trade-off" is sending an ALREADY
PUBLIC blog URL to wordpress.org, then great!

I would like to remind the participants of this thread that WP.org !=
Automattic, so to be fair to the members of both please distinguish
which you're referring to.

Re:

[$RANDOMLUSER]

Oh sure, use logic and reason! That's no way to quench a flamewar!

Re:What Matt wrote

[GeckoX]

Well, shit, that's not even close to what was insinuated in the summary.

Thanks for your flamebait kdawson, really mature and appreciated.

WTF.

Rip out the code?

[e2d2]

It doesn't provide you a way to stop it? Hardly. They provide full source code under GPL. Rip it out, publish changes, DONE.

Fork we shall

[businessnerd]

This is once again proof that the open source model is a good thing for users and protects us from unknowingly being used as pawns. The win is two fold here. First, the source was open, so that it was available for audit by anyone. This appears to be how this functionality was discovered. Someone noticed what the code was doing and raised a red flag. Now the users are aware and can make a choice in whether they will make the upgrade, not make the upgrade or turn to a new application. In the closed source world, often we are unaware of "unsavory code" while we use it for some time, all the while being subjected to its unsavory effects.

The second way that the open source model has won, is that users who disagree with the direction the application is heading in can now fork. In fact, the head developer of the project suggests it.

Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior."

I'm pretty confident that this will happen and happen fast. Given that people "fork" (some say hack/crack) closed source software all the time to leave out all of the "evil" modules (See Kazaa > Kazaa Lite > Kazaa Lite K++; and don't forget cracked Windows XP) forking an open source project to leave out all of the "evil" modules should be pretty easy. I'm no developer, but I could see this being as simple as taking the original source, commenting out/removing the bad stuff, and then redistributing.

Re:

[thenextpresident]

It was never an issue before. More importantly, WordPress makes available the tools to stop this, and the developer in fact provides this information.

This is SENSATIONALISM (not Sparta)

[Laebshade]

When I first read the summary, I was a little worried. Then I went and read the actual reply in the WordPress Hackers mailing list Matt posted, and I was relieved. He points out that the blog name and URI has been sent to services like Ping-o-Matic (wordpress-run service) for 4 years now. For those wanting to disable it, he even posts links for plugins that will disable the feature of the 'update checker'. Seems to me this slashdot article was posted by someone who wants to take WordPress down. Here's a part of his post:

Your blog URL and version has been sent by default for 4+ years to every
ping service in the world, including Ping-O-Matic, every time you make a
post. Of course you can turn that off, just like you can turn update
notification off, but statistically no one does.

The only new information being sent by the update checker is PHP version
and a list of plugins. If you don't like that feature, please install a
plugin to disable it:

http://wordpress.org/extend/plugins/disable-wordpress-core-update/ [wordpress.org]
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/ [wordpress.org]

Of course don't forget the WP dev blog and planet RSS feeds, and most
importantly the incoming links feed which ALSO transmits your blog URL.

I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP and
not your server IP they have far more implications for privacy.

As to what the summary refers to, where Matt suggests a person fork Wordpress:

Moritz 'Morty' Strübe wrote:
> It can.

Your blog URL is completely harmless.

  > We only have your word for that. And sorry, that is not enough
  > for me. Especially if it does not have to be.

If you don't trust wordpress.org, I suggest you do one of the following:

1. Use different software.
2. Fork WordPress.
3. Install one of the aforementioned plugins.

Again, he gives the solution to the original poster's complaint (Moritz 'Morty' Strube). If this Moritz is really concerned, he can fork and remove the new code that transmits this information - or if he isn't too concerned, just install the plugins matt suggested.

This is making something out of nothing. Definitely nothing to see here, please move along.

INCLUDE POST IN SUMMERY

[joe 155]

This post neatly sums up what should have been said in the summery; ie. nothing is going on. One person is over reacting, and the suggestions which were given including "fork" seem like a rather pleasant way of this being dealt with...

Basically, this is FUD.

Re:

[illumin8]

Your blog URL is completely harmless.

> We only have your word for that. And sorry, that is not enough
> for me. Especially if it does not have to be.

LOL... I almost spit my coffee on the keyboard when I read this. I think some bloggers need to take off their tinfoil hat and step away from the keyboard... If you don't want anyone to find out your blog URL, then WTF are you doing blogging? Isn't the whole point for as many people as possible to find your blog URL?

Why is this even an issue?

[gillbates]

You have the source code, right?

If you don't like the way the software behaves, you can change it. This is one of the fundamental freedoms the FSF endorses. In fact, I would say this is a perfect example of the open source model in action:

1. User doesn't like a feature of the software.
2. User disables feature in source code, recompiles, and improves the software.

The sad thing is that Microsoft and other proprietary vendors have been so successful at convincing the general public that they should be a

Where did he say to just go fork?!

[kwandar]

Maybe I missed it, but it struck me that the developer's response was very civil, and well thought out. From the slashdot article you'd think he'd told the whole community to "fork off"?

So - did I miss something, or did everyone else not RTFA?

Re:

[jours]

> So - did I miss something, or did everyone else not RTFA?

You're new here, aren't you?

The Actual Quote

[michaelkpate]

Since no had actually linked the Fork comment, http://groups.google.com/group/wp-hackers/browse_thread/thread/bdced7524fa79a18/f8b5bc6efc4a4005#f8b5bc6efc4a4005 [google.com]

> If you don't trust wordpress.org, I suggest you do one of the following:

> 1. Use different software.
> 2. Fork WordPress.
> 3. Install one of the aforementioned plugins.

Don't worry

[m4g02]

As a rule spying on users shouldn't be a security concern as long as the person/corporation spying is honest, just and only concerned on improving their software and the user experience...

So... As a rule spying on users is always a security concern =P (name it WordPress or Windows Update).

Fork This!

[Nom du Keyboard]

telling users to 'fork WordPress' if they aren't willing to put up with this behavior."

I think I'd rather "fork" him -- right in a tender spot.

It's bad enough to do it in the first place.

It's worse to do it in secret. (Did he really think it wouldn't be discovered?)

It's worst of all to actually defend it afterwards. (Who does the think he is? Dan Rather?)

You can't program people

[athloi]

A good process is important. Of course I agree with that! But at some point, for any area where decisions must be made, you will need a person. Or a HAL 9000. But either way, the individual is what determines what will occur. Bad leaders are doom, good leaders are bliss. There is no way to from a distance or with a policy escape this fact. You need to make sure the people in power are good people you can trust, because power does not corrupt that kind of person, at least not in important ways. I'd rather ha

Fork

[Penguin Follower]

If you can't wait for a Fork, there's a nice package called Textpattern [textpattern.com] that I used to use. It's kinda like WordPress. I liked it. Give it a spin and see if it works for you. :D (End shameless plug for favorite php app).

Google Cloaking

[Trillan]

For those wondering what the big deal is, I expect a lot of the reaction is fueled by memories of Mullenweg being caught google cloaking [theregister.co.uk] in 2005. Once someone loses your trust, you don't really want to share any data with them.

Summary Is A Troll

[bmo]

And not only is it a troll, it's tinfoil haberdashery and skating _really close_ to Libel.

Actually RTFA Matt's reasoning gives the opposite impression of the summary. Fork the submitter and Kdawson for greenlighting this.

--
BMO

Well that makes it easy for me

[carlivar]

I was thinking about moving my blog to Typo. This makes my decision easy!

Privacy?!

[soccerisgod]

Ahoy,

I can understand the complaints about how this may be an additional security risk, or at least would make an assholes job a bit easier if they hacked that central WP database. What I find somewhat irritating is that some people have voiced privacy concerns over this. I was under the impression that if you're running a blog, it means you're one of those Web 2.0 exhibitionists that tell everyone in the whole wide world all their daily activities in embarrassing detail anyway. Am I missing something?

A little php snippet

[unity100]

that can be run in the wp directory as a 'patch' would easily solve that situation. provided that you give write permissions to all files it needs to fix, of course.

wouldnt be too long until someone produces a 'fix'.

I'm glad Matt updated us on this...

[Mr.Fork]

Canada's privacy law is pretty strict against the unauthorized sending in of personally identifiable information, especially one that sends it to an American server. There, the Patriot act allows the government to capture Matt's database. And the kicker, he is not allowed to tell you.

Up here, we (being the government) can't buy any software package that stores the data in the USA. I can only imagine the tens of millions of lost dollars in contracts because of the Patriot Act. I would of hate to have added Matt's awesome editor to that list. Rock on Matt!

Re:

[Laebshade]

The "fork wordpress" comment by Matt is taken out of context. See the link in the summary [google.com] and do a ctrl+f search for "Matt Mullenweg".

Re:

[LWATCDR]

SO have you started yet?
Before you keep going off half cocked I suggest you read the mail list messages.

"Simply put, if you really insist on wearing a tin foil hat, it's uber easy
to disable the automatic update checker. For the other 99.99999% of people
out there, this feature will be a godsend to them in both terms of new
features and more importantly, the _only_ real way to make sure your site
doesn't get hacked -- by running the latest version. "

If you don't like it then take it out. You have the source for

Re:

[KingSkippus]

Okay, I'll bite. Which, pray tell, "real language" would be better?

Re:

[vux984]

The versions it reports are for an autoupdate feature...

And everyone knows that this can done equally well by having the client request the current version number, and then the client can decide based on that whether an upgrade is needed. There is no reason for the server to need to know the version number to support an autoupdate feature.

and the $_SERVER and php/database settings are (I imagine) used to figure out what wordpress settings are common. How soon they can remove support for old versions of mysq

Re:

[thenextpresident]

Dear god, you know that your slashdot comments show your URL?!?? You'd better stop there!

Thank you Mr. Did-Not-Read-The-Fscking-Article.

Re:

[penguinstorm]

You consider that an upgrade? MT4 is vastly more powerful than WordPress.

http://blog.plasticmind.com/cms/why-you-should-upgrade-to-mt4/ [plasticmind.com]

Re:

[seebs]

MT3 has been so abysmal that I'd pretty much written them off. Maybe I'll rethink it now.

I thought...

[WED Fan]

I thought only MS could be evil. Well, Google, too. Now, you are telling me that open sourcers are evil, too? Now, how many of you that use WordPress dug into the code to find that out? Hands? Anyone? Anyone? Bueller? Nah, didn't think so. But, I bet a number of you upgraded. Doesn't matter, closed or open, you're argument about security is bogus unless you crawl through the code, otherwise, it might as well be closed.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[19thNervousBreakdown]

It's pretty much inevitable at this point. Lead developer looks like an ass because of an overblown headline on a site with over 100,000 visitors a day who are known for not reading the article, which is the only thing that shows that it's Slashdot that's screwed up. Somebody is going to fork it. Later, they'll realize they overreacted to an overreaction, but have a lame justification for their position and continue anyway, before eventually falling dead after pulling a few developers away from WP.

Re:

[somersault]

I don't think he's referring to word/notepad in any way, google came up with textpad [wikipedia.org] . I'd have to kill anyone that prefers notepad over wordpad with the ctrl and s keys.

Re:

[75th Trombone]

In context, he's obviously referring to Textpattern [wikipedia.org].