WordPress 2.3 Does Not Spy On Users [UPDATED]
Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD : This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."
Cue OpenWordPress project appearing in Sourceforge in 5... 4... 3...
So what does it send, according to the FA:
The blog's URL
A list of all plugins and versions
A list of the $_SERVER env variables
How is this information not necessary for a robust autoupdating/autonotifying infrastructure? Since the plugins are the source of so many vulnerabilities, you need to know their versions etc.
Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.
And the blog URL tells you who it is.
Windows Update has to send far MORE intrusive information.
Test your net with Netalyzr
Why can't they download a file with a list of "all updates" and check locally?
If the developer decides to insert malware, or other forms of code not acceptable to you, the GPL gives you the freedom to modify it to suit your own needs. If that means you have to fork the project, so be it - that's within your rights under the GPL.
OTOH, the idea of using FOSS (good!) as a venue for spyware (bad!) is enough to make a guy's head explode...
As to what the summary refers to, where Matt suggests a person fork WordPress:
Again, he gives the solution to the original poster's complaint (Moritz 'Morty' Strube). If this Moritz is really concerned, he can fork and remove the new code that transmits this information - or if he isn't too concerned, just install the plugins Matt suggested.
This is making something out of nothing. Definitely nothing to see here, please move along.
Matt Mullenweg is not being reasonable. He should simply make it an option, without requiring users to fork or install plug-ins or hack to overcome defective-by-design features.
It should be easy to turn on and off.
It should default to off.
It can ask one time during the upgrade, or first login after the upgrade, to be turned on, with an explanation of what it does and why he thinks it can be turned on.
There is no good reason the above cannot or should not be accommodated.
Maybe I missed it, but it struck me that the developer's response was very civil, and well thought out. From the slashdot article you'd think he'd told the whole community to "fork off"?
So - did I miss something, or did everyone else not RTFA?
I agree. Matt Mullenweg, based on what I read (and I don't use WordPress or know Matt or anyone else there), was very reasonable, and laid out the reasons for this. Did the slashdot editor even read this?!
Well, shit, that's not even close to what was insinuated in the summary.
Thanks for your flamebait kdawson, really mature and appreciated.
WTF.
No Comment.
I thought only MS could be evil. Well, Google, too. Now, you are telling me that open sourcers are evil, too? Now, how many of you that use WordPress dug into the code to find that out? Hands? Anyone? Anyone? Bueller? Nah, didn't think so. But, I bet a number of you upgraded. Doesn't matter, closed or open, your argument about security is bogus unless you crawl through the code; otherwise, it might as well be closed.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.