Slashdot Mirror

← Back to Stories (view on slashdot.org)

WordPress 2.3 Does Not Spy On Users [UPDATED]

Posted by kdawson on from the if-you-don't-like-it-fork-it dept.

Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior." Update: 09/25 17:52 GMT by KD : This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."

3 of 229 comments (clear)

  1. Guys, the information is all really essential... by nweaver · · Score: 5, Insightful

    So what does it send, according to the FA:
    The blog's URL
    A list of all plugins and versions
    A list of the $_SERVER env variables

    How is this information not necessary for a robust autoupdating/autonotifying infrastructure? Since the plugns are the source of so many vulnerabilities, you need to know their versions etc.

    Since so much incompatibility may be caused by funky $_SERVER variables, you need to know their contents.

    And the blog URL tells you who it is.

    Windows Update has to send far MORE intrusive information.

    --
    Test your net with Netalyzr
  2. Re:Guys, the information is all really essential.. by Anonymous Coward · · Score: 5, Insightful

    Why can't they download a file with a list of "all updates" and check locally?

  3. Re:What Matt wrote by GeckoX · · Score: 5, Insightful

    Well, shit, that's not even close to what was insinuated in the summary.

    Thanks for your flamebait kdawson, really mature and appreciated.

    WTF.

    --
    No Comment.