Slashdot Mirror


WordPress 2.3 Does Not Spy On Users [UPDATED]

Marilyn Miller writes "Popular open-source blogging engine WordPress has been upgraded to 2.3 — with some unexpected nasties in the mix. As of version 2.3, WordPress now periodically (every 12 hours) sends personally identifying information (blog name & URI) to the mothership, along with an alarming amount of information including $_SERVER dumps, a list of installed plugins, and your current PHP/MySQL settings. Most unfortunately, it does not provide any way of disabling this functionality, and WordPress does not have any privacy policy protecting this information. In a thread about the issue, lead developer Matt Mullenweg defends his actions and staunchly refuses to add an opt-in interface, telling users to 'fork WordPress' if they aren't willing to put up with this behavior."

Update: 09/25 17:52 GMT by KD: This article is misleading enough to be called "just wrong." Matt Mullenweg writes: "As mentioned in our release announcement, the update notification sends your blog URL, plugins, and version info when it checks api.wordpress.org for new and compatible updates. It does not include $_SERVER dumps, or any settings beyond version numbers (for checking compatibility), or your blog name, or your credit card number. We do provide a way of disabling this feature; in fact I link to one of the plugins in the release announcement and in my original response to Morty's thread."

3 of 229 comments

  1. Re:Surprised? by imbaczek · Score: 0, Troll

    And in this case, they're gonna eat their shit.

  2. Never mind... by Brad_sk · Score: 0, Troll

    It's not Microsoft... So we should not complain here...

  3. No point -- insecure codebase by sethawoolley · Score: 1, Troll

    No point in forking. The codebase is a mess of security vulnerabilities already. A few years back somebody contracted me to break into their site and they had wordpress. I found a zero-day vulnerability in fifteen minutes and had it exploited in under an hour. I contacted wordpress, provided a way to patch it, and then a couple years later they reintroduced the same exact vulnerability when they refactored the code to add templates.

    Please, don't fork it unless you plan on completely rewriting the entire SQL backend. It's a horrid mess. We don't need _more_ b2/wordpress forks around.

    I would suggest, though, that if you do fork it, you do it well. Matt's done a lot of idiotic things (check the Slashdot archives) with WordPress, and he's a rabid commercializer, regardless of the cost. That his code absolutely sucks is the only reason he hasn't been able to make it big even with selling out at every opportunity.