
WordPress phone home – Spyware or justified?

Posted on: August 4th, 2012 by Sarath C 3 Comments

As a WordPress site admin, are you aware that wordpress.org collects many of your site's details without asking your permission? It is a fact: every WordPress installation sends the data listed below to wordpress.org servers at regular intervals and whenever you upgrade your site.

The following site details are sent to http://api.wordpress.org in order to check for core, plugin and theme upgrades.

  • Your IP address
  • URL of your blog
  • Your WordPress version
  • Your PHP version
  • Your MySQL Version
  • Locale setting if there is any
  • Details like plugin title, description and author information, including all URLs that form part of this.
  • Complete list of all the plugins in your site, whether active or not.
You can locate the responsible code inside wp-includes/update.php, in the function wp_version_check():

// Excerpt from wp_version_check() in wp-includes/update.php (WordPress 3.x).
// The variables used below are gathered a few lines earlier in the same function.
global $wp_version, $wpdb, $wp_local_package;

$php_version   = phpversion();
$mysql_version = $wpdb->db_version();
$locale        = get_locale();

if ( is_multisite( ) ) {
    // Network installs report their total user and site counts.
    $user_count = get_user_count( );
    $num_blogs = get_blog_count( );
    $wp_install = network_site_url( );
    $multisite_enabled = 1;
} else {
    $user_count = count_users( );
    $user_count = $user_count['total_users'];
    $multisite_enabled = 0;
    $num_blogs = 1;
    $wp_install = home_url( '/' );
}

// Everything in $query ends up in the query string of the request URL.
$query = array(
    'version'           => $wp_version,
    'php'               => $php_version,
    'locale'            => $locale,
    'mysql'             => $mysql_version,
    'local_package'     => isset( $wp_local_package ) ? $wp_local_package : '',
    'blogs'             => $num_blogs,
    'users'             => $user_count,
    'multisite_enabled' => $multisite_enabled
);
$url = 'http://api.wordpress.org/core/version-check/1.6/?' . http_build_query( $query, null, '&' );

// The site URL travels twice more: inside the User-Agent and in two custom headers.
$options = array(
    'timeout' => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3 ),
    'user-agent' => 'WordPress/' . $wp_version . '; ' . home_url( '/' ),
    'headers' => array(
        'wp_install' => $wp_install,
        'wp_blog' => home_url( '/' )
    )
);

$response = wp_remote_get($url, $options);

This information is sent to WordPress servers every 12 hours, or whenever you load the plugins page if more than 12 hours have passed since the last check. When plugins are checked, all data about all plugins is sent to WordPress.org: name, version and description for every plugin, including the custom plugins or themes you wrote yourself, and even inactive plugins. The theme update checker does much the same thing. This information doesn't only go out from live blogs: if you are developing a site locally on your computer, your local computer sends it too, and if your site is an intranet, you are passing out information that is not supposed to be public.

Don’t confuse this with the current Privacy settings option in your WordPress admin panel. Even if you hide your site from search engines there, WordPress.org is still collecting your information.

This feature(?) was first introduced in 2007 when WordPress 2.3 was released. Since then there has been a lot of discussion about it in the WordPress community and in many forums; see the associated trac report. It seems the WordPress core development team is not going to add this as an optional feature on the site’s privacy settings page. Here is the reply from Matt Mullenweg on the wp-hackers mailing list.

Of the collected data, only a few items are made public (the WordPress, PHP and MySQL versions), so why do they need to collect all this further information?

Many other software programs give the site admin a chance to opt in to data collection/usage statistics, but with WordPress it appears you are opted in as soon as you install and use the program, and the software provides no way of opting out. Some people have mentioned that the plugins which strip out the identifying information are the same as an opt-out mechanism, but I totally disagree with that. No user is going to bother with such a plugin if he/she doesn’t know about this secret call and so doesn’t feel it as an intrusion into their privacy.

Final thoughts

Although we all know that the great team behind WordPress has no bad ideas or intentions, I still believe that the amount of data passed to the remote server is more than is needed to do the version check. WordPress should offer a checkbox, perhaps on Settings->Privacy, that lets the user opt out of sending unnecessary information; the default setting can still be to send statistical information. Privacy nowadays is a concern for many users, and transparency and options are important. A plugin to do this is not enough, as many users do not know that this data is even sent. Opting out of the phone call should not put site admins at risk by depriving them of core, theme and plugin upgrade notifications, so opting out would mean that only the version numbers of those three things plus the PHP and MySQL versions are sent. If any opted-out user wanted to opt in at a later date, they could just tick the checkbox and get listed. Otherwise it’s sad to see the excellent WordPress software falling into the category of software that Wikipedia calls spyware.


3 Responses

  1. Peter says:

    Hi,
    I looked at my update.php file and didn’t see any of the above-mentioned items such as user count etc. Is this still being done in WP 3.5?
    Thanks

  2. Peter says:

    Never mind, I found it. I was looking in the admin folder. Sorry.
    Can some of those calls be commented out?

  3. Team Webgalli'an says:

    Instead of commenting out, use the filter “http_request_args” and change the data you don’t want to leak. See this gist. Credit goes to toscho.
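The filter approach from the last comment, written out as an added example that is not code from the post, from the commenter or from the gist it refers to. The function name and the mu-plugin are hypothetical, and the code assumes the 3.x-era request shapes shown in the update.php excerpt above (wp_install/wp_blog headers, site URL in the User-Agent, and a serialize()d or JSON 'plugins'/'themes' POST body for the plugin and theme checks).

```php
<?php
// Added example (not the post's code nor the gist it mentions): drop into
// wp-content/mu-plugins/ so it is always loaded. Hooks the http_request_args
// filter from comment 3, which WP_Http applies to every outbound request.
add_filter( 'http_request_args', 'example_trim_wporg_request', 10, 2 );

function example_trim_wporg_request( $args, $url ) {
    if ( false === strpos( $url, '://api.wordpress.org/' ) ) {
        return $args; // not an update check: leave the request untouched
    }
    // update.php adds wp_install / wp_blog headers carrying the site URL.
    if ( isset( $args['headers'] ) && is_array( $args['headers'] ) ) {
        unset( $args['headers']['wp_install'], $args['headers']['wp_blog'] );
    }
    // The user-agent is "WordPress/<version>; <home_url>": keep only the version.
    if ( ! empty( $args['user-agent'] ) && preg_match( '#^WordPress/[^;]+#', $args['user-agent'], $m ) ) {
        $args['user-agent'] = trim( $m[0] );
    }
    if ( empty( $args['body'] ) || ! is_array( $args['body'] ) ) {
        return $args; // the GET version check carries its data in the URL only
    }
    // Plugin/theme checks POST a 'plugins' or 'themes' payload listing every
    // installed item (Name, Description, Author, URIs ...). Keep only the fields
    // the lookup needs. Assumption: payload is serialize()d (3.x core) or JSON.
    $keep = array( 'Version' => 1, 'Template' => 1, 'Stylesheet' => 1 );
    foreach ( array( 'plugins', 'themes' ) as $key ) {
        if ( empty( $args['body'][ $key ] ) || ! is_string( $args['body'][ $key ] ) ) {
            continue;
        }
        $data = json_decode( $args['body'][ $key ], true );
        $json = is_array( $data );
        if ( ! $json ) { // payload was built by core itself, so unserialize() is safe here
            $data = @unserialize( $args['body'][ $key ] );
            $data = ( is_object( $data ) || is_array( $data ) ) ? (array) $data : null;
        }
        if ( empty( $data[ $key ] ) ) {
            continue; // unknown format: pass through unchanged
        }
        $items = (array) $data[ $key ];
        foreach ( $items as $slug => $info ) {
            $items[ $slug ] = array_intersect_key( (array) $info, $keep );
        }
        $data[ $key ] = $items;
        $args['body'][ $key ] = $json ? json_encode( $data ) : serialize( (object) $data );
    }
    return $args;
}
```

One caveat: http_request_args can change headers and body but not the URL, so the blogs and users counts in the core version-check query string above still go out unchanged.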