Does WordPress send data about your blog to WordPress.org or Automattic?

I’ve recently heard someone say WordPress sends data about your blog back home. Is that true? And if so, what data is that, or where in the code can I see what’s exchanged?

3 comments

  1. Yes, it does. See Ticket #16778, "wordpress is leaking user/blog information during wp_version_check()". All the details are in /wp-includes/update.php:

    // Collect the site statistics that will be sent along with the version check.
    if ( is_multisite( ) ) {
        $user_count = get_user_count( );
        $num_blogs = get_blog_count( );
        $wp_install = network_site_url( );
        $multisite_enabled = 1;
    } else {
        $user_count = count_users( );
        $user_count = $user_count['total_users'];
        $multisite_enabled = 0;
        $num_blogs = 1;
        $wp_install = home_url( '/' );
    }
    
    // These values end up in the query string of the request URL.
    $query = array(
        'version'           => $wp_version,
        'php'               => $php_version,
        'locale'            => $locale,
        'mysql'             => $mysql_version,
        'local_package'     => isset( $wp_local_package ) ? $wp_local_package : '',
        'blogs'             => $num_blogs,
        'users'             => $user_count,
        'multisite_enabled' => $multisite_enabled
    );
    
    $url = 'http://api.wordpress.org/core/version-check/1.6/?' . http_build_query( $query, null, '&' );
    
    // The site URL is sent twice more: in the User-Agent string and in two custom headers.
    $options = array(
        'timeout' => ( ( defined('DOING_CRON') && DOING_CRON ) ? 30 : 3 ),
        'user-agent' => 'WordPress/' . $wp_version . '; ' . home_url( '/' ),
        'headers' => array(
            'wp_install' => $wp_install,
            'wp_blog' => home_url( '/' )
        )
    );
    
    $response = wp_remote_get($url, $options);
    

    The user agent contains the URL of your installation, so none of this data is anonymous anymore. To get some privacy back, filter 'http_request_args' and change the data you don’t want to leak.

    Here is a simple example to anonymize the UA string (from a recent blog article):

    add_filter( 'http_request_args', 't5_anonymize_ua_string' );
    
    /**
     * Replace the UA string.
     *
     * @param  array $args Request arguments
     * @return array
     */
    function t5_anonymize_ua_string( $args )
    {
        global $wp_version;
        $args['user-agent'] = 'WordPress/' . $wp_version;
    
        // catch data set by wp_version_check()
        if ( isset ( $args['headers']['wp_install'] ) )
        {
            $args['headers']['wp_install'] = 'http://example.com';
            $args['headers']['wp_blog']    = 'http://example.com';
        }
        return $args;
    }
    

    You can change that to …

    add_filter( 'http_request_args', 't5_anonymize_ua_string', 10, 2 );
    

    … and get the request URL as the second parameter for your callback. Now you can check if the URL contains http://api.wordpress.org/core/version-check/ and change all the values as you want, or cancel the request and send a new one. There is still no way to change just the URL; that’s why I created the patch in the ticket.
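    A worked version of the two-parameter filter described above, written for this page as a must-use plugin; it is not the answer's or WordPress core's own code. It assumes the 'http_request_args' filter with `$args, $url` and the core 'http_api_debug' action (five arguments); the function names and the example.com placeholder are made up here.

```php
<?php
/*
Plugin Name: Anonymize api.wordpress.org version checks (added example)
*/

// Added example, not code from the answer above or from WordPress core.
add_filter( 'http_request_args', 'example_anonymize_version_check', 10, 2 );

function example_anonymize_version_check( $args, $url ) {
    global $wp_version;

    // Only touch the version-check endpoint quoted above; compare without the
    // scheme so an https:// endpoint is matched as well.
    $host_path = preg_replace( '#^https?://#', '', $url );
    if ( 0 !== strpos( $host_path, 'api.wordpress.org/core/version-check/' ) ) {
        return $args;
    }

    // Drop the site URL from the UA but keep the version so the endpoint still answers.
    $args['user-agent'] = 'WordPress/' . $wp_version;

    // Replace, rather than unset, the two custom headers so the request shape is unchanged.
    if ( isset( $args['headers']['wp_install'] ) ) {
        $args['headers']['wp_install'] = 'http://example.com';
    }
    if ( isset( $args['headers']['wp_blog'] ) ) {
        $args['headers']['wp_blog'] = 'http://example.com';
    }

    // The query string (blogs, users, multisite_enabled, ...) lives in $url, which this
    // filter receives but cannot change: only $args is returned.
    return $args;
}

// Check from the defender's side: log what actually left the site, so the filter can be verified.
add_action( 'http_api_debug', 'example_log_version_check', 10, 5 );

function example_log_version_check( $response, $context, $class, $args, $url ) {
    if ( false === strpos( $url, 'api.wordpress.org' ) ) {
        return;
    }
    $ua      = isset( $args['user-agent'] ) ? $args['user-agent'] : '';
    $headers = isset( $args['headers'] ) ? (array) $args['headers'] : array();
    error_log( sprintf( 'api.wordpress.org request: url=%s ua=%s headers=%s',
        $url, $ua, json_encode( $headers ) ) );
}
```

    Trigger a check with `wp_version_check()` (or wait for cron) and read the PHP error log to confirm that neither the UA string nor the headers carry the site URL any longer.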

  2. WordPress sends version data back to .org when using the .org API (installing/searching/updating) to my knowledge. That data is then collated into chart graphics. You can see the data here. I assume this is also used when plotting the roadmap for environment requirements (i.e. PHP4 > PHP5, MySQL version support, etc…).

    Here’s a sample of what the .org stats data looks like:

    [image: chart of the .org stats data, not reproduced here]

    As a side note, it’s always imperative that you install plugins from trusted sources. Otto and the other curators of the plugin directory have done a great job weeding out plugins that use base64+eval to send personal information back to unscrupulous plugin authors. I can guarantee there are some that pop up on a weekly basis in the repository. This applies to themes outside of the .org repo as well.

    I’ve heard talk of creating a plugin review team (similar to the theme review team) that will secure the integrity of the repository in the future. You can join the wp-hackers mailing list and get more information there. That’s where these types of discussions really are fleshed out.

  3. Yes, you are correct. The WordPress update checker, the plugin update checker and the theme update checker regularly send information about

    • Your IP
    • Blog URL
    • WordPress version
    • PHP version
    • Locale setting if there is one
    • Plugin title, description, author – including all URLs that form part of this.
    • Full list of all plugins on your site, whether they are active or not.

    to the api.wordpress.org site. This is an old discussion, going back to 2007. You can read more about it in my post "WordPress phone home – Spyware or Justified".