WordPress is leaking user/blog data
More than six months ago we opened a ticket for WordPress developers about an undocumented behaviour of the WordPress Version Check functionality:
Hi, we’ve noticed that WordPress will send how many users and blogs are in a given installation during the GET to api.wordpress.org, together with the installation URL in the headers.
Is there any reason why this is done? It seems quite a leak of information. Can it be turned into an option, defaulting to off, so that admins can opt in if they want to report how many users/blogs there currently are?
We reckon our request was clear enough: your software is sending some information back to you without the users knowing; please make it explicit by adding one of those opt-in dialogues like “Send usage statistics to wordpress.org”.
The developers promptly replied within a few hours. What did they say? They closed the request and marked it as invalid. They basically said: Yes, we are collecting and keeping data about you all without telling you, so what?
We reopened the request, together with other users, trying to convince the developers to fix this privacy issue, but their replies were always far from satisfying. This comment summarizes their line very well:
There are plugins available already which allow you to disable the [version] checks if you don’t want to send the data.
We are not going to add any UI option for this.
They basically suggested disabling the update checks completely if the data leak is not desired. This idea looks particularly funny to us: how could an average user possibly know about the checks, and decide to disable them, if it is not clearly written anywhere that WordPress is leaking information?
So, six months later WordPress is still leaking user/blog data while checking for newer versions. Noblogs obviously does not, but what about your WordPress installation?
Do yourself a favor: Carefully inspect every line of code you are putting on your servers.
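One way to keep the version check working while withholding the counts and the site URL, as an added example (it is not the patch set the post refers to, which the page does not reproduce): a must-use plugin that rewrites the outbound request through WordPress's pre_http_request filter. It assumes the field names used by the WordPress 3.x version check (the blogs/users query parameters, the wp_install/wp_blog headers and the site URL appended to the User-Agent); check them against your own copy of wp-includes/update.php before relying on it.

```php
<?php
/*
Plugin Name: Scrub version-check telemetry (added example)
Description: Drops user/blog counts and the site URL from requests to api.wordpress.org.
*/

// Runs before every request made through the WordPress HTTP API. Returning
// false lets the original request proceed; returning a response array
// short-circuits it, which we use to substitute a scrubbed request.
add_filter('pre_http_request', 'nb_scrub_version_check', 10, 3);

function nb_scrub_version_check($preempt, $args, $url)
{
    static $in_progress = false;   // our own wp_remote_request() re-enters this filter
    if ($in_progress || $preempt !== false) {
        return $preempt;
    }
    $parts = parse_url($url);
    if (empty($parts['host']) || $parts['host'] !== 'api.wordpress.org') {
        return false;              // unrelated request, leave it untouched
    }

    // Assumption: the counts travel as the 'blogs' and 'users' query parameters.
    $query = array();
    if (!empty($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    unset($query['blogs'], $query['users']);
    $clean = $parts['scheme'] . '://' . $parts['host']
           . (isset($parts['path']) ? $parts['path'] : '/');
    if (!empty($query)) {
        $clean .= '?' . http_build_query($query, '', '&');
    }

    // Assumption: the installation URL travels in the wp_install/wp_blog
    // headers and after the ';' in the User-Agent string.
    if (!empty($args['headers']) && is_array($args['headers'])) {
        unset($args['headers']['wp_install'], $args['headers']['wp_blog']);
    }
    if (!empty($args['user-agent'])) {
        $args['user-agent'] = preg_replace('/;.*$/', '', $args['user-agent']);
    }

    $in_progress = true;
    $response = wp_remote_request($clean, $args);   // same method, timeout, etc.
    $in_progress = false;
    return $response;
}
```

Drop the file into wp-content/mu-plugins/ so it loads before ordinary plugins; update checks still reach api.wordpress.org, only the stripped fields change.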
UPDATE (1316100929)
These are the patches we applied to our WordPress installation:
September 15th, 2011 at 12:02 am
Could you post the necessary patches to disable it? Thanks!
September 19th, 2011 at 5:19 pm
http://pastebin.com/7SeLZbu0
September 21st, 2011 at 11:22 am
The patches are already there.