Is WordPress Spyware?

December 10th, 2009

Spyware: Spyware is software that gathers information about a computer user, often without that person’s knowledge or consent. Spyware watches what users do with their computers (such as what websites they visit), and sends that information back to a central location (usually the company that produced the spyware). This information is often given to other companies, who then target the user for their advertisements. Especially bad spyware can gather information about email addresses, passwords, and even credit card information and transmit it to other companies. Spyware is often installed as bundled software. Under’s guidelines, spyware is considered badware if it does not tell the user about the data that it will collect and how it will use that data.

I started using WordPress back around version 2.2 in 2007. Shortly after, WordPress 2.3 was released. This version of WordPress introduced the pre-cursor to automatic plugin upgrades in the form of plugin upgrade notifications. I thought this was an awesome feature but some in the community raised their eyebrows as they discovered the type of data that was being sent from WordPress to Apparently, it was more than just version numbers. You can view the debate that took place around the privacy issues in September of 2007 here along with the corresponding ticket in Trac which has since been reopened by a community member.

Fast forward two years later and the privacy concerns have been raised again. Here is the data that WordPress sends back to API.WordPress.ORG in order to check for plugin, theme and core upgrades.

  • Your IP
  • Blog URL
  • WordPress version
  • PHP version
  • Locale setting if there is one
  • Plugin title, description, author – including all URL’s that form part of this.
  • Full list of all plugins on your site, whether they are active or not.

This happens every 12 hours or when you load the plugin page if its been over 12 hours. The sticky point that some folks are arguing is that, the Blog URL should not be part of the information sent back rather just the IP address or some other unique identifier.

Matt has chimed in on the issue of disabling update checks with a response on the WordPress Hackers Mailing list that you can read here. Disabling update checks is a bad idea. It’s not the version number checks that are the problem, it’s the Blog URL that goes along with the checks that is the problem.

The privacy policy does mention that the WordPress software performs checks to to look for new versions of WordPress and plugins. However, the privacy policy does not go into detail into what information is sent from the WordPress software back to

It would be in good faith to outline this information in the privacy policy so everyone is on the same page. It’s also good PR. Not doing so just stirs the rumor mill and leaves people asking more questions.

While there are plugins available that disable the ability for WordPress to phone home, one of the best ideas proposed thus far is by Chris Jean.

To me, the only solution for plugin updates is for the server to send what it has since any other option would be highly inefficient or very error prone. So, why not add the ability for a plugin to opt out of having its information included in the update request? This should only require a minimal change to the update code and won’t require any changes to the update servers.

I know other software programs give the end-user a chance to opt-in to data collection/usage statistics but with WordPress, it appears you opt in when you install and use the program and the software does not provide a way of opting out. Some have mentioned that the plugins which strip out the identifying information are equal to an opt-out mechanism but I disagree. When you think about it, the only thing a WordPress powered website needs to send for core, theme, and plugin updates are the version numbers. Everything else just makes up the bigger picture.

It’s pretty simple to me what needs to happen but all of the proposals thus far have met strong opposition that anything is wrong with the way things are currently.

There needs to be disclosure to users of WordPress as they install the software so that they know upfront that their site will be sending data back to the mothership. Most software ships with a long EULA that users agree to by check marking a box. I think it might be time for WordPress to have a page added to the install process but instead of the EULA, make it the WordPress privacy policy. This policy would outline what data is collected, how often its collected, what the intended use of the data is, etc.

Check marking the box would signify that the end-user has opted-in to the data being sent home. No check mark means that the end-user has opted-out. Opting out should not put those users at risk by not receiving plugin, core, theme upgrade notifications so the process of opting out means that only version numbers of those three things will be sent. If someone wanted to opt-in at a later date, the option could be added to the Privacy Options page in the backend of WordPress.

Thoughts, Ideas, Suggestions

I don’t think WordPress is anywhere close to being spyware but according to the definition of the term by, WordPress seems to perform a few of the things mentioned.

I think it’s easy to shrug off the privacy concerns that are being raised and call those people paranoid but the points I’ve seen being made for the ability to opt-out have been pretty good. I encourage you to continue the conversation here in the comments or in the following forum thread.




  1. Otto (215 comments.) says:

    Yes, it is quite easy to shrug off these “privacy concerns” and call those people paranoid.

    So that’s exactly what I’m going to do. Their concerns are invalid and they are paranoid.

    Whew, that really was easy! :D

  2. Hannah (1 comments.) says:

    I don’t care about my information being shared if it helps WordPress out and isn’t being given out to anyone else. I can see why someone would be hesitant to share such information, so it would be a good move on WordPress’ part to make sharing of the information optional, except, of course, the information absolutely required to check for updates.

  3. Chip Bennett (63 comments.) says:

    IMHO, the major concern is not with the data being sent, but rather with those data being retained.

    If the data exist at api.wordpress only for the update transaction session, but are not retained, most of the concern would probably disappear.

    However, it is the retention of those data, and their potential ability to be tied to personally identifiable or professionally proprietary information, that is the cause for concern.

    My suggestion, as posted in the WPT forum thread, is to provide options on the Privacy Options page (options-privacy.php) to allow/disallow WP to send data to api.wordpress for 1) Core Update, 2) Plugin (and Theme) Update, and 3) Data Aggregation, and to disclose what data are sent to (and retained by) api.wordpress.

    And yes, it is easy to be a jackass, but doing so is neither conducive nor collaborative – not to mention, respectful.

  4. Andy Towler (1 comments.) says:

    The only data that should be sent, is the data without which the update check could not be completed.

    Any argument for transmitting extra data is spurious. End of.

    The blog URL is not required, and therefore should not be transmitted. The IP address will inevitably be available as part of the query, but should not be retained. And I don’t see the need to send the full plugin list either to be honest. Not unless it is actually being used to check for known conflicts (and I’m pretty sure it’s not).

    If anyone can provide the names of plugins that prevent this data being sent but do not disable the update check, please post here :)

  5. Rob McGuire (2 comments.) says:

    I’ve got to agree with Chip on this; I’m more concerned with the data that’s being retained in this whole process.

    I don’t think that all the data currently being collected for updates is necessary to perform the task at hand, but where my data goes after it’s been used can be a little worrisome.

  6. imran (4 comments.) says:

    phew, never knew that when i upgrade a plugin that any kind of information is transmitted to WordPress, but i believe they are good guys and they won’t do anything ‘bad’ to the community with this information they receive.

  7. Milan Petrovic (31 comments.) says:

    Most of the data send has nothing to do with the update anyway, so one might ask why the data is gathered in the first place.

    It would be good to offer users an options to allow them to provide their info during the update, and what data to allow to be sent. It would be easy to implement and will improve the credibility of the platform to allow such option and leave decisions to the user.

    Same goes for the plugin authors that would have a choice for providing this data or not. There are many plugins that are made exclusively for a website or are not available as a free download, and there is no reason for to gather info about them at all.

  8. that girl again (41 comments.) says:

    If you are running a blog that you wouldn’t feel comfortable sharing with the rest of the world, such as a private or work-related site, don’t use wordpress. Problem solved.

    Basically, if you’re that concerned about privacy, the onus is on you to take whatever steps you feel necessary to protect your data. If the people providing you with free software don’t understand your concerns, then take your custom to someone who does have a clear privacy policy and is upfront about what (if any) data they harvest from you and what they use it for. Much easier than sticking around hoping in vain that they will come around to your point of view.

    • Chip Bennett (63 comments.) says:

      Sorry, but that suggestion is all too reminiscent of the condescending and arrogant, “if you don’t like it, fork!” attitude that sometimes permeates open source projects.

      In this case, though, there is clearly a right thing to do, and a wrong thing to do – and the WordPress devs are clearly doing the latter. I see nothing wrong with holding their feet to the fire, regarding data collection and user privacy.

      • Alex (1 comments.) says:

        I can;t believe you’re all so concerned about a damn URL being tracked. Guess what, YOU’RE ON THE DAMN INTERNET! It’s your fucking URL. If they want it, great, take it, and share it with a lot of people please…

        “It’s so wroooong.” STFU, sit back, and enjoy your free bit of software you ungrateful people.

        It just baffles me that you people are so bored that you have nothing better to do then complain about a company taking info about their own software that you’re using for free, and the URL you’re using it at. What the hell are they going to do with your URL? Share it? OH NOOO!

        • Chip Bennett (63 comments.) says:

          Next time, try adding something useful to the conversation.

          Oh, and while you’re at it, make sure you actually understand what’s being discussed, so you don’t play the ignorant fool you just did with this comment. The issue isn’t merely about the blog URL. Do try to keep up.

          Try reading the GPL. It isn’t *their* software, once it is distributed. *I* own my copy of WordPress. *I* own my data.

          And by the way: I’ll not “STFU”, no matter how insistent you are.

          And clean up your language. You sound like a little punk.

  9. Jeff (27 comments.) says:

    Thanks for the article!

    I’ll be researching plugins that remove/anonymize a few bits of more contentious data for my twice daily phonehomes. Anyone know of any plugins that help with this?

    • gestroud (2 comments.) says:

      Anonymous WordPress Plugin Updates

      • Jeff (27 comments.) says:

        Thanks for the quick turnaround!

        I also found this mentioned in the related forum thread, and have already installed it on five different blogs. :)

      • Elpie (7 comments.) says:

        I wouldn’t use that plugin. It replaces a WordPress core file (update.php) with its own. Problem is, the one it uses is from WordPress 2.3 and the file has changed significantly since then.
        It doesn’t touch http.php, which is one of the places where the blog URL is sent from (user-agent string). It also does not include the theme update check, which didn’t exist then. So your information flows even with this plugin.
        However, that plugin isn’t sending anonymous data. It replaces your blog URL with the URL for
        Sending someone else’s URL in to be captured by WordPress is unethical and could possibly be illegal. I’m pretty sure would not be impressed!

        There doesn’t appear to be any plugin available at the moment that will strip out all the unneeded data. The 2007 plugins are like sieves today unfortunately.

        • Jeff (27 comments.) says:

          Hopefully something fresher will come along. My programming skills are strictly cut and paste. :)

  10. Jeremy (6 comments.) says:

    Well thank heavens WordPress is open source (and not some binary-blob CGI application) so we can actually see that this is happening, and hold Automattic accountable.

    (Not that I believe sending the blog URL is particularly invasive. The complainers are simply a very small but very vocal minority.)

    • Chip Bennett (63 comments.) says:

      To repeat:

      There are at least four issues here:

      1) The blog URL, while completely un-useful on its own, becomes incredibly useful when it can be used to cross-reference (and tie together) all manner of other data – including data being sent to api.wordpress.

      (Also, some users, in fact, do want to keep their blogs private. There is currently one setting on the Privacy Options page; care to guess what that option is?)

      2) WordPress does not disclose to the user the data transfer/retention policy of api.wordpress. Users simply don’t know that data are being sent to api.wordpress, nor how often. Users don’t know what data are collected/retained by api.wordpress.

      3) The legitimate reasons for sending any data beyond that which is absolutely necessary for (core/plugins/themes) update checks have not been disclosed. Why does api.wordpress need the blog URL, or the plugin/theme “header” information (i.e. any information beyond plugin name and version number)? The reason for sending PHP/MySQL version data is, to me, obvious – but yet remains undisclosed. Likewise with locale.

      4) The legitimate reasons for retaining any data, period, have not been disclosed. For instance, while knowing the aggregate totals of PHP4/PHP5 users is important for code-support decisions, that aggregate can be gleaned as a rolling, 12-hour average, with no need to retain the data beyond that time frame.

  11. Miroslav Glavic (27 comments.) says:


    I pray to the holy Goat that people do not get my url of my website.

    What is the big deal about WP getting your website address? will know if you fill your profile
    Jeff’s site has it as most of it’s visitors filled their profiles
    Every other website with a profile to fill that has an url
    What is the worst that WP can do? publish your url on a list of WP based sites?

    There is no such thing as privacy in the first place, it’s like Harper/Obama/Brown (leaders of Canada/US/UK) expecting any privacy whatsoever.

    • Elpie (7 comments.) says:

      What’s the worst WP (or Automattic) can do? That is easy to answer. They can sell the data or get it stolen through the server being hacked.

      This data could contain:
      PHP & MySQL versions
      IP address
      WordPress version
      List of all the plugins and themes on your site, whether they are active or not, including everything that is in the name, title, author and description fields (which sometimes contain personal information, email addresses and phone numbers)

      Through use of Akismet and/or Intense Debate, they can also gather the email addresses and URL’s of everyone who comments on your site.

      If you use the stats plugin, which is included in some themes and theme frameworks then they also have details of all the traffic on your site – where it came from, where it went to, and what it goes to within the site.

      All of this is tied to your site URL and nobody is saying how it is aggregated and how its being used. It’s all collected behind the scenes twice a day without anyone giving their permission for it to be gathered. And its all being sent over http where any slightly smart person can snoop and intercept the data for their own purposes.

      I don’t think it matters if people are happy to divulge this information or not. The important question is why is WordPress gathering data that has nothing to do with update checks and why is the team refusing to address privacy concerns?

  12. Yohan Perera (3 comments.) says:

    Well, I have no problem with the information the WordPress is collecting about my WP installation. That’s what most of the com mentors of this post are trying to tell. However we must bother to think how a security expert will view this type of communication…?

    Let’s say a hacker compromises the WordPress servers. And finds out that I am using an older version of a plugin which he has exploited. The next moment I will be facing a load of problems with my ISP and Web host.

    What if he discovers a bunch of WordPress blogs which has not been updated…? The list of communications linking back to outlined in this post seems very innocent, but only as long as WordPress servers are secure.

  13. tapirul says:

    another thing I mentioned in the past – maybe not strictly related to this topic, but related with how operates – is the akismet plugin. which is installed and reinstalled every time I update, anyway.
    i don’t generalize, i only talk about my experience: i am hosting three blogs on my site, two of which having a pretty good traffic. with akismet installed and activated, i get notified of hundreds of spam comments being filtered (allegedly) by akismet. without akismet (and everything else identical), i get no spam. or, maybe, once a month.

  14. Lazy (9 comments.) says:

    i do like wordpress and i trust the guys at wordpress, automattic.

    • Jeff (27 comments.) says:

      Trust them to what? Keep all of the data they collect, for however long they may keep it, completely and forever secure from hackers and disgruntled employees?

      Sorry, but that seems foolish.

  15. Denis de Bernardy (8 comments.) says:

    I was amused, albeit a bit bored, by the discussion in 2007. I am still amused, and even more bored, about the discussion in 2009. I’m confused by the fact that one very valid point in collecting the URL and the plugin data barely seems to get any mention…

    Specifically, if you cross-reference site urls from core updates + plugin updates, and *active* plugins from plugin updates (this is collected as well), and site urls from, you’ve a whole bunch of potential patterns to investigate in order to weed out spam blogs.

    Just my $0.02.

    • Jeff Chandler (171 comments.) says:

      Hey, that sounds great to me if I know upfront that is what the data collection policy is helping to combat. If that was one of the reasons presented to me during the install of WordPress when I choose to opt-in or out with regards to sending this data, I’d be more inclined to say yes. I’m sure other folks would as well.

      • Chip Bennett (63 comments.) says:

        +1 Jeff.

        The whole key (for me) is being open and honest, up front, about what data are retained, and why.

        Forthrightness and honesty go a long way in building trust and goodwill.

        Dismissiveness and lack of forthrightness, on the other hand, tend to breed distrust.

        Can this information help identify splogs? If so, great! That’s awesome! Just be up-front about what data are used.

        Of course, such analytics would require tying plugin/active plugin data to a non-hashed URL, which raises concerns for others.

    • Chip Bennett (63 comments.) says:

      “Amusement” and “boredom” can be interpreted as “condescension” and “arrogance” – which are precisely the attitudes that are rankling so many feathers on this matter.

      Just because a programmer doesn’t understand the privacy needs or concerns of a user does not invalidate those needs and concerns.

      User data collection without knowledge and consent of the user is wrong.


      End of story.

      As has been said: disclose what data are retained, for how long, and for what reason, and the vast majority of us will find our concerns placated.

      For the rest, provide – in core – an opt-out option for data *retention*.

      (Leave the data-sending for update checks without a core opt-out option, if you wish – though I would imagine that, to separate the options for sending and retaining an overlapping set of data will require a bit more coding than just a blanket enabling/disabling of sending the data in the first place.)

      • Denis de Bernardy (8 comments.) says:

        “User data collection without knowledge and consent of the user is wrong.”

        Oh, don’t get me wrong. It’s not condescension or arrogance.

        My initial thoughts on the whole thing, back in 2007 were similar to yours. It was just extremely clear from the onset, that the chances of reversing the decision was zero.

        Fast forward to today. I can see all sorts of valid reasons to send the data. So my views on actually sending it have shifted to neutral. As for storing it, keep in mind that Matt is a stats junkie by his own account, and that his decision was made a while ago.

        So yes, I’m bored, and amused. Not because I strongly disagree with you. Rather because I think you’re beating a dead horse.

      • Denis de Bernardy (8 comments.) says:

        Adding to my previous comment, in case you didn’t note my reply on the wp-devel blog, my own wish would be that all of this aggregated data was made public. It would then be useful to everybody, rather than only Automattic.

        • Rhonda J. (1 comments.) says:

          Yes, I agree. I’d be happy to opt in if all of the collected date were made public. Couldn’t this info be really useful to the WP community? Particularly plugin developers?

          I’m not saying that all of the information should be public. Some of it should be masked somehow, perhaps the blog url could be turned into some other unique identifier.

          Maybe if we ask nicely, instead of assuming the worst, this information could be shared with all of us for the purpose of improving the community rather than assuming it’s being gathered for evil purposes.

          I do agree that disclosure should be made to the user upon downloading and or installing the software but I don’t believe that Matt or anyone else is avoiding or evading the issue. I believe we should keep in mind that Matt and probably pretty much everyone else involved are programmers more concerned with creating cool stuff for us to use for free than they are about legal and admin issues like creating a privacy statement.

          WordPress is an opensource project. As users, doesn’t that make us responsible? I know I haven’t even put up a privacy statement on my own sites even though I use plugins that collect data about my visitors. I’ve been more concerned with building sites that provide great content and services than I have with dealing with privacy issues.

          Instead of finding fault with the developers of WordPress who have done a fantastic job of providing me with a fantastic product for free, I volunteer to help resolve this issue.

          And thank you to all of you who have volunteered to bring this issue to the attention of the community. Now what can we all do about it? Can we help draft a privacy statement? Can we help by writing plugins that allow users to opt out? What can we do as participants to make WordPress even better?

          I will gladly volunteer my time and energy to help in anyway possible to make things better for this community.

  16. Ade (12 comments.) says:

    I think the answer here is very simple: WordPress is simply plain wrong on this issue.

    No matter the myriad of apparently very good reasons why this data must be sent to, the point is (a) this is being done (largely) without the knowledge of the WP user and (b) for purposes that aren’t entirely clear.

    Either give an opt-out option for users to decide for themselves – with as many “the sky will fall on your head if you opt-out, you damned fool!” warning messages as is deemed fit, or display a terms of use notice on first installation that makes clear what data is being collected and for what purpose, and don’t build in an opt-out (leave that for plugins to tackle).

    This is an issue which the majority of (perhaps all?) reputable proprietory software companies dealt with a long time ago, and it’s high time that WordPress followed suit. In this day and age privacy, specifically computer-related privacy, is a valid concern, and users should be as well informed as possible about the implications of their actions eg in using software, including WordPress.

    Frankly, I find the resistance to this quite astonishing. Transparency and trust. Do the right thing, WordPress, and people like me will gladly shut-up. And don’t worry, we probably won’t opt-out either…

  17. Elpie (7 comments.) says:

    This is Matt Mullenweg’s response to the issue:

    It shows a level of leadership and maturity that should alleviate all concerns about the retention of personal data and its use.

    • Chip Bennett (63 comments.) says:

      Yes, that was particularly enlightening and instructive, wasn’t it?

      I know his response has certainly elevated my trust to heights heretofore unknown.

      …or, is that, depths?

      • Ade (12 comments.) says:

        A very disappointing answer from Matt. There ARE legitimate privacy concerns that WP should address, and I’m still astonished at the resistance to “doing the right thing”… :-/

  18. Ben Maden (1 comments.) says:

    I think article and Chip’s comments cut to the principal here. Nice job.

    Being upfront about what data IS collected so people can opt-in or opt-out makes complete sense and should be very painless to achieve.

    I build WordPress websites for clients, friends and family day-in and day-out. From now on I will be installing plugins to anonymize this data and as I conduct my regular upgrades I’ll add the plugin to the older ones I host (and manage) too.

    It’s not that I believe anything evil or malicious is underway that would be foolish. No matter how remote a possibility I just don’t like idea that a hacker could obtain WordPress version numbers and URLs and mess with my livelihood.

  19. bubazoo (213 comments.) says:

    I don’t think wordpress is spyware, if anything its probably considered a GPL Open Source project, if anything..

    no the only “spyware” like activity that I can see from blogging, are the google ads, and other ads posted all over some blogs.

    I purposely don’t put banner ads on my blog, because for one thing, banner ad’s don’t pay revenue to even pay for the hosting upkeep, much of less a decent profit, so why even bother having them on my site if there not going to make me any money except maybe 2 or 3 cents at the most to begin with? you know?? I’ve tried every kind of banner ad company out there, and I’ve never seen ONE PENNY of a check in the mail from any one of these companies, not google, or anywhere else, so its not worth it to me..

    Besides, certain banner ad companies have audio ads up, take the users IP address so they can claim to produce “targeted ads” towards certain people of certain countries, which I consider spyware, because they put these kinds of scripts on the users computers just like a virus infecting other computers and monitoring search habits. Those ARE considered spyware/malware to me…banner ads yes..

    but not wordpress….no….

    • BlaKKJaKK (10 comments.) says:

      @bubazoo No offense but what does your monetizing woes have to do with the topic? A side note with an Alexa rating of 6M+ pretty much means no ad will make you money.

      Back to the topic, personally I like the convenience of the update function but I have to admit that I found Matt’s response pretty ridiculous. Isn’t it interesting that he finds the passion in defending the GPL to an extremes but doesn’t seem to care about our privacy concerns. The fact is if data is collected it the right thing to do is tell us what is being done with that data. Aside from that, like any other piece of software you should have an option to opt out.

      I really have a hard time understanding why that is so controversial.

    • Chip Bennett (63 comments.) says:

      WordPress being GPL and open source is completely irrelevant to the question of whether the transmission to and retention of data by api.wordpress from WordPress installs without the knowledge or consent of the user constitutes behavior that is considered to be spyware.

      According to, the answer is, clearly, yes it does.

      Quite frankly, whether or not those data are or are not personally identifiable is likewise completely irrelevant, again, according to Their guidelines are quite clear on this matter.

      WordPress transmits personally, potentially personally, and non-personally identifiable user data to a third-party server ( without either the knowledge (disclosure) or consent (explicit opt-in/out consent) of the user.

      In the case of update checks, we can assume user intent to keep core/plugins/themes updated constitutes implicit consent to send data – and only those data required for the update check – to However, under no circumstance can we assume any user intent that would constitute implicit consent to having any data retained by

      These actions are in clear violation of good practice with respect to user data, and, according to guidelines, constitutes spyware behavior.

      • BlaKKJaKK (10 comments.) says:

        Chip, you are preaching to choir. I agree with you. My point regarding Matt and the GPL was merely to illustrate that Matt seems to have a mental blind spot to privacy concerns. As an user, non-programmer, I would tend to stereotype someone that advocates open source, GPL etc would also be sensitive to privacy advocate.

        I’ll repeat I still don’t understand why Matt and the others that control the core are even debating the point. It’s the right thing to do.

        Aside from that given that it is a privacy issue the burden of proof is on those advocate no action.

  20. Michael Hampton (14 comments.) says:

    As I did in 2007 when this feature first came to my attention, I find it disappointing and regrettable that Matt Mullenweg and other well known people in the WordPress “community” make light of legitimate security and privacy concerns.

    Of course, Google’s Eric Schmidt made the same stupid claims, which were easily refuted by actual security experts.

  21. Ricardo Santos (9 comments.) says:

    Personally i dont see any problem with the kind of data that is being sent, Automattic has given me a stable platform to blog in my free time…free support over the forums, available in dozens of languages.

    Does Google, Microsoft, Yahoo tell us which kind of data is being sent when using their web services? Do they easily tell us that?

    dat abeing sent:
    * Your IP….and?
    * Blog URL… and?
    * WordPress version…and?
    * PHP version….and?
    * Locale setting if there is one….and?
    * Plugin title, description, author – including all URL’s that form part of this….and?
    * Full list of all plugins on your site, whether they are active or not…. and?

    Not happy? Use Blogger… you guys are making a storm in a small cup with water, how many of you use software that autoupdates? Do they tell you what data is being sent?


    • Chip Bennett (63 comments.) says:


      Again, I love – and use – the update-check functionality of WordPress. Thus, I give implicit consent to send to my core version number, plugin names and version numbers, and theme names and version numbers for the sole purpose of performing the update check.

      My issues are with 1) disclosure and 2) data retention.

      The transmission and retention of user data is not disclosed to the user, nor does the user have any ability whatsoever to opt-out of data retention.

      For me, this has absolutely nothing to do with sending data required for update checks.

      As for Google, Yahoo, et al – you can be darn sure that their privacy policies do, in fact, disclose what data are sent to third-party servers.

      • Network Geek (21 comments.) says:

        So, you raise the same concerns with Microsoft and demand the same accountability, right? Because they have a much, much larger installed userbase and have NO disclosure on what they gather for their updates via Windows Automatic Update. They have no retention policy that I’ve seen or am aware of when they collect whatever information they collect. But, again, I’m not worried because surely, right now, thousands of experts are on Microsoft forums as we speak, er write, loudly complaining to Steve Balmer and crew about their abuses.


  22. Ricardo Santos (9 comments.) says:

    “…As for Google, Yahoo, et al – you can be darn sure that their privacy policies do, in fact, disclose what data are sent to third-party servers….”

    Do they disclose as some people want WordPress to disclose with options in the control panel? Why are you picking on wordpress, loads of software outhere that is installed on your pc where private details are kept…even more important ones that the data sent by wordpress…have you wrote to all the software creatores (free, open source and commercial ones) asking which data is sent by their software when it autoupdates?

    • Chip Bennett (63 comments.) says:

      Can we get past the data sent for update checks, please?

      How many times do we have to reiterate that it is not the data being sent for update checks that is our concern?

      It is the retention of these data – and the sending and retention of other data that are not in any way associated with update checks.

      I’m asking WordPress because I use WordPress. I don’t use Hotmail or GMail or Yahoo Mail. And besides the fact that I’m not concerned with data being sent for update checks, auto-updates of Hotmail, GMail, nd Yahoo Mail are completely irrelevant. I’m not the owner of those web applications. I am, on the other hand, the owner of my WordPress application.

  23. Ricardo Santos (9 comments.) says:

    Does Microsoft have a function in your hotmail account that tells what they do with your data? Google? Yahoo? A user friendly function? in the admin area of hotmail? Google? Yahoo?

    I know they didnt disclose it but not everything is perfect… C’mon it’s WordPress its not some dubious company…

    • Chip Bennett (63 comments.) says:

      Again: Hotmail, Google, Yahoo: irrelevant. I’m not the owner of those web applications, unlike my WordPress installation.

      The burden of proof is not on the users here, but rather on Matt Mullenweg.

      Disclosure and consent are required for transmission of user data to a third party.

      Why is this concept so difficult to grasp?

      • Otto (215 comments.) says:

        The concept is difficult to grasp mainly because it’s total crap.

        Disclosure and consent are clearly NOT required for transmission of anything. I can write software that transmits anything I like, and no legalese is required whatsoever.

        You’re saying that it is required “legally”, which is a different kettle of fish. It’s also untrue, for the majority of jurisdictions.

        So please, try to be clear. You can say it’s required, but it’s clearly not, which makes your other statements on the topic questionable at best.

  24. Ricardo Santos (9 comments.) says:

    Chip i understand what you’re saying but what you describe as far as i can see is a routine nowadays, since you dont use any of the 3 big email services im going to pick one particular piece of software that almost everyone uses…Adobe flash Player

    Do they ask you when the warning pops up on the screen “update available” if the program can send data to their servers and how long its going to be retained? Yep…its a closed/commercial program…no way to know…to my knowledge theres dozens of them outhere…from bigger companies than Automatic

    Why pick on this one? Because you use it you already said it but c’mon you dont use any program that does that?

    • Chip Bennett (63 comments.) says:

      Hmm… this was supposed to be in response to Ricardo Santos:

      Funny you should mention Adobe.

      Adobe actually has a rather extensive Privacy Policy. Money graf:

      Certain Products and Services may require you to use the most current version of such Product and Service or are offered in conjunction with other Products and Services, which you may or may not have already downloaded. The Product and Service may automatically check to determine if you are using the most current version or have other Products and Services and through e-mail messages, pop-up boxes or similar mechanisms inform you if need to upgrade in order to use the Product and Service you have requested. During this process, an IP address identifying your computer and the Product and Service version may be sent to a Web server, but system profile information is not transmitted nor are cookies used to store information.

      There’s plenty more in there, too, about what information Adobe collects, under what circumstances, and what they do with that information.

      Pretty much, Adobe’s Privacy Policy proves my case. Thanks for bringing it up.

  25. Milan Petrovic (31 comments.) says:

    ALL programs that perform any form of update or comunication to the server can be considered spyware because all of them send all kinds of data, and actually very few of them allow you too choose if you allow data to be send or you can even sign the opt-in. I tracked today what kind of data send Adobe Air, Adobe Flash, Skype and few more, and it’s a lot, a lot of data.

    I agree that WordPress should be leader in the area, and they should allow opt-in for some of the data send.

    • Chip Bennett (63 comments.) says:

      Funny you should mention Adobe.

      Adobe actually has a rather extensive Privacy Policy. Money graf:

      Certain Products and Services may require you to use the most current version of such Product and Service or are offered in conjunction with other Products and Services, which you may or may not have already downloaded. The Product and Service may automatically check to determine if you are using the most current version or have other Products and Services and through e-mail messages, pop-up boxes or similar mechanisms inform you if need to upgrade in order to use the Product and Service you have requested. During this process, an IP address identifying your computer and the Product and Service version may be sent to a Web server, but system profile information is not transmitted nor are cookies used to store information.

      There’s plenty more in there, too, about what information Adobe collects, under what circumstances, and what they do with that information.

      Pretty much, Adobe’s Privacy Policy proves my case. Thanks for bringing it up.

  26. Ricardo Santos (9 comments.) says:

    Chip…that link is on the website…not on the program itself like you specified for wordpress in the comments above (privacy.php)…

    • Chip Bennett (63 comments.) says:

      That’s because Adobe is merely a plugin for Firefox, and has no UI (that I can find).

      A more useful example would be the Privacy Policy of Firefox itself (conveniently found through Firefox, via Help -> About -> License -> Know Your Rights -> Privacy).

      Care to guess what is in Mozilla’s privacy policy, that was also in Adobe’s Privacy Policy?

  27. Ricardo Santos (9 comments.) says:

    So if wordpress had a privacy page on their website explaining which data and how long they keep the data it would be ok, with no need to introduce options in the wordpress dashboard?

    • Chip Bennett (63 comments.) says:


      I’m going to use the Mozilla example, as it is more analogous.

      In Mozilla’s case, Mozilla defines personally identifiable information, potentially personally identifiable information, and non-personally identifiable information, and explains how it treats information in each class.

      Further, Mozilla a) defines a URL as potentially personally identifiable information, and b) only sends the bare-minimum, non-personally identifiable information required for update checks, crash reports, etc. (Mozilla also uses a unique cookie value for unique identification – and identifies this cookie value as potentially personally identifiable.)

      Disclosure is the important first step – but it is also just the first step.

      Disclosure will placate most/all of my personal concerns, but will not put api.wordpress in the clear, without the follow-up step of providing a means to opt-out of data collection (retention).

      Again: for update checks, I am placated with disclosure.

      However, for data collection (retention), an opt-out mechanism is required.

  28. Ricardo Santos (9 comments.) says:

    That’s because Adobe is merely a plugin for Firefox, and has no UI (that I can find).

    Yes and no, If an update is available for adobe a Pop up Windows will appear and ask you if you want to update, but enough with the examples as there are those who do it and those who dont, altough anaware of the data sending and retaining ( that bit i agree that it should be disclosed) but i will continue to use it because i dont think the data that is being sent is dangerous (altough im not an expert), will carry on using wordpress as usuall

  29. Viv (2 comments.) says:

    Looking at the list of information gathered I cant see any thing apart from plugins that are not active that I cant get by visiting your web site and simply looking at it?

    So what is the privacy concern over what’s published publicly already?

    • Chip Bennett (63 comments.) says:


      WordPress is sending data to a third-party server, and those data are retained by that server, without disclosing the transmission/retention to the owner of those data, or providing a means of opting-out of retention of those data.

      The nature of the data – personally identifiable, potentially personally identifiable, or non-personally identifiable – is entirely irrelevant, as per the guidelines for transmission of user data.

      The transmission and retention must be disclosed, and the user must be provided with a means to opt-out.

      • Viv (2 comments.) says:

        A good reply but what leaps to mind from what you say is that all the search bots (and other types ;-) that crawl, scrape and scan our sites, gathering basically the same information and then storing it on third party servers, should ask us first?

        Is it just that wordpress should have fessed up sooner to taking what we already give away freely? or is there a deeper principle here?

        • Chip Bennett (63 comments.) says:

          There are two kinds of bots: the well-behaved ones, that obey robots.txt, and the not-well-behaved ones.

          Do we really want to equate WordPress to non-well-behaved bots? What would such a correlation say about WordPress?

          Again, what is at issue is not the nature of the data, but rather the lack of disclosure and lack of mechanism to opt-out of data retention.

          The nature of the data is, once again, irrelevant.

        • Andreas Nurbo (9 comments.) says:

          It doesnt matter what Google does and does not do in this case. This is about WordPress.
          Gathering of data should be disclosed and a way to opt out of this data collection part of the update should be available at installation point and in the admin backend.

          So far they haven’t said anything on what is stored in their database. We can guess what is stored and retained nothing more. It is an open source project being open with what you do and how should be part of that.

  30. Ricardo Santos (9 comments.) says:

    We agree on disagreeing, but by being open source doesnt mean that one has to be open, my interpretation of open source doesnt have anything to do with that but with the fact that anyone can look at the source code and modify it redistribute it

  31. Brad Potter says:

    This sure is changing the way I think about the security of my WP sites considering the depth of the data being sent back to “Mother”.

  32. Elpie (1 comments.) says:

    If you want to see just what WordPress gathers from your sites, check out this:

    If you are really happy for all that info to be sent back then so be it. If you value your privacy though you might think again.

    FWIW, a privacy statement is not worth the paper its written on. is not a legal entity, its a site owned by Matt Mullenweg. Good intentions are fine. Legal accountability would be better.

  33. tapirul says:

    what about akismet? nobody mentions it, I see.

    • Elpie (7 comments.) says:

      I do, in my posts ;)

      Akismet doesn’t have any privacy policy or anything to say what it does with the data. For all we know its collecting every email address and URL to add to the other stuff that Automattic collect about a blog URL. Gravatar doesn’t have any disclosure either but it does say in the FAQ’s that they will not allow accounts to be deleted. I guess that means they have our email addresses forever, to use however they like.

  34. Walter (1 comments.) says:

    How could someone think of WordPress as a spyware. In my experience, it is the best platform. :-)

  35. James (2 comments.) says:

    I’m well aware that WordPress can store your information whenever you auto update…so the best way to avoid this is to do it all yourself. But if you want to get concerned about spyware, Blogger would be the biggest culprit…just think of how much data Google can get from you over there. It cannot be avoided, but I think WordPress should come clean and provide a choice to people, if they are really storing our sensitive data.

  36. Brad Potter says:

    To get an industry leader’s perspective on privacy issues, listen to what Jason Calacanis has to say about Facebook privacy on the latest TWiT.

    He has also made a post about the topic here:

    I realize the exact issue with Facebook is not the same we discuss here but Jason raises several points that are applicable.


  1. […] en place des avertissements pour la mise à jour des blogs. (Détails en anglais sur Weblog Tools, Is WordPress spyware ? ) Voici donc la liste des informations qui sont envoyées à WordPress deux fois par jour […]

  2. […] Git, changing the name (while giving credit where it’s due, following GPL), ripping out the spyware “features,” and maintaining it for security. But probably on my own private sever, for […]

Obviously Powered by WordPress. © 2003-2013

page counter