WordPress is not privacy friendly anymore

This post is also available in: Polish

WordPress nowadays isn’t as privacy friendly as I thought (connections to the Gravatar service, hardcoded Google Fonts references). It almost looks like the WP devs don’t care anymore: business is winning over a handy tool, even for activists working under extremely dangerous conditions. I, for my part, noticed this problem while having trouble with the proper display of national characters on a clean WP instance. Nevertheless: a WordPress instance after a clean installation shouldn’t try to connect to any server apart from its own host.

I spent quite some time researching this kind of trouble with WP. Some of the problems (like the Google Fonts one) have their solutions, but they aren’t complete. If you disable all Google Fonts references, you lose the pretty fonts on your website unless you edit the hardcoded references and provide locally hosted files (this applies to both the dashboard and the theme files). I’ve also talked with various developers who use WP all the time in their work, and they share my opinion.

The next step is: it needs to be fixed. So there is a plan to remove all that crap from WordPress, so that we have the user-, privacy- and security-friendly solution we all love. This fork has another reason to exist, too: business solutions. WordPress is great for implementing even complicated business processes and models. I use it daily at my work, and a business needs to be sure that data won’t be leaked by the CMS itself over some unauthorized outgoing connections.

Primary objectives of such a fork:

  • remove every reference to remote servers that WordPress makes by itself out of the box
  • implement privacy and security hardening solutions and configurations
  • let its users run their own custom plugin repositories.

What the development will look like:

The first step is to create a fork of the current WP release and make it free of the references from objective one, putting in locally hosted replacements where possible (for example, bringing back the image upload field for the avatar).

Each fork version will be released shortly after the mainstream WordPress release. The next step is to release a plugin which will strip the things mentioned above from existing WP instances and put in the replacements.

This will be followed by ongoing WordPress security hardening (disabling XML-RPC and so on) and by enabling self-hosted plugin repositories, with a software solution to set them up.
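To make the hardening steps above concrete, here is an added example of a must-use plugin that does, on a stock WordPress install, what the fork and the stripping plugin are meant to do: it disables XML-RPC, switches Gravatar off, drops any stylesheet served from fonts.googleapis.com, removes the other out-of-the-box remote references in the page head, and refuses server-side HTTP requests to any host other than the site’s own. This is example code written for this post, not code from the fork or from WordPress itself; it uses only core WordPress hooks (`xmlrpc_enabled`, `pre_option_*`, `style_loader_src`, `pre_http_request`) and assumes it is placed in `wp-content/mu-plugins/` so it loads before any theme or plugin.

```php
<?php
/**
 * Plugin Name: Outbound Connection Lockdown (added example, not part of the original post)
 * Description: Cuts the out-of-the-box remote references discussed in the post (Gravatar,
 *              Google Fonts, XML-RPC, resource hints, emoji script) and blocks server-side
 *              HTTP calls to any host other than the site's own.
 * Install: drop this file into wp-content/mu-plugins/ (assumed path) so it loads first.
 */

defined( 'ABSPATH' ) || exit;

// 1. XML-RPC: disable the endpoint entirely and drop the X-Pingback header that advertises it.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 2. Gravatar: force the "show avatars" option to 0 so no gravatar.com URLs are ever built.
//    Returning a non-false value from a pre_option_* filter short-circuits the DB lookup.
add_filter( 'pre_option_show_avatars', '__return_zero' );

// 3. Google Fonts: blank the src of any stylesheet pointing at fonts.googleapis.com, whatever
//    handle the dashboard or theme registered it under; WP skips a style whose src is empty.
//    (The fork's approach is to ship locally hosted font files instead; this only stops the leak.)
add_filter( 'style_loader_src', function ( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'fonts.googleapis.com' ) ) {
        return '';
    }
    return $src;
} );

// 4. Other out-of-the-box references in <head>: dns-prefetch hints (s.w.org) and the
//    emoji detection script, which loads from s.w.org as well.
remove_action( 'wp_head', 'wp_resource_hints', 2 );
remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );

// 5. Server-side HTTP: refuse every request whose host is not this site's own host and log
//    what was blocked, so remaining phone-home calls become visible in the PHP error log.
//    Note: this also blocks api.wordpress.org, i.e. update checks and plugin installs, which
//    is exactly what the self-hosted plugin repository from objective three is meant to replace.
add_filter( 'pre_http_request', function ( $preempt, $parsed_args, $url ) {
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $host      = wp_parse_url( $url, PHP_URL_HOST );
    if ( $host && $host !== $site_host ) {
        error_log( 'Blocked outbound request to ' . $url );
        return new WP_Error( 'http_request_blocked', 'Outbound HTTP blocked by privacy policy: ' . $host );
    }
    return $preempt; // false: let WordPress perform the request normally
}, 10, 3 );
```

Step 5 is the server-side half only; the browser-side references (fonts, Gravatar images, emoji script) are handled by steps 2 to 4 because they are emitted into HTML, not fetched by PHP. WordPress core also offers the `WP_HTTP_BLOCK_EXTERNAL` and `WP_ACCESSIBLE_HOSTS` constants in `wp-config.php` for the same blocking with an allow-list; the filter version above is used here because it can log what it blocks, which is the quickest way to audit which outgoing connections a clean instance still makes.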

This post is released as a kind of manifesto, describing what will be done in the really near future (I plan the first release before the end of the year). You can follow everything that’s happening on my GitHub account. I invite you to share your thoughts and start collaborating (take a look at the “Contact me!” section on the left).

UPDATE: Thanks for your emails and feedback! You can also join the discussion on Diaspora* or Reddit (thanks Fabián!).
