WordPress.org


[resolved] wordpress contains spyware? (26 posts)

  1. fooshoocoo
    Member
    Posted 8 years ago #

    After installing WordPress I immediately began to get lots of hits in my server logs from bots visiting the URL where I installed. I have never given this URL to anyone, published it anywhere or accessed it from any remote machine. I suppose it is possible that the bots guessed the URL (xxx.com/wordpress) but I don't recall seeing any entries for this URL before the day I installed.

    So, does WordPress have some sort of spyware in it that reports details of where it has been installed to a central server, from where it can be harvested by bots?

  2. jaseone
    Member
    Posted 8 years ago #

    Most if not all blogging software notifies services such as Technorati with each new post that you make by default, for further information please see:

    http://codex.wordpress.org/Update_Services

  3. fooshoocoo
    Member
    Posted 8 years ago #

    OK, I read the docs and removed all the update service URLs listed under "Update Services" on the Options->Writing administration screen. Since then everything has been well and no foreign machines have attempted to access my blog.

    Until tonight. I posted a new entry on my blog and *within 3 seconds* that specific entry was downloaded by a host called theta.flatline.de.

    WordPress still appears to be leaking my information somehow. What is going on?

  4. Mark (podz)
    Support Maven
    Posted 8 years ago #

    I doubt WP is leaking information. I have a couple of hidden blogs that no SE has found.

    But you pinged once. That was enough for the address to get out. And as for http://theta.flatline.de/ ?

    Any site doing that, but saying "There's Nothing here." is dodgy.

    http://www.dnsstuff.com/tools/whois.ch?ip=flatline.de

  5. Denis de Bernardy
    Member
    Posted 8 years ago #

    Your problem comes from spam bots. Some spammers track new blogs via update services and add the feeds to their tracking list. Think of these as email spam lists: Once you're on one, you might as well change emails.

  6. fooshoocoo
    Member
    Posted 8 years ago #

    my blog uses HTTP authentication to password protect all pages so there is no way anyone who indexed it in the past could obtain any new info from crawling it.

    and this site didn't just attempt to download the index page - it tried to download the specific URL of the latest entry within 3 seconds of that entry being posted.

    it didn't succeed in getting the post because it didn't have the password to authenticate, but it knew the post was there, and there is no way it could have done that unless wordpress told it.

  7. Mark (podz)
    Support Maven
    Posted 8 years ago #

    WordPress does not contain spyware - or any other *ware.

  8. fooshoocoo
    Member
    Posted 8 years ago #

    OK, I've worked out what it is doing.

    The blog entry I posted contained a link to the website http://gimpfoo.de. This website is hosted on the same machine as theta.flatline.de. Upon posting the entry, WordPress is connecting to this machine and telling it about the link. Theta then attempts to connect back and download the entry.

    It's not malicious, but it is certainly information leaking and those who are paranoid such as myself would consider it spyware.

  9. Mark (podz)
    Support Maven
    Posted 8 years ago #

    It was a ping.

    Ping=spyware ?

    May I suggest that if you do not want information 'leaking out' that you remove it from the net ?

  10. fooshoocoo
    Member
    Posted 8 years ago #

    your suggestion is not helpful. are you really claiming that i have no right to expect my machines to be online and accessible for my own limited purposes and also secure and inaccessible to unauthorised uses? that security is unobtainable, so we should simply open up our machines to spyware, viruses and crackers? and that the only other alternative is to unplug them?

    a real ping is an ICMP packet and it doesn't contain any information like URLs. if my machine was sending out pings to strange hosts i wouldn't consider it spyware but i would consider it an indication of a security problem, that something was wrong, that something couldn't be trusted.

    these 'pings' wordpress sends are not simple ICMP packets. i didn't enable any option for these 'pings' and i have not yet been able to find the option to turn them off, so yes, i do consider them a form of spyware. spyware is any software that sends out information about me without asking me first if i want that information sent out. yes, this definition probably does include a lot of closed-source software that 'phones home', but that's why i'm running open source software. i assumed that if anyone tried to put stuff like that into an open source project, the 'many eyes' would find it and remove it.

    in this case, no harm was done, but i'm not going to run wordpress again until i have time to do a full code audit. i don't even know what these 'pings' contain. i'm assuming it is just a URL, but for all i know it could be a post title, a post abstract, or even the full body of a post. on a private site that contains sensitive information that risk is not acceptable.

  11. Michael Bishop

    Posted 8 years ago #

    And I assume you've disabled all RSS feeds that are by default "on"?

  12. Jonathan Dingman
    Member
    Posted 8 years ago #

    Are you serious? If you don't want anyone reading it or attempting to check it, why don't you just load the software on a private local server that isn't connected to the internet. That way no SE bot or spam bot could ever reach it.

  13. error
    Member
    Posted 8 years ago #

    The option to turn that off is right there in Options » Discussion. "Attempt to notify any Weblogs linked to from the article (slows down posting.)" Turn it off, take out the update services (you said you already had) and enjoy the silence.

    And please understand the reason these things are in there is because the blogosphere is interconnected, and 99.999999999% of users want these interlinking features.

  14. Ryan Boren
    WordPress Dev
    Posted 8 years ago #

    Not an ICMP ping, but a pingback. See the Introduction to Blogging.

  15. Michael Bishop

    Posted 8 years ago #

    i didn't enable any option for these 'pings' and i have not yet been able to find the option to turn them off

    When at the write page, there are two boxes, one for Allow comments, one for Allow Pings. I assume you also unchecked those?

  16. RustIndy
    Member
    Posted 8 years ago #

    In the Options screen under the Discussion tab, you can disable pings by unchecking Attempt to notify any Weblogs linked to from the article (slows down posting.).

    Pings, when in the context of a blog or other CMS-style system, do not refer to ICMP pings or echo commands. A blog ping lets a site know that you've linked to them from your site. It's really called a "pingback", and sites are free to ignore them. For total privacy, also uncheck Allow link notifications from other Weblogs (pingbacks and trackbacks.) on that page, and remove any entries under Update Services on the Options/Writing page. After doing this, only sites that already know your address (or sites that get it from them) will know where your blog is.

  17. Mark (podz)
    Support Maven
    Posted 8 years ago #

    are you really claiming that i have no right to expect my machines to be online and accessible for my own limited purposes and also secure and inaccessible to unauthorised uses?
    No, but why then are you using software you had not thoroughly investigated first?

    i didn't enable any option for these 'pings' and i have not yet been able to find the option to turn them off
    Your as yet non-existent code audit would have found an option on Options > Discussion. Helpful Hint - The line "Attempt to notify any Weblogs linked to from the article (slows down posting.)" means "Tell the world !!!!"

    spyware is any software that sends out information about me without asking me first if i want that information sent out.
    How locked down is your browser? I can see your IP - did you know that? Who is spying there then - me for seeing it or your browser for helpfully handing over that information? How locked down is your whole OS?

    that's why i'm running open source software.
    Open source software does not contain spyware ? That's a new one on me.

    but i'm not going to run wordpress again until i have time to do a full code audit
    I'd not trust it again ..oh no. Why not rewrite it ?

    i don't even know what these 'pings' contain
    You didn't know about pings, but you claim a standard you do know about. Hmm.....

  18. RustIndy
    Member
    Posted 8 years ago #

    C'mon, so he didn't know about blog functionality in modern blogwares. No need to be hard on him for it. We all have to start somewhere, yes?

    Anyhow, now he knows where the options are to turn off notifications of any type that his blog will send out by default (which, as said, 99% of bloggers want turned on, which is why they're on by default), and he'll know better the next time he installs software he hasn't bothered to research :)

    BTW (and someone please correct me if I'm wrong), but I think a pingback only contains the blog address and a timestamp - the excerpt and body are almost certainly not part of the information sent.
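For readers following the question raised in posts 8, 14, 16 and 18 about what a pingback actually transmits, here is a small added model of the exchange defined by the Pingback 1.0 specification (example code; it is not WordPress code and not code from anyone in this thread). The notification is an XML-RPC call `pingback.ping(sourceURI, targetURI)` carrying exactly two URLs, and the receiving site is required to fetch the source URL to verify the link before accepting it, which is the immediate call-back to the new entry observed in post 6. All URLs and HTML below are constructed sample values.

```python
"""Minimal model of a Pingback 1.0 exchange (added example, not WordPress code).

Sender side: serialise pingback.ping(sourceURI, targetURI).
Receiver side: parse it, fetch the source post, and accept the pingback only
if the page exists and really links to the target. Fault codes are the ones
defined by the Pingback 1.0 specification."""
import xmlrpc.client

# Constructed sample values: the post that contains the link, and the page it links to.
SOURCE_POST = "https://blog.example/2006/05/new-entry/"
LINKED_PAGE = "http://linked.example/"

FAULT_SOURCE_MISSING = 0x0010   # source URI does not exist (or could not be fetched)
FAULT_NO_LINK = 0x0011          # source URI exists but does not link to target


def build_pingback(source_uri, target_uri):
    """Sender: the complete request body a pingback client transmits.
    Note what is disclosed: the two URLs, and nothing else (no title, excerpt or body)."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


def parse_pingback(body):
    """Receiver: recover (sourceURI, targetURI) from the XML-RPC request body."""
    params, method = xmlrpc.client.loads(body)
    if method != "pingback.ping" or len(params) != 2:
        raise ValueError("not a pingback.ping call")
    return params


def handle_pingback(body, fetch):
    """Receiver: verify before registering. `fetch(url)` stands in for the HTTP GET
    of the source post and returns the HTML, or None when the fetch fails
    (for example HTTP 401 from a password-protected blog, as in this thread).
    Returns (fault_code, message); fault_code 0 means the pingback was accepted."""
    source, target = parse_pingback(body)
    html = fetch(source)
    if html is None:
        return FAULT_SOURCE_MISSING, "source URI does not exist"
    if target not in html:
        return FAULT_NO_LINK, "source URI does not link to target"
    return 0, "Pingback from %s to %s registered" % (source, target)


if __name__ == "__main__":
    body = build_pingback(SOURCE_POST, LINKED_PAGE)
    print(body)  # the entire payload that leaves the sending blog
    # Verification fetch blocked by HTTP authentication: nothing is registered.
    print(handle_pingback(body, lambda url: None))
    # Verification fetch succeeds and the link is present: pingback accepted.
    print(handle_pingback(body, lambda url: '<a href="%s">x</a>' % LINKED_PAGE))
```

Running the script prints the whole outgoing payload, so a site owner can see exactly which information a pingback discloses and why the linked host tries to fetch the post immediately afterwards.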

  19. Dgold
    Member
    Posted 8 years ago #

    I think WordPress would do the most benefit for the widest variety of users, if WordPress would take into account that some people might want to use it for something other than a public blog.

    It sure would make a great article on Codex: all the things you need to disable to have your WordPress notify no-one. Disable RSS entirely, turn off pings, turn off trackbacks, turn off register user...

    That's tricky how you install the software, make one test post, and your URL is known from then on by Google et al. Unless you think of the options to disable before you do anything. For me, right now for some reason Technorati knows my old test-site URL that I moved to my current URL.

  20. RustIndy
    Member
    Posted 8 years ago #

    Actually, that does bring up a good question - does WP notify http://rpc.pingomatic.com/ when it's installed because of the default post?

  21. shep
    Member
    Posted 8 years ago #

    there is a piece of software that allows no one to read what you write besides you, it's called a pen and paper. (or would that be hardware?) :P

  22. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Technorati is fetched as soon as you login for the very first time. It's the dash ....

  23. RustIndy
    Member
    Posted 8 years ago #

    Technorati is fine, I'd imagine. I'm curious about services that would display a public link to your blog, like Pingomatic, being notified because of the default post that's created when you install WP. Or does that notification only go out when you start creating new posts?

  24. vkaryl
    Member
    Posted 8 years ago #

    Yep. You simply open the dash files in an editor FIRST - and get all that crap out of there before you upload....

  25. Michael Bishop

    Posted 8 years ago #

    Dgold, are you volunteering to take this thread and pull the meat off the bone for the codex? That's great! ;)

  26. Dgold
    Member
    Posted 8 years ago #

    No, miklb. I want to READ the article, when someone who knows how to do these things writes it.

    I'm just a novice WP user who would like to keep some of my WP installations more quiet and others pinging the public.

Topic Closed

This topic has been closed to new replies.