This absolutely astonishing. I cannot believe they would be doing this although I had my suspicions.
This demands a quick and open response from Wordfence.
You really have nothing to say about this (without using weasly language)? Well, that actually says quite a lot…
Incorrect.
The information you reference above is stored in your own database, not ours.
We don’t send your visitor stats to our servers. We don’t send entry or exit points to our own servers. We don’t send which domain visitors come from to our servers. And we don’t send browser types to our servers. ALL of that is stored in your OWN mysql wordpress database.
What we do send to our servers is aggregated data that is anonymized to help block attacks. We also send checksums (technically hashes) of your files to facilitate scanning.
Our code is 100% open source, so please inspect it yourself to verify what I’m saying above.
Regards,
Mark Maunder – Wordfence Founder/CEO.
Mark, thanks for your reply.
I’ve changed this to ‘not a support question’ because ‘resolved’ seems a bit too enthusiastic!
How about the visitors IP addresses, you don’t mention it but do you send those to your servers? That’s what actually triggered my reaction and I think that would be the worst privacy violation.
Other than that, what you say sounds good but seems to contradict your company privacy policy… So, are you going to update the privacy statement on your website to reflect your statements here?
Quote from your website (emphasis mine):
The Company monitors statistics such as how many people visit your website, the visitor’s IP address, pages visited, entry and exit points, from which domains visitors come and browser types. This data is used to provide the Services. This non-personally-identifiable information may be shared with third-parties …
The statement above is ambiguous at best and can clearly be interpreted such that you consider visitor IP addresses as ‘non-personally-identifiable information’ and that you are free to share that information as you please.
Until your official statement is changed to an unambiguous one with sound privacy rules I wouldn’t even think of using Wordfence.
Inspecting the source – are you serious? So I would have to audit your source (and keep track of all changes) just to keep you in check, while you should have a decent privacy policy in the first place? That’s just ridiculous. The right thing to do is to improve your privacy policy.
