Improving WordPress privacy
For several reasons you may want to keep the site you are working on under wraps. It could be because it contains potentially sensitive information, because your client demands it, or simply because you want to be in control.
If privacy is important to you or your clients and you want to work with WordPress, there are a number of things you need to do to prevent your development site from revealing itself by sending information to wordpress.org or other domains.
WordPress phones home by default
By default, WordPress makes a bunch of HTTP requests when you log in to the dashboard. Among other things, it checks for updates to WordPress, plugins, and themes, checks for incoming links, and checks whether there is anything new on the WordPress blog. When checking for updates, WordPress also sends some information about your install, and this is where the privacy issues can occur. Check WordPress Phone Home & Privacy for more details.
Preventing disclosure of information
To stop WordPress from leaking information about your site there are several things you need to do.
1. Disable external HTTP requests
The very first thing you should do – before installing WordPress – is add the following to wp-config.php:
define('WP_HTTP_BLOCK_EXTERNAL', true);
That line will block all HTTP requests to all domains except localhost and your site’s URL. You can verify that it is in effect by going to the dashboard and checking the Incoming Links, WordPress Blog, and Other WordPress News panels. They should all say “RSS Error: WP HTTP Error: User has blocked requests through HTTP.”
Alternatively you can add the WP_HTTP_BLOCK_EXTERNAL setting to your theme’s functions.php file, checking if it is already set before setting it:
if ( ! defined( 'WP_HTTP_BLOCK_EXTERNAL' ) ) {
    define( 'WP_HTTP_BLOCK_EXTERNAL', true );
}
2. Prevent update checks
The previous setting should take care of all the phoning home business, but just in case that setting is turned off or forgotten, you can add the following to your theme’s functions.php file to prevent update checks for WordPress core, plugins, and themes:
/* Core: returning a non-false value from the pre_site_transient filter short-circuits the update check.
   __return_null is a WordPress helper; create_function() is removed in PHP 8 and must not be used. */
add_filter( 'pre_site_transient_update_core', '__return_null' );
/* Plugins */
remove_action( 'load-update-core.php', 'wp_update_plugins' );
add_filter( 'pre_site_transient_update_plugins', '__return_null' );
/* Themes */
remove_action( 'load-update-core.php', 'wp_update_themes' );
add_filter( 'pre_site_transient_update_themes', '__return_null' );
Making sure you have the latest version of WordPress is generally a very good idea, so you’ll have to remember to check for updates manually if you use this.
If you just want to disable update checking for a private theme or plugin, follow the instructions in Excluding your plugin or theme from update checks.
3. Turn off Update Services
Under Settings - Privacy there is a “Site Visibility” setting where you can choose to make your site visible to everyone or not. If you set this to “I would like to block search engines, but allow normal visitors”, no Update Services will be notified when you publish blog posts. It will also tell search engines not to index anything and not to follow any links.
During development this is a good idea since it reduces the risk of search engines finding their way to – and indexing – your development site. You will likely want to set this to “I would like my blog to be visible to everyone” once the site goes live unless it’s completely private.
More details are available in Settings Privacy SubPanel in the WordPress Codex.
Verifying that nothing gets out
So how can you tell that no information is sent anywhere after taking these precautions? One way, if you’re using Mac OS X, is to install a utility like Little Snitch that monitors your network traffic and lets you decide what is allowed through. It will let you know when any application is trying to make an outgoing Internet connection.
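A server-side complement to Little Snitch, added here as an example and not part of the original post: a must-use plugin that enforces the block from step 1 and records every outbound request WordPress attempts, marking whether the block stopped it. It assumes the file is dropped into wp-content/mu-plugins/ (loaded automatically), that PHP's error_log() reaches your web server's error log, and uses an option name (outbound_audit_log) of my own choosing; WP_HTTP_BLOCK_EXTERNAL, WP_ACCESSIBLE_HOSTS, the pre_http_request filter and WP_Http::block_request() are WordPress's own.

```php
<?php
/*
Plugin Name: Outbound Request Audit
Description: Added example, not from the original post: enforces the outbound block and records every request WordPress tries to make.
*/

// Belt and braces: enforce the block even if wp-config.php was not edited.
if ( ! defined( 'WP_HTTP_BLOCK_EXTERNAL' ) ) {
	define( 'WP_HTTP_BLOCK_EXTERNAL', true );
}
// To let a client-approved host through, list it (comma separated, '*' wildcards
// allowed) in WP_ACCESSIBLE_HOSTS in wp-config.php instead of lifting the block.

// Runs before WP_Http decides whether to send. Returning $preempt unchanged
// (false) leaves the normal path, including the block check, intact.
add_filter( 'pre_http_request', function ( $preempt, $parsed_args, $url ) {
	$method  = isset( $parsed_args['method'] ) ? $parsed_args['method'] : 'GET';
	$blocked = ( new WP_Http() )->block_request( $url ); // the same decision core makes
	$entry   = sprintf( '%s %s %s', $blocked ? 'BLOCKED' : 'ALLOWED', strtoupper( $method ), $url );

	error_log( '[outbound-audit] ' . $entry ); // lands in the PHP / web server error log

	// Keep the last 20 attempts (option name is this example's own) for review in the dashboard.
	$log   = (array) get_option( 'outbound_audit_log', array() );
	$log[] = current_time( 'mysql' ) . ' ' . $entry;
	update_option( 'outbound_audit_log', array_slice( $log, -20 ), false );

	return $preempt;
}, 10, 3 );

// Show the recorded attempts to administrators so the check is visible without shell access.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	$log = (array) get_option( 'outbound_audit_log', array() );
	if ( empty( $log ) ) {
		return;
	}
	echo '<div class="notice notice-info"><p><strong>Outbound request audit</strong></p><pre>'
		. esc_html( implode( "\n", $log ) ) . '</pre></div>';
} );
```

After logging in to the dashboard you should see only ALLOWED entries for localhost or your site's own host and BLOCKED entries for everything else; an ALLOWED entry for any other host means the block is not in effect or the host is in WP_ACCESSIBLE_HOSTS.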
A bit of healthy paranoia
Some may think that “firewalling” or “hiding” your WordPress install like this is a bit paranoid. In some cases it may well be, but if you work with clients that have you sign NDAs or similar, or work with content that is only meant for a company intranet, you can never be too careful with what is sent to the outside world.
Better safe than sorry.