Improving WordPress privacy

For several reasons you may want to keep the site you are working on under wraps. It could be because it contains potentially sensitive information, because your client demands it, or simply because you want to be in control.

If privacy is important to you or your clients and you want to work with WordPress, there are a number of things you need to do to prevent your development site from revealing itself by sending information to wordpress.org or other domains.

WordPress phones home by default

By default, WordPress will make a bunch of HTTP requests when you log in to the dashboard. Among other things, it checks for updates to WordPress, plugins, and themes, checks for incoming links, and checks if there is anything new on the WordPress blog. When checking for updates, WordPress also sends some information about your install, and this is where the privacy issues can occur. Check WordPress Phone Home & Privacy for more details.

Preventing disclosure of information

To stop WordPress from leaking information about your site there are several things you need to do.

1. Disable external HTTP requests

The very first thing you should do – before installing WordPress – is add the following to wp-config.php:

define('WP_HTTP_BLOCK_EXTERNAL', true);

That line will block all HTTP requests to all domains except localhost and your site’s URL. You can verify that it is in effect by going to the dashboard and checking the Incoming Links, WordPress Blog, and Other WordPress News panels. They should all say “RSS Error: WP HTTP Error: User has blocked requests through HTTP.”

Alternatively you can add the WP_HTTP_BLOCK_EXTERNAL setting to your theme’s functions.php file, checking if it is already set before setting it:

if ( !defined('WP_HTTP_BLOCK_EXTERNAL') ) {
    define('WP_HTTP_BLOCK_EXTERNAL', true);
}

2. Prevent update checks

The previous setting should take care of all the phoning home business, but just in case that setting is turned off or forgotten, you can add the following to your theme’s functions.php file to prevent update checks for WordPress core, plugins, and themes:

/* Core: returning null from the pre_site_transient filter short-circuits
   get_site_transient(), so the update_core transient is never fetched.
   __return_null ships with WordPress 3.4+; on older versions use
   function( $a ) { return null; } instead. create_function() is gone in PHP 8. */
add_filter( 'pre_site_transient_update_core', '__return_null' );
/* Plugins: stop the check scheduled on the Updates screen, and the transient */
remove_action( 'load-update-core.php', 'wp_update_plugins' );
add_filter( 'pre_site_transient_update_plugins', '__return_null' );
/* Themes: same treatment */
remove_action( 'load-update-core.php', 'wp_update_themes' );
add_filter( 'pre_site_transient_update_themes', '__return_null' );

Making sure you have the latest version of WordPress is generally a very good idea, so you’ll have to remember to check for updates manually if you use this.

If you just want to disable update checking for a private theme or plugin, follow the instructions in Excluding your plugin or theme from update checks.

3. Turn off Update Services

Under Settings - Privacy there is a “Site Visibility” setting where you can choose to make your site visible to everyone or not. If you set this to “I would like to block search engines, but allow normal visitors”, no Update Services will be notified when you publish blog posts. It will also tell search engines not to index anything and not to follow any links.

During development this is a good idea since it reduces the risk of search engines finding their way to – and indexing – your development site. You will likely want to set this to “I would like my blog to be visible to everyone” once the site goes live unless it’s completely private.

More details are available in Settings Privacy SubPanel in the WordPress Codex.

Verifying that nothing gets out

So how can you tell that no information is sent anywhere after taking these precautions? One way, if you’re using Mac OS X, is to install a utility like Little Snitch that monitors your network traffic and lets you decide what is allowed through. It will let you know when any application is trying to make an outgoing Internet connection.
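If you would rather check from inside WordPress than with a desktop firewall, here is an added example (not code from the original post) of a must-use plugin that hooks the WP HTTP API's pre_http_request filter to log every outgoing request WordPress attempts, tagged with the verdict the WP_HTTP_BLOCK_EXTERNAL rule above would give. The file location wp-content/mu-plugins/, the function name and the log prefix are assumptions for this example.

```php
<?php
/*
Plugin Name: Outbound HTTP audit (added example)
Description: Logs every URL WordPress tries to fetch so you can confirm nothing leaves a private site.
*/

/**
 * Runs before every request made through the WP HTTP API, including the
 * update checks and dashboard feeds described in the post. Returning false
 * means "do not short-circuit", so the request proceeds and
 * WP_HTTP_BLOCK_EXTERNAL still decides whether it is actually sent.
 */
function example_log_outbound_request( $preempt, $args, $url ) {
    if ( false !== $preempt ) {
        return $preempt; // another filter already answered this request
    }

    $host      = (string) parse_url( $url, PHP_URL_HOST );
    $site_host = (string) parse_url( home_url(), PHP_URL_HOST );

    // Approximation of the rule the post describes: only localhost and the
    // site's own host get through when WP_HTTP_BLOCK_EXTERNAL is true.
    // (It ignores WP_ACCESSIBLE_HOSTS, if your install defines that allow list.)
    $blocking = defined( 'WP_HTTP_BLOCK_EXTERNAL' ) && WP_HTTP_BLOCK_EXTERNAL;
    $is_local = ( 'localhost' === $host || $site_host === $host );
    $verdict  = ( $blocking && ! $is_local ) ? 'BLOCKED' : 'ALLOWED';

    $method = isset( $args['method'] ) ? $args['method'] : 'GET';
    $line   = sprintf( '[%s] %s %s %s', $verdict, $method, $host, $url );

    // error_log() goes to the PHP error log, or to wp-content/debug.log when
    // WP_DEBUG_LOG is on. Any ALLOWED line with a host you do not recognise,
    // or any BLOCKED line at all if you expected silence, is worth a look.
    error_log( 'wp-outbound ' . $line );

    return false;
}
add_filter( 'pre_http_request', 'example_log_outbound_request', 10, 3 );
```

Open the dashboard once with the plugin active and the log should show the update and feed requests the post describes, each marked BLOCKED when WP_HTTP_BLOCK_EXTERNAL is set.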

A bit of healthy paranoia

Some may think that “firewalling” or “hiding” your WordPress install like this is a bit paranoid. In some cases it may well be, but if you work with clients that have you sign NDAs or similar, or work with content that is only meant for a company intranet, you can never be too careful with what is sent to the outside world.

Better safe than sorry.

Posted on February 2, 2011 in WordPress

Comments are disabled for this post (read why), but if you have spotted an error or have additional info that you think should be in this post, feel free to contact me.