“Tweet This” WordPress Plugin Phones Home

Before installing any WordPress plugin, I always examine the plugin's source code for security reasons, which is not a problem for me given my ten years of developing in PHP. However, I don't expect the usual WordPress user to have this kind of knowledge; most of them don't have any experience with PHP at all.

So when I was reading the source code of the Tweet This plugin, I was shocked to see that on both activation and deactivation it automatically transfers the following information to the developer's website:

  • URL of your blog
  • Tweet This version
  • status (activated, deactivated)
  • number of posts in your blog
  • title of your blog
  • description of your blog
  • language of your blog
  • your email address
  • Tweet This plugin settings
  • WordPress version

This is the code snippet taken directly from the plugin's source code. No, I didn't add the "Big brother" comment; that's how it's written in the code:

// Big brother is watching.
function tt_phone_home($status) {
    global $current_site;
    global $wpdb;
    $wpv = get_bloginfo('version');
    $siteURL = $current_site->domain;
    $blogURL = get_bloginfo('url');
    $title = get_bloginfo('name');
    $email = get_bloginfo('admin_email');
    $description = get_bloginfo('description');
    $lang = get_bloginfo('language');
    // number of published posts
    $posts = number_format($wpdb->get_var("SELECT COUNT(*)
        FROM $wpdb->posts WHERE post_status = 'publish'"));
    // the plugin's own settings, as stored in wp_options
    $settings = $wpdb->get_var("SELECT option_value
        FROM $wpdb->options WHERE option_name = 'tweet_this_settings'");
    // everything collected above goes to the developer's server in the query string
    $phone = tt_read_file('http://th8.us/ttph.php?s=' . $siteURL . '&b=' .
        $blogURL . '&v=1.3.9&u=' . $status . '&p=' . $posts . '&t=' .
        urlencode($title) . '&d=' . urlencode($description) . '&l=' .
        urlencode($lang) . '&e=' . urlencode($email) . '&w=' . $wpv .
        '&x=' . urlencode($settings));
}

So if you don't want all this information transferred to the developer, then before activating the plugin simply add a "return;" right after the function definition, leaving the rest untouched:

function tt_phone_home($status) {
    return; // leave the function before anything is collected or sent

That way the function returns right away without calling any URL at all. I'm not saying that the developer is doing anything harmful with that plugin, but I don't see any reason to transfer this information to his server.
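Reading a plugin's source by hand is exactly what caught this, and the same check can be automated. The scanner below is an added example, not code from the post or from the plugin: it flags absolute URL literals to outside hosts, the PHP and WordPress functions that can fetch them, reads of blog identity data via get_bloginfo(), and activation/deactivation hooks, so a site owner can see at a glance what a plugin may send and when. The embedded PHP sample is constructed in the shape of the snippet above; scan_plugin_dir() takes whatever plugin path the caller supplies.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample in the shape of the snippet quoted above (not the plugin's
# real file), embedded so the scanner runs offline.
SAMPLE_PHP = r"""<?php
register_activation_hook(__FILE__, 'tt_activate');
function tt_activate() { tt_phone_home('activated'); }
function tt_phone_home($status) {
    $email = get_bloginfo('admin_email');
    $phone = tt_read_file('http://th8.us/ttph.php?s=' . $siteURL . '&e=' . urlencode($email));
}
function tt_read_file($url) { return file_get_contents($url); }
"""

# PHP/WordPress calls that can reach a remote host.
FETCH_FUNCS = re.compile(
    r"\b(file_get_contents|fopen|fsockopen|curl_init|wp_remote_get|wp_remote_post|wp_remote_request)\s*\(")
# Absolute http(s) URL literals; group 1 is the host.
URL_LITERAL = re.compile(r"""['"]https?://([^/'"?]+)[^'"]*['"]""")
# Blog identity / admin data of the kind the post lists as transmitted.
SENSITIVE = re.compile(r"""get_bloginfo\s*\(\s*['"](admin_email|url|name|description|language|version)['"]\s*\)""")
# Activation/deactivation hooks: code reached from here runs without further user action.
HOOKS = re.compile(r"\b(register_(?:de)?activation_hook)\s*\(")

def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, detail) findings for one PHP source text."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        findings += [(n, "external_url", m.group(1)) for m in URL_LITERAL.finditer(line)]
        findings += [(n, "remote_fetch", m.group(1)) for m in FETCH_FUNCS.finditer(line)]
        findings += [(n, "sensitive_read", m.group(1)) for m in SENSITIVE.finditer(line)]
        findings += [(n, "lifecycle_hook", m.group(1)) for m in HOOKS.finditer(line)]
    return findings

def summarize(source: str) -> Dict[str, object]:
    """Collapse findings into what a reviewer wants to see at a glance."""
    f = scan_php(source)
    return {
        "hosts": sorted({d for _, k, d in f if k == "external_url"}),
        "fetch_calls": sorted({d for _, k, d in f if k == "remote_fetch"}),
        "sensitive": sorted({d for _, k, d in f if k == "sensitive_read"}),
        "hooks": sum(1 for _, k, _ in f if k == "lifecycle_hook"),
    }

def scan_plugin_dir(plugin_dir: str) -> Dict[str, Dict[str, object]]:
    """Summarize every .php file under a plugin directory (path supplied by the caller)."""
    return {str(p): summarize(p.read_text(errors="replace"))
            for p in Path(plugin_dir).rglob("*.php")}

if __name__ == "__main__":
    print(summarize(SAMPLE_PHP))
```

A host listed under "hosts" next to a "remote_fetch" call and a lifecycle hook is the pattern to read closely before activating; the scanner only points at the lines, it does not judge intent.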

