Anne van Kesteren

Spyware in WordPress nightlies

Robbert Broersma just showed me something nasty from the WordPress camp. If you download a recent nightly and open the file wp-admin/admin-footer.php you get this nasty little thing:

<img src="" alt="Get Firefox" />

Next week Matt releases a new plug-in on his website, called “how-many-times-did-you-login-to-your-admin-area-today.php”, which enables him to list the number of admin pages you opened today next to your comment. How’s that?
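
A check one could run over an unpacked nightly to find markup that makes the admin's browser contact a third-party host on every page load, as the `<img>` above does. This is an added example, not code from the post or from WordPress; `find_remote_fetches`, the sample template and the host `static.example.org` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src attribute is fetched automatically when the page renders.
AUTO_FETCH_TAGS = {"img", "script", "iframe", "embed"}

class RemoteFetchFinder(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.hits = []  # (line, tag, host)

    def handle_starttag(self, tag, attrs):
        if tag not in AUTO_FETCH_TAGS:
            return
        src = dict(attrs).get("src") or ""
        try:
            host = urlsplit(src).hostname  # None for relative URLs
        except ValueError:
            return  # malformed URL, nothing to resolve
        if host and host not in self.allowed:
            self.hits.append((self.getpos()[0], tag, host))

def find_remote_fetches(source, allowed_hosts=()):
    """Return (line, tag, host) for each auto-fetched off-site resource."""
    # Blank out PHP blocks, keeping newlines so line numbers still match.
    html = re.sub(r"<\?.*?(?:\?>|\Z)",
                  lambda m: "\n" * m.group(0).count("\n"), source, flags=re.S)
    finder = RemoteFetchFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample, not the real wp-admin/admin-footer.php.
SAMPLE = """<?php
// footer template (constructed)
?>
<div id="footer">
<img src="images/logo.png" alt="logo" />
<img src="http://static.example.org/getfirefox.png" alt="Get Firefox" />
<?php echo $version; ?>
</div>
"""

if __name__ == "__main__":
    for line, tag, host in find_remote_fetches(SAMPLE):
        print(f"line {line}: <{tag}> loads from {host}")
```

Passing the site's own hostname in `allowed_hosts` leaves only third-party fetches in the result, which is the list worth reviewing before installing a build.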


  1. Even the idea of a banner not giving information to WordPress regardless of what's on it sounds pretty stupid to me. Although this'd be ten times worse...

    Posted by Frenzie at

  2. Jeez, talk about overreacting.

    Posted by Michel Vuijlsteke at

  3. Okay, maybe it isn't the best idea to have the image remote, but labelling it spyware is going a bit too far I'd say. If you are that bothered you could remove the code easily.

    Posted by Turnip at

  4. Well, it's not as if this is new. I pointed this out in June, and got hate mail from WP fanbois in return.

    When are you going to switch, Anne?

    Posted by Moose at

  5. Some people create, some only criticize.

    Posted by Michiel at

  6. Good thing I am in the creating camp, right, Michiel?

    Posted by Robbert Broersma at

  7. Hahaha! Nice one Anne!

    Posted by Mark Wubben at

  8. Now Photomatt can launch a “Who is reading Anne’s feed using a b0rked feed reader?” service. Sage treated the XHTML content as entity-encoded tag soup and loaded the image!

    Posted by Henri Sivonen at

  9. Whether it becomes true spyware or not remains to be seen. It does, however, mean that it is already ad-ware. For shame. Misdirected zeal can have bad consequences.

    To the "fanboiz": if you want people to take you seriously, you gotta accept criticism (valid or not) with grace. Criticism of a product is not smacking down its developers or users. Jumping down any and everyone's throat because they won't overlook WP's weaknesses does not help WordPress, it makes WP look stupid and you an @ss.

    Posted by Mary at

  10. A little off topic, but Henri, the text loaded OK in Sage for me (version 1.3).

    Criticism: valid. Calling it spyware: probably an overreaction.

    Posted by Rob at

  11. Well, per definition I think we are correct in calling it spyware. It does track usage and other information your browser sends when it requests the file.

    However, this post should not be taken as seriously as some of the people here seem to take it. As you can clearly see in the second paragraph of the post, it was not really intended that way.

    Posted by Anne at

  12. is entirely static content with permanent addresses and there is no logging on the host. If it still bothers you it would be trivial to write a plugin to eliminate the image using an output buffer and str_replace. You could also block from your machine using a HOST file. Why Firefox? It's open-source, like WP, and it is the most featureful browser available for the WP experience.

    Posted by Matt at

  13. Surely, we know that it could easily be removed (using Firefox, just click "block images from" ;-) But hey, that is like saying: if SoftwarePackage 3 were open source, it would be okay to send sneaky messages to their servers, since that part of the code could easily be removed.

    This isn't a big thing, but then again: why didn't you just include it in the .tar.gz package? You did that with the WordPress logo, and other images... That's what makes it so hard to believe that there's no logging on that server. I can see no reason whatsoever to serve such an image on your own server besides checking how many WordPress installations are in use...

    Posted by Robbert Broersma at

  14. Rob: I am using Sage 1.3, too. Bug filed.

    Posted by Henri Sivonen at

  15. Anne, you're correct per definition. I've come to associate spyware with the same kind of evil as spam. Given WordPress' contribution to open source software it's easy to jump to Matt's defense. Robbert's got a point though, why not just put the image in the package?

    Posted by Rob at

  16. Why don't you mark code with [code]?

    Posted by NeefRoel at

  17. Because it does not preserve whitespace by default and is an inline element per HTML 4.01 where I need a block level element.

    Posted by Anne at

  18. We need <blockcode />! ;p

    Posted by Laurens Holst at

  19. Blockcode? Already covered:


    Posted by david gouch at