WP API Privacy
The default WordPress installation from wordpress.org automatically transmits extraneous information via various HTTP calls that occur in the admin. Some of this data may be cause for concern from a privacy perspective.
This plugin seeks to limit that information, attempting to further protect your privacy in the process. Simply install this plugin and activate it, and various aspects of WordPress that are questionable from a privacy perspective will be modified.
To find out about recent changes, please read the Changelog.
Modifications Made
Default outgoing HTTP requests to third-party services, such as the plugin and theme update mechanism at WordPress.org, contain site and version information in the User-Agent header. For example, all requests contain your website name in the form of http://mysite.com, and a version string such as 6.6, giving third parties detailed information about your site. Combining this information with your IP address (which all servers can determine from incoming requests) provides the recipient with potentially intrusive insight into every website using the WordPress platform.
Once active, the plugin can be configured to strip this information so requests do not contain information about the domain name that requested them or which version of WordPress it was using. Some API calls, such as the ones to the plugin listings, also contain a version parameter to filter the associated list of plugins; these are left in.
Plugin And Theme Data
When a default WordPress installation requests information about plugin and theme updates from WordPress.org, it sends detailed information about every plugin and theme on your WordPress site, including all the plugin and theme headers available. This occurs even for private plugins or themes, or plugins and themes that are not hosted on WordPress.org.
After activation, any plugins or themes that update from third-party repositories (as indicated by the Update URI in the plugin header) will be filtered out of all outbound requests.
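To see which installed plugins declare an Update URI, and so which ones to expect missing from outbound update requests, the following added example (not the plugin's own code) scans plugin headers on disk. The 8 KB header window, the one-level directory layout, and treating wordpress.org and w.org hosts as first-party are assumptions of this example.

```shell
#!/bin/sh
# Added example: find plugins whose header declares an off-site Update URI.

# Print the value of the "Update URI" header in a plugin file (empty if absent).
# Assumption: only the first 8 KB is inspected, as WordPress does for headers.
update_uri() {
    head -c 8192 "$1" | tr '\r' '\n' |
        grep -i '^[[:space:]/*#@]*Update URI:' | head -n 1 |
        sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Reduce a header value to a lower-case host name; values without a scheme
# (a bare slug, or "false") are returned as they are, lower-cased.
uri_host() {
    printf '%s\n' "$1" |
        sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' -e 's|[/:?#].*$||' |
        tr 'A-Z' 'a-z'
}

# list_offsite_plugins PLUGINS_DIR
# Print "<plugin file><TAB><host>" for each plugin file that declares an
# Update URI outside wordpress.org / w.org (assumed first-party hosts).
list_offsite_plugins() {
    for f in "$1"/*.php "$1"/*/*.php; do
        [ -f "$f" ] || continue
        uri=$(update_uri "$f")
        [ -n "$uri" ] || continue
        host=$(uri_host "$uri")
        case $host in
            wordpress.org|*.wordpress.org|w.org|*.w.org) continue ;;
        esac
        printf '%s\t%s\n' "$f" "$host"
    done
    return 0
}

# Stand-alone use: sh audit.sh /path/to/wp-content/plugins
if [ "$#" -eq 1 ]; then
    list_offsite_plugins "$1"
fi
```

The resulting list can be compared with what a request logger shows leaving the site after the plugin is activated.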
Core Requests
When WordPress attempts to do a core software update, it sends along detailed information such as your site URL, how many users you have, how many blogs you have, your MySQL version, your PHP version, the type of server you have (e.g. Mac, Linux, Windows, etc.) and all the PHP extensions you have on your site. This information can also be selectively filtered to only provide what's absolutely essential to the WordPress API servers.
Installation
You can install the package either via a ZIP file, or by using Composer. Please note, this plugin is still in active development - please don't install it on any production sites, but feel free to test it on development or less essential sites to help provide feedback.
ZIP File
Navigate to the "Releases" section in the sidebar, and click on the latest release. Inside the release you will see a ZIP file that looks like wp-api-privacy.zip. Simply download that file and then use the WordPress plugin installer in the admin panel to add it.
Composer
You can add the plugin to your website using Composer. First navigate to your main WordPress directory.
Then execute the command:
composer require wp-privacy/wp-api-privacy
This will install the plugin to your wp-content/plugins directory. Once done, navigate to your plugins page in the WordPress admin panel and activate the plugin.
Future Updates
The plugin will automatically fetch updates via the WordPress admin from this GitHub repository using the WordPress update mechanism (you will be notified in the admin when an update is available).
Verification
After installing the plugin, you can also use the "HTTP Requests Manager" plugin to verify the user-agent field has been changed to "WordPress/Private", and that the plugin information is stripped of any plugins hosted off-site.
The following is a list of the most recent releases for this plugin.
- 1.2.3 - Updater Fix
  SHA256 hash: 41969c6a52476dd928d92f771fed0de2cdf3ea5a6132dcded2900d108f63e135
- 1.2.2 - Language update + fixes
  SHA256 hash: 27f516b2f153f640046b0198237b2922a4defb22ef8e757554d1deec87c5702f
- 1.2.1 - Minor Updates
  SHA256 hash: 492535460df0b2dd963f71ee976340f86a400d8c16b09358248fa61b83115b88
- 1.2.0 - Code Improvements
  SHA256 hash: 22f24fd57c8b0450a04ec032e61693b2d4323ff626287d6f7d8873ad2b10a697
- 1.1.9 - Languages update
  SHA256 hash: 24d6126d20bded2a7ab90b82c2df537e01dc97e520ebbda30d3516908a525f14
- 1.1.8 - Updated languages plus more
  SHA256 hash: 90189cf2e11acd2a937cabcb70d8020fccd49f7ae7f2c560b5cec2abe24343c4
- 1.1.7 - Bug fixes
  SHA256 hash: c2872ffbe8e37866c3dfbac02ce85c5c60cab06858975e0069781d612094039f
- 1.1.6 - Settings page
  SHA256 hash: bea6f39f813ffbad97ae93968a17358e1cd105ac43977474940b3982e3b21941
- 1.1.5 - Minor Update
  SHA256 hash: 2c7c39c8d05603cc2de6c723dafcebf752a4b4f22716cbb9d9cf42b7a9a7bdae
- 1.1.4 - Github Updates
  SHA256 hash: 60b79bfb7aa58f83a95370a8b4e48b4284d4cee8be4102024a51636b69785021
- 1.1.3 - Errors + Admin Statistics
  SHA256 hash: 5ba05f3320f1eda77b1334080c06e4e2d37c062924262774b83eab2673b48a54
- 1.1.2 - Composer Updates
  SHA256 hash: 6c58299815f4909a3c7127161e9b5d827269d95b14e45cb1565edda7485552c7
- 1.1.0 - Settings page
  SHA256 hash: 43a8d260c228b4baa3d25df3ed353686aa7675591f11a0974075a4e0262503e5
- 1.0.3 - Bugs fixes, force check
  SHA256 hash: d10696e1b941b96dab44c26b280931e0ed5adf06dd879fd54a53575dabeeea37
- 1.0.2 - Plugin & Theme Filters, Core URL changes
  SHA256 hash: fc4187632e07b93846028baccd3e5d0392346b082c64c0a94b9be1ad55c9ae61
- 1.0.1 - Removed off-site plugins from data sent to WP.org
  SHA256 hash: 583bc19aa193bb7c279f9eb593c13977e1b2dc5dbc4f3943a5131bb38cb3be05
- 1.0.0 - First release
  SHA256 hash: f3a15d027f4101619291d6e2311deeb3ab1495034c3f94ae4b0f94e1052eb0bd
The following is a list of the most recent issues for this plugin.
- Spanish translation
- Delete Setting Option on Uninstall
- Update zh_TW Language Pack for 1.2.1
- Default behaviour
- Working with Git Updater
- Added tr_TR language
- Fatal Error from the GitHub Updater script
- Investigate issue with Git Updater
- Updated zh_TW language pack for 1.1.7
- Persian Language
- Update zh_TW language pack for 1.1.5 new strings
- Maybe add plugin action link for settings screen
- PHP Fatal Error when "network activated"
- Improve I18N Issues
- Some misspelled URI strings in the plugin's main file
- Discussion - count of modifications
- zh_TW language pack from qualified translator
- Maybe use composer/installers to allow for custom install path when using composer
- Discussion - poisoning of data
- Fix use of $plugin instead of $theme
- Plugin won’t update while WP API Privacy is active
Signing Authority
This plugin has designated a signing authority for all future ZIP file releases. That means in the near future, when you download a ZIP file, it will be verified cryptographically using information provided by the designated website, https://plugins.duanestorey.com.
If you are a plugin or theme author, this information is provided in the main plugin or theme file, using the Authority: header.
Hash Verification
ZIP files downloaded via this site have an associated SHA256 hash.
Mac
On Mac, you can use the sha256 command to calculate the hash of a downloaded ZIP file. Open terminal and execute:
sha256 [filename]
Where [filename] is the name of the ZIP file. If the hash matches the one on the website, the ZIP file is genuine.
Linux
On Linux, you can use the sha256sum command to calculate the hash of a downloaded ZIP file. From a shell, execute:
sha256sum [filename]
Where [filename] is the name of the ZIP file. If the hash matches the one on the website, the ZIP file is genuine.
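The manual comparison above can be scripted so that a truncated paste or a mismatch fails loudly instead of being eyeballed. This is an added example, not part of the plugin or its site; the script name verify.sh and the function names are hypothetical, and it tries sha256sum, shasum and sha256 in that order.

```shell
#!/bin/sh
# Added example: check a downloaded release ZIP against its published SHA256.

# Print the SHA256 hex digest of a file with whichever tool is installed.
# Reading from stdin keeps the file name out of the tool's output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'       # Linux
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'   # macOS
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q < "$1"                          # BSD-style sha256
    fi
}

# verify_zip FILE EXPECTED_HASH
# Returns 0 on match, 1 on mismatch, 2 when the check cannot be made.
verify_zip() {
    file=$1
    # Normalise the pasted value: drop whitespace, fold to lower case.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # A truncated or mistyped hash must never count as a match.
    case $expected in
        *[!0-9a-f]*) echo "expected hash is not hexadecimal" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash must be 64 hex digits" >&2; return 2; }
    actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
    [ "${#actual}" -eq 64 ] || { echo "no SHA256 tool produced a digest" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published hash"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Stand-alone use: sh verify.sh wp-api-privacy.zip <hash from the release page>
if [ "$#" -eq 2 ]; then
    verify_zip "$1" "$2"
fi
```

A match shows the file is the one the published hash describes, so the result is only as trustworthy as the channel the expected hash was read from.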
Latest Release
The latest official release is below.
Updater Fix
Download 1.2.3
SHA256 hash: 41969c6a52476dd928d92f771fed0de2cdf3ea5a6132dcded2900d108f63e135
GitHub Repository
This project is located on GitHub in the repository wp-privacy/wp-api-privacy.