[wp-hackers] Plugin update & security / privacy

Ryan Finnie ryan at finnie.org
Tue Sep 25 18:33:47 GMT 2007

On Sun Sep 23 11:12:56 2007, Alex Günsche <ag.ml2007 at zirona.com> wrote:
> By the way, I was rather shocked when I saw what big bunch of data
> Akismet transmits on connecting to its server. Why the heck does Akismet
> transmit *all* my $_SERVER environment variables? That's a big reason to
> mistrust Akismet, unless there are *very* good reasons for that. And I
> doubt there are any.

Irregardless of WordPress calling home with URL and plugin info (my 2
cents: not too bad, but it should be a core option), people seem to be
glossing over this.  What is Akismet sending during each spam check?


If you have a basic HTTP AUTH (.htaccess, etc) set up on top of
WordPress (or I believe WordPress itself has an option for using HTTP
AUTH instead of cookie sessions), you are sending usernames and

I'm not accusing Automattic of doing this intentionally, but this is a
MAJOR security problem.


More information about the wp-hackers mailing list