Category Archives: WordPress and other CMS

Automattic sold your site data for years

If you installed and activated the popular Jetpack plugin on a self-hosted WordPress web site after 2013, and didn’t bother to read the fine print when accepting Jetpack’s Terms of Service, Automattic (the company that makes Jetpack) surreptitiously gathered your site’s data and sold it to social media and data analytics companies.

Jetpack is a free plugin that adds a useful collection of features to WordPress, including social media buttons and sharing, Markdown support, security, backups, anti-spam, stats, and so on. Some of these features have been very useful for the sites I’ve managed over the years.

How was Automattic able to do this?

There’s a somewhat hidden setting that controls whether Jetpack siphons data from your site and sends it to the Automattic mothership. Navigate to the Jetpack Dashboard, scroll to the bottom of the page, and click ‘Modules’. The setting you’re looking for (prior to Jetpack 13.3) is ‘Enhanced Distribution’. It should be named ‘Donate your content to Automattic and allow them to sell it and keep all the proceeds’.

Even if all the more obvious Jetpack features are disabled, if ‘Enhanced Distribution’ is enabled, Jetpack is sending your data to Automattic.

Making matters even worse, Jetpack updates have a nasty habit of re-enabling previously-disabled features or reverting to default settings. Whether this affected ‘Enhanced Distribution’ or not is unclear.

The Firehose

Automattic sold your site data as part of a product called Firehose, which potentially contained all of the original content from your site. Here’s the first paragraph from the Firehose product page:

WordPress publishers and visitors produce thousands of new posts and comments every hour. These content streams are available in three real-time formats from redundant servers. These streams are intended for partners like search engines, artificial intelligence (AI) products and market intelligence providers who would like to ingest a real-time stream of new content from a wide spectrum of publishers.

What does Automattic say about this?

A recent post on the wordpress.org support forum asked about Jetpack Backup & AI. Here’s how Automattic responded:

They will retire Firehose, but…

We have sold our Firehose to social and data analytics companies, and we have also used some distribution partners (like Socialgist) to sell the Firehose to these types of end users.

The release notes for Jetpack 13.3 (2024-April-03) show this: “Enhanced Distribution: begin deprecation process as the Firehose is winding down.” The only obvious difference is that ‘Enhanced Distribution’ is no longer listed on Jetpack’s Modules page. Hopefully that means the option is now also disabled for all sites, not just further hidden.

They never sold to AI companies and don’t plan to

Neither we nor our distribution partners sell the Firehose to any companies that are training LLMs or to any generative AI companies.

Enhanced distribution is a feature that was released in 2013 with the purpose of driving traffic by giving blogs additional readership in the WordPress.com Reader. Content from those sites was gathered with approval by accepting the terms of service. Our partners were social and data analytics companies.

Automattic also published an article titled ‘Protecting User Choice’, a response to concerns about selling data to AI companies.

Okay, but…

If you were about to point out that posting anything on a public-facing web site makes it available for anyone to use: okay, sure, but Automattic SOLD the data they gathered. I never expected to make any money from this site, but that doesn’t mean I’m happy about anyone else making money from it.

Recommendations

Stop using Jetpack. Automattic has done, is doing, and will in all likelihood continue to do some shady things. I regret ignoring the advice I received years ago to stop using Jetpack, and can only hope that any damage caused to clients due to my recommendation and use of Jetpack is minimal.

If you can’t avoid using Jetpack, please disable the ‘Enhanced Distribution’ module. Unfortunately, if you’re using version 13.3, it’s not clear how this can be accomplished.
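Whatever the Modules page shows, the stored module list can be read directly. The script below is an added example, not code from this post or from Automattic. It assumes WP-CLI is installed, that Jetpack keeps its active modules in the `jetpack_active_modules` option, and that the module's slug is `enhanced-distribution`; neither name appears in the post, so verify both against your installed Jetpack version.

```shell
#!/bin/sh
# Added example: audit self-hosted WordPress installs for an active
# Jetpack 'Enhanced Distribution' module by reading the stored module list.
# Usage: sh audit.sh /path/to/site1 /path/to/site2
# Assumptions (not stated in the post): the option name and module slug.
OPTION="jetpack_active_modules"
SLUG="enhanced-distribution"

# classify_modules JSON -> prints ENABLED, DISABLED or UNKNOWN.
# JSON is the output of: wp option get "$OPTION" --format=json
# (a JSON list, or an object with numeric keys if the array has gaps).
classify_modules() {
    json=$1
    if [ -z "$json" ]; then
        echo UNKNOWN        # option missing, Jetpack absent, or wp failed
        return 0
    fi
    # Match the quoted slug so a longer slug sharing the prefix is ignored.
    if printf '%s' "$json" | grep -q "\"$SLUG\""; then
        echo ENABLED
    else
        echo DISABLED
    fi
}

# audit_site PATH -> prints "PATH<TAB>STATE" for one WordPress install.
audit_site() {
    site=$1
    json=$(wp option get "$OPTION" --format=json --path="$site" 2>/dev/null) || json=''
    printf '%s\t%s\n' "$site" "$(classify_modules "$json")"
}

# audit_all PATH... -> non-zero if any site is ENABLED or UNKNOWN,
# so the script can gate a cron job or a deployment check.
audit_all() {
    rc=0
    for site in "$@"; do
        line=$(audit_site "$site")
        echo "$line"
        case $line in *DISABLED) ;; *) rc=1 ;; esac
    done
    return $rc
}

# Run only when site paths are given on the command line.
if [ "$#" -gt 0 ]; then
    command -v wp >/dev/null 2>&1 || { echo "wp (WP-CLI) not found" >&2; exit 2; }
    audit_all "$@"
fi
```

Re-running it after every Jetpack update shows whether an update changed the stored module list.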

Most of the features provided by Jetpack can be found in other free plugins. Switching to alternatives for the functions you actually need has the additional advantage of eliminating the overhead of what is now quite a bulky Jetpack.

Here are a few alternatives to Jetpack for specific functionality:

And there are many more possibilities. Jetpack certainly was a handy and simple way to add a lot of useful functionality to WordPress. But Automattic has demonstrated that they are willing to sneakily sell your site data, and I just can’t trust them anymore.

Joomla 3.7

WordPress is the current king of Content Management Systems, but there are others, including Joomla. Web sites built on popular CMS software are enticing targets for malicious hackers, because the people who manage such sites often lack the skills to keep them secure. Keeping a CMS-based site secure mainly involves keeping the CMS software up to date.

Joomla 3.7 — released yesterday — includes over 700 improvements, eight of which are related to security. Several of the security vulnerabilities addressed affect versions of Joomla going back to 1.5 and 2.5.

Joomla 1.0 through 2.5 are no longer supported. If you’re running a site that uses those older versions of Joomla, you should upgrade to 3.7 as soon as possible, as the site is otherwise likely to be hacked.

If you run a Joomla 3.x site, you should update it to 3.7 as soon as possible. If your site currently runs Joomla 3.6.x, it’s a single click update, so there’s no excuse not to do it.

WordPress 4.7.2 – security update

Most WordPress sites are configured to automatically update themselves when a new version becomes available. Still, anyone who manages any WordPress sites should make sure they are up to date with version 4.7.2, released yesterday.

WordPress 4.7.2 addresses three serious security vulnerabilities. You can find all the details in the release announcement.

Update 2017Feb02: Apparently WordPress 4.7.2 included a fix for a fourth security vulnerability, which wasn’t announced until February 2. The vulnerability is so severe that the WordPress developers didn’t want to risk anyone knowing about it until the majority of WordPress sites were updated.