ATTN Wordpress Users: Google Is Spying On You With Fonts!

CCarter

CCarter

Final Boss ®
Moderator
BuSo Pro
Boot Camp
Digital Strategist
Joined
Sep 15, 2014
Messages
4,341
Likes
8,855
Degree
8
Zw4PXNg.jpg


Wordpress is at it again! First they added those extra http calls for emoji which @Ryuzaki talked about, NOW they've got a Google font specifically in the admin area of your PBN, which doesn't show up in the visitor area!! This basically means that every time you log into wordpress admin Google knows it's you and your IP.

Now you are thinking, how is that bad? If you've been hiding your footprints from Google by not using Google Chrome, Google Analytics, Google DNS, Google internet service, and and the ducking the myriad of other Google traps to track you - you just wasted your time, cause now Google Font is being called back as soon as you login to your admin. "But, who avoids all those services CCarter?" People running PBN (Private Blog Networks) that do not want Google even getting a signal that they are all controlled or owned by the same person, now every wordpress login even the first one is sent to Google...

They laughed at him when he said "Don't use Wordpress anymore, it's getting too big and will become a security risk" - Who's laughing now...

Sauce: Important: Google WordPress Font Tracking

Google’s privacy statement for the font use says “we detect which websites are using Google Fonts”.

https://developers.google.com/fonts/faq#Privacy

Google’s general privacy policy states the company collects information from various technologies and may combine it with personal information. The policy also says “We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google…”

http://www.google.com/policies/privacy/#infouse

There is a WordPress plugin that disables the font call:

https://wordpress.org/plugins/disable-google-fonts/

However, if you log into the WordPress admin area to install the plugin it’s too late. Google just got your data. But it’s better than nothing.

There is further discussion about privacy issues on the WordPress developers blog:

https://make.wordpress.org/core/2013/11/11/open-sans-bundling-vs-linking/

In addition to the WordPress core, some themes, including pre-installed themes all call the Google font. But I feel the bigger concern is admin area and information given to Google, even without a cookie, which can be used to connect websites together – even match them with particular users.

Ultimately, since the font call is made immediately upon logging into the WordPress admin area for the first time, it seems to me the identification trigger can only be avoided by modifying the core WordPress files before logging in. While doable, it presents a possible nightmare because WordPress continually updates and some have WordPress installed across dozens, even hundreds of websites.

My recommendation, if you are using a private blog network or linking between your websites is not to use WordPress unless (1) your first login is with a proxy, (2) you immediately install the Google font removal plugin, and (3) do not use any themes making use of Google fonts.
Click to expand...

Read more Google Webfonts, The Spy Inside?

2HWdRXF.gif


It's only going to get worst with Wordpress before it gets better, hence why I suggest getting off of Wordpress if you CAN as soon as possible.
 
Google is brilliant.

Do you think Google could use a lack of font requests as a ranking signal? i.e. Google would know that you are intentionally hiding from them
 
Sobol said:
Google is brilliant.

Do you think Google could use a lack of font requests as a ranking signal? i.e. Google would know that you are intentionally hiding from them
Click to expand...

That's what's sort of holding me back. I'm sure having a block-google-fonts plugin, makes your site trustworthy lol.
 
contract said:
That's what's sort of holding me back. I'm sure having a block-google-fonts plugin, makes your site trustworthy lol.
Click to expand...
If you are running a PBN, by all means, sending no data is the better option than sending incriminating data.

Things would really get interesting if Google cross references when new blog posts were made/pages edited with admin font requests.
 
Sobol said:
If you are running a PBN, by all means, sending no data is the better option than sending incriminating data.
Click to expand...

If your running a PBN sely on WP your already incriminating yourself in the eyes of big G in my oppinion anyways
 
Why is everyone focusing just on PBNs? Wouldn't this out people who have multiple money sites and need to login into them daily? Owning multiple domains on WP installs cannot be the only criteria used to determine SERP manipulation.....right?
 
Yeah it is a problem for people with multiple money sites, but having multiple sites isn't manipulation of the SERPs, whereas PBNs are designed for that specific purpose.
 
Sure. But, I'm sure anyone with X number of sites is now going to be marked for manual review.
 
stackcash said:
Sure. But, I'm sure anyone with X number of sites is now going to be marked for manual review.
Click to expand...

I'd say the issue would rise if you have a lot of sites in the same niche, versus sites in various niches. If they are in the same niche, I'd think you could tastefully include them all under the same banner and be fine. There's one ecommerce company, I can't remember their name, but all of their products all had their own MFA domain, but linked to one another everywhere as if they were all one website. They've existed for a long time and the last I recall Google hadn't taken any action against them. I'm sure they are all hosted on the same server and IP and since everything is transparent, there's no reason to dock them any points.
 
Google is creating a cms to compete with wordpress. Soon enough none of this will matter. People will flock to it. Builds links to it.
 
It'll be live in the next 3-6 months. It's been in beta testing since 2014.
 
Tavin said:
It'll be live in the next 3-6 months. It's been in beta testing since 2014.
Click to expand...
This is very interesting. Any ideas on how they plan to market this? Or a name?
 
Can't say much more then that, but just know it's 100% coming.
 
Assuming you are correct, it's a very logical move -- especially if they plan to go the centralized route and make it part of the google cloud platform. I'd imagine they can build a pretty compelling tool with a super easy to use dashboard that has integration with their other services. They have a domain registrar, hosting platform, analytics, adwords that would all just accessorize the main CMS functions. Now Google can suck even more data into it's algorithms.

For wannabe SEO's, they'd say it comes with some benefit like automatically submitting new posts to the index. For the common people, google's got a crack team of designers who could easily make a CMS with a learning curve that's a 1/10th that of WP. Google could use it to attract more advertising by allowing people to promote pages or posts as part of the publishing process. More ads = higher prices = more revenue. They'd have rock solid reliability and speed.

It's not hard to see how Google could design a very compelling product for small businesses.

Thankfully, Wordpress won't go away any time soon. Most sites are too entrenched with plugins and content that would be a pain to migrate. That being said, if Google's play is as integrated as I think, it won't be easy for new sites to refuse. Google won't gain marketshare overnight.
 
Everyone was laughing when I suggested buying multiple laptops each with a dongle for my adsense accounts.

Paranoia is good.

For PBNs though, proxy should help?? Any good Proxy solution that you guys use with the flick of a switch. Something like tunnelbear, but with multiple IPs. And you just flick on one entity with a button where you assign an IP to different "accounts"?
 
An Update to this thread - I thought we covered this but since Wordpress 4.6, launched August 17th 2016, they've dropped the google fonts and went straight native. Your PBNs are safe now:

Native System Fonts in WordPress 4.6

WordPress started using Open Sans from Google Fonts project, as the default font so that the admin interface looks the same on different platforms and devices. However, this meant a tiny compromise on speed and relying on a third party project.

Since 4.6, WordPress will now use your native system font for the admin area. This will make WordPress load faster and feel like your native device and platform.

Sauce: http://www.wpbeginner.com/news/whats-new-in-wordpress-4-6/
 
Saw that. One of the concerning things that caught my eye, though:

Inline Link Checker
https://wordpress.org/news/2016/08/pepper/

Ever accidentally made a link to https://wordpress.org/example.org?
Now WordPress automatically checks to make sure you didn’t.
Click to expand...

I checked around, but couldn't really find a straight and technical answer as to exactly how that functions. First thought was, "Oh damn, more surreptitious HTTP requests to leak your stuff." I tested it on one site, but in the browser or a logger, wasn't able to see any weird request, cookie, etc. It seems that may have been the original intent people had behind this, but it sounds like it may have morphed in to simply being a regex check on the actual string, to see whether it's a well-formed URL or a bit outside the norm.

My whole thought, as I was worrying about what other unnecessary crap was crammed in this update...."Wordpress, stop trying to protect the shit out of us, and just make it easy to PRESS words FFS." LOL
 
You must log in or register to reply here.
Back