Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#43799 closed enhancement (duplicate)

Add a UI and functionality to deactivate gravatar completely (for single site as well as network-wide)

Reported by: tz-media's profile TZ Media Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Privacy Keywords: gdpr
Focuses: Cc:


In the standard behaviour, WordPress automatically includes gravatar links with every comment, as well as for every logged-in user (as far as I'm aware of). This bears the same problem as with embeds (see #43713).

When the user opens the website in his browser, a third party ( gets access not only to the user's IP address, but also to his md5-hashed email address. If the user has an account with gravatar, he will have accepted the terms of use of gravatar, but I see here the same problem as with social media widgets that transfer data without the user taking an explicit action other than open a web page without knowing that it will transfer data.

Also it is problematic to transfer hashed email addresses of non-registered users. gravatar can't map these to existing user data, but they could still build profiles on the hashed email address (though they probably won't...).

So as an admin I should be able to deactivate gravatar completely in settings.

Also, as a superadmin, I should be able to deactivate gravatar network-wide.

Change History (5)

#1 @joyously
6 years ago

Isn't the option show_avatars on the Settings > Discussion page the option you are talking about?

#2 @TZ Media
6 years ago

  • Keywords 2nd-opinion added

Upon looking at it - yes, it might be. I must admit that I didn't actually look at the implementation of get_avatar() before opening this ticket.

However, the implementation of get_avatar() allows for 2 ways to display avatars even if show_avatars is false:

  • $args[''force_display''].
  • the pre_get_avatar-filter hook.

This effectively makes it impossible for an admin to override a plugin or theme trying to force the display of gravatars.

At least In the case of show_avatars = false and force_display = true, we might have to deliver a (local!) placeholder image, because the layout might depend on "something" being present, hence forcing its output.

So to fix this we need to

  • immediately return false if show_avatars = false and force_display = false, even before executing pre_get_avatar
  • immediately return a local placeholder image if show_avatars = false and force_display = true
  • in all other cases, run through get_avatar as usual.

I could easily patch this, but the question is if we should filter the local placeholder through pre_get_avatar and get_avatar, and effectively allow third party code to replace it with a non-local avatar again.

#3 @pento
6 years ago

  • Keywords 2nd-opinion removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #14682.

If you want to deactivate Gravatars globally, you can create a small mu-plugin to enforce it. Increasing the priority should cover prevent any of the various custom avatar plugins from overriding it.

add_filter( 'get_avatar', '__return_empty_string', 1000 );

For folks who leave Gravatar activated, there's language in the privacy policy template to help them inform their visitors about it.

#4 @desrosj
6 years ago

  • Component changed from General to Privacy

Moving to the new Privacy component.

This ticket was mentioned in Slack in #gdpr-compliance by allendav. View the logs.

6 years ago

Note: See TracTickets for help on using tickets.