Two 1+ Million WordPress Plugins From SiteGround, Sponsor of Plugin Review Team Rep, Collecting Website Data Without Consent
Guideline 7 of the WordPress Plugin Directory’s Detailed Plugin Guidelines, “Plugins may not track users without their consent”, states that an example of a violation would be “Automated collection of user data without explicit confirmation from the user.” Two 1+ million plugins publicly state, right on the Plugin Directory, that they are violating that. The first is Security Optimizer, which states at the end of its description:
Data Collection
By default the plugin collects the information listed here. This data is collected only for technical analysis, improvements and the possibility to contact the plugin user in case urgent issues need to be fixed (for example a critical security release that needs to be communicated to site owners). The plugin user may opt out from the WP admin from the collection of this data, but we do not recommend this, as it may negatively impact the plugin performance. You may find more information on data collection in our Plugins Privacy Notice.
The second is Speed Optimizer, which states at the end of its description:
Data Collection
By default the plugin collects the information listed here. This data is collected only for technical analysis, improvements and the possibility to contact the plugin user in case urgent issues need to be fixed (for example a critical security release that needs to be communicated to site owners). The plugin user may opt out from the WP admin from the collection of this data, but we do not recommend this, as it may negatively impact the plugin performance. You may find more information on data collection in our Plugins Privacy Notice.
What they state they are collecting is quite broad and doesn’t seem like it would even all be required for the stated purpose:
- Site URL
- Marketing Consent (Y/N)
- Admin Email
- Admin URL
- Hosting Provider
- WordPress Version
- PHP Variables
  - Version
  - Max Execution Time
  - Max Upload Filesize
  - Memory Limit
- MySQL Version
- WP CLI (y/n)
- WordPress Memory Limit
- WordPress Max Upload Filesize
- WordPress Users Count
- SSL (Y/N)
- Server Type and Version
- Multisite (Y/N)
- Number of Sites
- WordPress Theme
- WordPress Theme Version
- Locale & Timezone
- Active Plugins list
- Installed Plugins List
- Image Library Type & Version
- SiteGround Plugins Configuration
Both of those come from SiteGround, which is troubling, considering that SiteGround now sponsors one of the team reps of the Plugin Review team.
That default tracking was added in a change made to both plugins recently, on October 24. Here is the change for Security Optimizer and the change for Speed Optimizer.
We have notified the team running the Plugin Directory about that.