SiteGround’s 1+ Million Install WordPress Plugins Also Contain Apparently Inadvertent Tracking
On Friday, we noted that the web host SiteGround’s 1+ million install WordPress plugins, Security Optimizer and Speed Optimizer, are collecting a lot of website data from those installing the plugins without consent. That is in violation of the guidelines of the WordPress Plugin Directory. SiteGround sponsors one of the team reps for the team running that directory. It turns out SiteGround is doing more tracking in those plugins. This tracking looks to be inadvertent, but it is also in violation of the guidelines.
Guideline 7, “Plugins may not track users without their consent.”, gives as an example of a violation, “Offloading assets (including images and scripts) that are unrelated to a service.” Someone going by the handle JCV posted on the support forum for Security Optimizer that some of the plugin’s “fonts or pics are externally hosted.” We confirmed that was the case, and that is unrelated to a service, so it is a clear violation of the guidelines. It also occurs with Speed Optimizer.
Unlike the other issue, this isn’t a recent one. We found that one instance in Security Optimizer was introduced into the plugin in February 2022. That instance is also notable, as it involves the plugin making a request to an external server to get data, which is used to specify an image to be displayed that is externally hosted as well.
With the elements we looked at, it doesn’t appear this is being done in a way that would be intended for tracking purposes. All the same, it shouldn’t be happening and it is more of an issue that this is occurring in such popular plugins and plugins from a sponsor of one of the people running the plugin directory.
It also suggests the need for more checking on what is going on with plugins on this front. We check for issues that would violate the guidelines when we do security reviews of plugins, but it would appear there isn’t much of anyone else doing that type of checking, considering how long this has been in a popular plugin.
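One way to automate part of that checking, as an added example rather than code from this post or from either plugin: a Python scanner that flags absolute URLs in asset-loading and server-fetch contexts in plugin source. The sample files, host names and the `allowed_hosts` parameter (hosts of a service the plugin discloses) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

URL = r"((?:https?:)?//[^'\"\\)\s>]+)"
# Contexts where a URL makes the visitor's browser, or the site's server,
# contact another host. A plain <a href> link is deliberately not matched.
PATTERNS = {
    "enqueue": re.compile(
        r"wp_(?:enqueue|register)_(?:script|style)\s*\([^,]+,\s*['\"]" + URL),
    "html-asset": re.compile(
        r"<(?:img|script|link|iframe)\b[^>]*?\b(?:src|href)\s*=\s*\\?['\"]" + URL,
        re.I),
    "css-url": re.compile(r"url\(\s*['\"]?" + URL, re.I),
    "server-fetch": re.compile(r"wp_remote_get\s*\(\s*['\"]" + URL),
}

def find_external_assets(files, allowed_hosts=()):
    """Return sorted (path, line_no, kind, host) for each offloaded reference.

    files maps a relative path to file contents; allowed_hosts (an assumption
    of this example) lists hosts of a service the plugin discloses to users.
    """
    hits = set()
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    host = urlparse(match.group(1)).hostname
                    if host and host not in allowed_hosts:
                        hits.add((path, line_no, kind, host))
    return sorted(hits)

# Constructed sample files; none of this is taken from a real plugin.
SAMPLE = {
    "admin/banner.php": (
        "<?php\n"
        "$data = wp_remote_get( 'https://api.vendor.example/banner.json' );\n"
        "echo '<img src=\"https://static.vendor.example/promo.png\">';\n"
        "echo '<a href=\"https://vendor.example/docs\">Docs</a>';\n"
        "wp_enqueue_style( 'my-admin', plugins_url( 'css/admin.css', __FILE__ ) );\n"
        "wp_enqueue_script( 'chart', 'https://cdn.example.net/chart.js' );\n"
    ),
    "css/admin.css": "@font-face { src: url(//fonts.cdn.example/a.woff2); }\n",
}

if __name__ == "__main__":
    for hit in find_external_assets(SAMPLE):
        print(*hit, sep="\t")
```

Each hit still needs a manual look to decide whether the host belongs to a service the plugin actually provides.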
Plugin Security Scorecard Grade for Security Optimizer
Checked on April 3, 2025