Last week I wanted to take a look at the recently released WordPress 2.7 and of course wanted to give it a go on a mobile. As you might have noticed I’m on Google’s blogger and there is, unfortunately, no mobile version, so a proper mobile plugin would be a big plus for me and a good reason to move away.
I downloaded the tiny zip from the official site and opened the readme.txt file. The file itself did not tell much if not that it would make my blog mobile. Fair enough, I took the php file and copied it into wp-content/plugins. That is all that was apparently required to install and in fact in the admin interface I had a new plugin available, I selected it and enabled it on my Mac. The site URL was a local one, of course, wordpress.local (and added to my hosts file to access it).
Looking for some further information I went back to the official site (that I won’t link) and noticed that on the homepage there’s a nice link mentioning that my wordpress.local is the latest site which installed the plugin! A bit surprised I opened the small PHP file and noticed that there are two calls, one on plugin activation and one on deactivation. Being PHP it was not so hard to find what it does and I was very disappointed with the discovery. On both events the plugin calls a remote API AND sends an e-mail to Andy Moore mentioning the site name, URL, and the admin’s email, YES, YOUR E-MAIL address.
In my case, the SMTP server was down, so the e-mail did not get delivered, but to my great disappointment the API was reached and that is why my local install was mentioned on the website.
Nothing wrong has happened, in fact I’m pretty sure if Andy wanted to contact me he would definitely find a way, but it was very disturbing to discover that this happens without letting the user know. If I had been a bit smarter I would have looked at the code and I would have discovered it, the problem is that the average WordPress user will not bother to look at the code and will probably not even be capable of understanding what’s going on. We are not all developers and my impression is that Andy is relying exactly on the inability of his users to disable the feature. The software is GPL and everyone is welcome to look at and change it and that is exactly why I did not even bother to look at it, I took it for granted that nothing bad would happen.
In case you wanted to disable this functionality (but it’s probably too late now, I admit), what you should do is open wordpress-mobile.php, find the function wordpress_mobile_plugin_activate (it’s at line 1664 in version 1.3), go to the first line of the function and just add the following line:
Do the same for the function wordpress_mobile_plugin_deactivate (line 1673 in version 1.3).
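An added example, not part of the original post and not the plugin's code: a small Python audit that finds the functions a plugin registers for activation and deactivation and flags mail or outbound-request calls inside them, the kind of check that would have surfaced the behaviour described above before enabling the plugin. It assumes the plugin registers its handlers with `register_activation_hook` / `register_deactivation_hook`; the PHP sample, its function names and the `example.invalid` addresses are constructed, and the brace matching is naive (it ignores braces inside strings and comments).

```python
import re

# PHP/WordPress functions that send mail or can reach a remote host.
OUTBOUND = ("wp_mail", "mail", "wp_remote_get", "wp_remote_post",
            "file_get_contents", "fsockopen", "curl_exec")
HOOK_RE = re.compile(
    r"register_(activation|deactivation)_hook\s*\(\s*[^,]+,\s*['\"](\w+)['\"]\s*\)")
# Lookbehind avoids matching method calls, variables and longer names (e.g. my_mail).
CALL_RE = re.compile(r"(?<![\w>$:])(" + "|".join(OUTBOUND) + r")\s*\(")

# Constructed sample, NOT the real plugin source.
SAMPLE = r'''<?php
register_activation_hook(__FILE__, 'example_plugin_activate');
register_deactivation_hook(__FILE__, 'example_plugin_deactivate');
function example_plugin_activate() {
    $site = get_option('siteurl');
    if ($site) { wp_remote_get('https://stats.example.invalid/?u=' . urlencode($site)); }
    wp_mail('author@example.invalid', 'activated', get_option('admin_email'));
}
function example_plugin_deactivate() {
    update_option('example_plugin_active', 0);
}
function example_unrelated() { mail('x@example.invalid', 's', 'b'); }
'''

def function_body(src, name):
    """Return the text between the braces of `function name(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    start = src.find("{", m.end()) if m else -1
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return None

def audit(src):
    """Map each hooked function to its hook type and the outbound calls it makes."""
    findings = {}
    for event, func in HOOK_RE.findall(src):
        body = function_body(src, func)
        calls = sorted(set(CALL_RE.findall(body))) if body is not None else []
        findings[func] = {"hook": event, "outbound_calls": calls}
    return findings

if __name__ == "__main__":
    for func, info in audit(SAMPLE).items():
        print(func, info)
```

To check a real plugin, pass the contents of its PHP file to `audit()` instead of `SAMPLE`; an empty `outbound_calls` list only covers the function names in `OUTBOUND`, so it is a first pass, not proof of absence.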
Andy has definitely spent time to get this plugin working and maintaining it and I think it’s perfectly fair for him to ask for money and ask his users to provide usage details, but asking and taking are different operations, in my opinion.