by zelphirkalt 759 days ago
I have come across a situation where an automatic WordPress update (need to keep up to date, against vulnerabilities) made a site I maintain violate the law:

I used a Unicode symbol for something in text. WordPress out of nowhere and by itself decided that it would be better to replace that symbol with a bloody SVG that is loaded from some third party. At first I could not believe my eyes, then it dawned on me how incredibly recklessly they acted with that update. They must really have no clue what they are doing.

Then I scrambled to reverse this bs and tried various things, including editing the theme minimally, which originally I never wanted to do, because I do not want to maintain a theme in addition to the site. Well, nothing worked, except for installing a plugin whose sole purpose is to reverse this stupidity.

If I had not had functionality connected to the DOM structure around my unicode symbol, I might not have noticed it, because that functionality also broke.

So there we go, WP automatically making the site violate the law by loading from third party without consent and also breaking my functionality and basically forcing me to install a plugin to correct WP core mistakes. Of course it is very clear now, that it is completely unfit for any business website, when the core developers make such bad decisions. It requires constant maintenance, even if you update nothing but WP itself. Alternatively you let it get outdated and get hacked due to vulnerabilities. Great.

2 comments

Are you intentionally not mentioning which country and law?
GDPR, EU. You cannot simply load third party shit on your website, without asking for consent. By downloading an SVG from a third party provider, I would need to ask the visitor, whether transmitting their IP address is OK or not, since that is personal data. Aside from all the information associated with when someone accesses the site.
> You cannot simply load third party shit on your website, without asking for consent

That's not how the GDPR works at all. If it were, there would be no content distribution networks operating in the EU. Linking to a third party image in document markup does not involve you transmitting anything.

By including external references to third-parties, you’re effectively leaking your visitors’ IP addresses to the third-party. Those IP addresses are considered PII and are covered by the GDPR.

https://www.theregister.com/2022/01/31/website_fine_google_f...
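An added example, not part of any comment in this thread: a small audit that separates markup a browser fetches on its own (embedded images, scripts, stylesheets) from plain links, and lists the third-party hosts that would receive a visitor's request. The hostnames and sample markup are constructed placeholders, and treating any host other than the page's exact hostname as third party is an assumption of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes a browser fetches on page load with no user action.
# <a href> is deliberately absent: a plain link sends nothing until clicked.
AUTO_FETCH = {"img": ("src", "srcset"), "source": ("src", "srcset"),
              "script": ("src",), "iframe": ("src",), "video": ("src", "poster")}
LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "preconnect"}

class SubresourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        # Assumption: exact host match, so subdomains count as other hosts.
        self.first_party = urlsplit(page_url).hostname
        self.third_party = {}  # host -> [(tag, absolute URL), ...]

    def _record(self, tag, raw):
        url = urljoin(self.page_url, raw.strip())
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname not in (None, self.first_party):
            self.third_party.setdefault(parts.hostname, []).append((tag, url))

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v}
        if tag == "link":
            if set(a.get("rel", "").lower().split()) & LINK_RELS and "href" in a:
                self._record(tag, a["href"])
            return
        for name in AUTO_FETCH.get(tag, ()):
            if name == "srcset":  # "url 1x, url 2x": take each candidate URL
                for cand in a.get(name, "").split(","):
                    if cand.strip():
                        self._record(tag, cand.split()[0])
            elif name in a:
                self._record(tag, a[name])

def audit(html, page_url):
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.third_party

# Constructed sample markup; all hostnames are placeholders.
SAMPLE = """<p><img class="emoji" alt="*" src="https://cdn.emoji-host.example/svg/2b50.svg">
<a href="https://other.example/article">read more</a> <img src="/uploads/logo.png">
<script src="//stats.example.net/t.js"></script></p>"""

if __name__ == "__main__":
    for host, hits in sorted(audit(SAMPLE, "https://shop.example.org/").items()):
        print(host, hits)
```

Elements inserted by scripts at runtime only appear in the rendered DOM, so feed this the DOM serialized from the browser rather than the raw server response when checking for that case.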

Gotcha, thanks
My bet is EU and making it non-compliant with GDPR.
They definitely are and I would bet money it's China.
China has laws against loading content from third parties without consent? Sounds more like an EU thing.
China has laws against graphic displays of blood. I could not find a European country that does.
How is that relevant?
> Of course it is very clear now, that it is completely unfit for any business website, when the core developers make such bad decisions.

I'm not saying it is or it isn't, but I do wonder how many people are doing business with WP while never considering a donation or whatever value add for the project. At the same time maybe you do pay, maybe they already swim in money.

WordPress doesn’t take donations. They have a payable service attached to the open source platform. And that service does not work any differently.
Automattic is valued at $7.5BN. They don’t need your donations.