Why You Should NEVER Comment on WordPress

Bob Leggitt | Sunday, 10 February 2013

It’s something all new WordPress bloggers are encouraged to do: comment on other users' blogs. Indeed, commenting is even incentivised with the notion that it can help a new blogger become more successful. But did you know that when you comment on a WordPress blog, WordPress takes your personal, private email address, and passes it straight to the administrator of the blog you’ve commented upon? Given that literally anyone can open a WordPress blog, and that WordPress issues no clear warning about the above to its users, this has to rank as one of the worst privacy breaches on the mainstream Internet.



Never having taken any interest in blog commenting, this privacy shocker was actually something I didn’t know about until yesterday, when I saw the matter raised on the WordPress Support Forum. Suitably enlightened, I’m now left struggling to take in the fact that a serious business could have such disregard for people’s personal information. But there’s no mistake. Give your email address to WordPress, and the site will automatically pass that private info on to any other users whose blogs you interact with.

Remember, WordPress bloggers are by default anonymous. Setting up an account is a no-questions-asked process. So where in the name of Matt Mullenweg’s bank statement WordPress gets the idea that it’s okay to share users’ private email addresses with all of these nameless, untraceable entities, is a mystery to me.

It’s reprehensible behaviour, obviously, but the practice is also a clear breach of UK Data Protection law, in that WordPress fails to take reasonable steps to protect users’ personal information, or to make sufficiently apparent the fact that users’ personal information is highly vulnerable to third-party abuse. Just consider the implications. All a spammer need do is set up a WordPress blog, wait for the comments to roll in, harvest all the email addresses, and then spam away. They could even sell the email addresses on – to any piece of scum who’ll pay for them. Does this happen? You can bet it does. With tens of millions of blogs on WordPress, it’s inconceivable that a proportion of the accounts are not being used to harvest email addresses for the purpose of spamming, and potentially worse.

I would have logged into the WordPress Support Forum and contributed my thoughts on this. But who gets my email address if I post on the forum? I don’t know, and I’m not particularly keen to put it to the test.

The message is, NEVER comment on WordPress blogs, because every time you do, you cast your private information into the complete unknown. This runs way beyond irresponsibility on the part of WordPress - it's criminally disrespectful towards users' privacy rights. For other reasons, it’s unsurprising the blog host has been blacklisted by sites such as this, but I must say I'm amazed that no one appears to have seen fit to make an issue out of this email affair, because it is, quite simply, the greatest generic online privacy scandal I'm currently aware of.