Almost a year ago I wrote a blog post entitled, “Is Sexy Bookmarks Sending Data From Your Blog?” In that post I talked about a discovery that I had made regarding a third party service that Sexy Bookmarks was using to mine data from the people sharing your blog content. I now have an update to that post.
A few months after I wrote that post, Shareaholic, the owner of Sexy Bookmarks, removed the plugin from the WordPress directory. When you see something like that happen, your first thought is that WordPress booted them for a security problem. According to Shareaholic in their forum, there was nothing wrong; they were just updating the software and removed it from the directory.
Hmmm. I don’t know if I entirely believe that. Nevertheless, Sexy Bookmarks is back in the directory with the new version. We now see a new section in the plugin dashboard about this third party tracking. See the screenshot below:
So it seems that to make the third party tracking more palatable, Sexy Bookmarks is making the data available to its users and not just the third parties that are paying them for it. At first glance, that looked good because you could hook up your Google Analytics to it.
Not So Fast…
But hang on a sec, your data is not only available to you and the third parties, but to everyone on the Internet! What? I had my 3rd Party Services set to yes for about 3 weeks until I found this:
How about if I just post my Google Analytics login information so anyone could see it? I don’t think so! As you can see from the screenshot, I’m not even signed in.
On a Related Issue…
I was chatting with Regina Smola over at WPSecurityLock.com about this as she is my go-to person for WordPress security. She was amazed at this discovery as well. In addition she pointed out that many plugins don’t close the door to their plugin files, leaving them vulnerable to hackers. But she gave me the code to lock the door so I’m passing it on to you.
First you can check to see if you have an open door by typing in your browser address bar http://yourdomainname/wp-content/plugins/sexybookmarks/ or any other plugin you have. If you get a page like the following, then you know your door is open.
Here’s how you fix it…
In your .htaccess file add the following:
# Turn off index browsing so directories with no index files will not display the list of files
Options -Indexes
And while you’re at it, you might as well tell Google to stay away from your plugins folder altogether, so in your robots.txt file add the following:
User-agent: *
Disallow: /wp-content/plugins/
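The two checks above, as an added example that is not part of the original post: a small Python script that recognises an Apache directory listing in a fetched page body, and verifies that the .htaccess and robots.txt fixes are actually in effect (a later Options line can silently re-enable listing). The HTML samples are constructed, not captured from any real site.

```python
import re

# Constructed sample of an Apache mod_autoindex page (not a capture from any real site).
SAMPLE_INDEX_PAGE = """<html><head><title>Index of /wp-content/plugins/sexybookmarks</title></head>
<body><h1>Index of /wp-content/plugins/sexybookmarks</h1>
<pre><a href="../">Parent Directory</a>
<a href="readme.txt">readme.txt</a></pre></body></html>"""

SAMPLE_FORBIDDEN_PAGE = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"  # constructed


def is_directory_listing(html: str) -> bool:
    """Heuristic: Apache titles an auto-generated listing 'Index of /...' and links 'Parent Directory'."""
    return bool(re.search(r"<title>\s*Index of /", html, re.I)) and "Parent Directory" in html


def indexes_disabled(htaccess: str) -> bool:
    """True only if the last effective Options directive leaves Indexes off.
    Relative tokens (+X / -X) adjust the current set; an absolute list replaces it,
    so 'Options -Indexes' followed later by 'Options Indexes' re-opens the door."""
    state = None  # None: .htaccess is silent and the server default applies
    for raw in htaccess.splitlines():
        m = re.match(r"options\s+(.+)", raw.split("#", 1)[0].strip(), re.I)
        if not m:
            continue
        toks = [t.lower() for t in m.group(1).split()]
        if any(t[0] in "+-" for t in toks):
            if "-indexes" in toks:
                state = False
            elif "+indexes" in toks:
                state = True
        else:
            state = "indexes" in toks or "all" in toks
    return state is False


def plugins_disallowed(robots: str) -> bool:
    """True if a robots.txt group for User-agent * disallows /wp-content/plugins/.
    Consecutive User-agent lines belong to the same group."""
    applies, in_ua_block = False, False
    for raw in robots.splitlines():
        key, _, val = raw.split("#", 1)[0].strip().partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "user-agent":
            applies = (applies if in_ua_block else False) or val == "*"
            in_ua_block = True
        else:
            in_ua_block = False
            if key == "disallow" and applies and val == "/wp-content/plugins/":
                return True
    return False
```

Options in .htaccess only takes effect when the server config grants AllowOverride Options (or All); otherwise Apache answers the directory with a 500 error. robots.txt only steers well-behaved crawlers and does not restrict who can request the directory, so the .htaccess change is the one that actually closes the door.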
Bottom Line: I still like Sexy Bookmarks, but I disable the 3rd Party Services and I’ve added Regina’s recommendations to my .htaccess and robots.txt files. By the way, Regina has a great little free report, “7 Plugins for WordPress Security,” that I recommend you read.