A few days ago I started working on a plugin.

Please understand I'm not really a fan of WordPress, this is very rare for me to work on a plugin.

Already it does nonces better (what WordPress calls a nonce does not meet the definition) and does passwords better (argon2id) - right now I'm working on the gravatar part. 1/

The problem with Gravatar is that it's a tracking nightmare. Not only does gravatar.com use third party tracking cookies, but the avatar is based on an unsalted md5 hash of the user's e-mail address making it easy for *anyone* to discover the e-mail address of who made what comments on a WordPress blog. 2/

So - the WordPress function that does that is `get_avatar()` in the `pluggable.php` file. I used to have a plugin that fixed that issue by salting the hash first, but that was years ago and WordPress bastardized how the gravatar functions work.

I really wish WordPress just used actual namespaced classes for stuff like this, but it doesn't.



So - I created a generic class called "Groovytar" in my namespace. It does not depend upon any WordPress functions, and I wrote it so that I could use it elsewhere - and eventually change the URL for the avatar to something that doesn't track but I may have to create such a service. If I do, generated avatars will be SVG.

Anyway - I then extend that Groovytar class to make WordPressGroovytar that has the WordPress specific functions.


For example, it needs to be able to extract an e-mail address to hash from a postid because WordPress wants to do that sometimes.

The extended class is then called by my replacement for the `get_avatar()` function.

One of the nice things about an abstract class and an extended class is I can easily unit test the abstract class with phpunit - unit testing WordPress plugins is hard because 5/

they basically need all of WordPress, but by making abstract classes that do not use WordPress defined functions, I can at least write unit tests for the bulk of the plugin *as well* as having the ability to re-use those classes elsewhere.

Well, time to start testing the gravatar privacy fixes...

Right now it only obfuscates the e-mail hash, gravatar still tracks. An alternate service will take time.
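
The difference between the unsalted md5 identifier and an obfuscated one, as an added example that is not the plugin's code. The HMAC-SHA256 construction, the names `obfuscated_hash`, `guess_matches` and `$siteKey`, and the sample address are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Gravatar's identifier: md5 of the trimmed, lower-cased e-mail address.
function gravatar_hash(string $email): string
{
    return md5(strtolower(trim($email)));
}

// Hypothetical replacement: HMAC-SHA256 keyed with a per-site secret, cut to
// 32 hex characters so it still fits where an md5 value is expected.
function obfuscated_hash(string $email, string $siteKey): string
{
    $normalized = strtolower(trim($email));
    return substr(hash_hmac('sha256', $normalized, $siteKey), 0, 32);
}

// What any reader of the page can do with the identifier in the avatar URL:
// hash a guessed address and compare. No secret is available to them.
function guess_matches(string $published, string $guess): bool
{
    return hash_equals($published, gravatar_hash($guess));
}

// Constructed sample data; a real site would generate the key once and store it.
$siteKey   = random_bytes(32);
$commenter = ' Alice@Example.com ';

$plain = gravatar_hash($commenter);
$keyed = obfuscated_hash($commenter, $siteKey);

// The same guess checked against the unsalted identifier, then the keyed one.
var_dump(guess_matches($plain, 'alice@example.com'));
var_dump(guess_matches($keyed, 'alice@example.com'));

// The keyed value is still stable per commenter, so one person keeps one avatar.
var_dump($keyed === obfuscated_hash('alice@example.com', $siteKey));

// The image request itself still goes to gravatar.com either way.
echo 'https://www.gravatar.com/avatar/' . $keyed . '?d=identicon', PHP_EOL;
```

Because the keyed value no longer corresponds to any registered address, the `d=identicon` default is what Gravatar would serve for it.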


