A freshly installed unmodified version of WordPress 5.9 “Josephine” sadly access 3rd party servers when opened in a web browser. I noticed the following access attempts on the home page:
- https://secure.gravatar.com/avatar/3febc554f4202125a2d8b656624c282a?s=52&d=mm&r=g
- https://secure.gravatar.com/avatar/3febc554f4202125a2d8b656624c282a?s=128&d=mm&r=g
I.e. any website created this way contains a tracker by default!
The images are used to display avatars for the logged in users. I suspect the long hexadecimal part of the URL is a hash of the user name. Thus gravatar.com would receive information about my (admin) user name!
Gravatar is not mentioned on the WordPress Privacy page.
This shows a lack of concern about privacy by the makers of WordPress. For site owners this could actually cause legal problems if their privacy policy promises not to share data with 3rd parties.
It’s a good thing I block gravatar.com using Little Snitch 🙂