Skip navigation

Since I just railed against Congress for being a bit two-faced about privacy I thought some site disclosure would be in order.

At present, third-party tracking is limited to:

  • Something in my WordPress configuration adding a DNS pre-fetch for There are a few more other DNS pre-fetches that I’m also going to try to eradicate (but that aren’t showing up in my uBlock Origin likely to to /etc/hosts blocks);
  • Gravatar (which displays logos near comment author names). I’m torn on this one but Gravatar is owned by Automattic (who owns WordPress). See next bullet on that;
  • WordPress. Vain site stats tracking, JetPack uptime warnings and some other WordPress pings happen (including some automatic short-linking) as well as the previous bullet bits. I’m not likely going to do the site surgery necessary to stop this but you have full disclosure and can easily avoid pings to those sites via uBlock Origin site-specific rules;
  • SendPulse; I’m running an experiment on user behaviours when it comes to authorizing web notifications (and I just kinda ruined said experiment). I’ll be disabling it later this year (after a full year of it being on so I can have more than just a few sentences to say).

The above came from an in-browser uBlock Origin report.

I ran a splashr::render_har() — which is how I measured things for the Congressional privacy post — on one of my pages and this is the result:

tld                 n
1           67
2           21
3      6
4     3
5             3
6     2

Props on WordPress capturing! I’m still ticked Microsoft stole from me ages ago.

As you can see, most resources load from my site and none come from Twitter, Facebook or Google Plus.

I run WordPress for a ton of reasons too long to go into for this post, so I’m likely not going to change anything about that list (apart from the DNS pre-fetching).

Hopefully that will abate any concerns visitors might have, especially after reading the post about Congress.


  1. Hi Bob – thanks so much for all your contributions to the R community!

    I’m currently configuring an R-centric WordPress blog and was wondering what your WP plug-in “stack” is and what your process for creating posts is.

    For the stack, from above it sounds like you use Jetpack, from your site’s footer notice you use Akismet, and I coincidentally saw on Stackoverflow that you use prism for code highlighting. Do you use any others? In particular, are there any security plugins you recommend?

    For the process, do you write in Rmarkdown and use the RWordPress package?

    If you’re willing to share, I’m also curious about the many reasons you run WordPress.

    Thanks and best wishes,

    • Well met, Trey!

      You work for one of my fav orgs (CDC)!

      I use WordPress for a ton of reasons. First, it’s what powers 30% of the internet content dissemination and I’m in infosec and also have a bunch of friends who run WordPress so I feel somewhat obligated to know everything abt it so I can help folks be safer when they use it. And I run some honeypot code underneath the covers and analyze the logs every day to keep track of scanners and attackers.

      That being said the stack is larger than I’d like it to be (more plugins == more attack surface)

      I consider Jetpack, Akismet and Wordfence must-haves and at the lowest “pro” tier if you can afford it. That tier comes with ValutPress so that’s in there too.

      Prism is wonderful and I just started using the <pre><code…> idiom for it vs the dedicated shortcode fields (I was stupidly using those before). I’m almost done with an R Markdown template that will generate those too so — apart from graphics — it’s a cut/paste from a file to a blog post soon. I’ve tweaked the Prism theme a bit but the default is fine IMO.

      Smush and Hummingbird are in the mix as well since I’m often too lazy to add in the bits for R Markdown that make smaller PNGs. I’m going to try to incorporate that into my R Markdown custom template so I’ll likely remove Smush soon. Hummingbird is almost a 100% requirement IMO but the free tier (which I’m on) has just sufficient annoyances that I can’t say it’s 100% necessary.

      There’s an old plugin that I now maintain myself called Arrueba which turns twitter @‘s into links.

      Speaking of links I also use Broken Link Checker and tend to it abt 1x/mo.

      I grudgingly use the AMP plugin b/c Google will downgrade search results for mobile and in general if you don’t.

      As a joke I installed GDPR Cookie Consent and will likely be removing it this weekend.

      Finally, Insert Headers and Footers is super helpful but I feel lazy for using it.

      Anything else I use is mostly for playing or bot/attacker research (and they vary during the year).

      For “how do I write”: I use R Markdown. I rly don’t like hooking up things to WordPress and the only pain point left is uploading and manually inserting image tags, but that’s super fast for lighter posts.

      Once I’m done with the template I’ll GitHub it so you can give it a go.

      The server is nginx (but you likely figured that out already).

    • There’s an undocumented prismpress in which will generate correct pre/code blocks. It still needs work but I figure if more than 1 person is trying it out we’ll get bugs worked out faster. It does require enabling markdown in Jetpack tho.

One Trackback/Pingback

  1. […] This is a Security Bloggers Network syndicated blog post authored by hrbrmstr. Read the original post at: […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.