• Resolved vegasmerch

    (@vegasmerch)


    Opening new thread per mod request – original post here:

    https://www.ads-software.com/support/topic/are-photon-images-abe-to-be-viewed-by-anyone-who-has-the-url/page/2/#post-11465717

    I would like to reopen this case. I am having the same issue the OP posted. I do not use the Jetpack plugin, do not have it installed on my site, and have never used it. I’ve never used the CDN functionality and my image URLs point at my own website.

    I have been having a problem with a negative SEO network hotlinking my images. I implemented config changes to thwart this and today, I am finding that some of the illicit sites have now moved to using what appears to be a mirror of my image directories on i1.wp.com. After doing some research into the issue, I landed here.

    What I would like to know is how is it possible that my images are being mirrored on the WordPress CDN when I do not use or have installed the Jetpack plugin? Is there something else running in a default WordPress install that would cause this behavior?

    I made some requests directly on the URI for images that I uploaded to my site today, and sure enough, they are present on i1.wp.com:

    https://i1.wp.com/shopvegasmerch.com/wp-content/uploads/2019/04/DSCF1378.jpg

    Also, I tried requesting an image that does not exist and immediately saw a connection from an IP that traces back to the wp image hosting. Is this intended functionality? How did my site end up on i1.wp.com in the first place? What mechanism is being used to notify i1.wp.com of updates to my content?

    I have blocked my feeds and also implemented a rewrite rule to stop the scraping but I am trying to understand how my content ended up there to begin with? Is there a way to have the content removed? I do not want my business associated with the illicit sites that are using my image content!

Viewing 14 replies - 1 through 14 (of 14 total)
  • Plugin Support lizkarkoski

    (@lizkarkoski)

    Howdy –

    It’s possible that your theme and/or one of the plugins on the site is using the Photon API. This is pretty easy to sort out.

    Change the theme to a default one, like twenty nineteen. Check the image URL behavior again. If the issue is gone, then you know it is the theme. If the issue persists, move on to checking plugins.

    Disable all of the plugins on the site. Check the image URL. If the image URL seems fixed, add the plugins back one at a time, until you find the culprit.

    Thread Starter vegasmerch

    (@vegasmerch)

    My image URLs do not point at Photon. All of the images are hosted directly on my own site. I don’t understand how/why my images are being uploaded to the Photon service?

    I checked through my plugins but none of them mention making use of Photon for CDN or resizing.

    What traffic would I need to look for that is uploading to the Photon API? Would it be an outbound connection to i1.wp.com?

    Plugin Contributor James Huff

    (@macmanx)

    As long as an image in content has a Photon domain in front of it, our Photon CDN will upload and serve the original; this is how the Photon API works: https://developer.wordpress.com/docs/photon/api/

    This is why my colleagues mentioned that your theme or another plugin could be doing this.

    Are the Photon URLs still in your content when you use the Twenty Nineteen theme?

    Thread Starter vegasmerch

    (@vegasmerch)

    James,

    There are no Photon URLs in my content and never have been.

    That is why I have raised a ticket.

    I will take a look at the API documentation but I am trying to figure out how my content got cached on your CDN in the first place.

    Will the system simply cache content based on a request from anywhere with no security in place?

    I believe a nefarious 3rd party is using your CDN service as MITM to steal image content.

    As far as I can tell, my server has never sent a request to the Photon API to cache any images.

    Plugin Contributor James Huff

    (@macmanx)

    As mentioned, it is trivial to add the Photon API to themes and plugins; this is not nefarious (well, it is abuse of our services, but that’s for us to deal with).

    At any point, your theme, or another plugin could have been using the Photon API, and that would have uploaded the image.

    Also, simply _viewing_ an image URL from your site with the Photon API URL before it, like if you were checking to see if one of your images was in Photon, would have added it.

    I checked your site and see no Photon URLs in your source, so this no longer appears to be a problem for you.

    Thread Starter vegasmerch

    (@vegasmerch)

    > I checked your site and see no Photon URLs in your source, so this no longer appears to be a problem for you.

    There never were. That’s why I opened the ticket.

    I have already checked my outbound traffic on posting new images and I don’t see any traffic being generated from my site to the Photon API. I highly suspect (and have found proof that) a 3rd party is using your API to rip off my images.

    While it is a bit troubling that your service is able to be used as MITM with no authentication necessary for submitting images to the cache, it doesn’t really pose an issue for my use case other than not wanting association with the 3rd party sites that are abusing your services to download my images.

    @vegasmerch, I think this is what is going on.

    The person who is hotlinking your images is using WordPress. They turned on Photon API. Somehow Jetpack is now caching your images without your permission (and they are deflecting the blame onto you).

    I also have this problem on my website. I do use Jetpack, but I turned off Photon. I am also having scrapers hotlink my content. I also have no interest in using Photon.

    To the people at Jetpack, you really want to solve this problem. The person who owns the pictures (the intellectual property) should be the ones who control whether or not Proton is on or off (not the person who is hotlinking without permission).

    Since the pictures are hosted on your website i1.wp.com, without permission, Jetpack could be liable for copyright infringement. Thus, Jetpack, I strongly urge you to have your legal counsel look at this problem because if you do not solve this problem (hosting copyrighted pictures without the copyrighter’s permission), you could be in serious trouble (i.e., someone who is hurt by copyright infringement contacts a copyright lawyer).

    A good analogy is having a copyrighted movie hosted on i1.wp.com and served through Photon (I am sure the Hollywood studio would sue Jetpack big time).

    Thread Starter vegasmerch

    (@vegasmerch)

    I agree with @convexity and might suggest that a potential solution would be to require cache users to register, generate a hash that the new registrant must place into a text file on their website in a predetermined location, and have your bots verify the hash is present there at least one time before allowing further caching of the site’s content.

    This way, you have some mechanism to verify that the requester actually has control of the domain in question before caching its content. This should also help you cut down on abuse of your API and should be fairly simple to implement.
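The domain-control check proposed in the post above, sketched as an added example (not code from the thread or from Photon/Jetpack). The file path, the `CacheGate` class, the account names and the injected `fetch` callable are all assumptions made for illustration; the post only specifies "a hash in a text file at a predetermined location".

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed location; the post only says "a predetermined location".
VERIFY_PATH = "/.well-known/cache-verify.txt"


def issue_token(secret: bytes, account: str, domain: str) -> str:
    """Token bound to one account and one domain, so it cannot be reused elsewhere."""
    msg = f"{account}\n{domain.lower().rstrip('.')}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class CacheGate:
    """Refuses to cache images from a host until its owner has proved control."""

    def __init__(self, secret: bytes, fetch):
        self.secret = secret
        self.fetch = fetch      # callable(url) -> str, injected so the demo runs offline
        self.verified = set()   # hosts that passed the check at least once

    def confirm(self, account: str, domain: str) -> bool:
        domain = domain.lower().rstrip(".")
        expected = issue_token(self.secret, account, domain).encode()
        try:
            body = self.fetch(f"https://{domain}{VERIFY_PATH}")
        except OSError:         # unreachable host or missing file: not verified
            return False
        # Constant-time comparison; only the first few lines of the file are read.
        for line in body.splitlines()[:10]:
            if hmac.compare_digest(line.strip().encode(), expected):
                self.verified.add(domain)
                return True
        return False

    def may_cache(self, image_url: str) -> bool:
        host = (urlsplit(image_url).hostname or "").lower()
        return host in self.verified


# Constructed demo data: only owner.example has published its token.
SECRET = b"constructed-demo-secret"
SITE_FILES = {"https://owner.example" + VERIFY_PATH:
              issue_token(SECRET, "acct-1", "owner.example") + "\n"}


def fake_fetch(url: str) -> str:
    if url not in SITE_FILES:
        raise OSError("404")
    return SITE_FILES[url]
```

Because the token is an HMAC over the account and the domain, a registrant cannot copy another site's published file to claim a domain under a different account.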

    Exactly the same problem.

    I have never used Jetpack.

    But in the Apache server logs I saw “Photon/1.0”

    Found that images are cached. Example https://i1.wp.com/it-actual.ru/media/Could-not-open-profile-folder-1.png

    Please clear the cache.

    Confirmation that I am the owner of the site https://it-actual.ru/problem.html

    Sorry for my English.
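A way to run the log check described in the post above over an Apache combined-format access log, as an added example (not code from the thread). The log lines, IP addresses and the host `example.test` are constructed; the `Photon/1.0` agent string and the `https://i0.wp.com/<host>/<path>` URL shape are the ones shown in this thread.

```python
import re
from collections import Counter

# Apache "combined" log format: ip, identity, user, [time], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log (documentation IP ranges, invented paths).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/2019:10:01:02 +0000] "GET /wp-content/uploads/2019/04/a.jpg HTTP/1.1" 200 48211 "-" "Photon/1.0"
192.0.2.10 - - [12/Apr/2019:10:01:05 +0000] "GET /wp-content/uploads/2019/04/a.jpg HTTP/1.1" 200 48211 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2019:10:02:11 +0000] "GET /wp-content/uploads/2019/04/a.jpg?strip=all HTTP/1.1" 200 48211 "-" "Photon/1.0"
198.51.100.8 - - [12/Apr/2019:10:03:40 +0000] "GET /wp-content/uploads/2019/04/missing.jpg HTTP/1.1" 404 312 "-" "Photon/1.0"
this line is not in combined format and is skipped
"""


def photon_fetches(log_text: str) -> Counter:
    """Count requests whose User-Agent contains Photon/1.0, keyed by (path, status)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "Photon/1.0" not in m["agent"]:
            continue
        path = m["path"].split("?", 1)[0]   # query strings do not change the file fetched
        hits[(path, int(m["status"]))] += 1
    return hits


def purge_list(hits: Counter, site_host: str) -> list:
    """Cache URLs to quote in a purge request: only files that were actually served (200)."""
    return sorted({f"https://i0.wp.com/{site_host}{path}"
                   for (path, status) in hits if status == 200})


if __name__ == "__main__":
    found = photon_fetches(SAMPLE_LOG)
    for (path, status), n in sorted(found.items()):
        print(f"{n:3d}  {status}  {path}")
    print("\n".join(purge_list(found, "example.test")))
```

The User-Agent header is client-supplied, so a match shows what the request claimed to be; the absence of such lines does not prove the images were never fetched.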

    Plugin Contributor James Huff

    (@macmanx)

    The image has been purged from our cache as requested.

    I have the same problem. I have never used Jetpack but my images are cached.

    Example https://i0.wp.com/vilmupa.com/muebles-valencia/wp-content/uploads/2014/04/reloj-de-pared-vintage.jpg?strip=all

    and they are using that URL to hotlink all my images.

    Please clear the cache.

    Thank you

    Adela

    Plugin Contributor James Huff

    (@macmanx)

    The image has been purged from our cache as requested.

    Thank you for deleting my images from your cache, I found that you are also caching my other domains, here you have example urls from both:

    https://i0.wp.com/pintores-decoradores.com/wp-content/uploads/2018/12/mural-flores-blossom-510×375.jpg

    https://i0.wp.com/alfombras-online.com/wp-content/uploads/2019/04/Alfombra-cactus-510×642.jpg

    and they are using those URLs to hotlink all my images.

    Please clear the cache of both domains.

    Thank you

    Adela

    Plugin Contributor James Huff

    (@macmanx)

    The images have been purged as requested.

  • The topic ‘Site Being Cached by Photon, But I Do Not Use Jetpack’ is closed to new replies.