• Disclaimer: I do not use WordPress or Jetpack. However, I am negatively affected by this plugin.

    Essentially, anyone can use it to cache images from anywhere on the web onto WordPress’s servers. On top of that, there is no authentication required in order to do so. All anyone needs to do is prepend a short URL snippet to any image URL in order to cache an image – they do not even need to be running WordPress in order to do this.

    This negatively affects many websites due to image duplication as the original website’s images may no longer rank on search engines while the duplicated images rank.

Meanwhile, another oversight is that there is no way for Jetpack to purge an entire domain from their image cache, so images will remain on WordPress’s servers indefinitely. You can reach out to Jetpack to get them to clear their cache of individual image URLs, but considering there may be hundreds of your images currently on their servers that you’re unaware of, this is simply not good enough.

    Finally, if whoever is reading this happens to be a victim of image theft due to Jetpack’s plugin, do what we did and block their Photon/1.0 User-Agent on your server to prevent your images from being cached on WordPress’s servers.

    Of course, the developers of Jetpack seem diligent so if they patch these substantial oversights, I will gladly alter my review accordingly.

Viewing 1 replies (of 1 total)
  • Plugin Author Jeremy Herve

    (@jeherve)

Jetpack Mechanic

    Thanks for the feedback. I believe that is something that we had already discussed via email and here in the forums, but I cannot find our previous conversations about it anymore. Let me try to clarify a few things, if that can help a bit.

    anyone can use it to cache images from anywhere on the web onto WordPress’s servers. On top of that, there is no authentication required in order to do so. All anyone needs to do is prepend a short URL snippet to any image URL in order to cache an image

    That’s correct. Jetpack’s image CDN, also known as Photon, is a public image CDN. It can cache a copy of any publicly accessible image you feed it, and then generates resized and optimized versions of that image based on your needs.

    In some ways, it is similar to the image CDN you may be used to seeing on Facebook, where image previews of links you share on your newsfeed get cached and generated by Facebook.
    The biggest difference, as you pointed out, is that it is fairly easy to test and see Jetpack’s image CDN in action by prepending a domain before an image URL, while Facebook uses dynamic URLs that are generated for you when you share a post. Here is an example with a picture of my dog:

    https://external-cdt1-1.xx.fbcdn.net/safe_image.php?d=AQFuI5V0WuY13XHG&w=584&h=389&url=http%3A%2F%2Fjeremy.hu%2Fwp-content%2Fuploads%2Fwatson-5818-1.jpg&_nc_oe=6ea08&_nc_sid=06c271&ccb=3-5&_nc_hash=AQERUajaioFXi14F

    they do not even need to be running WordPress in order to do this.

    While you technically can use the image CDN without running WordPress, I should note that this is not something we allow. As mentioned in the technical documentation I linked to earlier, as well as in our support documentation,

    Site Accelerator is only allowed to be used by sites hosted on WordPress.com or on Jetpack-connected WordPress sites. If you move to another platform or disconnect Jetpack from your site, please also switch to another image CDN service. Any abuse of Jetpack or violation of the WordPress.com Terms of Service could result in the suspension of your site from WordPress.com-connected services, including Site Accelerator.

    https://jetpack.com/support/site-accelerator/

    If you know of a site that violates those terms of service, you can report it using this form.

    the original website’s images may no longer rank on search engines while the duplicated images rank.

    This should not be an issue. Jetpack’s image CDN, just like most image CDNs, includes a link to the canonical URL in all images it serves. This allows search engines to only index the original image. You can read more about it here.

    As a result, images hosted by Jetpack’s CDN are not indexed by Google.

    Here is an example, with the same image as for my Facebook example above (notice the link entry in the response):

    $ curl -I https://i2.wp.com/jeremy.hu/wp-content/uploads/watson-5818-1.jpg
    HTTP/2 200
    server: nginx
    date: Tue, 07 Sep 2021 08:54:11 GMT
    content-type: image/jpeg
    content-length: 330207
    last-modified: Tue, 07 Sep 2021 08:54:11 GMT
    expires: Thu, 07 Sep 2023 20:54:11 GMT
    cache-control: public, max-age=63115200
    link: <https://jeremy.hu/wp-content/uploads/watson-5818-1.jpg>; rel="canonical"
    x-content-type-options: nosniff
    etag: "ff9c633a284c2cd6"
    x-bytes-saved: 16850
    vary: Accept
    x-nc: MISS cdg 5
    access-control-allow-origin: *
    access-control-allow-methods: GET, HEAD
    timing-allow-origin: *

    another oversight is that there is no way for Jetpack to purge an entire domain from their image cache so images will remain on WordPress’s servers indefinitely. You can reach out to Jetpack to get them to clear their cache of individual image URLs but considering there may be hundreds of your images currently on their servers that you’re unaware of, this is simply not good enough.

    This is correct, and I can see how frustrating this could be. This is unfortunately not an option at the moment, due to the technical setup of our image CDN infrastructure. If that ever changes in the future, we’ll definitely consider introducing a way for site owners to flush cache for images on their site on their own.

    if whoever is reading this happens to be a victim of image theft due to Jetpack’s plugin, do what we did and block their Photon/1.0 User-Agent on your server to prevent your images from being cached on WordPress’s servers.

    That should indeed work to block your domain’s images from being cached by Jetpack’s image CDN. That may not be enough to block all image theft though, as it will not stop the thieves from hotlinking from your domain directly. To solve that issue, I would recommend setting up hotlink protection on your server so no one can fetch your images outside of your site.

    Of course, the developers of Jetpack seem diligent so if they patch these substantial oversights, I will gladly alter my review accordingly.

    Following our last conversation, one of my colleagues had filed this ticket:
    https://code.trac.www.ads-software.com/ticket/107

    I would recommend adding yourself in cc of that ticket if you’re interested. If we could add HTTP Referrer restrictions to images served via our CDN in some scenarios, that would solve the problem you’re facing.

    ——-

    I hope this clarifies things a bit.
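The reply above shows a one-off `curl -I` and points at the `link: ...; rel="canonical"` entry by eye. The script below is an added example, not part of the thread and not Jetpack's code: it pulls the canonical target out of a response-header dump and compares it with the origin URL a site owner expects. The header block embedded in it is constructed from the curl output quoted above so the script runs offline; in practice you would feed it the output of `curl -sI` against the i2.wp.com URL of one of your own images.

```shell
# Added example (not from the thread): extract the rel="canonical" target
# from a response-header dump and compare it with the origin URL you expect.
# In practice feed it `curl -sI <cdn-url>`; here a sample header block
# constructed from the curl output quoted in the reply is embedded so the
# script runs offline.

# Sample headers, constructed from the thread's curl -I output (trimmed).
SAMPLE_HEADERS='HTTP/2 200
server: nginx
content-type: image/jpeg
link: <https://jeremy.hu/wp-content/uploads/watson-5818-1.jpg>; rel="canonical"
x-content-type-options: nosniff'

# canonical_of HEADERS: print the URL carried by the first Link entry whose
# relation is "canonical" (header name matched case-insensitively, CRLF
# tolerated, comma-separated multi-entry Link headers split), or print
# nothing if no such entry exists.
canonical_of() {
    printf '%s\n' "$1" \
      | tr -d '\r' \
      | grep -i '^link:' \
      | tr ',' '\n' \
      | grep -i 'rel="canonical"' \
      | sed -n 's/.*<\([^>]*\)>.*/\1/p' \
      | head -n 1
}

# check_canonical HEADERS EXPECTED_URL: succeed (exit 0) only if the
# canonical target is exactly EXPECTED_URL, i.e. the copy served by the CDN
# points search engines back at the image on your own domain.
check_canonical() {
    [ "$(canonical_of "$1")" = "$2" ]
}

# Usage against a live URL (network access required; URL taken from the
# reply above, your own image URL goes in its place):
#   check_canonical "$(curl -sI https://i2.wp.com/jeremy.hu/wp-content/uploads/watson-5818-1.jpg)" \
#                   "https://jeremy.hu/wp-content/uploads/watson-5818-1.jpg" \
#     && echo "canonical OK" || echo "canonical missing or wrong"
```

A missing or mismatched canonical is the case a site owner actually cares about, so the check fails closed: no Link header, or a Link header whose `rel="canonical"` target is some other host, both yield a non-zero exit status.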

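The two server-side mitigations the thread arrives at, blocking the Photon fetcher by User-Agent and adding hotlink protection, are shown below for an nginx-served site. This is an added example written for this page; it is not configuration from the thread, from Jetpack, or from WordPress. It assumes the site is example.com, that uploads live under /wp-content/uploads/, and that the fetcher identifies itself with a User-Agent beginning "Photon/" (the thread names Photon/1.0; matching the prefix also covers later version strings).

```nginx
# Added example (not from the thread, and not Jetpack's or WordPress's own
# configuration). Both directives below belong inside the http {} context
# of an nginx config; the site name, paths and User-Agent prefix are
# assumptions for illustration.

# Mitigation 1: flag requests from Jetpack's image fetcher. A User-Agent
# is trivially spoofed, so this stops the well-behaved CDN fetcher only;
# it is not a defence against a determined copier.
map $http_user_agent $is_photon_fetcher {
    default      0;
    "~^Photon/"  1;   # matches "Photon/1.0" and any later version string
}

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com;

    location ~* ^/wp-content/uploads/.*\.(jpe?g|png|gif|webp|svg)$ {
        # Refuse the CDN fetcher outright so no copy is ever cached.
        if ($is_photon_fetcher) {
            return 403;
        }

        # Mitigation 2: hotlink protection, so pages on other domains cannot
        # embed the originals directly. "none" allows requests with no
        # Referer (direct visits, crawlers, privacy tools); "blocked" allows
        # Referers that proxies have stripped. A server-side fetcher sends no
        # Referer and would pass this rule, which is why rule 1 is still
        # needed alongside it. Drop "none" only if you accept breaking
        # direct image links and most crawlers.
        valid_referers none blocked server_names example.com www.example.com;
        if ($invalid_referer) {
            return 403;
        }

        expires 30d;
        add_header Cache-Control "public";
    }
}
```

After reloading nginx, confirm both rules with `curl -I -A "Photon/1.0" https://example.com/wp-content/uploads/test.jpg` (expect 403) and `curl -I -e "https://evil.example/" https://example.com/wp-content/uploads/test.jpg` (expect 403), then a plain `curl -I` on the same URL (expect 200). Note that neither rule removes copies the CDN has already cached; as the reply above says, those can only be cleared per URL by Jetpack support.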
  • The topic ‘Too many oversights make this plugin easily exploitable for image thieves’ is closed to new replies.