David Cameron Law
Forum Replies Created
Forum: Plugins
In reply to: [Display Widgets] Display Widgets Plugin v2.6.3.1 Includes Hacking Code
@abigailm and @torbjornm
I fully understand, every bit of code I consider using is manually checked for potential problems (not just security, also performance as it’s important to Google rankings: I won’t use plugins which use jQuery for example) before it’s installed on a live site: I download the code, check it out in a text editor for anything untoward, run the code on a localhost install (under multiple environments), finally test on a live site I don’t mind losing, monitoring what it does.
You shouldn’t assume because a plugin is in the official WordPress plugin repository it’s safe, it’s only marginally safer than randomly downloading code from a random site. If I spent a few hours specifically looking for problem plugins I’d safely bet I’d find one.
You can see the failings in the system with this plugin, I looked at the code multiple times and was so tunnel visioned on privacy (the tracking code) I missed the hacking code for at least a couple of updates and the code was blatant and obvious and about one scroll below where I was looking at the tracking code! Same with the plugin team, they missed it at least twice after the plugin was removed and checked before being reinstated.
Couldn’t see the wood for the trees comes to mind!
A while back I found an Amazon affiliate plugin in the repo which added the plugin developers affiliate IDs to most of the affiliate links, another one which added a link back to the developers website that was hidden by javascript…. I’m just a WordPress user like you, just so happens I check out every bit of code I’m considering using and when I find a problem go to the trouble of emailing the plugin team.
There are thousands of plugin updates every week, they aren’t checked by the plugin team until someone (like me) emails them on [email protected] to inform them there’s an issue. The plugin repository works on trust and as you’ve seen with this plugin it can go badly wrong.
6 weeks ago this was posted in this support forum: https://www.ads-software.com/support/topic/display-widget-inserted-spammy-links/, the plugin was removed from the repo soon after (I assumed someone had contacted the plugin team direct), a week or so ago the plugin was reinstated with the same hacking code, so I guess it was another issue why the plugin was removed!
I’ve seen this with multiple plugins, an issue is reported in the support forum, but the problem remains weeks/months/years later: I guess no one emailed the plugin team (or there wasn’t a problem). You have to remember in these forums users jump to the wrong conclusion all the time: “I installed plugin XYZ, next day my site was hacked, it was plugin XYZ at fault” (most of the time the user will be wrong).
Had I not got annoyed at @displaywidget on this thread https://www.ads-software.com/support/topic/payday-loans-seo-spam/#post-9478813 I wouldn’t have emailed the plugin team about the hacking code and the plugin would still be live infecting thousands of new sites everyday (there’s still about 50,000 infected sites that need an update).
If you see a problem with a plugin do not assume posting on the support forum will mean the plugin team will see/act on it, email them on [email protected] direct and they’ll look into it: in my experience within 24 hours. They are very responsive, I’ve an email thread related to this plugin with 12 email responses from the plugin team. Give them a week and check if the issue was fixed, if not email again.
I got another response from Otto (plugin team) and he mentioned either rolling the plugin back to v2.05 (with a new version number so users have an update under their Dashboard) or using my v3.0.0 code with the bug fixes. Since the old code was working fine on 200,000+ sites without an update for years he mentioned closing the plugin after the one update.
As I understand things it would mean users would be able to install/update the plugin, but no one would be developing/supporting it (no contributors).
I’m surprised they haven’t already rushed this out and forced an update, there’s around 50,000 sites running hacked code, the old developer will be still posting SPAMMY links to these sites (damaging their Google rankings) and could be adding backdoors to those sites for future hacking: every hour that passes could mean more sites compromised to a degree where they need a full security audit.
This is a SEVERE holy crap security issue and should be treated as such.
If concerned about my v3.0.0 code you could also downgrade to v2.05 https://downloads.www.ads-software.com/plugin/display-widgets.2.05.zip (that’s the official WordPress Plugin Repository source: there’s no security issues with it), that version was on 200,000+ sites (probably still running on over 100,000 sites) with only minor bug issues for years (see this forum for issues).
Forum: Plugins
In reply to: [Display Widgets] Display Widgets Plugin v2.6.3.1 Includes Hacking Code
Received a response from Otto (the plugin team) regarding the 3.0.0 update zip file I made/sent them.
They don’t want it: he wrongly thought I was asking to take control of this plugin: no thanks, don’t trust the forum moderators to be fair, so can’t offer long term support here (can I be moderated for saying I don’t trust the moderators to be fair for example???).
Since the repository don’t want my v3.0.0 update I’ve uploaded it to https://stallion-theme.co.uk/display-widgets-plugin-review/ (zip file link near the top).
It’s a direct update from the 2.05 code so it does NOT include any of the code added by the now banned contributor @displaywidget and will use your current Display Widget settings.
The main bug fix is with transients, there was a mistake in which filter was used to refresh the transient cache.
Also cleaned the code a little, the 2.05 code had a bunch of &’s added to some of the code to suppress error messages: shouldn’t suppress error messages, you should fix the issue.
And added one small feature I took from the Display Widgets SEO Plus Plugin code which was a requested feature by a plugin user https://www.ads-software.com/support/topic/new-feature-request-widget-name-and-display-name/
This was a really quick update, there’s still issues with the WPML language plugin support (I fixed these in the Display Widgets SEO Plus version), but it would have taken a lot more time to add those fixes.
You shouldn’t need any support for the 3.0.0 update, but if you do post it at https://stallion-theme.co.uk/display-widgets-plugin-review/.
If a new developer takes control of this plugin start with above v3.0.0 so my code is overwritten when you push your first update and feel free to use my v3.0.0 code as your starting point.
Forum: Plugins
In reply to: [Display Widgets] Display Widgets Plugin v2.6.3.1 Includes Hacking Code
When I was moderated here I got really annoyed and removed all my plugins from the repository (I was REALLY annoyed, I tried to help people and got moderated for my trouble!!!): I’ve lost some trust in the WordPress team over this and haven’t decided what to do with the Display Widgets SEO Plus Plugin so currently it’s not available.
Otto (from the plugin team) emailed me. The @displaywidget developer has been banned from the WordPress site and won’t be given another chance (finally). This means the Display Widgets Plugin is officially closed.
This unfortunately means there’s tens of thousands (I think more than 50,000!) of WordPress sites running the hacking code (v2.6.*) and won’t even know there’s a problem!!!
I’ve run out a quick update for the plugin v3.0.0 which is the v2.05 code (that was the last good version before @displaywidget bought it and started adding malicious code) with a few bug fixes and also added the ability to hide widget titles (one of the Display Widgets SEO Plus Plugin users requested the feature).
I’ve sent the update to the plugin team, it’s up to them if they use it. If not I’ll upload it to https://stallion-theme.co.uk/display-widgets-plugin-review/ but that would mean users would have to use FTP to update and most of the 200,000+ active installs won’t update that way, so there would still be a lot of hacked sites.
Forum: Plugins
In reply to: [Display Widgets] Display Widgets Plugin v2.6.3.1 Includes Hacking Code
The Display Widgets Plugin v2.6.3.1 has been removed from the plugin repository.
If you run any version above 2.05 your site is at risk, the hacking code was added during version 2.6.1-
https://plugins.svn.www.ads-software.com/display-widgets/tags/2.6.1/geolocation.php
https://plugins.svn.www.ads-software.com/display-widgets/tags/2.6.2/geolocation.php
https://plugins.svn.www.ads-software.com/display-widgets/tags/2.6.2.1/geolocation.php
https://plugins.svn.www.ads-software.com/display-widgets/tags/2.6.3/geolocation.php
https://plugins.svn.www.ads-software.com/display-widgets/tags/2.6.3.1/geolocation.php
It’s in all those versions.
And the 2.6.0 code added the huge private server download, so the only safe version is 2.05 https://downloads.www.ads-software.com/plugin/display-widgets.2.05.zip which is the version before @displaywidget bought this plugin from the original developer.
Still can’t get over the WordPress plugin team have reinstated this plugin three times, how many times before they remove @displaywidget as a contributor? He can’t be trusted.
Forum: Plugins
In reply to: [Display Widgets SEO Plus] Not Showing in Plugin Search – can’t install?
I removed the plugin from the repository, see https://www.ads-software.com/support/topic/plugin-removed-from-repository-3/. When a plugin is removed the support forum remains, but the Description page etc… is no longer available which is why you can’t find it via a search.
Currently there isn’t a download available, I’ve been too busy to decide what to do with my plugins (removed them all) in the future.
Forum: Plugins
In reply to: [Subscribe To Comments Reloaded] Class Hidden Results in Hidden Form, Why?
I sort of understand what you are aiming for, but the hidden class CSS is added by the plugin by default so it’s always hidden?
The “https://stallion-theme.co.uk/wp-content/plugins/subscribe-to-comments-reloaded/includes/css/stcr-plugin-style.css” file from “/subscribe-to-comments-reloaded/includes/css/stcr-plugin-style.css” is loaded (by default?) which means the relevant form code is hidden no matter what the user wants to output.
The problem occurred a while back during an update, but I was too busy to troubleshoot so downgraded. Yesterday I upgraded to the latest version, the notify form etc… was hidden so I looked into it. Easy fix was remove the hidden CSS class from the “/subscribe-to-comments-reloaded/wp_subscribe_reloaded.php” file.
If you view an example post on my site https://stallion-theme.co.uk/how-to-install-free-ssl-certificates-using-letsencrypt-and-certbot/ the hidden class has been removed (I modified the “wp_subscribe_reloaded.php” file otherwise there’s a hidden CSS class in the code).
View my minified CSS file https://stallion-theme.co.uk/wp-content/cache/minify/eeed6.css (using W3Total Cache to combine and minify CSS files) and at the top is the “.hidden{display:none !important}” class from the “stcr-plugin-style.css” file.
Unless I’m missing something for the plugin to work without modifying the code, either the “hidden” class needs removing from the “wp_subscribe_reloaded.php” file or the “stcr-plugin-style.css” file can’t be enqueued by default.
Options set:
Show StCR checkbox / dropdown - yes
StCR Position - yes
Am I correct in assuming those are the right settings for a site running custom comment form code? The theme used (Stallion Responsive) is available at https://stallion-theme.co.uk/stallion-responsive-theme/ (there’s links to zip files). Runs in demo mode without a license, but the comment output isn’t any different whether in full or demo mode.
Thanks.
[ Signature moderated ]
Glad you like the plugin’s BuddyPress support.
Just tested the settings in the screenshot (with a Text widget) and it worked as expected.
Could it be you are seeing the cache?
Try CTRL F5 when viewing a page which should show the widget to force a refresh. Since it’s the search pages you can also try new searches, if you search for a phrase you’ve never searched for before there shouldn’t be a cache.
Try emptying your browsers cache (under the browsers options).
If you use a caching plugin try emptying/rebuilding the plugins cache.
If still not working am I interpreting your title “Widget not showing at first page of all search results” to mean it’s not showing on Page 1, but is working on Pages 2,3,4…? That would be strange.
Is the URL format of your search results similar to:
domain.com/?s=searchphrasehere
? If it’s something else are you using a plugin which does something to search results?
David
I don’t see any comment about my behavior being reprehensible, nice paraphrasing!
It’s WordPress’s support forum, so I have no issue with them saying what they said or closing topics etc…
Rather than speculate on your intentions or try to get you to fix the privacy issues I’ll give you a few days to see if your research points you in the right direction, if not I’ll take any further concerns direct to the ICO for them to deal with.
Oh, one last very important thing for you and your users (my earlier comment regarding being banned by Google), go research Google Geo-distributed crawling.
For example:
Googlebot uses well-established IP addresses that appear to come from the United States. With geo-distributed crawling, Googlebot can now use IP addresses that appear to come from other countries, such as Australia.
It’s a risk assuming Googlebot only connects with a US IP.
[ Signature moderated ]
@displaywidget
User agent is sent as we auto block all GoogleBot/Bing etc to stop un-necessary API calls.
Oh boy, are you trying to get your Display Widget users sites banned from Google!
By blocking Googlebot you (or to be more precise Display Widget users) are serving Google different content than the visitors see!
Have you considered turning this into a blackhat SEO tool, the blackhat SEO community would love this for serving Google different content?
- This reply was modified 7 years, 2 months ago by Jan Dembowski.
Privacy is a can of worms and with a potential 200,000+ users that’s potentially billions of data points, you really should be on top of this and not making it up as you go along. Have you read and complied with this: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
Also see: https://webarchive.nationalarchives.gov.uk/20100402111239/https://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/collecting_personal_information_from_websites_v1.0.pdf for example:
Some IP addresses are ‘static’, and these are different. Like some cookies, they can be linked to a particular computer which may then be linked to an individual user. Where a link is established and profiles are created based on static IP addresses, the addresses and the profiles would be personal information and covered by the Act. However, it is not easy to distinguish between dynamic and static IP addresses, so there is limited scope for using them for personalised profiling.
I note you completely ignored how you informed me you were tracking my visit and how you gained my consent! Obvious why you didn’t answer, you don’t have a way to gain my consent etc…
For the record this is the Display Widget plugin users responsibility to inform/gain consent, not yours, but your terms suggest it’s your responsibility. You need to pass that responsibility on to the site owners, they will require their own privacy policy indicating their data is tracked by a third party (you).
It’s the equivalent of adding AdSense ads (or other Google products which track user data), the site owner needs a privacy policy like this one: https://stallion-theme.co.uk/privacy-policy/ I link to that one from all my sites, the top and bottom line changes depending upon where you visit from, saves me having to have a privacy page for every site (I own over 100 domains). I even have my premium theme users linking to that privacy policy (the theme has multiple ad platforms built in) so they don’t need their own, there’s thousands of sites linking to it. Yes, I’m giving you a hint of how to solve this issue.
If I used the geolocation tracking widget logic I’d add that GeoIP2.io is tracking my visitors data to the above privacy policy.
I’d still like to see a copy of your policies and practices relating to the management of my information. I’m assuming you’ve gone to the trouble of creating a policy? You are legally required to have one as you are tracking user data which can be personally identifiable: some IPs can be tracked to house address and with the data tracked you are building a profile of the visitor. If someone is looking at porn they don’t want you to have that information, especially if you don’t have a privacy policy of how you manage their data!
If you are ONLY using the IP address and site URL why are you collecting:
IP Address
Webpage Visited
Site URL
User Agent
etc…
If you only collected IP and site URL you can achieve geolocation tracking by country AND check sites for excessive usage.
From a monetary perspective the data (IP + site URL visited) doesn’t have much value and though still a privacy issue it’s understandable to track that information.
Update the plugin to only track what you need and not the additional (valuable) data which can be used to build a profile. This would suggest you aren’t trying to collect valuable user data, leave as is and you pretty much confirm you bought a plugin with 200,000+ active users to mine their visitors data for monetary gain.
You need to be very careful with this, you don’t want to have any ICO complaints made against you. I recently reported a UK business to the ICO for email SPAMMING me
Forum: Plugins
In reply to: [Display Widgets SEO Plus] Display Widgets SEO Plus Vs Display Widgets
If you wish to switch from the Display Widgets plugin (any version) to the new Display Widgets SEO Plus Plugin (any version: I suggest the latest version 3.0.0) the easiest way is:
Under your “Dashboard” >> “Plugins” deactivate the Display Widgets Plugin.
Under your “Dashboard” >> “Plugins” >> “Add New” : Use the Search form to find the Display Widgets SEO Plus Plugin – searching for “Display Widgets” will list it near the top.
Install and activate the Display Widgets SEO Plus Plugin like you would any plugin.
Can also do this via FTP, download the latest Display Widgets SEO Plus Plugin zip file (currently v3.0.0), extract on your PC. Upload (via FTP) the /display-widgets-seo-plus/ folder to your /wp-content/plugins/ folder and under “Dashboard” >> “Plugins” deactivate the “Display Widgets” plugin and activate the “Display Widgets SEO Plus” plugin.
Go to “Appearance” >> “Widgets” and check any widgets with these old Display Widgets options, the info below is direct from the FAQ-
Display Widgets SEO Plus uses the same database names etc… for some of the old Display Widgets v2.05 options, though some have been split into two options, so when switching to Display Widgets SEO Plus it’s recommended you check each widgets settings.
Some of the old 2.05 options under “Miscellaneous +/-” have been split into two options. If you have
“Miscellaneous +/-” – “Archives” Ticked
“Miscellaneous +/-” – “Single Post” Ticked
“Miscellaneous +/-” – “Search” Ticked
You will find the new Display Widgets SEO Plus options:
“Content Types +/-” – “All Archives – Pages 2,3,4…” is Ticked
“Content Types +/-” – “All Posts – Pages 2,3,4…” is Ticked
“Content Types +/-” – “All Search Results – Pages 2,3,4…” is Ticked
You would be missing Page 1 of the set, to replicate the original 2.05 options set these to ticked:
“Content Types +/-” – “All Archives – Page 1 Only”
“Content Types +/-” – “All Archives – Pages 2,3,4…”
“Content Types +/-” – “All Posts – Page 1 Only”
“Content Types +/-” – “All Posts – Pages 2,3,4…”
“Content Types +/-” – “All Search Results – Page 1 Only”
“Content Types +/-” – “All Search Results – Pages 2,3,4…”
The Display Widgets v2.05 “Categories +/-” options have changed in the new plugin.
The “All Categories” option has been removed and replaced with two options:
“Content Types +/-” – “All Category Archives – Page 1 Only”
“Content Types +/-” – “All Category Archives – Pages 2,3,4…”
The list of Categories ticked under “Categories +/-” in Display Widgets 2.05 will still be ticked under “Categories +/-” of the new plugin, but you will need to set an additional option (a dropdown selection form) of what you want to happen in those selected Categories.
These are the new “Categories +/-” settings:
Category Page 1 and All it’s Posts
Category Pages 1,2,3… and All it’s Posts
Category Page 1 and NOT it’s Posts
Category Pages 1,2,3… and NOT it’s Posts
Categories Posts ONLY Page 1
Categories Posts ONLY Pages 1,2,3…
Rather than one Categories option, we have six.
The remaining Display Widgets v2.05 options are pretty much the same as the corresponding Display Widgets SEO Plus options, though some have different names and the Language options (for the WPML language plugin) work correctly (partially broken in the old plugin v2.05).
For most sites it’s going to be a case of quickly checking if one of the settings under “Content Types +/-” is only set to “….. – Pages 2,3,4…” and if it is tick the corresponding “….. – Page 1 Only” option. And checking if you need to set an option for categories selected.
When happy everything is working correctly you can safely delete the old Display Widgets plugin folder either using FTP or under your Dashboard via the “Plugins” menu. Deleting the Display Widgets plugin folder or the Display Widgets SEO Plus Plugin folder won’t delete any of the widget options (they are safely stored in the WordPress database).
Forum: Plugins
In reply to: [Display Widgets SEO Plus] Display Widgets SEO Plus Vs Display Widgets
I’m the developer of the Display Widgets SEO Plus plugin https://www.ads-software.com/plugins/display-widgets-seo-plus/ which I’ve just (minutes ago) updated to version 3.0.0. Thanks for using my plugin, by upgrading you’ve avoided a bit of an update disaster.
Display Widgets SEO Plus is built from the old Display Widgets v2.05 code found here https://downloads.www.ads-software.com/plugin/display-widgets.2.05.zip (that’s relatively stable code 200,000+ sites have been using for years).
In November 2016 I used the v2.05 code to build a forked (new) plugin (called Display Widgets SEO Plus), this includes bug fixes and new features not fixed/added to v2.05 or the recent 2.6.* Display Widgets plugin updates.
Although Display Widgets SEO Plus v3.0.0 will use your current Display Widgets v2.05, 2.6.0, 2.6.1 and 2.6.2 settings (other than the geolocation widget logic options that tracks your visitors!) the two plugins in feature terms are beginning to diverge.
I would suggest if you plan to upgrade your remaining Display Widgets site to this plugin, do it now.
I’m concentrating on adding new widget logic options like support for all the core conditions (is attachment, is singular, is page, is post etc…) and bbPress, BuddyPress, WPML plugin support (Woocommerce plugin support next).
The new Display Widgets plugin developer appears to be moving into the tracking your visitors rather than adding useful widget logic features.
Personally I wouldn’t install the Display Widgets plugin versions 2.6.0, 2.6.1 or 2.6.2 on a live site, they track your visitors data and are bug ridden. If you plan to stay with the Display Widgets plugin I would strongly advise downgrading to the old plugin v2.05 at https://downloads.www.ads-software.com/plugin/display-widgets.2.05.zip and never update.
Or if you want what Display Widgets v2.05 offered with bug fixes and more widget logic options upgrade to Display Widgets SEO Plus v3.0.0.
I also extensively test my updates on a dozen plus live sites and half a dozen localhost test environments with strict error reporting enabled to avoid the sort of mess the Display Widgets v2.6.1 update just created: take a look at the Display Widgets support forum: https://www.ads-software.com/support/plugin/display-widgets (what a mess).
I’m surprised anyone is sticking with the new Display Widgets developer, he/she is making a mess of what used to be a great plugin.
David
Forum: Plugins
In reply to: [Display Widgets] How do we get updates and support with new owner?
@displaywidget wrote…
My hosting provider, of course, has apache log Enabled, so technically yes, they/i have access to IP addresses of those using service. But if you explain to me how I can monetize this, I will do it because I haven’t found a way to turn an apache log into cash haha. This seems to be what other users are suggesting here, but clearly it’s not the case. Why do I collect also website URL? Because I want to run analytics on this information and see if some websites are abusing of this FREE service, and maybe implement a blacklist, or eventually do something where those who exceed a certain amount of requests will need to purchase a license directly from IP2Location. See where I’m going with this? Also because, again, what else could I do with this information? If you explain how I can make money by just collecting IP and URL, please tell me… I have a big family to feed
Are you relatively new to how websites work?
I ask because if what you wrote earlier and above is honest you are seriously naive.
Had your first update (v2.6) remained live and lets say half the 200,000 Display Widget users had upgraded the plugin (the first one you connected to https://w-p.io*) would have been contacted for every pageview from those 100,000 websites!!!!
* Why did you change from connecting to https://w-p.io in v2.6 to connecting to https://geoip2.io in 2.6.1 and 2.6.2?
That could be tens of millions of pageviews a day. For example if the average Display Widget user site generates only 100 pageviews a day, that’s 10,000,000 connections to your webhost everyday for no monetary gain.
I hope your webhost is either very understanding or you have deep pockets!!!!
Pull out a calculator and please do some basic calculations.
Or put another way you’ve gathered data from 10,000,000 pageviews from 100,000 websites in a 24 hour period or the data from 3,650,000,000 (3.65 billion) pageviews in a year without having to pay the website owners for their valuable user data! Realistically the average site is going to generate significantly more than 100 pageviews a day, collecting billions of data points is the foundation of a serious business.
If you are being truthful and are a naive plugin developer who is using a standard webhosting package your domain would go down for misuse of resources.
For those who care about Google rankings, consider Google takes pagespeed into account, having to connect to an external server slows a site down and can have an impact on Google rankings. What happens to the connection if your server goes down or has connection issues? Do I see a 10 second timeout** setting in the code, do you think waiting 10 seconds for a connection in 2017 is acceptable?
** If the new plugin developer stops maintaining this plugin and he/she lets the https://geoip2.io domain expire, the Display Widgets plugin 2.6.1 and 2.6.2 code might (I didn’t check in detail what would happen) wait 10 seconds before determining the URL doesn’t exist potentially hanging your site for that amount of time. It’s rarely ever a good idea to set a timeout at 10 seconds.
On a practical perspective what happens to the widgets if the site can’t connect to https://geoip2.io to check the API? Will the widgets be shown/hidden for countries not set???
If you use the IP tracking feature of the Display Widgets plugin versions 2.6, 2.6.1, 2.6.2 run your site through services like these with the feature enabled and disabled:
https://developers.google.com/speed/pagespeed/insights/
https://gtmetrix.com/
https://tools.pingdom.com/
To see if it’s slowing you down (compare the enabled/disabled results). If you keep using the feature recheck in a month’s time when more users are hammering the plugin developer’s webhost.
You are collecting unnecessary user data.
Had you only tracked the IP address it has no serious value and would allow the country specific functionality to work (you don’t need the site URL, page URL or the user agent for that functionality).
You say you only store the tracking data in your normal weblogs, but Display Widget users (and WordPress) have to take your word for that and now you are implying you didn’t buy the plugin when you did (why would anyone trust your word?). No one (other than you) knows what the script the tracking data is running through is doing with the data, it would be child’s play to collate and store it for future use/sale.
There’s a major trust issue here, no one knows who you are, you’ve only been on WordPress a month or so and the only info we have on you is these two domains: https://geoip2.io/ and https://w-p.io/ and you were willing to buy the Display Widgets plugin from the original developer which you are now implying you didn’t buy! Why are you trying to cast doubt on how you obtained control of the plugin?
You could provide some information about yourself helping users decide if you are trustworthy.
Who are you?
You mention creating other plugins, which ones?
You say you’ve used the plugin on your sites for years, which sites?
Why should Display Widget users trust you with their visitors valuable user data?
Add some details to your WordPress profile so we can check out who you are.
The WordPress plugin repository runs on trust, after the initial release of a plugin (WordPress checks the code) we (plugin developers) are trusted on future updates (they aren’t checked/tested) meaning as plugin developers we can do anything we like: we could upload code to destroy a users site for example!!!
It’s WordPress users like me who self-police the repository for plugins breaking the rules. I’ve reported half a dozen plugins over the past 10 years (including your code twice) for breaking the rules.
If you see something in a theme/plugin (that’s in the repository) you think is iffy, email the plugin repository at [email protected] (they appreciate AND act on the feedback).
By tracking IP (country, region and possibly city and even more detailed location data) and tracking the page the visitor is on you have the potential to collect and store valuable data.
You will have where people are visiting a site from (country, region, city, potentially even zip code***).
The visitors user agent (how they are connecting).
When they are visiting a specific webpage.
The webpages viewed on a Display Widgets site.
The total number of visitors to a specific webpage.
The total number of visitors to a site.
*** We don’t know which package you have from https://www.ip2location.com/buy if you are paying for the more expensive packages you get some seriously useful data – IP-Country-Region-City-Latitude-Longitude-ZIPCode-TimeZone-ISP-Domain-NetSpeed-AreaCode-Weather-Mobile-Elevation-UsageType Database
That data has significant value. Also Display Widget users have to rely on you buying a new license every year, minimum license fee $50. What happens if you decide to stop paying?
I was an SEO consultant for ~12 years, some SEO’s pay for that sort of data on a competitors site. An SEO could analyse which webpages are popular, where they are visiting from etc… It’s the equivalent of giving partial access to a websites log files, about the only important metric that’s missing is how the visitor got to the site (direct visit, search engine)!!!
Also gives you data about the popularity of those websites, if you know how many visitors a site generates you have data which can be used in making deals for backlinks, guest posts, purchasing a site…
Add to all this tracking you now add a responsibility on the Display Widget users to add a privacy statement to THEIR sites indicating a third party (you) are tracking their users data, otherwise they’ll fall foul of various privacy laws (recent EU laws for example).
I note in the 2.6.2 code you’ve linked to your T&C page at https://ps.w.org/display-widgets/assets/tc.html which includes:
We will collect website information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned. Before or at the time of collecting such information, we will identify the purposes for which information is being collected. We will collect and use such information solely for fulfilling those purposes specified by us and for other ancillary purposes, unless we obtain the consent of the individual concerned or as required by law. Website data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date. The following data is currently collected for analysis and in order to optimize GeoIP2.io’s performance:
Website and Page URL – Collected to track service usage by Country, Region and Domain; we reserve the right to blacklist certain domains that exceed reasonable service usage
Visitor’s User Agent and IP Address – Required to determine Visitor’s Country of origin
How are you gaining consent of the visitors whose data you are collecting?
How are you “identify(ing) the purposes for which information is being collected”?
I don’t see anything in the code that gives Display Widget users the ability to inform their visitors you are collecting data and I don’t see an opt out (where’s the consent)?
At best you only have the consent of the Display Widget user (the site owner), not the actual visitor to said site (it’s the visitor whose consent you require). To meet the above T&Cs the Display Widget plugin users would have to add a privacy page mentioning a third party (you) is tracking the data. When/how do you plan on letting users know they need a privacy page if they use this new feature?
Display Widget users would have to add a privacy page like mine https://stallion-theme.co.uk/privacy-policy/ which I add because I use ad platforms like AdSense and they track data: see the “Third Party Advertisements” section.
which will also send these advertisers (such as Google through the Google AdSense program) information including your IP address, your ISP , the browser you used to visit our site, and in some cases, whether you have Flash installed. This is generally used for geotargeting purposes
I see you “track service usage by Country, Region and Domain”, so you are tracking to at least region.
You don’t need the user agent to determine country, you just need the IP.
Oh and in localhost testing I couldn’t get the geolocation tracking to work. I’m in the UK, set a widget to show on en-gb (also tested gb, GB, en-gb, EN-GB, GBR, gbr since the list at https://www.nationsonline.org/oneworld/country_code_list.htm doesn’t match the format listed on the widget (on the widget it says use en-gb)) and it didn’t load when viewing the relevant page. Tried it with only setting gb, GB, en-gb, EN-GB, GBR, gbr (nothing else ticked) and tried things like ticking front in case it required two options (front page when gb, GB, en-gb, EN-GB, GBR, gbr).
David
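The check the post above walks through by hand (which external host a plugin calls, what visitor data goes with the request, and how long the site will wait for a reply), sketched as an added example that is not part of the original post and not code from any plugin named here. The PHP sample is constructed; `wp_remote_get`/`wp_remote_post` and their `timeout` argument are WordPress HTTP API names, while the host `geo.example`, the 5-second threshold and all function names are assumptions.

```python
import re

# Constructed sample, NOT code from any real plugin: a function that sends
# visitor data to a third-party host on every call, with a long timeout.
SAMPLE_PHP = r"""<?php
function dw_lookup_country() {
    $args = array(
        'timeout' => 10,
        'body'    => array(
            'ip'   => $_SERVER['REMOTE_ADDR'],
            'ua'   => $_SERVER['HTTP_USER_AGENT'],
            'page' => $_SERVER['REQUEST_URI'],
            'site' => get_site_url(),
        ),
    );
    $response = wp_remote_post( 'https://geo.example/api/lookup', $args );
    return wp_remote_retrieve_body( $response );
}

function dw_local_only() {
    return get_option( 'dw_settings' );
}
"""

# Outbound request primitives worth a manual look.
HTTP_CALLS = re.compile(
    r"\b(wp_remote_(?:get|post|request|head)|curl_init|fsockopen)\s*\(")
URL_HOST = re.compile(r"""['"]https?://([^/'"\s]+)""")
TIMEOUT = re.compile(r"""['"]timeout['"]\s*=>\s*(\d+(?:\.\d+)?)""")
FUNC_START = re.compile(
    r"^[ \t]*(?:(?:public|private|protected|static)\s+)*function\s+(\w+)", re.M)

# Data sources the post lists as being collected.
VISITOR_DATA = {
    "visitor IP": re.compile(
        r"\$_SERVER\s*\[\s*['\"](?:REMOTE_ADDR|HTTP_X_FORWARDED_FOR)['\"]"),
    "user agent": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]"),
    "page URL": re.compile(
        r"\$_SERVER\s*\[\s*['\"](?:REQUEST_URI|HTTP_REFERER)['\"]"),
    "site URL": re.compile(
        r"\b(?:get_site_url|site_url|home_url|get_home_url)\s*\("),
}


def split_functions(php):
    """Yield (name, source) chunks: file-scope code, then one per function."""
    starts = list(FUNC_START.finditer(php))
    bounds = [0] + [m.start() for m in starts] + [len(php)]
    names = ["<file scope>"] + [m.group(1) for m in starts]
    for name, lo, hi in zip(names, bounds, bounds[1:]):
        yield name, php[lo:hi]


def audit(php, max_timeout=5.0):
    """Report every chunk that makes an outbound request.

    max_timeout is an assumed review threshold in seconds. This is regex
    triage to direct a manual read, not a PHP parser: obfuscated or
    dynamically built calls will not be seen.
    """
    findings = []
    for name, body in split_functions(php):
        calls = sorted({m.group(1) for m in HTTP_CALLS.finditer(body)})
        if not calls:
            continue
        timeouts = [float(t) for t in TIMEOUT.findall(body)]
        findings.append({
            "function": name,
            "calls": calls,
            "hosts": sorted(set(URL_HOST.findall(body))),
            "sends": [k for k, rx in VISITOR_DATA.items() if rx.search(body)],
            "timeout": max(timeouts) if timeouts else None,
            "slow": any(t > max_timeout for t in timeouts),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PHP):
        print(f"{f['function']}: {', '.join(f['calls'])} -> {f['hosts']}")
        print(f"  sends: {', '.join(f['sends']) or 'nothing matched'}")
        print(f"  timeout: {f['timeout']}s{' (over threshold)' if f['slow'] else ''}")
```

Run it over each `.php` file of a plugin before and after an update; a new host or a new entry under `sends` is the kind of change that warrants reading that function line by line.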
Forum: Plugins
In reply to: [Display Widgets SEO Plus] Custom Post Types Not Showing Widget
Glad you got it working and thanks for letting me know.
David
Forum: Plugins
In reply to: [Display Widgets] How do we get updates and support with new owner?
Are you saying you didn’t buy the Display Widgets plugin?
If you didn’t buy it I’d be interested to hear how you got access.
David