Interview with Wojtek Kosior regarding WordPress cleansing.

Also known as Koszko, Wojtek is a software freedom proponent from Poland. He is an Informatics graduate of the AGH University of Science and Technology in Kraków. We asked him to help us eliminate, or at least reduce, the amount of proprietary code on our WordPress website.

He has experience in many programming languages. JavaScript is one he has been hacking on a lot recently. PHP, on the other hand, is one of the tools he will be using to help us here.

Wojtek’s own disclaimer : The below solutions are somewhat hacky. Some of them may break upon a mere theme update.


“How can we cleanse all our WordPress from the bad-stuff ?”

We humbly asked...

Wojtek goes on saying :

For some things we’ll need to either modify your WP (WordPress) theme… or create a child theme that inherits from it. You can find some tutorials for writing themes online.

In my case I had the “Twenty Sixteen” theme installed. I created a child theme inheriting from it. A general overview of the steps is:

  • create some directory to develop the child theme in,
  • create “style.css” inside it and put the theme’s metadata in it,
  • add “functions.php” and other files to the theme according to your needs,
  • wrap the theme’s directory in a zip file,
  • go to your WP administration panel, and in the themes manager choose to upload your child theme to the server,
  • enable your newly-installed theme and see if it works correctly.

In “style.css” I put the following :

/*
Theme Name: Twenty Sixteen Child
License: Creative Commons Zero 1.0
Template: twentysixteen
Version: 1.8
*/

Another file that is very useful is “functions.php”. In my case it looks like this:

<?php
// Load the parent theme's stylesheet explicitly: once a child theme is active,
// get_stylesheet_uri() points at the child's style.css, so the parent's CSS
// would otherwise not be enqueued.
add_action('wp_enqueue_scripts', 'twentysixteen_child_enqueue_styles');
function twentysixteen_child_enqueue_styles() {
    wp_enqueue_style('twentysixteen-style', get_parent_theme_file_uri('/style.css'));
}

/*
 * Various function definitions and statements come here, only some of them
 * directly related to making WP ethical.
 */

// No closing "?>" tag: any whitespace after it would be sent to the browser
// before WordPress emits its HTTP headers.

OK, let’s get to work. First, we can get rid of Google fonts. They are third-party resources loaded from Google’s servers upon a user’s visit to the site. As such, they serve as Google’s powerful user-tracking tool. WP enables them by default (even in its Debian package, which I have been using; shame).

I was able to disable them by adding the following to “functions.php”

// Priority 20 runs after the parent theme's own enqueue callback (priority 10),
// so the 'twentysixteen-fonts' handle already exists when we dequeue it.
add_action('wp_enqueue_scripts', 'lbp_twentysixteen_child_dequeue_google_fonts', 20);
function lbp_twentysixteen_child_dequeue_google_fonts() {
    wp_dequeue_style('twentysixteen-fonts');
}

I think I recall that this removed most but not all Google fonts from the site, and that I ended up applying some CSP rules for font blocking in addition to using my custom child theme.

I might be mistaken here, but nevertheless I ended up appending the following line to /usr/share/wordpress/.htaccess:

Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:; font-src 'self' 'unsafe-inline' data:; connect-src 'self';"

I suppose you know what this does. If not, you can look up “Content Security Policy” and “.htaccess”. Here I added more rules than needed to merely block remote fonts. The “connect-src” piece would effectively break all features that integrate with other sites. This is perfect for users’ privacy but I admit it’s not suitable for every site.

The .htaccess to modify (or maybe even create?) is just inside the WP installation’s root directory. It might be something different than /usr/share/wordpress if you didn’t install from an APT package as I did.

One might be worried that blocking remote fonts will break something on the site. I don’t recall anything bad happening in my case, but I haven’t tested the solution extensively, either. If you experience some issues, we can look into them together.

Second issue is that WP does not communicate its JavaScript license to site visitors. What if someone wants to avoid nonfree JS (everybody should)? A perfect solution would be to make the site compliant with GNU LibreJS.

This seemed hard to approach, though. That’s why I resorted to just adding a footer notice stating that the page’s JS is free/libre software (it really is, as long as we’re not using unofficial plugins or themes).

I achieved this by copying over “footer.php” from the parent WP theme (located under /var/lib/wordpress/wp-content/themes/twentysixteen/ in my case) to my child theme and modifying it… I know, it’s a brutal way. Perhaps you’ll find a better one (a plugin must exist…). If not, this is what I changed in the file: I replaced the following code at the bottom

<a href="<?php echo esc_url( __('https://wordpress.org/', 'twentysixteen')); ?>" class="imprint">
    <?php printf( __('Proudly powered by %s', 'twentysixteen'), 'WordPress'); ?>
</a>

With something along the lines of

Ethical website powered by
<a href="<?php echo esc_url( __('https://wordpress.org/', 'twentysixteen')); ?>" class="imprint">
    WordPress</a>.

<a href="<?php echo esc_url( __('<HERE WENT LINK TO A SEPARATE PAGE EXPLAINING JS ISSUES>', 'twentysixteen')); ?>" class="imprint">
    The JavaScript code used is Libre Software.
</a>

Another thing that annoyed me with WP was that when I logged in to the dashboard, it would show me a dashboard widget with WP news and information about WordPress events. Since IIRC it was causing third-party connections from the browser, I wanted to disable it. I found a ready-made solution that involved adding the following to “functions.php”:

/*
 * https://github.com/dimadin/disable-wordpress-events-and-news-dashboard-widget/blob/master/disable-wordpress-events-and-news-dashboard-widget.php
 * Author: Milan Dinić
 * License: GPL (whatever that is supposed to mean...)
 */

// Remove the "WordPress Events and News" widget (meta box id "dashboard_primary")
// from the site, network and user dashboards.
function dweandw_remove() {
    remove_meta_box('dashboard_primary', get_current_screen(), 'side');
}
add_action('wp_network_dashboard_setup', 'dweandw_remove', 20);
add_action('wp_user_dashboard_setup', 'dweandw_remove', 20);
add_action('wp_dashboard_setup', 'dweandw_remove', 20);

Note that this only affects users who are logged in to the site. Mere visitors don’t see the dashboard.

Another issue was the post editor, which did not work without JS. Like the previous issue, this one only affects logged-in users (assuming the configuration forbids anonymous users from posting). It might seem irrelevant given that there’s already a way to add a JS license notice to the site… But I wanted the editor to be functional without JS anyway. After all, script-less browsing is safer. Why make it impossible?

Here, the solution was simple. I just installed the “Classic Editor” plugin from the admin panel. I hope it’s still well supported nowadays…

Last but not least, on my WP page I disabled Gravatar. IIRC it can be done from the admin panel (is it called the dashboard formally?). I don’t have any proof that it is actually an unethical service. But I did not make use of it and it was causing third-party connections. Why keep it on in such a case?

I explained the things needed to make a fresh WP install more freedom-friendly. Unfortunately, it seems ushby.org also uses some plugins that cause concerns…

Finding and describing a replacement for each one would be a chore. I’ll instead just make a quick list for now. The following are third-party domains ushby.org currently integrates with.

  • askubuntu.com
  • fonts.googleapis.com
  • google.com
  • googlesyndication.com
  • googletagmanager.com
  • gstatic.com
  • paypalobjects.com
  • stackexchange.com
  • w.org

AskUbuntu.com and StackExchange.com are just images. It would perhaps be slightly more privacy-friendly to have them hosted under ushby.org. I don’t know how that widget was added technically, so I don’t know if it is possible to change this easily. Anyway, the images are not a big deal.

fonts.googleapis.com was already discussed, next.

google.com is from reCAPTCHA which must have been added to WordPress with some plugin. Since reCAPTCHA is nonfree software and horrible for privacy, I’d call it an outstanding problem right now.

googlesyndication.com is a Google ads domain. Again, nonfree software, tracking and must have been added manually.

googletagmanager.com is part of Google Analytics. As above.

gstatic.com is a support domain for Google fonts and captcha. Nothing interesting about it.

paypalobjects.com is from your “Donate” button. PayPal also relies on nonfree software and has blocked Wikileaks’ account in the past. Hence I’d suggest adding other donation methods, at least as an option. But regardless of what third-party payment providers are used, there is no need for their third-party nonfree JS to be executed upon a user’s every visit to the site… A “Donate” button that is just a hyperlink, without any <script>s, would be a suitable replacement for the current one.

w.org is a WordPress domain. Here it is used just for the sound icon in mailpoet widget. Same comment applies as in case of images from StackExchange.

I guess I should’ve investigated and commented on all the Google stuff on the page before diving into the details of making child themes…

Anyway, you now have an exhaustive summary of everything that can be changed. I had only played a tiny bit with WordPress before, so I am surely missing some knowledge that would be useful here.

I hope you’ll find your way to make the site more ethical without sacrificing the functionalities you care about.

End of the Interview.
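Editor’s note, with an added example that is not part of the interview and is not Wojtek’s or WordPress’s code. Two things in the interview were done by hand: the list of third-party domains ushby.org integrates with, and the reasoning about which of them the .htaccess policy stops. The Python script below does both mechanically: it collects the fetches a page’s markup triggers, flags the ones that leave the page’s origin, and evaluates each against the interview’s exact Content-Security-Policy and against a narrower, assumed font-src-only policy, using the same default-src fallback a browser applies. The sample HTML is constructed to resemble the integrations named in the interview (the fonts stylesheet, reCAPTCHA, a tag-manager frame, a w.org image); the URLs in it and the fonts-only policy are assumptions, and ushby.org is used as the page origin only because it is the site under discussion.

```python
"""Find a page's third-party resource loads and evaluate them against a CSP.
Editor's added example, not code from the interview, from Wojtek or from
WordPress; the sample markup and the fonts-only policy are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

INTERVIEW_CSP = ("default-src 'self' 'unsafe-inline' 'unsafe-eval' data:; "
                 "font-src 'self' 'unsafe-inline' data:; connect-src 'self';")
FONTS_ONLY_CSP = "font-src 'self' data:;"   # assumed narrower policy, for comparison
PAGE_URL = "https://ushby.org/"             # the site discussed in the interview

# Constructed sample markup, not captured from the real site.
SAMPLE_HTML = """
<link rel="stylesheet" href="/wp-content/themes/twentysixteen/style.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Merriweather">
<script src="https://www.google.com/recaptcha/api.js"></script>
<img src="/wp-content/uploads/logo.png">
<img src="https://s.w.org/images/sound.svg">
<iframe src="https://www.googletagmanager.com/ns.html"></iframe>
"""

class ResourceCollector(HTMLParser):
    """Collect (csp_directive, url) for elements that make the browser fetch."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            if "stylesheet" in (a.get("rel") or "").lower().split() and a.get("href"):
                self.resources.append(("style-src", a["href"]))
        elif tag == "script" and a.get("src"):
            self.resources.append(("script-src", a["src"]))
        elif tag == "img" and a.get("src"):
            self.resources.append(("img-src", a["src"]))
        elif tag == "iframe" and a.get("src"):
            self.resources.append(("frame-src", a["src"]))

def parse_csp(policy):
    """'dir src src; dir src' -> {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_allows(source, url, page_url):
    """Does one CSP source expression permit fetching this absolute URL?"""
    u, page = urlsplit(url), urlsplit(page_url)
    if source == "'self'":
        return (u.scheme, u.hostname, u.port) == (page.scheme, page.hostname, page.port)
    if source.startswith("'"):        # 'none', 'unsafe-inline', nonces, hashes
        return False                  # none of these ever matches a URL
    if source.endswith(":"):          # scheme-source such as data:
        return u.scheme == source[:-1].lower()
    if source == "*":
        return u.scheme in ("http", "https")
    scheme, _, host = source.rpartition("://")   # host-source, scheme optional
    if scheme and u.scheme != scheme.lower():
        return False
    host = host.split("/")[0].split(":")[0].lower()   # path and port ignored here
    if host.startswith("*."):
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host

def csp_allows(directives, directive, url, page_url):
    """Apply a fetch directive with the browser's default-src fallback."""
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:               # policy is silent on this fetch: allowed
        return True
    return any(source_allows(s, url, page_url) for s in sources)

def audit(html, page_url, policy):
    """Return [(directive, absolute_url, is_third_party, allowed)] per fetch."""
    collector = ResourceCollector()
    collector.feed(html)
    directives = parse_csp(policy)
    page_host = urlsplit(page_url).hostname
    report = []
    for directive, raw in collector.resources:
        url = urljoin(page_url, raw)  # relative paths resolve to the page origin
        host = urlsplit(url).hostname
        report.append((directive, url, host is not None and host != page_host,
                       csp_allows(directives, directive, url, page_url)))
    return report

def third_party_hosts(report):
    """Distinct remote hosts contacted, like the domain list in the interview."""
    return sorted({urlsplit(u).hostname for _, u, third, _ in report if third})

if __name__ == "__main__":            # demo: interview policy vs. fonts-only policy
    for policy in (INTERVIEW_CSP, FONTS_ONLY_CSP):
        for row in audit(SAMPLE_HTML, PAGE_URL, policy):
            print(row)
    print(third_party_hosts(audit(SAMPLE_HTML, PAGE_URL, INTERVIEW_CSP)))
```

Running it shows why the interview’s policy is broader than a font fix: with nothing but default-src 'self' to fall back on, every remote stylesheet, script, image and frame is blocked, whereas a policy that only sets font-src would block the font files Google’s stylesheet references but still let the stylesheet itself, the reCAPTCHA script and the tag-manager frame load. It also makes the cost of connect-src 'self' concrete: an XMLHttpRequest or fetch to any other host fails, which is what breaks plugins that call third-party APIs. The script only reads markup; fonts pulled in from inside CSS and requests issued by scripts are invisible to it, so confirm in the browser’s console, which reports each CSP violation together with the directive that caused it.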


If you like Wojtek’s skills and his way of working, you might be interested in visiting his own website, where he promotes free/libre software and his project Haketilo, which helps users avoid proprietary JavaScript. With him you will definitely swim deeper into a new realm of knowledge and at the same time become more capable.

All the information we obtained was given to us under the terms of Creative Commons Zero 1.0. We provide it under the same terms.


Photo by Jade  –  Her Instagram

More Credits :
WordPress icons created by Roundicons – Flaticon
Programming language icons created by Freepik – Flaticon
Html icons created by Freepik – Flaticon