Did you know that Gravatars jeopardize the privacy of your website's users?


One element whose implications for the performance and privacy of a website few people are aware of is Gravatars: the box we all have in WordPress, under the comment settings, that displays an icon next to each person who leaves a comment, in the author box of a post, or even in your user profile.

If you use the Gravatar service, it becomes part of your digital identity, whether you comment on blogs and forums, sign up for WordPress.org, or take part in a WordCamp.

We should all already know about the implications of Gravatars for the performance of a website, but today we are going to go a little further and see why Gravatars also compromise the privacy of your site's users, and how to solve it.

Why do Gravatars jeopardize privacy?

The answer is as simple as referring to the description of the service on its own website:

Your Gravatar is an image that appears next to your name when you write comments or posts on a blog. Avatars help identify your posts on blogs and forums, so why not anywhere?

In other words, when you use Gravatars, or enable them on a site, they reveal that the person commenting on that site is the same person commenting on others, because the image is tied to the email address. Concretely, WordPress builds the avatar URL from an MD5 hash of the commenter's trimmed, lower-cased email address, and that URL ends up in the HTML of your page: the same hash appears on every site the person comments on, so their comments can be correlated across sites, and anyone who already holds (or can guess) a list of email addresses can check which of them match. And because each visitor's browser fetches the image directly from Gravatar.com, Gravatar also learns the IP address, and the referring page, of everyone who reads your posts.
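
The following is an added example, not code from the original post or from WordPress or Gravatar: it builds Gravatar URLs the way WordPress does (MD5 of the normalised address), renders two constructed comment pages for two hypothetical sites, and then plays the attacker, correlating the hashes across the two pages and reversing them with a candidate list of addresses. The same `find_gravatar_hashes` function doubles as an audit check you can run on your own rendered HTML after disabling avatars. The sample HTML, site names and addresses are constructed for the example.

```python
import hashlib
import re


def gravatar_hash(email: str) -> str:
    """Gravatar's identifier: MD5 of the trimmed, lower-cased email address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 64) -> str:
    # s= is the pixel size; d=mm asks for the "mystery man" default image when
    # the address has no Gravatar account.
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}&d=mm"


def render_comment(author: str, email: str) -> str:
    # Constructed approximation of the markup WordPress emits for one comment
    # when "Show Avatars" is enabled; not copied from any real site.
    return (
        f'<li class="comment"><img alt="" src="{gravatar_url(email)}" '
        f'class="avatar" width="64" height="64"><b>{author}</b> says: hello</li>'
    )


# Constructed sample pages from two unrelated blogs. The same person (alice)
# comments on both, under different display names; bob and carol on one each.
SITE_A_HTML = "<ul>" + render_comment("Alice", " Alice@Example.com ") \
    + render_comment("bob", "bob@example.org") + "</ul>"
SITE_B_HTML = "<ul>" + render_comment("al1ce", "alice@example.com") \
    + render_comment("Carol", "carol@example.net") + "</ul>"
# The same comment list after disabling avatars under Settings > Discussion.
SITE_A_NO_AVATARS_HTML = '<ul><li class="comment"><b>Alice</b> says: hello</li></ul>'

# Matches the hosts Gravatar serves from: www., secure. and the 0-2 shards.
GRAVATAR_RE = re.compile(
    r"https?://(?:www\.|secure\.|[0-2]\.)?gravatar\.com/avatar/([0-9a-fA-F]{32})"
)


def find_gravatar_hashes(html: str) -> list:
    """Audit check: every MD5 identifier a rendered page hands to its readers."""
    return sorted({h.lower() for h in GRAVATAR_RE.findall(html)})


def shared_commenters(html_a: str, html_b: str) -> set:
    """Cross-site correlation: an identical hash means an identical address."""
    return set(find_gravatar_hashes(html_a)) & set(find_gravatar_hashes(html_b))


def reverse_hashes(hashes, candidate_emails) -> dict:
    """Dictionary attack. The hash is unsalted, so anyone holding a list of
    addresses (a breach dump, a newsletter export) can test each one."""
    table = {gravatar_hash(e): e.strip().lower() for e in candidate_emails}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    print("hashes on site A:", find_gravatar_hashes(SITE_A_HTML))
    print("present on both sites:", shared_commenters(SITE_A_HTML, SITE_B_HTML))
    print("recovered:", reverse_hashes(find_gravatar_hashes(SITE_A_HTML),
                                       ["alice@example.com", "nobody@example.com"]))
    print("after disabling avatars:", find_gravatar_hashes(SITE_A_NO_AVATARS_HTML))
```

Run `find_gravatar_hashes` over the HTML of a real post on your site (for example, saved with `curl`) to confirm that no `gravatar.com/avatar/` URLs remain once you apply any of the solutions below; an empty result is what you want.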

That would not be a problem if you, as someone subject to the laws regulating privacy and the protection of personal data, bore no responsibility for it. But you do, and the privacy implications of Gravatars are significant.

If we add that the privacy policy of Automattic, the company that owns the Gravatar service, is not exactly impressive when it comes to monitoring, retrieving and deleting personal data, the conclusion is that the responsibility for the privacy of your users who end up using Gravatars falls on you.

But since it is an external service, and your users do not have to be privacy experts, you should safeguard their privacy by taking responsibility for it yourself, don't you think?

Is there a solution?

More than one, my young apprentice.

Deactivate avatars and Gravatars

The first, and simplest, is simply not to use avatars or Gravatars at all: disable them in the comment settings (Settings > Discussion, the "Show Avatars" checkbox) and save your changes.

Not only will you avoid the external requests to the Gravatar server that every view of a post with comments triggers, you will also protect your visitors' privacy, since neither their IP addresses nor the commenters' email hashes leave your site.

Another, less obvious, option is to take responsibility for the Gravatars yourself and store them locally.

For this we have a couple of very interesting plugins…

Local Gravatars

To begin with, Ari Stathopoulos has created a plugin, Local Gravatars, which serves the Gravatars not from the Gravatar.com server but from your own.

To do this, it periodically connects to Gravatar's servers, downloads the avatars and serves them from your own site, so at any time you can delete all the stored information about a particular user.

As a result, visitors' browsers no longer make a request to the Gravatar.com server on every page view, which also improves performance.

Using the plugin is simple: just install and activate it. If you want to keep using the Gravatar service's avatars on your site while improving your users' privacy, it is a great option. Bear in mind that your server still requests each avatar by the MD5 hash of the commenter's email address, so Gravatar.com still learns that hash; what it no longer sees is your visitors.
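
To make the mechanism concrete, here is an added example (not the Local Gravatars plugin's own code, and not part of the original post) of a server-side avatar cache of the kind just described: the web server fetches each image from Gravatar.com itself, re-fetches it only after a refresh interval, hands visitors a local URL, and can forget everything it holds about one address. The HTTP fetch and the clock are injected so the example runs offline; the refresh interval, the local upload path and the `fake_fetch` payload are assumptions made for the example, not the plugin's values.

```python
import hashlib
import time

GRAVATAR_BASE = "https://www.gravatar.com/avatar/"
REFRESH_SECONDS = 7 * 24 * 3600  # assumed weekly refresh; the plugin's interval is not stated here


def gravatar_hash(email: str) -> str:
    """Gravatar's identifier: MD5 of the trimmed, lower-cased email address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


class LocalAvatarCache:
    """Caches avatar images on the server. Only the server ever talks to
    Gravatar.com, so Gravatar sees the server's IP address, never a visitor's."""

    def __init__(self, fetch, now=time.time, refresh=REFRESH_SECONDS):
        self._fetch = fetch        # callable(url) -> bytes, injected so the example runs offline
        self._now = now            # clock, injected so refresh can be tested
        self._refresh = refresh
        self._store = {}           # md5 hash -> (fetched_at, image bytes)
        self.upstream_requests = 0  # how many times Gravatar.com was contacted

    def local_url(self, email: str) -> str:
        """What visitors' browsers are given: a path on this site, never gravatar.com."""
        return f"/wp-content/uploads/gravatars/{gravatar_hash(email)}.png"  # assumed path

    def image(self, email: str) -> bytes:
        """Return the cached image, fetching from Gravatar only when missing or stale."""
        h = gravatar_hash(email)
        entry = self._store.get(h)
        if entry is None or self._now() - entry[0] >= self._refresh:
            self.upstream_requests += 1
            entry = (self._now(), self._fetch(f"{GRAVATAR_BASE}{h}?s=64&d=mm"))
            self._store[h] = entry
        return entry[1]

    def forget(self, email: str) -> bool:
        """Erase everything held for one address; True if something was stored."""
        return self._store.pop(gravatar_hash(email), None) is not None


class FakeClock:
    """Controllable clock for the example."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def fake_fetch(url: str) -> bytes:
    """Stands in for the HTTP GET; returns a constructed payload derived from the URL."""
    assert url.startswith(GRAVATAR_BASE)
    return b"PNG:" + url.split("/avatar/")[1].split("?")[0].encode("utf-8")


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    cache = LocalAvatarCache(fake_fetch, now=clock)
    cache.image("alice@example.com")
    cache.image("alice@example.com")
    print("upstream requests after two views:", cache.upstream_requests)
    print("visitors load:", cache.local_url("alice@example.com"))
    print("forgotten:", cache.forget("alice@example.com"))
```

The point of the injected `fetch` is that the same class can be wired to a real HTTP client in production without changing the caching or deletion logic; `forget` is what a "delete this user's data" request maps to.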

Avatar Privacy

The best of the bunch is Avatar Privacy, which goes a few steps further than the previous one, offering a layer of privacy more in line with European regulations such as the GDPR.

The plugin offers several countermeasures for the privacy problems intrinsic to the use of Gravatar:

  1. All images are stored or generated on your server rather than on Gravatar.com.
  2. Only users and commenters who explicitly give their consent have their avatar fetched from Gravatar.com; only then is the hash of their email sent to Gravatar.com and associated with a Gravatar account.
  3. To prevent Gravatar.com from tracking visitors to your site, Gravatars are cached locally, and the only IP address Gravatar.com sees is your server's, not your visitors'.
  4. Instead of MD5, the plugin uses SHA-256 to identify avatars, so the identifiers in your pages cannot be matched against the MD5 hashes that appear in Gravatar URLs on other sites, and your users cannot be tracked across the Internet that way. (It also means that the generated avatars differ from one site to another, which tells you the identifier is derived per site rather than being a bare hash of the address; a bare hash, whether MD5 or SHA-256, would be identical everywhere and just as easy to check against a list of candidate addresses.)
  5. The plugin does nothing to address impersonation. But then, neither does Gravatar: anyone can register any email address, attach a picture of you to it, and "comment on your behalf".
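
To see why point 4 only helps when the identifier is site-specific, here is an added example (not Avatar Privacy's code, and not from the original post) comparing three identifiers for the same address: Gravatar's MD5, a bare SHA-256, and an HMAC-SHA256 keyed with a per-site secret. The HMAC construction and the two site secrets are assumptions made for the illustration; whether Avatar Privacy derives its hash exactly this way is not stated on this page.

```python
import hashlib
import hmac


def normalize(email: str) -> bytes:
    return email.strip().lower().encode("utf-8")


def gravatar_md5(email: str) -> str:
    """The identifier Gravatar.com uses: bare MD5 of the normalised address."""
    return hashlib.md5(normalize(email)).hexdigest()


def bare_sha256(email: str) -> str:
    """Swapping MD5 for SHA-256 alone changes nothing for privacy: the value is
    still a pure function of the address, so it is identical on every site and
    reversible from any list of candidate addresses."""
    return hashlib.sha256(normalize(email)).hexdigest()


def site_avatar_id(email: str, site_secret: bytes) -> str:
    """Site-specific identifier: HMAC-SHA256 keyed with a secret only this
    site knows (illustrative construction, assumed for this example)."""
    return hmac.new(site_secret, normalize(email), hashlib.sha256).hexdigest()


# Constructed per-site secrets. In production each would be generated once
# (for example with secrets.token_bytes(32)) and kept in the site's
# configuration, never in source code.
SITE_A_SECRET = b"site-a-constructed-secret-0123456789"
SITE_B_SECRET = b"site-b-constructed-secret-9876543210"


def dictionary_lookup(identifier: str, candidate_emails, id_func):
    """Attacker's check: hash every candidate with id_func and look the
    identifier up. Works for any unkeyed hash; fails without the site secret."""
    table = {id_func(e): e.strip().lower() for e in candidate_emails}
    return table.get(identifier)


def compare_identifiers(email: str) -> dict:
    """All three identifiers for one address, for the reader to compare."""
    return {
        "gravatar_md5": gravatar_md5(email),
        "bare_sha256": bare_sha256(email),
        "site_a": site_avatar_id(email, SITE_A_SECRET),
        "site_b": site_avatar_id(email, SITE_B_SECRET),
    }


if __name__ == "__main__":
    for name, value in compare_identifiers("alice@example.com").items():
        print(f"{name:13} {value}")
    leaked = ["bob@example.org", "alice@example.com"]  # constructed candidate list
    print("bare sha256 reversed:", dictionary_lookup(bare_sha256("alice@example.com"), leaked, bare_sha256))
    print("keyed id reversed:   ", dictionary_lookup(site_avatar_id("alice@example.com", SITE_A_SECRET), leaked, bare_sha256))
```

The practical consequence for any plugin you evaluate is the same: look for a per-site secret in its hashing, not merely for a stronger hash algorithm.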

Technical issues aside, when you activate the plugin, the following is added:

  • New comment settings to choose between different automatically generated avatars, Gravatar, or custom avatars.
  • New profile settings so users can upload a custom avatar.
  • New consent checkboxes in the comment form to accept Gravatar avatars or upload a custom one, depending on what has been configured in the settings.
  • New text to add to your privacy policy.


If you are committed to your users' privacy where comment avatars are concerned, this is the plugin.

Local non-Gravatar avatars

And finally, if you simply do not want to use the Gravatar service at all, you can use any local avatar plugin; I recommend any of the following…

Read this post in Spanish: ¿Sabías que los gravatares comprometen la privacidad de los usuarios de tu web?
