WordPress Exposé
site logo

Find information on WordPress users, comments, and Gravatars


What is this and how does it work?

The site relies on a series of design decisions made by the developers of WordPress and Gravatar. In newer versions of WordPress, a list of all users who have posted content is publicly available. The information about these users includes their display names, their usernames, and their “Gravatar.”

Gravatar is a service that can provide a unique avatar for each email address. They’re used by sites like Stack Overflow, Discourse, and thousands of other forums and blogs that include commenting systems.

Unfortunately, the standard implementation exposes a “hash” of the user’s email address in the Gravatar URL. In some cases, this makes it easy to reveal the actual email address of the user attached to a Gravatar. These Gravatars are also automatically created for users, and the hashed email address is available even if they’ve never created an account with Gravatar.


Are all Gravatars vulnerable?

Because of the system’s fundamental design, all Gravatars are vulnerable to a persistent person with a beefy GPU and a copy of Hashcat. This site has a relatively small list of emails and their associated hashes, so you’ll likely find that 10%-25% of the Gravatars are reversible.

Here's a short reading list on Gravatar's privacy issues:

  1. Gravatars: why publishing your email's hash is not a good idea (Andreas Viklund)
  2. Gravatar Advisory: How to Protect Your Email Address and Identity (WordFence)
  3. Is using Gravatar a security risk? (StackExchange)
  4. Crypto weakness in Web comment system exposes hate-mongering politicians (Ars Technica)

I tried several sites and they didn't work.

Not all websites are vulnerable to this tool. For it to work, a site must:

  1. Be built on the standard, self-hosted version of WordPress. Sites that do not use WordPress will not work, and sites that are hosted on the commercial wordpress.com service will not work.
  2. Have the v2 REST API running and exposed to unauthenticated users. The v2 REST API was merged into core in WordPress version 4.7, so most sites with versions lower than that will not work. Additionally, many sites block unauthenticated access to the /users endpoint. In general, most of the larger publishers that use WordPress do not expose this information. Examples of publications that do work are https://boingboing.net, https://www.wired.com, and https://techcrunch.com.
  3. Use the standard WordPress commenting system. Third party commenting systems like Disqus and Facebook will not work, unless they also save the comments back to the site's database as standard comments.

How can I protect my site?

If you maintain a WordPress-based website:

  1. Disable Gravatars entirely. This is the simplest solution for most sites - simply turn off Gravatars by going to Settings / Discussion and uncheck the "Show Avatars" option.
  2. Block unauthenticated requests to the /users and /comments API endpoints. There are many plugins that will do this. The Disable REST API plugin is a good one and allows you to selectively require auth for different endpoints.
  3. Use a third-party commenting system. Disqus has its own issues, but their avatars do not expose the commenters' emails.
  4. Push WordPress to remove Gravatar integration. In my opinion, Gravatars simply shouldn't be publicly accessible for users and comments in a default WordPress installation. As a creator or contributor to a website, do you expect your email or photo to be exposed to everyone on the web, even if your theme doesn't include author photos? Of course not.