Jetpack Notifications puts Quantcast tracking in your WordPress Admin

WP DoNotTrack user Marco Donati asked why the plugin did not stop Quantcast from being included in the WordPress admin pages. After some research (with the kind assistance of Marco), I discovered not one but two problems;
WP DoNotTrack relies on “output buffering” in WordPress to filter/ modify the HTML when in “Forced (default)” or “SuperClean” mode. Apparently WordPress does not use output buffering in the admin-pages, so WP DoNotTrack did not get triggered. My bad! I’ve updated the code to fallback to “Normal” mode when in admin and will push out a new version with this fix soon.
But then it got slightly ugly; even with this fix in place, the Quantcast-tracker kept on appearing! It was being called from within an iFrame, outside the reach of WP DoNotTrack. The culprit turned out to be the brand new “Jetpack Notifications” feature which -as most of Jetpack- is activated by default. As from Jetpack 1.9, you’ll see a small icon next to the greeting text on the right side of the admin-bar. When you click that icon a drop-down appears which contains the iFrame and the tracking code. To disable, in “Notifications” click on “Learn more” to reveal the “Disable”-button. Click that one and the icon, iFrame and tracker code are gone. Good riddance!
My advice to Jetpack users; explicitly disable any feature you do not use. Jetpack might offer some nice functionality, but of that is available in other plugins as well and being tied in that heavily into wordpress.com does come at a price. Moreover it seems there are some security concerns; as an user with author permissions I had access to the Jetpack overview page and I was able to activate the “Jetpack Comments” feature on Marco’s blog, but I couldn’t disable it. Call me a paranoid security-zealot, but non-administrator users should not really be able to do that, should they?

6 thoughts on “Jetpack Notifications puts Quantcast tracking in your WordPress Admin”

  1. You’re not a paranoid security-zealot, you are right. Thanks for the plugin & this blogpost!
    Trying to keep my site as tracker-free as possible, nothing should be tracking without my approval.

    Reply
  2. Hi, I found out Quant.js is also in Jetpack Comments because of the iFrame. What is your opinion about this blogpost of me and do you think I have to look out for other commenting system because I assume they are going to insert it back again (don’t know for what purpose)….
    Check out this post .
    Kind regards,
    Willem

    Reply
    • Hi Willem; most -if not all- external commenting systems will have some kind of tracking in them and all will inevitably slow down your site. Those are -not coincidentally- exactly the reason why I stick with WordPress own commenting functionality.

      Reply
  3. Hi Frank, I’m going to stick with the original to, from the 100’s of comments almost nobody uses the facebook or twitter login from yetpack, so for the rest I see nog benefit at all.
    Thanks for the quick reply.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.