=== Mirror Gravatar === Contributors: jwz Tags: Gravatar, Comments Requires at least: 2.7 Tested up to: 6.8.2 Stable tag: 1.5 License: MIT Locally mirror commenters' Gravatar or Mastodon profile images. == Description == Locally mirrors commenters' Gravatar, Libravatar and Mastodon avatars and serves them from your site, rather than loading them from a third-party web site upon each page load. This has several effects: * If most of the comments on a post have no avatar, those turn into _one_ load of a shared image, instead of one for each comment, that happens to return the same "mystery" image. * You will be serving more (small) images. * If a commenter's URL looks like a link to a Mastodon / ActivityPub profile, their Mastodon account's avatar will be displayed. * When commenting, a live preview of the avatar tracks the contents of the "Email" field. * [gravatar.com](https://www.gravatar.com/) and [libravatar.org](https://www.libravatar.org/) no longer have a web-bug on your blog that is loaded by each viewer. Instead of being loaded at every page view, the avatar is loaded just once, on the server-side, at the time each new comment is posted. * If someone changes or deletes their avatar, your site continues displaying the image that was their avatar at the time that they last posted. * Likewise, the user's Gravatar or Mastodon profile is saved along with their comment, viewable by admins even if they later change or delete it. == Security and Privacy == * [Libravatar](https://www.libravatar.org/) is open source. Gravatar is [owned by WordPress](https://en.wikipedia.org/wiki/Gravatar), and their [privacy policy](https://automattic.com/privacy/) says that they don't monetize that info. But hey, corporate policies change, subpoenas exist, and domain names get sold. * Should you trust Gravatar with user data? Well, in 2024, Gravatar announced that they are [pivoting to blockchain](https://jwz.org/b/ykXF), whatever that means, so that's fairly disqualifying. See also [WordPress "growth hacking"](https://jwz.org/b/ykPk) and [WordPress sells users' data to train AI tools](https://jwz.org/b/ykNg). * There used to be a potential issue due to [Gravatars using MD5 hashes](https://en.wikipedia.org/wiki/Gravatar#Security_concerns_and_data_breaches), but these days they use SHA256, so I assume that's no longer a problem. == Screenshots == 1. A copy of the user's gravatar.com profile is saved with the comment. 2. A live preview of the avatar when commenting. == Installation == 1. Upload the `mirror-gravatar` directory to your `/wp-content/plugins/` directory. 2. Activate the plugin through the "Plugins" menu in WordPress. 3. Make sure the directory `/wp-content/plugins/mirror-gravatar/` is writable by your web server. == Changelog == = 1.0 = * Created = 1.1 = * Also mirrors Mastodon avatar images, if the commenter's URL is of the form "https://example.com/@username" = 1.2 = * Minor Mastodon tweaks. = 1.3 = * Prefer SHA256 to MD5, since Gravatar accepts that now. * Added support for Libravatar. = 1.4 = * Oops, I forgot to include the CSS file in the distribution.