Last week, I raised concerns about Google’s FLoC, and how it harms website owners (and users) by opting them into a tracking program without their explicit consent. It appears that others in the WordPress community share my views, as evidenced by the lively community discussion on whether or not WordPress should block FLoC by default. Several WordPress core developers have chipped in, and it’s fascinating to see where this leads us.
My personal opinion is that WordPress should, of course, block FLoC by default!
Implications of WordPress Blocking FLoC
WordPress powers roughly 40% of the web (by site count). If WordPress opted its sites out of FLoC by default, visits to that 40% of the web would be excluded from Chrome's cohort calculation. That's a death sentence for FLoC: I fail to see how Google can build any kind of meaningful model when it can't take into account a large chunk of a user's browsing history.
And if WordPress goes down this route, I can see other CMS providers doing the same. If the number of participating websites drops even further, it’s goodbye to Google’s hopes of making FLoC a standard feature.
But is it a Security Update?
There appears to be plenty of support in the WordPress community for this move. However, a related question is whether or not this should be treated as a security update. The implications would be the following:
- The next minor release of WordPress would have the patch
- The patch will be back-ported to older WordPress versions
It’s obvious that labeling FLoC as a “security vulnerability” will require a lot more work and updates to existing installations. So is it justified?
In my opinion, it all depends on whether or not we consider FLoC in Chrome to be “malware”. That’s a pretty big accusation to make. After all, Google is a reputable company, and the notion of them openly bundling malware into their browser appears absurd.
Consider, however, how we would respond if it were anyone other than Google doing this. Suppose your VPN provider tracked which sites you were visiting and compiled a profile of you based on your browsing history. It would be flagged as malware instantly! So why does Google get a free pass on behavior that is clearly "malware-like"?
The Malwarebytes website has also recommended disabling FLoC. It's not a good look when a security company flags your browser for undesirable behavior!
How to Disable FLoC on WordPress Sites
If you don't want Chrome to fold visits to your WordPress site into its users' FLoC cohorts, add this code to your theme's functions.php (or, better, to a small site-specific plugin or mu-plugin, so the change survives a theme switch or theme update):
// Opt the site out of FLoC by sending Permissions-Policy: interest-cohort=()
// on every response that passes through WordPress's wp_headers filter.
function remove_floc( array $headers ) : array {
    $permissions = [];
    if ( ! empty( $headers['Permissions-Policy'] ) ) {
        // Abort if another plugin or theme already set an interest-cohort directive.
        // Note: if that directive still allows cohorts (e.g. interest-cohort=(self)),
        // it is left alone, so check the final header your site actually sends.
        if ( strpos( $headers['Permissions-Policy'], 'interest-cohort' ) !== false ) {
            return $headers;
        }
        // Keep the directives that are already there; Permissions-Policy is comma-separated.
        $permissions = explode( ',', $headers['Permissions-Policy'] );
    }
    $permissions[] = 'interest-cohort=()';
    $headers['Permissions-Policy'] = implode( ',', $permissions );
    return $headers;
}
add_filter( 'wp_headers', 'remove_floc' );
This adds the response header Permissions-Policy: interest-cohort=() to the pages WordPress serves. The empty allowlist tells Chrome that no origin may use the FLoC interest-cohort feature on that page, so the visit is excluded from the user's cohort calculation (it is a page-level opt-out for FLoC specifically, not a general defence against fingerprinting). Two caveats. First, the wp_headers filter only runs when WordPress itself handles the request: responses served before that point, such as pages a caching plugin serves through rewrite rules, CDN edge hits, or static files served directly by the web server, won't carry the header unless you also set it at the web server or CDN, so verify from outside rather than trusting the filter. Second, whether the header is honored is entirely up to Chrome. It might turn out that if enough websites opt out of FLoC, Google simply stops respecting the opt-out and collects browsing history regardless.
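Because caches and CDNs can strip or bypass the header, the check that matters is the one made from outside. The script below is an added example, not code from the original post or from WordPress: it reads raw HTTP response headers on stdin (the intended feed is curl, an assumed workflow) and reports whether any Permissions-Policy header carries exactly interest-cohort=(). The sample responses embedded at the bottom are constructed for illustration, not captured from any real site.

```shell
#!/bin/sh
# Added example (not from the original post): verify from outside that a site
# really sends the FLoC opt-out. Reads raw HTTP response headers on stdin.

# Prints "opted-out" when a Permissions-Policy header contains the directive
# interest-cohort=() exactly. The empty allowlist is the only value that keeps
# the page out of the cohort calculation; interest-cohort=(self) or a missing
# directive both leave FLoC enabled, and print "not-opted-out".
floc_status() {
    # 1. strip CR from CRLF line endings
    # 2. lowercase, because header names are case-insensitive
    # 3. keep only Permissions-Policy header(s) and drop the name
    # 4. split the comma-separated directive list, one per line, and trim
    # 5. look for the exact directive
    tr -d '\r' |
    tr '[:upper:]' '[:lower:]' |
    grep '^permissions-policy:' |
    sed 's/^permissions-policy:[[:space:]]*//' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    grep -qx 'interest-cohort=()' && echo "opted-out" || echo "not-opted-out"
}

# Constructed sample responses (not real captures), one per case.
SAMPLE_OPTED_OUT='HTTP/2 200
server: nginx
Permissions-Policy: camera=(), interest-cohort=()
'
SAMPLE_SELF_ONLY='HTTP/2 200
permissions-policy: interest-cohort=(self)
'
SAMPLE_MISSING='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
'

printf '%s' "$SAMPLE_OPTED_OUT" | floc_status   # opted-out
printf '%s' "$SAMPLE_SELF_ONLY" | floc_status   # not-opted-out: (self) still enrols the page
printf '%s' "$SAMPLE_MISSING" | floc_status     # not-opted-out
```

Against a live site, use a GET rather than a HEAD request, since some servers and caches answer the two differently: curl -s -D - -o /dev/null https://example.com/ | floc_status. Run it once against a cold URL and once against a URL you know is served from cache; if the answers differ, the header is being set by WordPress but lost at the cache layer.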
But that would open up another can of worms and lead to considerably more backlash. So I don't know what's going to happen next. Will Google go back to third-party cookies if the FLoC initiative fails? Who knows?
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!