WordPress Friends Plugin and Why I Don’t Want the Added Users

This post contains my thoughts on the Friends plugin for WordPress in which I asked about the users that are created. https://wordpress.org/support/topic/users-and-activitypub/

Hello Alex,

Thank you for your reply to my question regarding the Friends plugin.

First just let me say that you have created an awesome plugin. I am sure that my lack of knowledge regarding historical site to site communications clouds my judgement on having a user created. In response to your reply and question back to me of: “this is a thing that people frequently seem to dislike about the plugin. Could you enlighten me about your reasons?”

My site, which is a combination of a personal blog and eventually commercial blog, hopefully one day to sell my photography, has only ever had one user me. At the most two, a test user, me.


I think to sum it up, I want to follow you but don’t want to be your partner for life. Adding a user is like a partner for life.

Website to Website Communication: I use the Webmention plugin to communicate with other websites. I use this to comment on or reply to other websites.

Attribution: When I want to share a post from another person’s website, I will type the author’s name and URL into the post and attribute it properly. So I don’t need features like that.

Quantity/Maintenance: I follow to many people and websites at the moment, I wouldn’t want to have that number of users in my User list. I love the idea of the /friends/ page with the feed of what I am following. On the surface this looks like a lot of maintenance to have all of these followed people as users, though I understand that we don’t do a lot with the Users in our websites daily. Understood that the maintenance would be done in the Friends plugin.

Performance: I am assuming there is no performance degradation with the content of all of those users coming in, but if so, I wouldn’t want any performance degradation.

Privacy: In one of your videos I saw that the Friend, which is a user, could with the correct permissions, see your private posts. I am sure this is a setting, but I don’t want anyone to see a post that I have marked as private. In essence as soon as you allow this, that post is public anyway because the other person could copy or screenshot that post. This would not be a common use case for me. (Though I do have a custom post type that I use to share things with my family that I don’t want in my regular post types.) Additionally, I would just add a password to the post if it was private.

Alex, as I read a little more about your Friends plugin, I am thinking it was definitely ahead of its time. Providing the capability to let your friends read your private posts, if allowed, and providing the interaction features, is awesome!

Security: Understanding that the users don’t have elevated privilege, what if something goes wrong and they do? Recently the Advanced Custom Fields plugin vulnerability “allows any unauthenticated user to steal sensitive information for, in this case, privilege escalation on the WordPress site tricking a privileged user to visit the crafted URL path.” https://wptavern.com/advanced-custom-fields-plugin-patches-reflected-xss-vulnerability I don’t know what that is exactly :-), but the words user and escalated privilege stand out. To me, every user that I add to my website, adds a risk that someone out there can exploit.

Misc: I am sure that someone with a more technical background can provide additional reasons for not wanting the added users.


How can you make the Friends plugin, combined with the Mastodon Access plugin, and ActivityPub plugin act like a true Mastodon or other ActivityPub site with following, replies, mobile posting, mobile likes, boosts, and follows?

I have read that Friends uses the common WordPress infrastructure. Could you possibly have a Friends plugin that gives an option to have the users in a customer table for Friends plugin users that don’t want to add actual WordPress Users?

The Setup I Would Want

  • My site viewable on Mastodon or other ActivityPub sites. [Done – Available with the ActivityPub plugin.]
  • To be able to use my site to communicate with other sites. [Done – Available with the Webmention plugin.]
  • To be able to use a mobile app to create post and follow others. [Experimenting with the Enable Mastodon Apps plugin without success, but let’s consider this almost done. I just need to submit a ticket to see what I am doing incorrectly.]
  • To be able to follow other ActivityPub users, in my case Mastodon users and sites with ActivityPub support, and see the follower number increase in my profile on the platform. [Can’t do this.]
  • Feedreader: I like the implemented feedreader and would want to use this in my RSS reader. [I can probably do this, but haven’t gotten that far yet.]



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.