Below, I discuss how I used two WordPress plugins, Simple Local Avatars and Redirect Gravatar Requests, to set up my site in such a manner that people with accounts on my site have their local avatars displayed whereas people without local accounts have a locally-served image displayed in lieu of an image from Gravatar’s third-party servers.
If you are just here for the solution, you can skip ahead.
Backstory
By default, WordPress uses gravatars for user (and commenter) profile images. These images are hosted by Gravatar, a third-party service. That is, WordPress tries to contact Gravatar to download a user’s Gravatar image. If the user has a Gravatar account, the image will be pulled from his or her account. If the user does not have a Gravatar account, WordPress will still make the call to Gravatar to fetch a generic image.
I ran into an interesting issue regarding local avatars and Gravatars while setting up The Emu Café Social, a WordPress-powered social publishing site which I encourage you to follow alongside The New Leaf Journal (learn more here).
Long-time readers of The New Leaf Journal will know that I do not like calling on third party resources. This is a big part of the reason why I use Koko Analytics for entirely local page visit counting and why we use system font stacks instead of a third party solution (both points are true of The Emu Café Social as well). For this reason (and a few others), I do not want The New Leaf Journal or my new project to make calls to Gravatar servers on page load.
Please note that I am not suggesting that Gravatar is nefarious. I myself have a Gravatar, and I am not aware of any major issues with the service – albeit one could see potential problems with displaying a single Gravatar attached to an email account wherever it is used. I take no broad position on Gravatar itself or some open source alternatives such as Libravatar. My issue is that I do not want my site making third party calls to summon an avatar. (I have read that there may be some GDPR concerns with Gravatar. While I do not know enough about GDPR to opine on the matter, my guide may have some utility for sites with GDPR concerns.)
Limitations of Local Avatar Solutions
When I learned about WordPress’ avatar handling a couple of years ago (note that I had very little idea about how any of this worked when I started The New Leaf Journal back in April 2020), I installed a plugin called Simple Local Avatars. This is a free and open source plugin developed by 10up, and it is regularly updated with no recently noted coding issues. As the name suggests, the plugin allows people with accounts on a particular WordPress site to upload their own avatars which can then be loaded in lieu of their Gravatar. It works as advertised (although I could see the upload interface being a touch confusing) and perfectly for the purposes of The New Leaf Journal. Our site only has three published authors and we do not deal with comments, so Simple Local Avatars serves our purposes well there.
But what about The Emu Café Social? While I am not allowing open public comments, The Emu Café Social is designed to fully facilitate Webmentions and commenting from friends of the site. The New Leaf Journal supports Webmentions, albeit to a lesser extent than The Emu Café Social at the moment. I decided to link to an article on The Emu Café Social from The New Leaf Journal, which resulted in a Webmention being sent. I accepted the Webmention from The Emu Café Social.
My user icon did not go with the Webmention (either due to our limited Webmention support or server-side rules; I will investigate), and I was surprised to find that although there was a blank image next to my name, uBlock Origin was showing a third-party call to Gravatar.
Interesting.
I dug into the Simple Local Avatars settings hoping to find a solution. Here, I learned that where a user has a local avatar courtesy of Simple Local Avatars, the call to Gravatar is preempted (if that is the correct technical description). However, if the person in question does not have a local avatar – for example a commenter from a different site – Simple Local Avatars does not provide sufficient tools to block the Gravatar call. I did not realize this previously. By default, Simple Local Avatars offers several options for how to handle users with no local avatar. The first six make a call to Gravatar’s servers. There is an option for a default local avatar, which I had configured. However, and unfortunately, the default local avatar only shows if you toggle “only use local avatars.” I thought this would be the solution to my problem – but that option unfortunately also replaced the user-uploaded local avatars with the default avatar. I alternatively had the option of disabling all avatars, but that would mean that user-selected avatars would not appear – which is not an acceptable outcome for The Emu Café Social.
Not great. Not the best.
Simple Local Avatars + Redirect Gravatar Requests
In short, I have two concerns regarding avatars. Firstly, I want to have every user of my site upload his or her own avatar. Secondly, I want to block external calls to Gravatar (at least for visitors) when a “user” has no local avatar. How do we accomplish this?
I was open to using a code snippet if I could find one. However, my brief search revealed results that were not entirely responsive to my query. I searched the WordPress plugin repository for a simple, lightweight solution that ideally would complement Simple Local Avatars. I came across Mr. Bart Kuijper’s Redirect Gravatar Requests. The plugin description was promising, even expressly noting the issue I had with Simple Local Avatars for the purpose of blocking third party requests:
When displaying a post or comment with avatars enabled, WordPress will always check for the existence of a Gravatar. (Note: even the default avatars ‘mystery person’ and ‘blank’ are in fact Gravatars served from gravatar.com.) WordPress does this by sending an MD5 hash of every displayed post or comment author’s email address to gravatar.com. Even with many plugins that introduce locally stored default or user avatars, this check still happens.
How does his plugin work?
The way it works is every time WordPress attempts to display an avatar, this plugin first checks if the image is about to be retrieved from gravatar.com. If it is, the URL is changed to the locally stored ‘mystery person’ image (included with this plugin). If the avatar has any other source, this plugin doesn’t interfere.
Moreover, the description suggested that it would complement my existing local avatar solution:
Gravatars are also removed from the Discussion page in Settings and replaced with the locally stored ‘mystery person’ image. Again, any non-Gravatar images are left alone.
In short, this plugin checks if WordPress is about to make a call to Gravatar. If so, the plugin changes the URL so that instead of calling for an avatar from Gravatar, it summons a locally stored image from your own server. However, in the case of a user with a local avatar, such as the ones we set up with Simple Local Avatars, the Gravatar call never happens so Redirect Gravatar Requests does nothing. Mr. Kuijper noted how his plugin complements local avatar solutions:
[I]f you enable the display of avatars, but use this plugin to block Gravatars, then you most likely are already using another plugin for custom avatars.
After confirming on Plugin Tests that there were no obvious issues, I installed the plugin. It modified my Discussion Settings options as promised to remove all of the third-party default Gravatar options and replace them with its own locally stored solution. I toggled the locally stored solution on and re-enabled avatars. Sure enough, on one page with comments, comments and Webmentions by people with accounts on The Emu Café Social had their local avatars displayed. However, my New Leaf Journal Webmention now showed the locally-stored avatar added by the Redirect plugin. My adblocker, uBlock Origin, showed no references to Gravatar.
Success!
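The same check can be run against a saved copy of a rendered page without a browser extension. The Python sketch below is an added example, not code from either plugin or from the original post: it lists every image URL (in both the src and srcset attributes) that would still be fetched from gravatar.com, and maps the hash in each URL back to a known address using the MD5 scheme quoted above. The function names, sample address and sample HTML are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

GRAVATAR_DOMAIN = "gravatar.com"

def gravatar_hash(email):
    """MD5 of the trimmed, lowercased address (the scheme the plugin description cites)."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

class _ImageUrls(HTMLParser):
    """Collects every URL an <img> can trigger: src plus each srcset candidate."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.urls.append(value)
            elif name == "srcset" and value:
                # "url 2x, url 1x": keep each URL, drop its descriptor
                self.urls += [c.split()[0] for c in value.split(",") if c.strip()]

def find_gravatar_requests(html, known_emails=()):
    """Return [(url, email_or_None)] for each image URL served from gravatar.com."""
    by_hash = {gravatar_hash(e): e for e in known_emails}
    parser = _ImageUrls()
    parser.feed(html)
    hits = []
    for url in parser.urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host == GRAVATAR_DOMAIN or host.endswith("." + GRAVATAR_DOMAIN):
            m = re.search(r"/avatar/([0-9a-f]{32})", parts.path)
            hits.append((url, by_hash.get(m.group(1)) if m else None))
    return hits

# Constructed sample: one locally served avatar and one Gravatar fallback.
SAMPLE_EMAIL = "commenter@example.org"
H = gravatar_hash(SAMPLE_EMAIL)
SAMPLE_HTML = f"""
<img class="avatar" src="/wp-content/uploads/local-avatar-64x64.png">
<img class="avatar" src="https://secure.gravatar.com/avatar/{H}?s=64&#038;d=mm"
     srcset="https://secure.gravatar.com/avatar/{H}?s=128&#038;d=mm 2x">
"""

if __name__ == "__main__":
    for url, email in find_gravatar_requests(SAMPLE_HTML, [SAMPLE_EMAIL]):
        print(email, url)
```

An empty result for a page with comments from people without local accounts corresponds to what uBlock Origin showed above. The srcset attribute is checked separately because rewriting only src would still leave a request to Gravatar on high-density displays.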
Conclusion
If you are interested in blocking third-party requests to Gravatar, I can confirm, on my site at least, that it works as stated. Mr. Kuijper did note that his plugin solution may not work on every theme depending on how the theme is coded to handle Gravatar. I recommend first taking a look at the Simple Local Avatars and Redirect Gravatar Requests combination. The first lets users on your site choose their own avatars and the second displays a local blank avatar for commenters or people on your site without a local avatar. If you do not want to deal with profile images at all (local or Gravatar), WordPress allows disabling all avatars from its Discussion menu. Finally, if you want your users to have their own local avatars but prefer to rely on Gravatar for other cases, Simple Local Avatars or a similar solution can achieve this set-up.
(Note: There are a couple of support tickets from prior to the most recent update of Redirect Gravatar Requests, which was about one year ago as of September 5, 2023. These note that the plugin was not blocking all Gravatar requests on specific sites. The current version works on The Emu Café Social, but I will monitor it going forward to make sure that it continues to work for all of my use-cases.)