Posted on

How to Change the Gravatar Image Size in WordPress

Do you want to change the Gravatar image size in WordPress?

Gravatar is a service that connects a user’s email address with a picture. WordPress themes show Gravatars at a set size, but you may prefer to make these images smaller or larger to better suit your website’s design.

In this article, we will show you how to change the size of Gravatar images in WordPress.

How to change the Gravatar image size in WordPress

Why Change the Gravatar Image Size in WordPress?

Gravatar stands for Globally Recognized Avatar. It’s a web service that allows you to create a profile and associate avatar images with your email address.

Most WordPress themes show a Gravatar next to the user’s comment. Some themes also display a Gravatar in the author bio box.

Even if a user doesn’t have a Gravatar account, then your site will still show one of the default WordPress Gravatars.

The default WordPress Gravatar

Sometimes you may want to change the size of your theme’s Gravatars. For example, you may want to make them bigger so that they stand out. This can draw the visitor’s attention to your site’s comment section and help you get more comments on your WordPress posts.

Having said that, let’s take a look at how you can change the Gravatar image size on your WordPress site. Simply use the quick links below to jump to the method you want to use.

Method 1: Change Gravatar Size Using the WordPress Full-Site Editor (Block Themes Only)

If you are using a block-based theme such as ThemeIsle Hestia Pro or Twenty Twenty-Three, then you can change the Gravatar size using the full-site editor.

This method doesn’t work with all themes, so if you are not using a block-enabled theme, then we recommend using method 2 instead.

In the WordPress dashboard, go to Appearance » Editor.

Opening the WordPress full-site editor (FSE)

In the left-hand menu, you can choose whether to edit a template or template part.

To change the Gravatar size for WordPress comments, you will typically select ‘Template Parts’ from the left-hand menu.

Template parts, in a WordPress block-enabled theme

After that, just click on ‘Comments.’

You can now click to select the Comments template part.

The 'comments' template part in the WordPress full site editor

This opens a new menu with settings you can use to customize the comments template part.

You can now go ahead and click on any of the Gravatars in the live preview.

Changing the Gravatar image size using the full site editor

In the right-hand menu, you can select the ‘Block’ tab if it isn’t already selected.

You can now make the Gravatars bigger or smaller by dragging the ‘Image Size’ slider.

Changing the size of a Gravatar using the full site editor (FSE) in WordPress

As you move the slider, all the Gravatars will update automatically, so you can try different sizes to see what looks the best.

When you are happy with the changes you have made, click on the ‘Save’ button.

Saving resized Gravatars using the full-site editor (FSE)

Now if you visit any comment section on your WordPress website, you will see the changes live.

Method 2: Change Gravatar Size for WordPress Comments (Works With All Themes)

If you are not using a block-enabled WordPress theme, then you can change the Gravatar size for WordPress comments using code.

This method requires you to edit theme files, so it’s not the most beginner-friendly option. However, this method should work for most WordPress themes.

If you edit your WordPress theme files directly, then those changes will disappear the next time you update your theme. With that being said, we recommend creating a child theme, as this allows you to update your WordPress theme without losing customization.

After creating a child theme, you will need to connect to your WordPress site using an FTP client such as FileZilla, or you can use the file manager of your WordPress hosting cPanel.

If you are a SiteGround customer, then you can use the Site Tools dashboard instead.

If this is your first time using FTP, then you can see our complete guide on how to connect to your site using FTP.

Once you are connected, you need to go to /wp-content/themes/ and open the folder for your current WordPress theme.

An example of an FTP client

Once here, open the comments.php file and look for a wp_list_comments function. Inside this function, you will find theavatar_size, which sets the size of the Gravatar.

Here’s an example of how this might look:

<?php
wp_list_comments(
    array(
        'avatar_size' => 60,
        'style'       => 'ol',
        'short_ping'  => true,
    )
);
?>
Hosted with ❤️ by WPCode
1-click Use in WordPress

You can simply change the avatar_size to the size you want to use. In the code snippet above, this would mean changing 60 to another number.

Gravatars are square, so WordPress will use the same value for the image’s width and height. This means that you only need to type in one number.

After making this change, make sure to save and upload the file back to your WordPress hosting account. When you are finished, you can visit your WordPress blog to see the change in action.

If the Gravatar image hasn’t changed, then it may be due to the cache. To learn more, please see our guide on how to fix WordPress not updating right away.

If the Gravatar still doesn’t change, then your theme’s CSS could be overriding the settings in the comments.php file.

You can see whether this is the case using your browser’s Inspect tool. The steps will vary depending on which browser you are using, but on Chrome, you can simply right-click or Ctrl-click the Gravatar and then select ‘Inspect’.

Inspecting a WordPress Gravatar using Google Chrome

This will show the page’s HTML and CSS code in a new panel.

In this code, you need to look for the height and width values.

Editing a WordPress Gravatar using Chrome's Inspect tool

If the size is different from what you specified in the comments.php file, then this means your theme’s style.css file is overriding your changes.

If this is the case, then simply switch back to your FTP client. You can now open the theme’s folder and then open the style.css file.

Opening a WordPress theme's style.css file using an FTP client

Here, search for a block of code that has the word avatar.

You will typically find this in a comment-author .avatar CSS class, such as this: 

.comment-author .avatar {
    height: 42px;
    position: relative;
    top: 0.25em;
    width: 42px;
}
Hosted with ❤️ by WPCode
1-click Use in WordPress

You can now go ahead and change the width and height to the values you want for your Gravatars.

After that, simply save your changes. Now if you visit your WordPress blog or website, you will see your updated Gravatar images.

At this point, you may be wondering why we recommend trying to change the Gravatar size in the comments.php file before using the easier CSS method.

Firstly, CSS can sometimes make the Gravatars look blurry, especially if you make the avatars much larger than the original image. Secondly, changing the image size in comments.php often helps your site to load faster.

For more on this topic, see our ultimate guide to boost WordPress speed and performance.

Method 3: How to Change Gravatar Size for Author Bios

If you run a multi-author WordPress site, then an author box can help readers learn more about the post’s author.

If you want to add this feature to your website, then check out our guide on how to add an author info box in WordPress posts.

Many author bios show the writer’s Gravatar along with their bio. To change the default Gravatar size in your author bio boxes, you need to find the theme file that adds the bio.

Simply connect to your site using an FTP client such as FileZilla or the file manager of your WordPress hosting. Once you are connected, go to /wp-content/themes/ and open the folder for your current WordPress theme.

After that, you need to open the template-parts folder.

Editing template parts in a WordPress theme using an FTP client

You now need to find the file that contains the get_avatar code. You will often find this code in a template part file called author-bio.php, single.php file, functions.php file, or similar.

Here’s an example of how this code might look:

<div class="author-bio <?php echo get_option( 'show_avatars' ) ? 'show-avatars' : ''; ?>">
        <?php echo get_avatar( get_the_author_meta( 'ID' ), '85' ); ?>
Hosted with ❤️ by WPCode
1-click Use in WordPress

In the snippet above, you can simply change the number 85 to the size you want to use.

In other themes, the code may look like this:

get_avatar( get_the_author_meta( 'user_email' ), 85);
Hosted with ❤️ by WPCode
1-click Use in WordPress

You can simply replace the number with the value you want to use to make the Gravatar bigger or smaller.

After changing the size, don’t forget to save your changes. You can then visit your website to see the new author bio box in action.

If the Gravatars haven’t changed, then you will need to search for the avatar class in the style.css file by following the same process described above. Once you find this class, you can type in the new Gravatar height and width values.

We hope this tutorial helped you learn how to change the Gravatar image size in WordPress. You may also want to learn how to display round Gravatar images in WordPress or check out our list of the best landing page plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Change the Gravatar Image Size in WordPress first appeared on WPBeginner.

Posted on

How to Disable Gravatars in WordPress

Do you want to disable Gravatars in WordPress?

WordPress uses Gravatars to display user profile photos or Avatars. It is a third-party service that allows users to have the same profile photo on different websites.

Gravatars are highly useful, particularly in WordPress comments. However, some users may not want to use Gravatars at all.

In this article, we’ll show you how to easily disable Gravatars in WordPress. We’ll also show you how to use local avatars instead.

Turn off Gravatars in WordPress

Why Disable Gravatars in WordPress

Gravatars are a third-party service that allows users to add a profile photo to their WordPress website and use it across the internet.

Basically, you create an account and then upload your profile photo.

Managing Gravatar profile

After that, whenever you use that particular email address on a website that supports Gravatar, it will automatically show your profile photo from the Gravatar website.

To learn more see our explainer, What is Gravatar and why you should use it.

However, some website owners may not want to use Gravatars for several reasons.

For instance, they may want to turn it off to improve website performance and speed.

Similarly, some site owners may not want to use Gravatar due to privacy concerns.

That being said, let’s take a look at how to easily disable Gravatars in WordPress.

Disabling Gravatars in WordPress

WordPress makes it super easy to customize or turn off Gravatars on your website.

First, you need to login to the admin area of your website and then go to the Settings » Discussion page.

From here, you need to scroll down to the Avatars section and uncheck the box next to ‘Show Avatars’ option.

Turn off Gravatars in WordPress

Don’t forget to click on the Save Changes button to store your settings.

WordPress will now disable Gravatars across your website. You’ll now see a generic user icon in the admin toolbar instead of your Gravatar image.

User profile photo disabled

Similarly, the comments page inside the admin area will also stop showing Gravatars.

Comments page without Gravatar images

WordPress will also stop showing Gravatar images in the comments area under your posts and pages.

Comments without Gravatars

How to Replace Gravatar with Local Avatars in WordPress?

Some users may want to disable Gravatar but still want to display profile photos under author bios and other places.

This allows you to keep the avatar functionality in WordPress and enable users to upload their own profile photos. At the same time, it disables Gravatars and prevents your website to make any requests to Gravatar website.

To do this, you’ll need to install and activate the WP User Avatars plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to visit the Settings » Discussion page and check the box next to the ‘Block Gravatar’ option.

Block Gravatar

Don’t forget to click on the Save Changes button to store your settings.

The plugin will now block any requests to Gravatar.com while allowing you to keep avatar functionality.

To upload profile photos, users will need to upload their own images under their profiles.

Simply go to Users » Profile page. From here, you can upload an image from your computer or use one from the media library.

Local avatar

Don’t forget to click on the Update Profile button to save your changes.

WordPress will now use custom profile photos instead of Gravatars. For all unregistered users it will show the default avatar image you have set in the settings.

For all registered users, it will use the custom avatar image that they uploaded. If a user hasn’t uploaded their custom avatar image, then the plugin will use the default avatar image.

We hope this article helped you learn how to disable Gravatars in WordPress. You may also want to see our guide on how to make a membership website in WordPress, and our comparison of the best WordPress page builder plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Disable Gravatars in WordPress first appeared on WPBeginner.

Posted on

Gravatar Says It Was Not Hacked After “Have I Been Pwned” Service Notifies Users of a Breach

Gravatar is fielding questions today after “Have I Been Pwned,” a data breech checker service, tweeted New scraped data: Gravatar had 167M profiles scraped in Oct last year via an enumeration vector. 114M of the MD5 email address hashes were subsequently cracked and distributed alongside names and usernames. It claims 72% of these email addresses were already logged with the service.

The tweet referenced a BleepingComputer article from October 2020 titled, “Online avatar service Gravatar allows mass collection of user info,” which explains how the hashes were originally obtained. After Italian security researcher Carlo Di Dato was unable to get an answer from Gravatar, he demonstrated to the publication how one could access user data by using a numeric ID associated with each profile to fetch it. He then wrote a test script that sequentially visits profile URLs from IDs 1 to 5000 and said he was able to collect JSON data of the first 5000 Gravatar users with no issues.

Many Gravatar users were startled and upset by notices from Firefox Monitor and Have I Been Pwned this morning, stating that their information had appeared in a new data breach.

The BleepingComputer article has gained more attention after Have I Been Pwned’s disclosure today, spurring Gravatar to respond on Twitter:

Gravatar helps establish your identity online with an authenticated profile. We’re aware of the conversation online that claims Gravatar was hacked, so we want to clear up the misinformation.

Gravatar was not hacked. Our service gives you control over the data you want to share online. The data you choose to share publicly is made available via our API. Users can choose to share their full name, display name, location, email address, and a short biography.

Last year, a security researcher scraped public Gravatar data – usernames and MD5 hashes of email addresses used to reference users’ avatars by abusing our API. We immediately patched the ability to harvest the public profile data en masse. If you want to learn more about how Gravatar works or adjust the data shared on your profile, please visit Gravatar.com.

Gravatar does not consider the incident to be a data breach, which is why the service did not disclose the changes made in response to the security researcher in 2020.

The Automattic-owned service is used across WordPress websites, GitHub, Stackoverflow, and other places online. Security researchers and privacy advocates have warned about privacy attacks on Gravatar for years. Many have demonstrated how readily available user information is and how easy it is to scrape it.

In July 2013, Dominique Bongard spoke at Passwordscon in Las Vegas about De-anonymizing Members of French Political Forums. He explained how a custom crawler could be written to acquire MD5 hashes for forum users and demonstrated that an attack with custom cracking software was able to recover 70% of Gravatar users’ email addresses.

Bogard noted that de-anonymizing members of political forums can be particularly dangerous in places where the forums’ users have no constitutional right to free speech, or where participants may be likely to get harassed or attacked.

Wordfence published an advisory regarding Gravatar in 2016, which referenced Bongard’s research, as well earlier work done in 2009 where a researcher proved that he could reverse engineer ~10% of gravatar hashes into email addresses.

Wordfence founder and CEO Mark Maunder explained how using email address hashes can lead to people to googling the extracted hash to find other websites and services that an individual is using.

“For example: A user may be comfortable having their full name and profile photo appear on a website about skiing,” Maunder said. “But they may not want their name or identity exposed to the public on a website specializing in a medical condition. Someone researching this individual could extract their Gravatar hash from the skiing website along with their full name. They could then Google the hash and determine that the individual suffers from a medical condition they wanted to keep private.”

Many Gravatar users were not satisfied with the service’s explanation that all of the information users entered was public, which disqualified the incident from being labeled a breach. In the same explanation, however, the service claims the API was abused, instead of admitting that it was vulnerable and could have been better protected.

After years of researchers demonstrating that this was possible, is scraping Gravatar an unethical data acquisition because the scraper is abusing the service’s architecture? Or is it unethical that Gravatar made it possible to harvest profile data en masse for years?

“If someone is able to use an API for other than its intended purpose and can gather information which otherwise wouldn’t be available through ‘standard’ means… it’s a breach,” Twitter user @RegGBlinker commented on the matter.

Gravatar undoubtedly wants to minimize the damage done by the breach notices sent out this morning to its users, but making this an issue of semantics was not reassuring. Most users did not intend to share their Gravatar emails with whoever has the motivation to scrape the data that was exposed for harvesting. Even if that data was dumped through “abuse” of their API, it feels like a breach to those who expected that user data would not be available for distribution elsewhere.

The incident serves as a reminder that, as Gravatar emphasized today, the data users choose to share publicly is made available by the service’s API and is not private. As a user, there are risks to enjoying the convenience of not having to upload your profile photo multiple times across various websites. Publishers who want their sites to offer a more privacy-conscious option should look to alternatives like Local Gravatars or Pixel Avatars.

Posted on

Privacy-Conscious WordPress Plugin Caches and Serves Gravatar Images Locally

Ari Stathopoulos released his new Local Gravatars plugin last week. The goal of the plugin is to allow site owners to take advantage of the benefits of a global avatar system while mitigating privacy concerns by hosting the images locally.

In essence, it is a caching system that stores the images on the site owner’s server. It is an idea that Peter Shaw proposed in the comments on an earlier Tavern article covering local avatar upload. It is a middle ground that may satisfy some users’ issues with how avatars currently work in WordPress.

“I am one of the people that blocks analytics, uses private sessions when visiting social sites, I use DuckDuckGo instead of Google, and I don’t like the ‘implied’ consents,” said Stathopoulos. “I built the plugin for my own use because I don’t know what Gravatar does, I don’t understand the privacy policies, and I am too lazy to spend two hours analyzing them. It’s faster for me to build something that is safe and doesn’t leave any room for misunderstandings.”

He is referring to Automattic’s extensive Privacy Policy. He said it looks benign. However, he does not like the idea of any company being able to track what sites he visits without explicit consent.

“And when I visit a site that uses Gravatar, some information is exposed to the site that serves them — including my IP,” said Stathopoulos. “Even if it’s just for analytics purposes, I don’t think the company should know that page A on site B got 1,000 visitors today with these IPs from these countries. There is absolutely no reason why any company not related to the page I’m actually visiting should have any kind of information about my visit.”

The Local Gravatars plugin must still connect to the Gravatar service. However, the connection is made on the server rather than the client. Stathopoulos explained that the only information exposed in this case is the server’s IP and nothing from the client, which eliminates any potential privacy concerns.

The Latest Plugin Update

Stathopoulos updated the plugin earlier today to address some performance concerns for pages that have hundreds or more Gravatar images. In the version 1.0.1 update, he added a maximum processing time of five seconds and changed the cache cleanup process from daily to weekly. Both of these are filterable via code.

“Now, if there are Gravatars missing in a page request, it will get as many as it can, and, after five seconds, it will stop,” said Stathopoulos. “So if there are 100 Gravatars missing and it gets the first 20, the rest will be blank (can be filtered to use a fallback URL, or even fall back to the remote URL, though that would defeat the privacy improvement). The next page request will get the next 20, and so on. At some point, all will be there, and there will be no more delays.”

He did point out that performance could temporarily suffer when installing it on a site that has individual posts with 1,000s of comments and a lot of traffic. However, nothing would crash on the site, and the plugin should eventually lead to a performance boost in this scenario. For such large sites, owners could use the existing filter hooks to tweak the settings.

Right now, the plugin is primarily an itch he wanted to scratch for his own purposes. However, if given enough usage and feedback, he may include a settings screen to allow users to control some of the currently-filterable defaults, such as the cleanup timeframe and the maximum process time allowed.

The Growing List of Alternatives

With growing concerns around privacy in the modern world, Local Gravatars is another tool that end-users can employ if they have any concerns around the Gravatar service. For those who are OK with an auto-generated avatar, Pixel Avatars may be a solution.

“I’ve seen some of them, and they are wonderful!” Stathopoulos said of alternatives for serving avatars. “However, this plugin is slightly different in that the avatars the user already has on Gravatar.com are actually used. They can see the image they have uploaded. The user doesn’t need to upload a separate avatar, and an automatic one is not used by default.”

He would not mind using an auto-generated avatar when commenting on blogs or news sites at times. However, Stathopoulos prefers Gravatar for community-oriented sites.

“My Gravatar is part of my online identity, and when I see, for example, a comment from someone on WordPress.org, I know who they are by their Gravatar,” he said.

Posted on

Local Avatars in WordPress? Yes, Please

It is an age-old question. OK, well, it’s really a 10-year-old feature request, but that is age-old in software development years. Should WordPress have a local avatar system?

Let’s be honest. Most of us have kind of gritted our teeth and quietly — and sometimes not so quietly — lived with the Automattic-owned properties that are integrated directly with the core WordPress software. At least Akismet is a plugin and somewhat detached from the platform. But, avatars, a feature courtesy of Automattic’s Gravatar service, is baked deep into the platform. Users must disable avatars completely or opt into another plugin to distance themselves from it.

There are the obvious privacy concerns that some people have around uploading an image to the Gravatar service and creating an account with WordPress.com. Even aside from such concerns, regardless of whether they are warranted, new users who are unfamiliar with local avatar plugins are essentially guided to create an account with a third-party service to have one of the most basic features expected from a CMS.

Not all WordPress installs have access to Gravatar, such as within companies that use intranets. Some countries have the power to effectively block access to the service, as shown by the move China made in 2013 to block WordPress.com and Gravatar, leaving users to seek out alternatives.

The itch that many want to scratch is to simply remove Automattic-connected services from the core software. Gravatar’s inclusion in WordPress has hampered any chance of competing services gaining a foothold. To be fair, at the time of Gravatar’s initial inclusion in WordPress, there were few good options. It made sense to leverage a working solution that would get an avatar system rolling. And the notion of a globally-recognized avatar is noble — one service to control your avatar across the web. However, having that service under the control of a for-profit U.S. company will always be an issue that could potentially hold it back from being the service that the web truly needs. It will certainly always be a contentious issue in the WordPress community. Even those of us who love the software and services that Automattic offers can see the problem.

WordPress should be agnostic about what services it includes out of the box. Gravatar should be a separate plugin, even if it is bundled with core a la Akismet. Local avatars is not an insurmountable feature, and it might just be time to make the change.

While possible to build into core, it is not a simple matter of plugging in an image upload form on the user profile screen. The feature carries its own privacy concerns too. For example, uploading images currently requires certain permissions that would also provide the user with access to the entire media library. There is the question of how to deal with registered vs. non-registered users in such a system along with several other hurdles.

Recent chatter in the 10-year-old ticket and the #core-privacy and #core-media Slack channels have reignited the idea of local avatars. There is also an early spreadsheet on local avatar requirements and research.

Much of this discussion is amidst the backdrop of the WP Consent API proposal, which seeks to create a standardized method for core, plugins, and themes to obtain consent from users. Presumably, Gravatar usage would tie into this API somehow.

Matt Mullenweg, the co-founder of WordPress and CEO of Automattic, seems open to the discussion. “It’s exciting to see this older ticket picking up so much steam,” he said on the Trac ticket. However, he further pushed for a separate featured plugin that focused on broader privacy concerns.

In many ways, local avatars feel like the early days of the web in which users had to upload a custom avatar to every single website they joined. At times, it could be tedious. Gravatar solved this issue by creating a single service for people to bring their avatars along their journey across the net. However, we have seemingly come full circle in the last few years. With the passage of the European GDPR and other jurisdictions beginning to follow suit with similar privacy laws, it easy to see why there is renewed discussion around Gravatar in core.

We should have local avatars because it is the right thing to do. Provide a basic avatar upload system on the user profile screen. Beyond that, let users choose what they want by installing their preferred plugin without guiding them toward one particular service over another.

If nothing else, I’m excited about a wider discussion around local avatars in WordPress and welcome the possibility of such a featured explored via an officially-sanctioned plugin.