Even as someone who generally tries not to piss people off on the internet, I feel we can agree it’s best opsec practice to avoid leaving sensitive information like a home address places where you’re bound to lose track of it. I realized recently that most of the shot-on-iPhone images I post to the internet have geolocation info still embedded in them. The more conscientious avenues of sharing like Facebook and Instagram make a point of deleting all such info before serving images to the public. WordPress, for some reason, doesn’t bother.

(That’s not my blog… not anymore).

So, realizing that most of my blog post images are tagged with the location of my house, what should I do about it?

Driving Exiftool

Exiftool is a command line application. The host I use already has it installed on my server, so I did most of this on that machine via SSH. Alternately, you could install it on your Mac with homebrew: brew install exiftool .

After SSHing to my host, I cd ‘d to wp-content/uploads where WordPress stores all your media files. From there, there are a few commands:
(Note: these all take a while, since exiftool processes only about 3 files/sec regardless of whether it’s modifying them).

1. Find all sensitively-tagged images:
   find . -printf ‘%p\n’ -type f -exec exiftool -GPSLatitude {} \;
   On Mac:
   find . -print -type f -exec exiftool -GPSLatitude {} \;
   This finds all files (-type f), recursively under the current directory (.), prints the filename and a newline (-printf ‘%p\n), and executes exiftool (-exec) to output the GPSLatitude tag for the file in question ({}). You could add something like -name \*.jpg  to pick only .jpg filenames, for find . -name \*.jpg -printf ‘%p\n’ -type f -exec exiftool -GPSLatitude {} \;
   If a given file has geotag data, you’ll see the GPSLatitude tag after its name.
2. Scrub the geolocation info from all of those images:
   We’ll slightly modify the exiftool command to set the geotag for every image, to nothing:
   find . -printf ‘%p\n’ -type f -exec exiftool -geotag= {} \;
   Mac:
   find . -print -type f -exec exiftool -geotag= {} \;
   The print statement probably isn’t strictly necessary, but might be useful if exiftool errors out.
3. Exiftool will rename any file it modifies to “filename<_original>” in case you screw something up. We should scrub those away, since they still contain geotag data, and will still be available to anyone who cares to list your image directories.
   find . -type f -name \*_original -delete
   This will unceremoniously delete anything suffixed with “_original.”
4. Re-run the command from (1) to check that you’ve done the deed.

If you run into errors, check out the exiftool FAQ. I encountered at least one image with corrupt exif data and was able to fix it with entry 20.

After scrubbing, you can use a plugin like VA Removing Exif to automatically scrub EXIF data from all uploaded images going forward. It’s a little brute force just to get rid of geotag info, but it does appear to work with minimal fuss still as of WordPress 4.9.2.

Thanks to this superuser post and all its contributors for getting me on the right track. And to this askubuntu thread too.