GDPR & WordPress: Technical Measures You Should Implement Now

Torben Simon Meier Last updated on 25.03.2020
7 Min.
GDPR  & WordPress

On 25.05.2018 the EU GDPR came into force. We will show you the technical measures you should take in order to operate your WordPress website in a legally secure manner. Without jumping on the panic train, we offer you an overview of the technical precautions that we consider important in light of the GDPR.

Update Info: We have used our accumulated experience in order to make RAIDBOXES compliant with the requirements of the GDPR free WordPress GDPR Guide in summary. This also includes the technical WordPress measures of this article.

line infobox blue

Disclaimer: Our blog post is not legal advice! In the course of our work as WordPress hosters we have been very intensively engaged with the current German data protection regulations and the upcoming GDPR. But we are neither lawyers nor data protection experts. We assume no liability for the completeness, topicality and correctness of the measures and contents provided by us.

Automattic WordPress plugins

GDPR harmful WordPress plugins remove and replace with GDPR-compliant alternatives

Even those plugins provided by the commercial WordPress company Automattic itself require a valid connection to and thus a direct connection not only to your data, but also, for example, the personal IP of your website visitors. These are the perfect example of the kind of plugins that you are better off replacing with an GDPR compliant alternative since May 25, 2018 – at least until their developers release a legally compliant version of their plugins.

The following Automattic are exemplary WordPress plugins for all representatives of their respective division in the WordPress plugin directory as an example for this article:

In order to be able to continue to operate your website according to your requirements, you can fall back on the following alternatives, which do not pass on any personal data of your visitors.

Collect anonymous visitor statistics

Of course, we would also like to know what works particularly well on our website, what is read or shared, how long visitors stay or how high the bounce rate is. With the EU GDPR, the legal situation will be tightened up a little bit more. You have to make every visitor of your website completely anonymous, just as you did under the previous German data protection regulation. However, no personal data may be transferred to other services.

For this reason we recommend Statifyso that all anonymous personal data remains on your website and is not passed on to any other services.

According to the developers of Statify, this does Pluginnot process, send or store any personal data, such as cookies or IP addresses, outside of your website.

Use legally compliant avatars for blog and comments

Avatar Privacy from Johannes Freudendahl offers for the implementation of the GDPR following features: Firstly, the hash of email addresses is not published if there is no Gravatar account for it. On the other hand, it offers an opt-in or opt-out for displaying the Gravatar in comments and in the user profile. In addition, the Pluginnew default avatars are loaded from the local server instead of the servers in the USA.

An alternative is to completely disable the gravatars on your own website:

However, to deactivate Gravatar completely in WordPress you need to change the following settings in the WordPress admin area under the menu item "Settings": Scroll down the submenu under Discussions until you reach the Avatars section. Then you deactivate the selection field: "Avatar display – Show avatars". Click on "save" to apply the settings and clear your website cache. Now your website should no longer communicate with

Double opt-in procedure for comments

Here it is said in advance that the notification of further comments on one's own comment already requires that data is passed on. If you want to exclude a negative interpretation of this "grey area", use the free Plugin Subscribe to Double-Opt-In Comments. This means that the visitor must actively confirm in advance that he really wants to receive notification of follow-up comments.

Restrict antispam protection to your own website

Antispam Bee can be used GDPR-compliant if you plugins observe the following setting of the: The "Include public spam database" feature must be disabled to prevent the IP addresses of your visitors from being sent to the Stop Forum Spam be transmitted. The speech filter, which uses the Google API, is, contrary to the assumption of many data protection experts, technically unproblematic:

If the speech filter is enabled, the first ten words of each comment are sent to the Google speech recognition service. Three words of commentary content. Not the e-mail address, not the name of the person commenting, not the IP address. The bottom line: no personal data and therefore no problem. – Simon Kraft, Member of the plugin collective

WordPress Backup plugins with alternative solutions

In order to counteract the transfer of personal data to e.g. US servers and as a positive side effect to free up additional performance capacities of your website, we recommend not to use special WordPress Backups plugins in the future.

A better alternative is to use automatic WordPress-Backups over your WordPress hosts such as RAIDBOXES.

Use web server caching instead WordPress of caching plugin

Many cachings plugins, including Automattic's, do a good job of caching your website. By caching, the website can be delivered faster. However, caching is also associated with loss of control over the data.

A legally compliant alternative, which also ensures that the performance-heavy plugins sones disappear, is to use the server-side cache of specialized WordPress hosters.

The advantage: The data is already stored when the product is delivered and is at least RAIDBOXES only on german servers with guaranteed ISO 27001 certification.

compliant with social media WordPress GDPR

Stop problematic social plugins applications, such as the Facebook Like Button, Like Box or Twitter widgets

Share services often use data as soon as your visitors are on the website with active social plugin. Even if a user has not yet shared anything, the data is already being shared. This is still largely unknown, GDPR but in the sense of being critical. While searching for legally compliant solutions, we came across only one free social plugin, which prevents the sharing of data even before you click a share button.

We therefore recommend at this time to delete integrated Twitter Widgets, Facebook Like Buttons or the Like Box Widget and to remove them for sharing buttons in posts on the social plugin of shariff wrapper bet.

Forms GDPR WordPress

Contact Forms plugins such as Contact Form 7 & Gravity Forms can also be used with the EU GDPR

New requirements for contact forms

According to the basic data protection regulation, the sending of a form requires the consent of the sender. Not only the personal IP, but also the e-mail address and the content itself are considered as data. An opt-in for the consent to data storage can be obtained by means of an additional acceptance checkbox at Contact Form 7and Gravity Forms, for example, with the free Plugin WP GDPR Compliance implement.

In the medium to long term, we are convinced that all known plugin -developers will implement the necessary regulations to meet this GDPR. Until then GDPR plugins really good services!

Newsletter & Email Marketing GDPR WordPress

Newsletter & Email Marketing

In your newsletter forms only the e-mail address should be a mandatory field, all other data such as first and last name should only be requested optionally. As with all forms, the double opt-in procedure applies to the newsletter form, as well as the greatest possible transparency in the details of what exactly you want or offer with the newsletter.

Double opt-in procedure remains standard

If you haven't done it yet, from now on always use the Double-Opt-In procedure! With double opt-in, the e-mail recipient must explicitly click a second time on the link in a confirmation e-mail after the first registration in order to be added to the distribution list. This ensures that nobody registers for a newsletter in your name and that the actual registration is also desired by you.

Technical measures EU GDPR

Technical measures outside your WordPress plugins

SSL encryption

SSL encryption is not mandatory in the GDPR, but without a SSL connection is a secure data transmission around your website is not possible. You can also learn more about SSL in our extensive Let's Encrypt SSL Compendium.

You do not want to set up the SSL certificate yourself? For example, use SSL certificates from Let's Encrypt, which you free per 1-click installation quickly and easily for your WordPress website.

Create Google Analytics Opt-Out

In this context, it should be pointed out once again that even before the EU GDPR, the previous still valid German GDPR one has been prescribing the complete anonymisation of visitors for years. To ensure this, the following line of code must be added to the very often used Google Analytics:

ga('set', 'anonymizeIp', true)

If your Javascript Snippet looked like this before:

the code looks like this after adding it:

Furthermore, you must create a possibility in your data protection regulations that visitors to your website can be completely excluded from Google analysis. You can find a free opt-out Pluginfor Google Analytics with the name Google Analytics Opt-Out in the WordPress -Plugindirectory. This installs a cookie which prevents analytics.js from collecting the data.

Anonymized IP addresses in blog comments

WordPress saves the IP addresses of the comment writers by default. However, the recording of the IP address isGDPR not in conformity with data protection regulations in the EU. You can use a small PHP code in your functions.php to prevent the future saving of IP addresses. We recommend to use a childTheme for this purpose, so that the code is still integrated after the next update of your Themesfunctions.php. The code to be inserted is:

function  wpb_remove_commentsip( $comment_author_ip ) {
	return '';
add_filter( 'pre_comment_user_ip', 'wpb_remove_commentsip' );

Finally, you have to manually delete any existing IP addresses in the database of your website. A good guide on how to do this can be found here.

The EU GDPR has many more (new) requirements for you as a website operator than just the technical measures explained above on your WordPress website.

A good investment is for example the chargeable E-Book on the EU GDPR of t3nin order to implement the requirements of the European data protection basic regulation in all matters that affect you as an entrepreneur.

We welcome any feedback and comments under the article.

Related articles

Comments on this article

Leave a comment

Your email address will not be published. Required fields are marked with * .