GDPR & WordPress: Technical Measures You Should Implement Now

Torben Simon Meier Last updated 25.03.2020
7 Min.
GDPR  & WordPress

On 25.05.2018 the EU GDPR came into force. We will show you the technical measures you should take in order to operate your WordPress website in a legally secure manner. Without jumping on the panic train, we offer you an overview of the technical precautions that we consider important in light of the GDPR.

Update Info: We have summarized our collective experience in converting RAIDBOXES to the requirements of GDPR in a free WordPress GDPR -Guide summary. This also includes the technical WordPress measures of this article.

line infobox blue

Disclaimer: Our blog post is not legal advice! In the course of our work as WordPress web hoster we have dealt very intensively with the current German data protection regulations and the forthcoming EU-GDPR . However, we are neither lawyers nor data protection experts. For the completeness, timeliness and accuracy of the measures and content provided by us, no liability is assumed by us.

Automattic WordPress plugins

GDPR harmful WordPress plugins remove and replace with GDPR-compliant alternatives

Even those plugins provided by the commercial WordPress company Automattic itself require a valid connection to and thus a direct connection not only to your data, but also, for example, the personal IP of your website visitors. These are the perfect example of the kind of plugins that you are better off replacing with an GDPR compliant alternative since May 25, 2018 – at least until their developers release a legally compliant version of their plugins.

The following Automattic are exemplary WordPress plugins for all representatives of their respective division in the WordPress plugin directory as an example for this article:

In order to continue to operate your website according to your requirements, you can fall back on the following alternatives, which do not pass on any personal data of your visitors.

Collect anonymous visitor statistics

Of course, we would also like to know what works particularly well on our website, what is read or shared, how long visitors stay or how high the bounce rate is. With the EU GDPR, the legal situation will be tightened up a little bit more. You have to make every visitor of your website completely anonymous, just as you did under the previous German data protection regulation. However, no personal data may be transferred to other services.

For this reason, we recommend Statify so that all anonymized personal data remains on your website and is not shared with any other services.

According to the developers of Statify, Plugin does not process, send or store any personal data, such as cookies or IP addresses outside your website.

Use legally compliant avatars for blog and comments

Avatar Privacy by Johannes Freudendahl offers the following features for the implementation of GDPR : First, it does not publish the hash of email addresses if there is no Gravatar account for it. On the other hand, it offers an opt-in or opt-out for the display of the Gravatar in comments and in the user profile. Also, the Plugin provides new default avatars that are loaded from the local server instead of the servers in the US.

An alternative is to completely disable gravatars on your own website:

However, to deactivate Gravatar completely in WordPress you need to change the following settings in the WordPress admin area under the menu item "Settings": Scroll down the submenu under Discussions until you reach the Avatars section. Then you deactivate the selection field: "Avatar display – Show avatars". Click on "save" to apply the settings and clear your website cache. Now your website should no longer communicate with

Double opt-in procedure for comments

Here it is said in advance that the notification of further comments on your own comment already requires that data is passed on. If you want to exclude a negative interpretation of this "grey area", use the free Plugin Subscribe to Double-Opt-In Comments. This way, the visitor has to actively confirm in advance that he really wants to receive notifications about follow-up comments.

Restrict antispam protection to your own website

Antispam Bee can be used in a GDPR -compliant manner if you observe the following setting of Plugins : The "Consider public spam database" feature must be disabled to prevent your visitors' IP addresses from being submitted to the Stop Forum Spam service. The language filter, which uses the Google API, is contrary to the assumption of many data protection-technically unproblematic:

If the speech filter has been activated, the first ten words of each comment are sent to Google's speech recognition service. Three words of the comment content. Not the email address, not the name of the person commenting, not the IP address. Bottom line: no personal data and therefore no problem. - Simon Kraft, member of the Pluginkollektiv

WordPress Backup plugins with alternative solutions

In order to counteract the transfer of personal data to e.g. US servers and as a positive side effect to free up additional performance capacities of your website, we recommend not to use special WordPress Backups plugins in the future.

A better alternative is to use automatic WordPress backups through your WordPress web hoster like e.g. at RAIDBOXES.

Use web server caching instead WordPress of caching plugin

Many cachings plugins, including Automattic's, do a good job of caching your website. By caching, the website can be delivered faster. However, caching is also associated with loss of control over the data.

A legally compliant alternative, which also ensures that the performance-heavy plugins sones disappear, is to use the server-side cache of specialized WordPress hosters.

The advantage: the data is already stored when it is delivered and is located at least RAIDBOXES only on German servers with guaranteed ISO 27001 certification.

compliant with social media WordPress GDPR

Stop problematic social plugins applications, such as the Facebook Like Button, Like Box or Twitter widgets

Share services often use data as soon as your visitors are on the website with active social plugin. Even if a user has not yet shared anything, the data is already being shared. This is still largely unknown, GDPR but in the sense of being critical. While searching for legally compliant solutions, we came across only one free social plugin, which prevents the sharing of data even before you click a share button.

Therefore, at this time, we recommend deleting integrated Twitter widgets, Facebook Like buttons, or the Like Box widget and relying on Shariff Wrapper 's Social Plugin for sharing buttons in posts.

Forms GDPR  WordPress

Contact Forms plugins such as Contact Form 7 & Gravity Forms can also be used with the EU GDPR

New requirements for contact forms

According to the General Data Protection Regulation, sending a form requires the consent of the sender. Not only the personal IP, but also the email address and the content itself are considered data. An opt-in for the consent of data storage can be implemented via an additional acceptance checkbox at Contact Form 7 and Gravity Forms, for example, with the free Plugin WP GDPR Compliance implement.

In the medium to long term, we are convinced that all known Plugin-developers will implement the necessary regulations to comply with GDPR . Until then, GDPR -Plugins can really do a good job!

Newsletter & Email Marketing GDPR  WordPress

Newsletter & Email Marketing

In your newsletter forms, only the email address should be a mandatory field, all other data such as first and last name should only be asked for optionally. As with all forms, the double opt-in procedure also applies to the newsletter form, as well as the greatest possible transparency in the information about what exactly you intend to do or offer with the newsletter.

Double opt-in procedure remains standard

If you haven't done so yet, then always use the double opt-in procedure from now on! With double opt-in, the email recipient must explicitly click on the link in a confirmation email a second time after the first registration in order to be added to the distribution list. This ensures that no one registers for a newsletter in your name and that the actual registration is also desired by you.

Technical measures EU GDPR

Technical measures outside your WordPress plugins

SSL encryption

SSL encryption is not mandatory in GDPR , but without an SSL connection a secure data transmission around your website is not possible. You can also learn more about SSL in our extensive Let's Encrypt SSL Compendium.

You don't want to set up the SSL certificate yourself? Then use, for example, SSL certificates from Let's Encrypt, which you can activate quickly and easily for your WordPress website free of charge with a one-click installation.

Create Google Analytics Opt-Out

In this context, it should be pointed out once again that even before the EU GDPR, the previous still valid German GDPR one has been prescribing the complete anonymisation of visitors for years. To ensure this, the following line of code must be added to the very often used Google Analytics:

ga('set', 'anonymizeIp', true);

Should your javascript snippet have looked like this beforehand:

the code looks like this after adding it:

Furthermore, you must create a possibility in your privacy policy that visitors to your website can be completely excluded from the Google analysis. You can find a free opt-out Plugin for Google Analytics called Google Analytics Opt-Out in the WordPress -Plugin- directory. This installs a cookie that prevents analytics.js from collecting the data.

Anonymized IP addresses in blog comments

WordPress stores the IP addresses of comment writers by default. However, according to the EU-GDPR , the collection of IP addresses is not data protection compliant. You can use a small PHP code in your functions.php to prevent the future storage of IP addresses. We recommend to use a child-Theme for this, so that the code is still integrated after the next update of your Themes . The code to insert is:

function  wpb_remove_commentsip( $comment_author_ip ) {
	return '';
add_filter( 'pre_comment_user_ip', 'wpb_remove_commentsip' );

Finally, you need to manually delete existing IP addresses in the database of your website once retroactively. A good tutorial on how to do this can be found here.

The EU GDPR has many more (new) requirements for you as a website operator than just the technical measures explained above on your WordPress website.

A good investment is, for example, the paid e-book on the EUGDPR of t3n to implement the requirements of the European General Data Protection Regulation in all matters that affect you as an entrepreneur.

We appreciate any feedback and comments under the article.

Related articles

Comments on this article

Post a comment

Your email address will not be published. Required fields are marked with *.