GDPR & WordPress: Technical Measures You Should Implement Now

Order your GDPR Compliant Package here for € 75.00
Our GDPR and legal compliance pack includes the following:

  • Privacy policy
  • Website terms and conditions
  • Data processing agreement (controller-processor)
  • Consultancy agreement (standard)
  • Commission agreement (optional)
  • Non-solicitation agreement (optional)
  • Non-disclosure agreement (optional)
  • Assignment of intellectual property rights (optional)
  • Email disclaimer

Additionally we check your compliance regarding Google Services such as Maps, reCaptcha, Email Forms and general Cookie Settings.

On May 25, 2018, the EU General Data Protection Regulation (GDPR) comes into effect. We show you which technical measures you should implement immediately to ensure that running your WordPress website is legally compliant. While seeing no need for pressing the panic button, we offer you an overview of important issues around GDPR which we consider technically reasonable.

Disclaimer: Our blog entry is not legal advice! Within the scope of our business as WordPress hosting provider we have dealt quite extensively with the applicable laws governing data protection in Germany as well as the upcoming EU-regulation GDPR. We are neither legal professionals nor data protection experts. We are not liable for the completeness, topicality and accuracy of the provided measures and contents.

Remove critical WordPress plugins on your website and replace them with GDPR-compliant alternatives

All plugins provided by the commercial WordPress company Automattic itself need a valid connection to and thus not only a direct connection to your data but also, for example, the personal IP of your website visitors. They are the perfect example of the kind of plugin you should act on before May 25, 2018 by replacing it with an alternative that complies with the EU GDPR, at least until the plugin developers release a legally compliant plugin version.

The following Automattic WordPress plugins serve as representative examples for each category in the WordPress plugin repository and are used in this article for illustration purposes:

To keep your website GDPR-safe you can resort to the following alternatives, which do not transmit personal data of your visitors.

Gather anonymous visitor statistics

Of course, we would also like to know about which parts and contents of our website work especially well usability-wise, what people like to read or share, for how long visitors stay or how high the bounce rate is etc. The EU GDPR will tighten up legal regulations. As was already required under the previous German data protection act, you ought to anonymize every visitor of your website entirely. In addition, no personal data is allowed to be transferred to third-party services.

This is why we recommend Statify, so that all anonymized personal data stay on your website and are not passed on to other services.

According to the developers of Statify, the plugin does not process, send or save any personal data, e.g. cookies or IP addresses beyond your website.

Use legally compliant avatars for your blog and comment sections

Important: To deactivate Gravatar completely in WordPress, you need to adjust the following settings in the WordPress admin area under the menu item ‘Settings’. Go to the submenu ‘Discussions’ and scroll all the way down to the avatar section.

Now you can deactivate the selection box ‘Avatar Display – Show Avatars’. Click on Save to apply the settings and delete your website’s cache. Now your website should not communicate with via Gravatar any longer.

Double-opt-in feature for comments

It should be noted in advance that notifications for follow-up comments to your own comment already imply that data is being transmitted. To prevent possibilities of misinterpretation within the grey zone, use the free plugin Subscribe to Double-Opt-In Comments to let your visitor confirm in advance whether notifications about follow-up comments are desired.

Restrict antispam protection to your own website

Antispam Bee can be used in a GDPR-compliant way if you pay attention to the following plugin settings. The setting ‘Use a public antispam database’ and the feature ‘Allow comments only in certain language’ both need to be deactivated in the plugin settings. Otherwise your visitors’ IP addresses will still be transferred to the service Stop Forum Spam, and the comment text will be sent to Google Translate for language detection.

Replace WordPress backup plugins with alternative solutions

To avoid transmitting personal data to (for instance) US-American servers, and to free up performance capacity on your website as a positive side effect, we recommend abstaining from specific WordPress backup plugins in the future.

A better alternative is using automated WordPress backups provided by your WordPress hosting service, e.g. at RAIDBOXES.

Use web server caching instead of a WordPress caching plugin

Many caching plugins, including the one by Automattic, do a good job of speeding up your website. With caching, the website can be delivered faster. But caching might also come with a loss of control over your data.

A legally secure alternative, which additionally makes performance-burdening plugins disappear, is using server-side caching provided by specific WordPress hosting services. 

The advantage of such an approach: The cached data is stored – at least in the case of RAIDBOXES – on German servers with guaranteed ISO 21007-certification and does not transmit user data to external services.


Prohibit illegal connections of social plugins, such as the Facebook Like Button, Like Box or Twitter Widgets

In many cases, social sharing services already process data as soon as your visitors are on a website with an active social plugin. Even if a user hasn’t shared anything yet, the data is already transmitted. These circumstances are largely unknown, yet very critical in the context of GDPR. While researching for legally compliant solutions we only came across one single social plugin for free which prevents data transfer prior to clicking a share button.

At this time, we therefore recommend the deletion of integrated Twitter Widgets or Facebook Like Buttons or the Like Box, and to rely on the social plugin by Shariff Wrapper for share buttons in posts.

Adjust contact form plugins like Contact Form 7 & Gravity Forms to GDPR

New requirements for contact forms

According to the general data protection regulation, sending a form presumes the sender’s consent. The definition for data not only comprises the personal IP, but also the email address and the content per se. An opt-in to confirm prior consent for data storage can be implemented by adding an Acceptance Checkbox for Contact Form 7 and by using the free plugin WP GDPR Compliance for Gravity Forms.

We are convinced that, in the medium to long term, all popular plugin developers will implement the necessary requirements to meet the GDPR. Until then, the WP GDPR Plugin will do a very good job!


Newsletter & email marketing

In your newsletter forms, the email address should be the only mandatory field; all other data, such as first name and surname, should be optional. The double opt-in procedure and the greatest possible transparency apply to all forms, including the newsletter form. You should disclose exactly what you aim at or offer with your newsletter.

Double opt-in procedure remains standard

In case you haven’t done so yet, start using double opt-in immediately! The double opt-in procedure requires the email recipient to explicitly click on a link in a confirmation mail after the initial registration. Only then is the person added to the mailing list. This ensures that nobody can sign up for a newsletter on your behalf and that the registration is actually approved by you. The confirmation mail is not allowed to contain advertising or any other content.

More technical measures beyond your WordPress plugins

SSL encryption

Although SSL encryption is not an obligation according to GDPR, secure data transmission around your website is simply not possible without an SSL encrypted connection! You can learn more about SSL in our extensive Let’s Encrypt SSL site.

Don’t want to set up the SSL certificate by yourself? Use, for example, Let’s Encrypt SSL certificates. Via free 1-click installation you can activate an SSL certificate for your WordPress website, fast and easy.

Create an opt-out for Google Analytics

Once more, we would like to point out that, even before the EU GDPR, the applicable German data protection law has for years required the complete anonymization of visitors. To guarantee this now at the latest, the very widely used Google Analytics should be extended by the following line of code:

ga('set', 'anonymizeIp', true);

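In case your JavaScript snippet looked like this previously:

(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXXXXXX-X', 'auto');
ga('require', 'displayfeatures');
ga('require', 'linkid', 'linkid.js');
ga('send', 'pageview');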

The code will look like this after the addition:

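(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-XXXXXXXX-X', 'auto');
ga('require', 'displayfeatures');
ga('require', 'linkid', 'linkid.js');
// Anonymize the visitor IP; this must be set before the pageview is sent.
ga('set', 'anonymizeIp', true);
ga('send', 'pageview');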

Moreover, you ought to provide an option in your privacy policy that lets your website visitors exclude themselves entirely from the Google analysis. A free opt-out plugin for Google Analytics named Google Analytics Opt-Out is available in the WordPress plugin repository. It sets a cookie which prevents analytics.js from collecting data.
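How a cookie-based opt-out of this kind can work, as an added example (not the plugin's own code): analytics.js collects nothing when window['ga-disable-<property ID>'] is true before the tracker is created, so the cookie only has to restore that flag on every page. The function names are hypothetical and UA-XXXXXXXX-X is the article's placeholder property ID.

```javascript
// Added example. 'UA-XXXXXXXX-X' is the article's placeholder property ID.
const GA_PROPERTY_ID = 'UA-XXXXXXXX-X';
// analytics.js checks this window property before it sends any hit.
const DISABLE_KEY = 'ga-disable-' + GA_PROPERTY_ID;

// True if a document.cookie-style string contains the opt-out cookie.
function hasOptOutCookie(cookieString) {
  return String(cookieString || '').split(';').some(function (pair) {
    return pair.trim() === DISABLE_KEY + '=true';
  });
}

// Cookie that remembers the visitor's choice across page views.
function buildOptOutCookie() {
  return DISABLE_KEY + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/; SameSite=Lax';
}

// Run on every page BEFORE ga('create', ...): re-apply a stored opt-out.
function applyStoredOptOut(win, cookieString) {
  if (!hasOptOutCookie(cookieString)) return false;
  win[DISABLE_KEY] = true;
  return true;
}

// Handler for the opt-out link in the privacy policy.
function gaOptOut(win, doc) {
  doc.cookie = buildOptOutCookie();
  win[DISABLE_KEY] = true; // takes effect for the current page view as well
}

// Browser wiring (skipped when the script runs outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyStoredOptOut(window, document.cookie);
  window.gaOptOut = function () { gaOptOut(window, document); };
}
```

The script has to be placed above the Google Analytics snippet; a flag set after the pageview has been sent no longer affects that hit.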

Anonymized IP addresses in blog comments

WordPress stores the IP addresses of comment authors by default. However, gathering the IP address is not compliant with data protection according to the EU GDPR. With a small PHP snippet in the functions.php of your active WordPress theme you can prevent IP addresses from being stored in the future. We recommend using a child theme so that the code stays in place even after theme updates. The code to be inserted is as follows:

// Store an empty string instead of the comment author's IP address.
function wpb_remove_commentsip( $comment_author_ip ) {
	return '';
}
add_filter( 'pre_comment_user_ip', 'wpb_remove_commentsip' );

Finally, you need to retroactively delete the IP addresses that still exist in your website’s database in a one-time manual action.
Beyond the technical measures described here for your WordPress website, the EU GDPR has many more (new) requirements for you to meet as a website owner.

We tried to be as compliant as possible on this website by implementing all the steps above. If you need help making your website GDPR compliant, please contact me for a quote.
Order your GDPR Compliant Package here for € 30.00

First published by  by Torben