WordPress powers over 43% of all websites on the internet. Unfortunately, its plugin ecosystem and default settings create privacy compliance gaps that most site owners don't even know about. Here's how to make your WordPress site fully GDPR-compliant.
Common WordPress Privacy Issues
| Issue | How It Happens | GDPR Risk |
|---|---|---|
| Gravatars load from external servers | WordPress default for comments | Data sent to Automattic servers without consent |
| Google Fonts loaded externally | Many themes load from fonts.googleapis.com | IP addresses sent to Google (Munich court ruling, 2022) |
| Embedded YouTube/Vimeo videos | Standard embeds load trackers immediately | Cookies set before consent |
| Contact form data stored indefinitely | Default behavior of most form plugins | No data retention policy |
| Plugin analytics and tracking | Jetpack, WooCommerce, etc. | Hidden data collection |
| WordPress.com stats | Jetpack Site Stats module | Data sent to Automattic |
Essential Settings Changes
1. Disable Gravatars
Go to Settings → Discussion → uncheck "Show Avatars." This prevents external requests to Gravatar servers that transmit visitor data without consent.
2. Self-Host Google Fonts
Install the "OMGF (Optimize My Google Fonts)" plugin, or manually download and host fonts locally. After the 2022 Munich court ruling, loading Google Fonts externally without consent is a GDPR violation with fines starting at €100 per visitor.
3. Enable Privacy-Friendly Embeds
Use "WP YouTube Lyte" or "GDPR-compliant YouTube Embed" plugins that load a thumbnail placeholder instead of the full YouTube player. The actual video only loads after the user clicks.
4. Configure WordPress Privacy Page
Go to Settings → Privacy and set your Privacy Policy page. WordPress will link to it automatically in login/registration forms and the site footer (theme-dependent).
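Step 3 above describes a click-to-load embed; the following is an added example of that mechanism, not code from WP YouTube Lyte or any other plugin named here. It assumes the thumbnail is self-hosted under a hypothetical /wp-content/uploads/ path rather than fetched from YouTube, and expects the placeholder markup shown in the comments.

```javascript
// Click-to-load YouTube embed: the post shows only a locally hosted placeholder image,
// and the YouTube iframe (with its cookies and trackers) is created after the visitor
// clicks. Assumption: the thumbnail is self-hosted (e.g. under /wp-content/uploads/),
// because fetching it from i.ytimg.com would itself send the visitor's IP to Google.
const YOUTUBE_ID = /^[A-Za-z0-9_-]{11}$/;

// Accepts the common YouTube URL shapes and returns the 11-character video id, or null.
function extractYouTubeId(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  const host = u.hostname.replace(/^(www|m)\./, '');
  let id = null;
  if (host === 'youtu.be') {
    id = u.pathname.slice(1);
  } else if (host === 'youtube.com' || host === 'youtube-nocookie.com') {
    if (u.pathname === '/watch') {
      id = u.searchParams.get('v');
    } else {
      const m = u.pathname.match(/^\/(?:embed|shorts|v)\/([^/]+)/);
      if (m) id = m[1];
    }
  }
  return id !== null && YOUTUBE_ID.test(id) ? id : null;
}

// Privacy-enhanced embed URL: youtube-nocookie.com host, no related videos, autoplay so the
// click that expressed consent also starts playback. Rejects anything that is not a valid id.
function buildEmbedUrl(id) {
  if (!YOUTUBE_ID.test(id)) throw new Error('invalid YouTube video id');
  return 'https://www.youtube-nocookie.com/embed/' + id + '?autoplay=1&rel=0';
}

// Replaces the placeholder with the real iframe. Expected markup in the post:
// <div class="yt-placeholder" data-video="https://youtu.be/VIDEOID" data-thumb="/wp-content/uploads/thumb.jpg"></div>
function activatePlaceholder(el) {
  const id = extractYouTubeId(el.dataset.video);
  if (id === null) return false;
  const iframe = document.createElement('iframe');
  iframe.src = buildEmbedUrl(id);
  iframe.setAttribute('allow', 'autoplay; encrypted-media; picture-in-picture');
  el.replaceWith(iframe);
  return true;
}

// Browser-only wiring; skipped under Node so the functions above can be unit-tested.
if (typeof document !== 'undefined') {
  document.querySelectorAll('.yt-placeholder').forEach(function (el) {
    el.style.backgroundImage = 'url(' + el.dataset.thumb + ')';
    el.addEventListener('click', function () { activatePlaceholder(el); }, { once: true });
  });
}
```

Until the click, the only network requests are for the page itself and the self-hosted thumbnail, so no YouTube cookie is set before consent.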
Recommended Plugins
| Plugin | Purpose | Free/Paid |
|---|---|---|
| Complianz | Cookie consent + privacy policy generation | Free + Premium ($45/yr) |
| CookieYes | Cookie banner with auto-scanning | Free + Premium ($89/yr) |
| OMGF | Self-host Google Fonts | Free |
| WP YouTube Lyte | GDPR-compliant YouTube embeds | Free |
| Flamingo | Contact form submissions with export/delete | Free |
| WP GDPR Compliance | Comment and form consent checkboxes | Free |
WooCommerce-Specific Issues
If you run WooCommerce, additional compliance steps are needed:
- Order data retention: Set up automatic anonymization of old orders (WooCommerce → Settings → Accounts → Personal data retention)
- Marketing consent: Don't pre-check the marketing opt-in checkbox at checkout
- Payment gateways: Document all payment processor data flows in your privacy policy
- Abandoned cart plugins: These track users without consent — ensure they respect consent state
- Reviews: If you collect reviews, add a consent checkbox and disclose storage
WordPress Security Hardening
GDPR requires appropriate security measures. For WordPress:
- Add security headers via your server config or a plugin like Headers Security Advanced & HSTS WP
- Install Wordfence or Sucuri for firewall protection
- Enable two-factor authentication for admin accounts
- Keep WordPress core, themes, and plugins updated
- Use SSL/HTTPS (Let's Encrypt is free)
- Limit login attempts to prevent brute force attacks
Audit Your WordPress Site
Even with the right plugins, WordPress sites accumulate compliance issues over time as themes update, plugins change behavior, and new content is added. Run a free PrivacyChecker scan to identify all cookies, trackers, and third-party requests on your WordPress site — including those hidden inside plugins.