GDPR Essentials

Let’s get straight to what is definitely required, plus some useful security tips, without too many confusing details of how to do it.

This guide will help you work towards making your WordPress site GDPR compliant.  I have also added a few tips on general WordPress security, since protecting the personal data you hold is part of what the GDPR requires of you.

DISCLAIMER: We are not legal professionals and this post is to enable readers to understand the steps they are required to take. This does not guarantee your site will fully comply with GDPR requirements. Always make a full backup of your site before making changes or adding plugins.

1: Update to the Latest WordPress Version

WordPress 4.9.6 added privacy tools to the core. If you are already updated you will have noticed new notices in the dashboard and may have followed the directions in them. Here are the features you need to act on, whatever kind of service you provide:

  • Comment Opt-in
    This is the checkbox on the comment form asking whether to save the commenter’s name, email and website in a browser cookie for next time. It is present by default, so there is nothing to do.
  • Privacy Policy Generator
    Define your policy page under Settings > Privacy.   You can use “Create New Page” to start from the bundled template, but you must edit it to disclose every type of data your website may collect, e.g. name, email, address.  Also outline the plugins you use to protect data, such as Defender or Wordfence, and name your hosting provider, since their servers process the data. Add further information where needed and delete the sections that do not apply.
  • Data Export and Erase
    Visitors send a request via a clear link or contact form on your site. You will be notified and have one month to respond (extendable by two further months for complex requests) by either sending them their data or deleting it.  The new Export Personal Data and Erase Personal Data items under Tools email the requester a confirmation link and then export or erase what WordPress, and any plugins that have registered with these tools, hold against that email address.  Data kept by plugins that have not hooked in, or by third-party services, is not covered and has to be handled separately.

The screenshots below show where to find the new features.

2: Personal Data – Contact Form Opt-in Checkbox

  • Failsafe
    If your form collects no personal data at all you can simply put “By submitting this form I agree to this site’s GDPR Terms” and no checkbox.  Bear in mind that a name or an email address is already personal data, so this rarely applies to a contact form.  Should you want to cover all eventualities now and in the future, and are not concerned about the “extra click”, add a checkbox which must be ticked.  A checkbox that is already ticked does not count as consent.
  • Unchecked
    If you are collecting personal data you must add an unchecked box and a link to your Privacy Policy page (opening in a new window or popup window).  Most people will not read your Privacy Policy, but consent has to be an affirmative act: the visitor must tick the box themselves before sending their information, and the server should reject a submission where the box was not ticked rather than trusting the browser alone.  Most contact form plugin developers have added the feature, but it is not always enabled automatically.
  • Privacy Policy
    This is different from a Privacy Statement. In this terminology a Privacy Policy is internally focused, telling employees what they may do with personal information, while a Privacy Statement is externally facing, telling customers, regulators and other stakeholders what the organisation does with personal information.  Note that the page WordPress labels “Privacy Policy” is the public-facing one.
  • reCAPTCHA
    Most contact form plugins now integrate reCAPTCHA.  Contact Form 7 is one of the more popular ones; its reCAPTCHA options are under the Integration menu.  Follow the link there to obtain your Site Key and Secret Key from Google, then paste them into the fields in the settings panel.  Keep the Secret Key on the server only, and remember that reCAPTCHA sends visitor data to Google, so it belongs in your Privacy and Cookie policies.

3: Securing Forms and Anti Spam Advice

  • reCAPTCHA
    This is by far the most effective method: the visitor is asked to prove they are human.  You set it up via Google and obtain a Site Key and Secret Key to enter into your form settings; Google’s reCAPTCHA documentation explains the steps.
  • Input validation
    This is checking the type and shape of the data submitted, for example only digits in a telephone field and a valid address in the email field.  Do it on the server: browser-side checks are easily bypassed by a bot posting straight to the form handler, and server-side checks also stop malformed input reaching your database or mailbox.
  • Challenge Response
    You will certainly have seen these, and similar verification methods, on many forms.  The visitor has to complete a task such as a simple sum (2 + 7 = ?) or select matching images to prove they are not an automated spambot.  Google’s reCAPTCHA v2 reduces this to a rectangular module with a checkbox and the text “I’m not a robot”.
  • Double Opt-In
    This cannot be applied to the web form itself; it is controlled through your plugin settings or your email marketing provider’s settings.  The subscriber has to confirm the subscription a second time by clicking a confirmation link sent by email, which also proves the address belongs to them.
  • Honeypot Method
    The most common example is a single input field hidden from visitors with CSS. Spam bots still detect the field and fill it in, and any submission with a value in it is rejected automatically. As the visitor never sees the field it is a clean and unobtrusive anti-spam method.  Hide it by positioning it off-screen rather than with type="hidden" (many bots skip hidden inputs), and give it a label, tabindex="-1", autocomplete="off" and aria-hidden="true" so that browser autofill and screen readers do not fill it in for genuine visitors.
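
The following is an added example for this guide, not code from the original post or from any WordPress plugin. It shows the server-side checks a form handler can run on a submission: the unchecked consent box from section 2, and the honeypot and input validation from section 3, plus a fill-time check the post does not mention. The field names, the 3-second threshold and the two sample submissions are assumptions constructed for the example.

```javascript
// Added example (not from the original post or any plugin): server-side
// checks for a contact form submission. Field names, the timing threshold and
// the sample submissions below are assumptions constructed for this example.

const HONEYPOT_FIELD = "website_url"; // looks like a real field to a bot
const MIN_FILL_SECONDS = 3;            // heuristic: humans rarely submit faster

// Markup for the trap field. It is hidden with CSS rather than type="hidden"
// because many bots skip hidden inputs; tabindex, autocomplete and aria-hidden
// keep keyboard users, browser autofill and screen readers away from it.
function renderHoneypotField() {
  return [
    '<div style="position:absolute;left:-9999px" aria-hidden="true">',
    `  <label for="${HONEYPOT_FIELD}">Leave this field empty</label>`,
    `  <input id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}" type="text" tabindex="-1" autocomplete="off">`,
    "</div>",
  ].join("\n");
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PHONE_RE = /^\+?[0-9 ()-]{6,20}$/;

// `fields` is the parsed POST body; `nowSeconds` is the server clock.
// Returns { ok, errors } so the caller can decide what to show the visitor
// (a silent discard for honeypot hits, a field error for validation failures).
function validateSubmission(fields, nowSeconds) {
  const errors = [];

  // Honeypot: any value means the submitter filled every input it could find.
  if (String(fields[HONEYPOT_FIELD] || "").trim() !== "") errors.push("honeypot");

  // Timing: the form embeds the time it was rendered; a near-instant submit is
  // automated. A determined bot can forge this value, so it is a filter, not proof.
  const renderedAt = Number(fields.rendered_at);
  if (!Number.isFinite(renderedAt) || nowSeconds - renderedAt < MIN_FILL_SECONDS) {
    errors.push("too_fast");
  }

  // Consent: the box ships unticked, so a real browser only sends consent=yes
  // when the visitor ticked it. Checking here means a pre-ticked or tampered
  // form cannot smuggle consent past the server.
  if (fields.consent !== "yes") errors.push("consent");

  // Input validation on the server: browser-side checks are easily bypassed.
  if (!EMAIL_RE.test(String(fields.email || ""))) errors.push("email");
  if (fields.phone && !PHONE_RE.test(String(fields.phone))) errors.push("phone");
  if (!String(fields.message || "").trim()) errors.push("message");

  return { ok: errors.length === 0, errors };
}

// Constructed sample submissions (not real traffic).
const HUMAN_SUBMISSION = {
  email: "jane@example.org",
  phone: "+44 20 7946 0000",
  message: "Please send me your brochure.",
  consent: "yes",          // box ticked by the visitor
  rendered_at: "1000",     // form rendered at t=1000
  [HONEYPOT_FIELD]: "",    // invisible field left alone
};

const BOT_SUBMISSION = {
  email: "not-an-email",
  phone: "CALL NOW",
  message: "buy buy buy",
  rendered_at: "1000",     // submitted in the same second it was rendered
  [HONEYPOT_FIELD]: "http://spam.example",
  // no consent key: an unticked box is simply not sent by a browser
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderHoneypotField());
  console.log(validateSubmission(HUMAN_SUBMISSION, 1012)); // { ok: true, errors: [] }
  console.log(validateSubmission(BOT_SUBMISSION, 1000));   // errors: honeypot, too_fast, consent, email, phone
}
```

The honeypot and timing checks should fail silently (return a generic "thanks" and drop the message) so that bot operators learn nothing, while validation and consent failures should be shown to the visitor as field errors. The same checks apply whether the form is a plugin or hand-written; what matters is that they run on the server after the browser's own validation.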

4: Functional Cookies Awareness

  • Failsafe
    Cookies that are strictly necessary for the site to work, such as the login session cookie, do not need consent, but almost every site also has a Google Map, analytics or a social media feature that sets tracking cookies. A visitor to your site needs to be told how your site tracks their usage before they continue past the first page they land on. As with the contact form checkbox, a visitor must actively accept non-essential cookies even if they choose not to read your policy, and those cookies should not be set until they have done so.
  • Cookie Policy Page
    Your Cookie Policy must explain clearly how your visitors’ activity is logged, analysed and so on, and it must list the cookies being used.  There are plugins and online resources which can help with generating cookie policies, but be aware that it is difficult to guarantee 100% accuracy.
  • Google Tag Manager
    This is another option many larger sites use, albeit rather complex for the layperson.  You would need to keep its tags up to date as your cookies change, for example when plugins are installed or visitor forms are changed.
  • 3rd Party Plugin
    Complianz has free and pro versions of its plugin, which includes a cookie scanner that populates a Cookie Policy and adds a cookie banner for your visitors.  The Pro version is available from their site and the free version from the WordPress plugin repository.

5: Data Requests/Breaches

  • WordPress Update
    As mentioned at the beginning of this article, WordPress has added a feature enabling site admins to handle requests.
  • Make it Easy
    With or without plugin assistance, you have to make it easy for visitors to request what personal information you hold on them, or to have their data deleted entirely. Even leaving a comment on your site means data is stored. Create a simple way for them to get in touch, such as a dedicated contact form on a page called Privacy Tools, and link to that page clearly throughout your site, preferably in the header but acceptably in the footer.
  • Privacy Policy and Privacy Statement
    How to get in touch should be clearly outlined in the Privacy Policy and Privacy Statement, with a link to your Privacy Tools page.  The Pro version of Complianz has a wizard that can generate these important pages.
  • Data Request Response
    You must respond to requests within the time limits set by current law: under the GDPR that is one month from receipt, extendable by two months for complex or numerous requests, and you must tell the requester if you extend.
  • Data Breach
    In the case of a personal data breach you must notify your supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. Where the breach is likely to result in a high risk to those individuals you must also notify them without undue delay. In any event you must record all details in your own breach log, including breaches you decided not to report and why.
  • 3rd Party Plugins
    Data requests can also be managed by a number of recently developed plugins. They offer auto-generation of policies, a data request form page and more.  Some automate the whole process with various options.

6: SSL Certificate

  • Encryption
    A TLS certificate (still commonly called an SSL certificate, after the protocol that TLS replaced) lets a browser verify that it is talking to the genuine server for your domain and encrypts everything sent between visitor and server.  A basic domain-validated certificate only proves control of the domain; only organisation- or extended-validation certificates vouch for the person or company behind it.  The GDPR does not name SSL or TLS, but Article 32 requires appropriate technical measures, explicitly including encryption, and encrypting data in transit with TLS is the baseline way a website meets that.
  • Obtaining SSL Certificates
    Your hosting provider can usually help you obtain a certificate, and many now include a free one (often from Let’s Encrypt) and renew it automatically. If you obtain a free certificate elsewhere you may need a developer to install it if you are not confident yourself.  Once it is installed, set both WordPress Address and Site Address under Settings > General to https:// and redirect all http:// requests to https://, otherwise forms and logins can still be sent in the clear.

7: WordPress Admin Login

  • Decrease Brute Force and Other Automated Attacks
    Changing the default www.yourdomain.com/wp-admin/ URL to something not so obvious but memorable, such as www.yourdomain.com/web-bus/, cuts the automated noise from bots that probe wp-admin and wp-login.php, but it is obscurity rather than protection: anyone who finds the new URL can still try to guess passwords. Combine it with strong passwords, a login rate limiter and, ideally, two-factor authentication, and make sure whatever you use also covers wp-login.php and xmlrpc.php, which accepts credentials too; disable XML-RPC if nothing uses it.
    There are a number of lightweight plugins that can change the login URL, and it is surprising it is not part of WordPress core.
  • Admin Username
    When setting up WordPress for the first time do not use the default “admin” username. If you already have “admin” as a username, create a new user with the Administrator role, log in as that user and delete the original, choosing to attribute its content to the new user when WordPress asks.  If your installation does not allow this there are plugins that can rename the user; don’t forget to delete the plugin afterwards.
  • Hosting Redirect Login – Advanced Login Protection
    Many WordPress-specific hosting companies now let you log in via your hosting control panel, with the traditional wp-admin login screen no longer publicly accessible.

8: Whole Site Security Plugins

Though the GDPR does not say much about how you should protect your site, and does not endorse any particular hosting company, server model, software or plugin, it does require you to take appropriate measures to keep user data safe and to tell your users and visitors how you are doing it.  The plugins below are just a handful of the better known and more widely used ones, the tip of the iceberg.  Some have free versions which you can upgrade for more features, so look through the WordPress Plugin Repository and test drive a few before making up your mind.

9: WooCommerce Checklist Link

By now you may be quite overwhelmed, even though I have attempted to keep these steps as short as possible. When you feel ready to look at the further requirements for WooCommerce GDPR, I recommend the article at www.businessbloomer.com.