Let’s get straight to what is definitely required, plus some useful security tips, without too many confusing details of how to do it.
This guide will help ensure you are working towards making your WordPress site GDPR compliant. I have also added a few tips on general security for your WordPress site, which is what the GDPR is mostly concerned with.
DISCLAIMER: We are not legal professionals and this post is to enable readers to understand the steps they are required to take. This does not guarantee your site will fully comply with GDPR requirements. Always make a full backup of your site before making changes or adding plugins.
1: Update to the Latest WordPress Version
WordPress developers have added built-in GDPR settings to the core. If you have already updated, you will have noticed some new notification windows and may have followed the directions in them. Here are the important features you need to take action on, whatever kind of service you provide:
- Comment Opt-in
This is now in the comment section by default, so there is no need to do anything.
- Privacy Policy Page
Define your policy page. You can use the “Create a New Page” button, but you will need to edit that policy template to disclose all types of data that may be collected by your website, e.g. name, email, address etc. Also outline which plugins you use to protect data, such as Defender or Wordfence, and mention your hosting company’s server. You will also need to add further information or delete sections that do not apply.
- Data Export and Erase
Visitors email a request via a clear link or contact form on your site. You will be notified and have 30 days to respond, either by sending them their data or by deleting it. There are new menu items under Tools to help you achieve this.
Screenshots below show where to find the new features.
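The Tools screens mentioned above only know about data WordPress itself stores (users, comments, media). As an added example that goes beyond the text, and is not code from the original post or from WordPress core, the snippet below shows how a plugin registers its own store of personal data with those same Export Personal Data and Erase Personal Data screens, so one request handled there also covers your own records. The custom table `{$wpdb->prefix}contact_messages` with columns `id`, `email`, `name`, `message`, `created_at` is hypothetical; put the file in a plugin on a WordPress site.

```php
<?php
// Added example (not code from the original post or from WordPress core):
// registers a hypothetical contact-message table with the Tools > Export /
// Erase Personal Data screens added in WordPress 4.9.6.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // only meaningful inside WordPress
}

const CONTACT_PRIVACY_PAGE_SIZE = 100; // rows per batch; WordPress keeps calling until 'done' is true

// Tell the export tool about our data and which function produces it.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['contact-messages'] = [
        'exporter_friendly_name' => 'Contact form messages',
        'callback'               => 'contact_messages_export',
    ];
    return $exporters;
} );

// Same for the erase tool.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['contact-messages'] = [
        'eraser_friendly_name' => 'Contact form messages',
        'callback'             => 'contact_messages_erase',
    ];
    return $erasers;
} );

/**
 * Exporter callback: return the rows held for this email address, one batch
 * per call. Each item in 'data' becomes a block in the export file.
 */
function contact_messages_export( $email_address, $page = 1 ) {
    global $wpdb;
    $table  = $wpdb->prefix . 'contact_messages';
    $offset = ( (int) $page - 1 ) * CONTACT_PRIVACY_PAGE_SIZE;

    // The address comes from the request screen, so always use a prepared statement.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, message, created_at FROM {$table} WHERE email = %s ORDER BY id LIMIT %d OFFSET %d",
        $email_address, CONTACT_PRIVACY_PAGE_SIZE, $offset
    ) );

    $items = [];
    foreach ( $rows as $row ) {
        $items[] = [
            'group_id'    => 'contact-messages',
            'group_label' => 'Contact form messages',
            'item_id'     => 'contact-message-' . $row->id,
            'data'        => [
                [ 'name' => 'Name',    'value' => $row->name ],
                [ 'name' => 'Message', 'value' => $row->message ],
                [ 'name' => 'Sent',    'value' => $row->created_at ],
            ],
        ];
    }

    // 'done' => false makes WordPress call again with the next page number.
    return [ 'data' => $items, 'done' => count( $rows ) < CONTACT_PRIVACY_PAGE_SIZE ];
}

/**
 * Eraser callback: delete the rows and report the outcome. Set 'items_retained'
 * to true (and explain in 'messages') only for data you are obliged to keep.
 */
function contact_messages_erase( $email_address, $page = 1 ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'contact_messages';
    $deleted = $wpdb->delete( $table, [ 'email' => $email_address ], [ '%s' ] );

    return [
        'items_removed'  => $deleted > 0,
        'items_retained' => false,
        'messages'       => [],
        'done'           => true, // one DELETE covers every row for this address
    ];
}
```

Once this is active, the admin's Tools > Export Personal Data request for an address also lists the matching contact messages, and the erase request removes them, without any separate process for your plugin's data.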
2: Personal Data – Contact Form Opt-in Checkbox
If you are not collecting personal data you can simply put “By submitting this form I agree to this site’s GDPR Terms” and no checkbox. Should you want to cover all eventualities, now and in the future, and are not concerned about the “extra click”, add a checkbox which must be ticked. A checkbox that is already ticked by default is not acceptable.
Most contact form plugins now have reCAPTCHA integration. Contact Form 7 is one of the more popular ones, and you will find the reCAPTCHA options under its Integration menu. Follow the link there to obtain your reCAPTCHA credentials (a Site Key and a Secret Key), then paste them into the fields in the settings panel.
3: Securing Forms and Anti Spam Advice
- Input validation
This is checking the type of data submitted: for example, only numbers in a telephone field and a valid email address in the email field.
- Challenge Response
You will certainly have seen these, and similar verification methods, on many forms. They mean a visitor has to manually complete a task, such as a mathematical sum (2 + 7 = ?) or selecting relevant images, to prove they are not an automated spambot. reCAPTCHA: there is now a very simple new reCAPTCHA method, also from Google; it is a simple rectangular module with a checkbox and the text “I am not a robot”.
- Double Opt-In
This is not something applied to the web form itself; it is controlled through either your plugin settings or your e-marketing provider’s settings. The subscriber has to confirm the subscription twice, the second time by clicking a confirmation link sent by email.
- Honeypot Method
The most common example is a single input field which is hidden from visitors. Spam bots still pick up the presence of the field and fill it in, which leads to the submission being automatically rejected. As the visitor cannot see the field, it is a clean and unobtrusive anti-spam method.
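As an added example (not code from the original post or from Contact Form 7), here is the server side of the checks described in this section in plain PHP: the honeypot field, the explicit consent checkbox from section 2, and input validation for each field. The field names and the sample submissions are constructed; inside WordPress you would call `validate_contact_submission()` from your form's submit handler (for instance an `admin_post_` action) after the nonce check.

```php
<?php
// Added example, not code from the original post or from any form plugin:
// the server-side checks behind a contact form. Field names (name, email,
// phone, message, gdpr_consent and the honeypot "website") are assumptions.

/** Markup for the honeypot: moved off-screen for humans, but a bot that fills every field will populate it. */
function honeypot_field_html(): string
{
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label>Website <input type="text" name="website" tabindex="-1" autocomplete="off"></label>'
         . '</div>';
}

/**
 * Validate a submitted contact form. Returns a list of error messages; an empty
 * list means the submission passed every check.
 */
function validate_contact_submission(array $post): array
{
    // Honeypot: any value in the hidden field came from a bot. Reject outright
    // and give no other feedback, so the bot learns nothing about why.
    if (($post['website'] ?? '') !== '') {
        return ['rejected'];
    }

    $errors = [];

    // Consent: an unticked checkbox is simply absent from the POST data, which is
    // why a pre-ticked box must not be used; it would pass here without any action
    // by the visitor. Require the exact value your markup sends (value="yes").
    if (($post['gdpr_consent'] ?? '') !== 'yes') {
        $errors[] = 'Please tick the box to agree to the privacy policy.';
    }

    // Name: required, bounded length.
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'Please enter your name (up to 100 characters).';
    }

    // Email: must parse as an address (WordPress offers is_email() for the same job).
    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid email address.';
    }

    // Phone: optional; when given, allow only digits, spaces, +, brackets and hyphens.
    $phone = trim((string) ($post['phone'] ?? ''));
    if ($phone !== '' && !preg_match('/^\+?[0-9 ()\-]{6,20}$/', $phone)) {
        $errors[] = 'Please enter a valid telephone number.';
    }

    // Message: required, bounded, control characters stripped before it is stored or emailed.
    $message = (string) ($post['message'] ?? '');
    $message = trim((string) preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $message));
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors[] = 'Please enter a message (up to 2000 characters).';
    }

    return $errors;
}

// Constructed sample submissions; run with `php contact-checks.php` to see each verdict.
$samples = [
    'genuine'    => ['name' => 'Jane Example', 'email' => 'jane@example.com', 'phone' => '+44 20 7946 0000',
                     'message' => 'Hello, please call me back.', 'gdpr_consent' => 'yes', 'website' => ''],
    'bot'        => ['name' => 'x', 'email' => 'x@example.com', 'message' => 'buy now',
                     'gdpr_consent' => 'yes', 'website' => 'http://spam.example'],
    'no-consent' => ['name' => 'Jane Example', 'email' => 'jane@example.com', 'message' => 'Hi'],
    'bad-input'  => ['name' => '', 'email' => 'not-an-email', 'phone' => 'call me', 'message' => ''],
];
foreach ($samples as $label => $post) {
    $errors = validate_contact_submission($post);
    printf("%-10s %s\n", $label, $errors ? implode(' | ', $errors) : 'accepted');
}
```

The honeypot check runs first and returns a single generic verdict, so a bot cannot tell from the response which field gave it away; the genuine visitor never sees that field at all, which is why the method costs them nothing.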
4: Functional Cookies Awareness
Most WordPress sites need at least one non-functional cookie; who doesn’t have a Google Map, analytics statistics or a social media feature? A visitor to your site needs to be aware of how your site is tracking their usage before they continue past the first page they land on. Similar to the opt-in checkbox for contact forms, a visitor must manually accept your cookies, even if they choose not to read your policy.
- Google Tag Manager
This is another option that many larger sites use, albeit rather complex for the layperson. You would need to update these tags as your cookie deployments increase, due to plugin installations, changes to visitor forms and more.
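To make the manual acceptance concrete, here is an added example (not code from the original post or from Google Tag Manager) of a WordPress snippet that does in PHP what a tag-manager consent rule does: the analytics script is enqueued only once the visitor has explicitly accepted, so nothing third-party runs on the landing page before they choose, and the banner offers accept and decline with neither pre-selected. The cookie name, button ids and script URL are assumptions.

```php
<?php
// Added example (not from the original post): load non-essential third-party
// scripts only after an explicit opt-in recorded in a first-party cookie.
// Cookie name, element ids and the analytics URL are assumptions.

const CONSENT_COOKIE = 'site_cookie_consent';

/** True only for an explicit opt-in; absent or 'declined' both mean "do not load". */
function has_cookie_consent( array $cookies ): bool {
    return ( $cookies[ CONSENT_COOKIE ] ?? '' ) === 'accepted';
}

/** True while the visitor has chosen neither way, i.e. the banner must still be shown. */
function consent_choice_pending( array $cookies ): bool {
    return ! in_array( $cookies[ CONSENT_COOKIE ] ?? '', [ 'accepted', 'declined' ], true );
}

if ( function_exists( 'add_action' ) ) { // WordPress is loaded

    // Without this gate the script would run, and set its own cookies, on the
    // very first page view, before the visitor has seen any notice.
    add_action( 'wp_enqueue_scripts', function () {
        if ( ! has_cookie_consent( $_COOKIE ) ) {
            return;
        }
        wp_enqueue_script( 'site-analytics', 'https://analytics.example/tag.js', [], null, true );
    } );

    // Banner with two equal choices; nothing is pre-selected.
    add_action( 'wp_footer', function () {
        if ( ! consent_choice_pending( $_COOKIE ) ) {
            return;
        }
        ?>
        <div id="cookie-consent" role="dialog" aria-label="Cookie choices">
            <p>This site uses analytics and embedded-map cookies. See the
               <a href="<?php echo esc_url( get_privacy_policy_url() ); ?>">privacy policy</a>.</p>
            <button id="consent-accept" type="button">Accept</button>
            <button id="consent-decline" type="button">Decline</button>
        </div>
        <script>
        (function () {
            function choose(value) {
                // Six-month first-party cookie holding only the choice itself.
                // "Secure" means it is only set over HTTPS.
                document.cookie = '<?php echo CONSENT_COOKIE; ?>=' + value +
                    '; Max-Age=15552000; Path=/; SameSite=Lax; Secure';
                location.reload(); // the server now decides what to enqueue
            }
            document.getElementById('consent-accept').onclick  = function () { choose('accepted'); };
            document.getElementById('consent-decline').onclick = function () { choose('declined'); };
        })();
        </script>
        <?php
    } );
}
```

The decision is taken server-side on every request from the cookie alone, so a visitor who declines gets a page with no analytics tag in its HTML at all; if you later add a maps or social plugin, its script belongs behind the same `has_cookie_consent()` check.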
- 3rd Party Plugin
5: Data Requests/Breaches
- WordPress Update
As mentioned at the beginning of this article, WordPress has added a feature to enable site admins to handle requests.
- Make it Easy
With or without plugin assistance, you have to make it easy for visitors to request what personal information you hold on them or to delete their data entirely. Even leaving a comment on your site requires data storage. To let them make their request, you will need to create a simple way for them to get in touch, such as a dedicated contact form on a page called Privacy Tools. A link to this page should also be clearly available throughout your site, preferably in the header, but the footer is acceptable.
- Data Request Response
You must respond to requests within the time limits outlined by current law.
- Data Breach
In the case of a data breach you must notify the ICO as outlined in the GDPR. Depending on the severity of the breach, consider whether to notify your customers. In any event, you must record all details in your own breach log.
- 3rd Party Plugins
Data requests can also be managed by a number of recently developed plugins. They offer auto-generation of policies, a data request form page and more. Some automate the whole process with various options.
6: SSL Certificate
An SSL (Secure Sockets Layer) certificate authenticates the identity of a website and encrypts any information sent to the server (today the certificate is used with TLS, the successor to SSL, but the name has stuck). Though there is currently no specific text on the use of SSL certificates, the GDPR has clear requirements that can only be addressed through the use of SSL certificates.
- Obtaining SSL Certificates
Your hosting provider can usually help you purchase a certificate, and quite often one is free if you pay for a year of hosting in advance. It is a straightforward process which also helps validate that your site is legitimately owned by an individual or business.
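Installing the certificate is only half the job: visitors who type or follow a plain http:// link are still sent in clear text unless the site sends them to HTTPS. As an added example that is not code from the original post or from WordPress core, the snippet below redirects every front-end request to HTTPS, adds an HSTS header so browsers keep using it, and notes the wp-config.php settings that cover the login and dashboard. It assumes a WordPress site; the proxy caveat at the end is the failure mode that most often bites shared hosting.

```php
<?php
// Added example (not from the original post): make every request use the
// certificate once it is installed. Assumes WordPress; place in a small
// plugin or the theme's functions.php.

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Send any plain-HTTP request to the same path over HTTPS, building the target
//    from the site's own configured address (home_url) rather than from the
//    untrusted Host header a client could supply.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $path = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '/';
    wp_safe_redirect( home_url( $path, 'https' ), 301 );
    exit;
} );

// 2. Once on HTTPS, tell browsers to stay there for a year (HSTS), so a later
//    http:// link is upgraded before any request leaves the browser.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
} );

// 3. In wp-config.php (not in this file): keep the login page and dashboard on
//    HTTPS, which template_redirect above does not cover, so the session cookie
//    is never sent in clear text.
//
//    define( 'FORCE_SSL_ADMIN', true );
//
//    If your host terminates TLS on a proxy or CDN, WordPress sees a plain-HTTP
//    backend request, is_ssl() returns false and the redirect above would loop.
//    The usual wp-config.php fix is to trust the proxy's header:
//
//    if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
//        $_SERVER['HTTPS'] = 'on';
//    }
```

Test it by requesting an http:// page and checking for a single 301 to the https:// address; a browser stuck in a redirect loop after enabling this almost always means the proxy header case in step 3 applies.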
7: WordPress Admin Login
- Radically Decrease Brute Force and other Hack Attacks
Change the default www.yourdomain.com/wp-admin/ URL to something less obvious but memorable, such as www.yourdomain.com/web-bus/
There are a number of lightweight plugins that can do this, and it is surprising that it is not part of the WP core features.
- Admin Username
When setting up WordPress for the first time, do not use the default “admin” username. If you already have “admin” as a username, set up a new user with full administrative rights and then delete the original user. If your installation does not allow this action, there are plugins that can change the admin name; don’t forget to delete the plugin once it has done its job.
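The same replacement can be done without a plugin. As an added example that is not code from the original post or from WordPress core, this one-off script creates a new administrator with a random password, hands every post and page owned by “admin” to the new account (deleting a user without reassigning would remove their content with them), and then deletes the old account. It assumes a WordPress site and WP-CLI (run it once with `wp eval-file replace-admin.php` and then remove the file); the new username and email address are placeholders.

```php
<?php
// Added example (not from the original post): replace the default "admin"
// account with a freshly named administrator. Assumes WordPress; run once via
// WP-CLI (`wp eval-file replace-admin.php`). The new login and email are placeholders.

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Create $new_login as an administrator, move $old_login's content to it and
 * delete $old_login. Returns the new user id and password, or a WP_Error.
 */
function replace_admin_user( string $old_login, string $new_login, string $new_email ) {
    $old = get_user_by( 'login', $old_login );
    if ( ! $old ) {
        return new WP_Error( 'no_user', "No user named {$old_login}" );
    }
    if ( username_exists( $new_login ) || email_exists( $new_email ) ) {
        return new WP_Error( 'exists', 'The new login or email address is already in use' );
    }

    // Strong random password; pass it on out of band and change it at first login.
    $password = wp_generate_password( 24, true );
    $new_id   = wp_create_user( $new_login, $password, $new_email );
    if ( is_wp_error( $new_id ) ) {
        return $new_id;
    }
    ( new WP_User( $new_id ) )->set_role( 'administrator' );

    // wp_delete_user() lives in an admin-only include. The second argument
    // reassigns the old user's posts and pages instead of deleting them.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    if ( ! wp_delete_user( $old->ID, $new_id ) ) {
        return new WP_Error( 'delete_failed', "Could not delete user {$old_login}" );
    }

    return [ 'new_user_id' => $new_id, 'password' => $password ];
}

// Placeholder values: choose your own login and a real mailbox you control.
$result = replace_admin_user( 'admin', 'site-owner-placeholder', 'owner@example.com' );
if ( is_wp_error( $result ) ) {
    echo $result->get_error_message(), PHP_EOL;
} else {
    echo "Created user {$result['new_user_id']}; temporary password: {$result['password']}", PHP_EOL;
}
```

Take the full site backup the disclaimer at the top asks for before running this, and log in with the new account in a second browser before closing the session that ran it, so a typo in the new login cannot lock you out.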
8: Whole Site Security Plugins
Though the GDPR does not set out much about how you can protect your site, and does not endorse any particular hosting companies, server models, software, plugins etc., it does say you must make considerable efforts to ensure the safety of user data and tell your users and visitors how you’re doing it. The plugins below are just a handful of the better known and more widely used ones, the tip of the iceberg. Some have free versions which you can upgrade for more features, so have a look through the WordPress Plugin Repository and test drive a few before making up your mind.
9: WooCommerce Checklist Link
By now you will be quite overwhelmed, even though I have attempted to keep these steps as short as possible. When you feel ready to look at the further requirements for WooCommerce GDPR, I recommend this article at www.businessbloomer.com.