WordPress makes it easy to build a website — but it also makes it surprisingly easy to accidentally violate GDPR, often without knowing it.
Why WordPress Sites Have a GDPR Problem
WordPress powers 43% of all websites on the internet. It's the go-to platform for small business owners, bloggers, freelancers, and online stores. If you're running a WordPress site and you have any visitors from Europe, GDPR applies to you.
Here's the catch: WordPress is built on plugins. There are over 60,000 plugins in the official directory alone, and most of them connect to external services — analytics platforms, ad networks, email marketing tools, payment processors, social media platforms. Every one of those connections potentially transmits visitor data to a third party.
Most WordPress site owners have no idea this is happening. You installed a contact form plugin, a social sharing widget, a live chat tool, and a booking calendar. Each one quietly sends data somewhere. Your visitors haven't consented to any of it.
This guide walks you through exactly what to fix, step by step. No legal background required.
What Makes WordPress Sites Uniquely Risky for GDPR
Before diving into fixes, it's worth understanding why WordPress creates specific compliance risks that other platforms don't always share.
Plugins install third-party scripts without your awareness
When you activate a plugin, it can inject JavaScript, load external fonts, set cookies, and phone home to third-party servers — all without asking you. A popular form builder might send submissions to its own servers. A caching plugin might use a CDN that processes data in the US. A security plugin might report activity to a central service. These are all data processing activities you're legally responsible for disclosing.
Default WordPress behavior transmits data externally
Out of the box, WordPress includes features that send data to external servers. Gravatar — the global avatar service owned by Automattic — loads profile pictures for commenters by transmitting email addresses (as MD5 hashes) to gravatar.com. oEmbed automatically turns YouTube and Vimeo links into embedded players that drop cookies the moment the page loads, before any consent. Even basic WordPress update checks involve external server communication.
WooCommerce stores collect extensive personal data
If you're running WooCommerce, you're collecting names, email addresses, physical addresses, purchase history, and payment information. Order data is personal data under GDPR. That means it must be disclosed in your privacy policy, you must name every processor that touches it (Stripe, PayPal, shipping integrations), and you must have a process for customers who want to access or delete their data.
Most hosting providers process data in the US by default
Data transfers from the EU to the US require appropriate safeguards under GDPR (typically Standard Contractual Clauses). Your hosting provider is a data processor. If you haven't checked where your host processes data or whether they offer a Data Processing Agreement (DPA), that's a gap.
Step 1: Audit What's Actually Running on Your Site
You can't fix what you can't see. Before you change anything, you need a complete picture of what your WordPress site is doing with visitor data.
Use a scanner to find every tracker and cookie
The fastest way to get this picture is to run a free scan at app.custodia-privacy.com/scan. The scanner visits your site the way a real visitor would — it doesn't just read your plugin list, it actually loads the pages and captures every cookie, tracking script, third-party connection, and pixel that fires. This often surfaces things you'd never find manually, including trackers injected by plugins you forgot you installed.
The scan takes about 60 seconds and shows you exactly what needs to be addressed before you go any further.
Also review your installed plugins manually
In your WordPress admin, go to Plugins > Installed Plugins. Go through the list and ask: does this plugin connect to an external service? Common categories to watch for:
- Analytics: Google Analytics, Jetpack Stats, MonsterInsights, Matomo
- Chat and support: Intercom, Drift, Crisp, LiveChat, Tidio
- Email marketing: Mailchimp, Klaviyo, ConvertKit, ActiveCampaign integrations
- Booking and scheduling: Calendly embeds, Bookly, Amelia
- Social sharing and pixels: Facebook Pixel, Pinterest Tag, sharing buttons
- Payment gateways: Stripe, PayPal, Square
- Forms: WPForms, Contact Form 7, Gravity Forms, Ninja Forms
Every plugin in these categories is a potential data processor you need to disclose and handle properly.
Step 2: Review Your WordPress Core Settings
Some compliance issues live in WordPress itself, not in your plugins. These are quick wins.
Disable Gravatar if you don't need it
Go to Settings > Discussion. You'll see an option to show avatar images. If you allow comments and have Gravatar enabled, visitor email addresses are transmitted to Automattic's servers to fetch profile pictures. Disable this unless you have a specific reason to use it. Alternatively, host avatars locally using a plugin.
Address embedded videos
WordPress automatically converts YouTube or Vimeo URLs into embedded players. Those embedded players load third-party JavaScript and set cookies the moment the page loads — no consent required. Under GDPR, this is a problem. You have two options: disable automatic embeds globally, or use a consent wrapper that replaces the embed with a thumbnail until the visitor consents.
To disable all embeds, add this to your theme's functions.php file or use a plugin:
remove_filter('the_content', 'wp_make_content_images_responsive');
wp_deregister_script('wp-embed');
A simpler approach: use a plugin like "WP YouTube Lyte" or "Embed Privacy" that shows a preview image and only loads the actual player after a click (which implies consent).
Check your Privacy settings
Go to Settings > Privacy. WordPress will prompt you to create a privacy policy page and will generate a starter template. This is a good starting point, but as we'll cover in Step 4, the built-in template won't cover your actual plugins and processors. You'll need to customize it substantially.
Step 3: Add a Proper Cookie Consent Banner
A cookie consent banner (sometimes called a cookie notice) is how you get legal consent from visitors before loading non-essential cookies and trackers. Under GDPR, you need active, informed opt-in consent. Cookies cannot fire before the visitor agrees.
Install only one consent plugin. Multiple consent plugins will conflict with each other and create broken behavior.
What to look for in a consent plugin
Not all cookie consent plugins are created equal. Many show a banner but don't actually block the underlying scripts — they're "notice and accept" tools, not real consent management. Look for a plugin that:
- Blocks scripts before consent — non-essential trackers should not fire until the visitor actively clicks "Accept"
- Honors Global Privacy Control (GPC) — a browser signal some users set to automatically opt out of tracking
- Generates consent records — stores proof that each visitor consented (date, time, what they agreed to)
- Supports Google Consent Mode v2 — required if you use Google Analytics or Google Ads
- Offers granular categories — visitors should be able to accept analytics but reject marketing, for example
Options worth considering
WP Cookie Consent and Complianz are both solid free/freemium options with genuine script-blocking capabilities.
Custodia handles cookie consent as part of a full compliance stack — consent management, a privacy policy generated from a real scan of your site, and DSAR handling — starting at $29/month. It's worth considering if you want to handle everything in one place rather than stitching together multiple plugins.
Step 4: Fix Your Privacy Policy
WordPress has a built-in privacy policy generator. It's a decent starting point. But it won't list your actual plugins and third parties, and that's a problem.
GDPR requires your privacy policy to name every service that processes EU visitor data. Not just categories — actual services. "We use analytics tools" is not sufficient. "We use Google Analytics 4, operated by Google LLC, which processes data under Standard Contractual Clauses" is what you're aiming for.
What your policy must cover
- Who you are — your business name, address, and contact details
- What data you collect — form submissions, analytics data, purchase data, cookies, IP addresses
- Why you collect it — the specific purpose for each type of data
- Legal basis — consent, legitimate interest, or contract (be specific for each processing activity)
- Who you share data with — every third-party processor, with their own privacy policy links
- International transfers — if any data leaves the EU/EEA, what safeguards apply
- How long you keep data — retention periods for each category
- User rights — access, deletion, portability, objection, and how to exercise them
Name your processors explicitly
If you run a typical WordPress site, your list probably includes some of these: Google Analytics, Google Ads, Stripe, PayPal, Mailchimp, WPForms, Elementor (if it uses external fonts), Cloudflare, your hosting provider, Jetpack, WooCommerce, and your contact form plugin. Every one of these needs to be named.
The practical challenge: this list changes every time you install or remove a plugin. The Custodia scanner can generate a policy directly from your site's actual scan results, which means it stays accurate as your site evolves.
Step 5: WooCommerce-Specific Compliance
If you run a WooCommerce store, you have additional obligations beyond standard GDPR basics. Order data — names, addresses, purchase history, payment records — is personal data, and you're responsible for all of it.
Disclose your payment processors
Stripe, PayPal, Square, or whatever gateway you use must be named in your privacy policy with a link to their own privacy policy. These are data processors operating under their own terms, but your customers need to know their payment data is being sent there.
Set data retention limits for orders
By default, WooCommerce keeps order records indefinitely. Under GDPR's storage limitation principle, you shouldn't keep personal data longer than necessary. Decide on a retention period (e.g., 7 years for accounting purposes, then delete or anonymize) and use a plugin like WooCommerce GDPR or set up manual deletion workflows.
Enable Guest Checkout
Requiring account creation to purchase forces customers to create a permanent record with you. Enabling Guest Checkout reduces the amount of data you collect and store for one-time buyers.
Go to: WooCommerce > Settings > Accounts and Privacy. Turn on "Allow customers to place orders without an account."
Prepare for customer data requests
WooCommerce customers are data subjects with full GDPR rights. They can request a copy of their order history, ask for their account to be deleted, or ask you to stop processing their data. WordPress has some built-in tools for this (under Tools > Erase Personal Data and Tools > Export Personal Data), but they have limitations — particularly around custom fields and third-party integrations.
Step 6: Contact Form Compliance
Contact forms collect personal data. Every form submission is a data processing event. Under GDPR, you need to handle this properly.
Add a consent checkbox
Before a visitor submits a form, they should actively confirm they understand how their data will be used. Add a checkbox (unchecked by default) with language like: "I agree to my submitted data being collected and stored in accordance with the [Privacy Policy]."
This applies to WPForms, Contact Form 7, Gravity Forms, Ninja Forms, and any other form builder you're using. Most of them support adding a consent checkbox — it's usually in the form builder's GDPR or compliance settings.
State your purpose and retention period
In or near the form, tell users: what will you use their information for, and how long will you keep it? "We'll use your contact details to respond to your inquiry and will delete your message within 12 months" is the kind of clarity GDPR expects.
Collect only what you need
Data minimization is one of GDPR's core principles. If your contact form asks for a phone number and you never call anyone back, remove the field. If you ask for a company name but don't need it, take it out. Every field you remove is data you don't need to protect, disclose, or eventually delete.
Step 7: Set Up DSAR Handling
A Data Subject Access Request (DSAR) is a formal request from someone asking what personal data you hold about them, or asking you to delete it. Under GDPR, you have 30 days to respond. Under CCPA (for California residents), you have 45 days.
WordPress has no built-in DSAR management system. The Tools > Export Personal Data and Tools > Erase Personal Data features handle WordPress user accounts, but they don't cover form submissions, WooCommerce orders, email marketing lists, or CRM records.
What you need
- A public intake form or email address where people can submit requests
- A way to track the 30-day deadline from the date of submission
- A process for searching all your systems — WordPress database, email, CRM, payment processor — to find data related to the requester
- A response template confirming receipt and outlining what you found or deleted
Custodia provides a DSAR intake form that automatically tracks the regulatory deadline, prompts you at each stage, and maintains an audit record of every request and response.
10 Common WordPress GDPR Mistakes to Avoid
Even site owners who try to get compliant often miss some of these:
1. Thinking the cookie banner is enough. Consent management is one piece. You also need an accurate privacy policy, DSAR handling, and data minimization practices. The banner alone does not make you compliant.
2. Using Google Analytics without Consent Mode v2. If you're sending data to Google Analytics before consent (or without using Consent Mode v2 to signal consent status), you may be violating GDPR and Google's own terms of service.
3. Not updating your policy when you add new plugins. Every new plugin that connects to an external service is a new data processor. Your privacy policy must be updated to reflect it.
4. Embedding YouTube or Vimeo without consent protection. Those video embeds drop cookies on page load — before any consent banner has had a chance to fire. Wrap them in a consent layer or replace them with click-to-load previews.
5. Storing form submissions indefinitely. If WPForms or Contact Form 7 stores every submission in your database, and you're not deleting old records, you're likely violating storage limitation rules. Set up automatic purging for records past your retention period.
6. Forgetting that email notifications contain personal data. WooCommerce order confirmation emails, form submission notifications, and similar automated messages contain personal data. Make sure these aren't being forwarded to third-party tools or stored somewhere you haven't accounted for.
7. Using a pre-checked consent checkbox. GDPR requires active consent — the user must take an action to indicate agreement. A checkbox that's already checked doesn't count.
8. Not having a Data Processing Agreement with your hosting provider. Your host processes data on your behalf. GDPR requires you to have a DPA in place. Most major hosts (WP Engine, Kinsta, SiteGround, Flywheel) offer these — but you usually have to request them.
9. Treating EU and US visitors identically. EU visitors need GDPR-level treatment: opt-in consent, specific rights, full disclosure. California residents need CCPA-level treatment. A good consent management platform handles this automatically based on visitor location.
10. Doing this once and never revisiting it. Plugins get updated. New features get added. Trackers appear without notice. Compliance is not a one-time project — it requires ongoing monitoring.
The Fastest Way to Get Your WordPress Site Compliant
The honest answer is that doing all of this manually takes time — hours to audit your plugins, days to write an accurate privacy policy, and ongoing effort to keep everything current as your site changes.
Custodia is built to handle the full compliance stack for WordPress sites. Run a free scan and you'll see every tracker, cookie, and third-party connection on your site within 60 seconds. From there, Custodia generates your cookie consent banner and privacy policy from actual scan data — not templates — and gives you a DSAR intake form with deadline tracking built in.
Plans start at $29/month. For most WordPress site owners, that's less than the cost of a single hour of legal consultation.
Scan your WordPress site free →
No account required. See exactly what your site is collecting before you change a thing.
Last updated: March 2026
Top comments (0)