Your WordPress Site Is Probably Not GDPR Compliant
I've scanned hundreds of WordPress sites for GDPR compliance. The results are consistently bad — even sites that think they're compliant because they installed a cookie banner plugin.
Here's my 47-point technical checklist. Not legal advice — practical implementation steps.
Why Most WordPress Sites Fail GDPR
Installing a cookie consent plugin does NOT make you compliant. GDPR requires:
- Technical measures (Art. 25, Art. 32)
- Data minimization (Art. 5)
- Legal basis for processing (Art. 6)
- Data subject rights (Art. 15-22)
- Records of processing (Art. 30)
Most WordPress sites fail the first three because of external services: every font, script, map or video pulled from a third-party server sends the visitor's IP address (personal data under GDPR) to that provider, usually in the US, before any consent has been given.
The Checklist
🔴 Critical (Abmahnung risk: the German cease-and-desist letter, usually with a fee demand attached)
1. Self-host all fonts: remove every Google Fonts link and @import, including the ones hard-coded in the theme header, the customizer and page-builder settings
2. Remove Google Analytics or replace it with self-hosted Matomo
3. Remove Google Tag Manager (the container script itself is fetched from Google before any tag fires, so "only firing tags after consent" does not help)
4. Add an Impressum (legal notice) page (§5 DDG, formerly §5 TMG)
5. Add a Datenschutzerklärung (privacy policy) listing ALL data processors
6. Force HTTPS everywhere and send an HSTS header (start with a short max-age; browsers cache it for the full period and you cannot revoke it early)
7. Remove Google Maps embeds. An OpenStreetMap iframe is the usual replacement, but it still sends the visitor's IP to the OSM Foundation's servers, so either self-host the tiles or load the map only after consent
8. Remove YouTube embeds or switch them to youtube-nocookie.com. Caveat: privacy-enhanced mode only defers cookies until playback; the iframe still loads from Google and transmits the IP, so a two-click/consent wrapper is the real fix
9. Check what your contact forms do with submissions. Contact Form 7 only e-mails them by default; once the Flamingo add-on (or a similar plugin) is installed, every submission including name, e-mail and IP is stored in the database and needs a retention period
10. Restrict the WordPress REST API for unauthenticated users (if not needed): /wp-json/wp/v2/users lists author login names to anyone. Keep the namespaces your front end calls (Contact Form 7 submits through the REST API) or forms will break
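One way to implement items 1, 8 and 10 in code, as an added example that is not from the original post: a must-use plugin (a file dropped into wp-content/mu-plugins/) that dequeues Google Fonts and the matching resource hints, rewrites YouTube oEmbeds to the nocookie domain, and limits the public REST API to the namespaces the front end actually uses. The file name, and the list of allowed namespaces (Contact Form 7 and oEmbed), are assumptions; extend the list for whatever your own plugins call from the browser (WooCommerce's Store API, for instance), otherwise those requests will get a 401.

```php
<?php
/**
 * Plugin Name: GDPR: keep visitor traffic on our own server (checklist items 1, 8, 10)
 * Added example, not code from the original post. Save as wp-content/mu-plugins/gdpr-external.php.
 * Assumes fonts are enqueued through wp_enqueue_style(); <link> tags hard-coded in a theme's
 * header.php or injected by a page builder must be removed there (grep the theme for googleapis).
 */

// 1. Drop every enqueued stylesheet that points at Google's font servers, after the theme
//    and plugins have enqueued theirs (hence the late priority).
add_action('wp_enqueue_scripts', function () {
    foreach (wp_styles()->registered as $handle => $style) {
        if (is_string($style->src) && preg_match('#fonts\.(googleapis|gstatic)\.com#i', $style->src)) {
            wp_dequeue_style($handle);
            wp_deregister_style($handle);
        }
    }
}, PHP_INT_MAX);

// ... and the dns-prefetch/preconnect hints themes emit for them, plus s.w.org (the emoji CDN),
//     which is the one hint WordPress core adds itself.
add_filter('wp_resource_hints', function (array $urls, string $relation) {
    if ($relation !== 'dns-prefetch' && $relation !== 'preconnect') {
        return $urls;
    }
    return array_values(array_filter($urls, function ($hint) {
        $href = is_array($hint) ? (string) ($hint['href'] ?? '') : (string) $hint;
        return !preg_match('#(fonts\.(googleapis|gstatic)\.com|s\.w\.org)#i', $href);
    }));
}, 10, 2);

// 8. Rewrite YouTube oEmbeds to the privacy-enhanced domain. The iframe still loads from Google,
//    so the visitor's IP is transmitted on page load; only cookies are deferred until playback.
//    Wrap the embed in the consent tool's script blocker (item 12) for a real fix.
add_filter('embed_oembed_html', function ($html, $url) {
    if (is_string($html) && stripos($url, 'youtu') !== false) {
        $html = str_replace('www.youtube.com/embed/', 'www.youtube-nocookie.com/embed/', $html);
    }
    return $html;
}, 10, 2);

// 10. REST API for logged-out visitors: /wp/v2/users lists author login names, which is the first
//     thing brute-force tooling enumerates. Allow only the namespaces the front end needs
//     (assumption: Contact Form 7 submissions and oEmbed discovery); everything else gets a 401.
//     Logged-in users are recognised only when they send the REST nonce, exactly as wp-admin does.
add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    if ($result !== null || is_user_logged_in()) {
        return $result;
    }
    $public_namespaces = ['/contact-form-7/', '/oembed/'];
    foreach ($public_namespaces as $prefix) {
        if (strpos($request->get_route(), $prefix) === 0) {
            return $result;
        }
    }
    return new WP_Error('rest_login_required', 'Authentication required for this endpoint.', ['status' => 401]);
}, 10, 3);
```

After dropping the file in place, view the page source while logged out and search for fonts.googleapis.com (there should be no hits), then request /wp-json/wp/v2/users: it should answer 401 while a Contact Form 7 submission still goes through.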
🟡 High Priority
11. Install and configure a cookie consent tool (CCM19 or Complianz)
12. Configure cookie consent to block scripts until consent is given
13. Remove Facebook Pixel
14. Remove Google Ads conversion tracking
15. Self-host all JavaScript libraries (remove CDN links)
16. Disable WordPress comments or add consent checkbox
17. Remove Gravatar (every avatar request sends the visitor's IP and the commenter's hashed e-mail to gravatar.com, run by Automattic)
18. Disable XML-RPC (brute-force and pingback-amplification target; only Jetpack and the mobile apps still need it)
19. Document the update checks WordPress makes against api.wordpress.org: they send the site URL and the PHP and WordPress versions, not visitor data. Do not block them; missing security updates is a far bigger Art. 32 problem than this transfer
20. Suppress the X-Powered-By header (it discloses the PHP version; set expose_php = Off or remove it in the web server). WordPress does not put the admin e-mail in any response header
🟢 Important
21. Set up automated backups with documented retention policy
22. Make the built-in Tools > Export Personal Data workflow (Art. 20) cover everything: WordPress core only knows about users, comments and media, so every plugin that stores personal data must register an exporter
23. Same for Tools > Erase Personal Data (Art. 17): register an eraser for every plugin-stored record, or erasure requests silently miss them
24. Add security headers (X-Frame-Options, X-Content-Type-Options, CSP)
25. Remove WordPress version number from HTML
26. Disable file editing in wp-config.php
27. Set proper file permissions (644 for files, 755 for directories, 600 or 640 for wp-config.php)
28. Use a WAF (Wordfence or Cloudflare)
29. Disable XML-RPC pingbacks (covered by item 18 if XML-RPC is off entirely; otherwise remove the pingback.ping method and the X-Pingback header, because the xmlrpc_enabled filter alone only disables methods that require a login)
30. Limit login attempts
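Items 6, 17, 18, 20, 24, 25, 26 and 29 are all one-liners on the PHP side, so here they are together in a second must-use plugin. This is an added example, not code from the original post; the file name is an assumption, and so is the assumption that the site is served only over HTTPS on its canonical host (HSTS is cached by browsers for the full max-age, which is why it starts short here). The send_headers hook does not fire for wp-admin or REST requests, so mirror the same headers in the web server for full coverage.

```php
<?php
/**
 * Plugin Name: GDPR/security hardening (checklist items 6, 17, 18, 20, 24, 25, 26, 29)
 * Added example, not code from the original post. Save as wp-content/mu-plugins/gdpr-hardening.php.
 */

// 6 + 20 + 24. Headers on every front-end response.
add_action('send_headers', function () {
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=300; includeSubDomains'); // raise to 31536000 once verified
    }
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    // CSP in report-only mode first: most themes still rely on inline scripts and would break under 'self'.
    header("Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'");
    header_remove('X-Powered-By'); // PHP version disclosure; WordPress never puts the admin e-mail here
});

// 25. Version disclosure: the generator tag and the ?ver=<core version> on core assets. Only the
//     core version string is stripped, so plugin assets keep their cache-busting parameter.
add_filter('the_generator', '__return_empty_string');
$strip_core_version = function ($src) {
    $core = preg_quote(get_bloginfo('version'), '/');
    if (is_string($src) && preg_match('/[?&]ver=' . $core . '(&|$)/', $src)) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
};
add_filter('style_loader_src', $strip_core_version, PHP_INT_MAX);
add_filter('script_loader_src', $strip_core_version, PHP_INT_MAX);

// 18 + 29. xmlrpc_enabled only blocks methods that need a login; pingback.ping does not, so it is
//     removed explicitly, together with the X-Pingback header that advertises the endpoint.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});

// 17. Gravatar: every avatar request sends the visitor's IP and the commenter's hashed e-mail to
//     gravatar.com (Automattic). Short-circuiting the option also hides the setting in wp-admin.
add_filter('pre_option_show_avatars', '__return_zero');

// 26. Normally a wp-config.php constant; defining it here works too because mu-plugins load before
//     any capability check runs. Removes the theme and plugin file editors from wp-admin.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}
```

Check the result with curl -I against the front page (HSTS and the three security headers present, X-Powered-By and X-Pingback absent) and with a GET to /xmlrpc.php, which WordPress still answers with 405 because the file is reachable; only a web-server deny rule makes it disappear entirely.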
🔵 Data Processing
31. Document all plugins that process user data
32. List all third-party services in privacy policy
33. Create a Verzeichnis von Verarbeitungstätigkeiten (VVT, the Art. 30 record of processing activities)
34. Set data retention periods for form submissions
35. Set data retention periods for comments
36. Configure automatic spam deletion
37. Review WooCommerce data processing (if applicable)
38. Sign the hosting provider's DPA (Data Processing Agreement, in German Auftragsverarbeitungsvertrag, Art. 28); the same applies to your SMTP, CDN, backup and consent-tool providers
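Items 34 to 36 are worthless as a policy document unless something actually deletes the data, so here is a retention job as an added example (not code from the original post). It assumes submissions are stored by Flamingo (post type flamingo_inbound) and uses placeholder retention periods; replace them with the periods you documented under item 45. It also anonymises the commenter IP on the way in, which is the Art. 5 data-minimisation half of item 35.

```php
<?php
/**
 * Plugin Name: GDPR retention job (checklist items 34, 35, 36)
 * Added example, not code from the original post. Save as wp-content/mu-plugins/gdpr-retention.php.
 * The retention periods are placeholders (assumption), to be replaced by the documented policy.
 */

const SITE_GDPR_FORM_RETENTION_DAYS  = 90;
const SITE_GDPR_SPAM_RETENTION_DAYS  = 15;
const SITE_GDPR_TRASH_RETENTION_DAYS = 30;

// Art. 5(1)(c): do not store the commenter's full IP in the first place. wp_privacy_anonymize_ip()
// zeroes the last octet (IPv4) or the last 80 bits (IPv6); spam heuristics still work on that.
add_filter('pre_comment_user_ip', 'wp_privacy_anonymize_ip');

// Daily job, registered once. WP-Cron only fires on page views; on a quiet site trigger wp-cron.php
// from a real cron entry so deletion does not depend on traffic.
add_action('init', function () {
    if (!wp_next_scheduled('site_gdpr_retention')) {
        wp_schedule_event(time(), 'daily', 'site_gdpr_retention');
    }
});
add_action('site_gdpr_retention', 'site_gdpr_run_retention');

// Returns how many records each pass removed, so the run can be logged for item 46.
function site_gdpr_run_retention(): array {
    $deleted = ['submissions' => 0, 'spam' => 0, 'trash' => 0];

    // 34. Submissions past the retention period: permanent delete, no trash stop-over.
    $submission_ids = get_posts([
        'post_type'      => 'flamingo_inbound',
        'post_status'    => 'any',
        'posts_per_page' => 500,
        'fields'         => 'ids',
        'date_query'     => [['before' => SITE_GDPR_FORM_RETENTION_DAYS . ' days ago']],
    ]);
    foreach ($submission_ids as $post_id) {
        if (wp_delete_post($post_id, true)) {
            $deleted['submissions']++;
        }
    }

    // 35 + 36. Spam and trashed comments still carry name, e-mail, IP and user agent. Approved
    //     comments are published content and are left alone (their IP is anonymised above).
    $queues = ['spam' => SITE_GDPR_SPAM_RETENTION_DAYS, 'trash' => SITE_GDPR_TRASH_RETENTION_DAYS];
    foreach ($queues as $status => $days) {
        $comment_ids = get_comments([
            'status'     => $status,
            'number'     => 500,
            'fields'     => 'ids',
            'date_query' => [['before' => $days . ' days ago']],
        ]);
        foreach ($comment_ids as $comment_id) {
            if (wp_delete_comment($comment_id, true)) {
                $deleted[$status]++;
            }
        }
    }
    return $deleted;
}
```

For the real cron entry, set DISABLE_WP_CRON to true in wp-config.php and have the system cron request /wp-cron.php?doing_wp_cron every few minutes; the 500-record batch size keeps a single run short even if the job has not fired for a while.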
⚪ Forms & Communication
39. Add privacy consent checkbox to all forms
40. Add double opt-in for newsletters
41. Send e-mail through an SMTP provider that has signed a DPA (PHP mail() is unreliable, and whichever relay you use is a processor)
42. Ensure contact form submissions are stored securely
43. Add a way for users to request their data
44. Add a way for users to delete their data
45. Document how long form data is retained
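Items 22, 23, 43 and 44 do not need a custom request form: WordPress core already provides the whole workflow (Tools > Export Personal Data and Tools > Erase Personal Data, with e-mail confirmation by the data subject and a ZIP export), but it only knows about users, comments and media. The added example below (not code from the original post) hooks stored form submissions into that workflow. It assumes Flamingo's inbound posts with the sender address in the _from_email meta field; check the field name your form plugin actually uses.

```php
<?php
/**
 * Plugin Name: GDPR exporter/eraser for stored form submissions (checklist items 22, 23, 43, 44)
 * Added example, not code from the original post. Save as wp-content/mu-plugins/gdpr-privacy-hooks.php.
 * Assumption: submissions are flamingo_inbound posts carrying the sender e-mail in _from_email.
 */

const SITE_GDPR_META_FROM_EMAIL = '_from_email';
const SITE_GDPR_PAGE_SIZE       = 50;   // core calls the callbacks page by page until 'done' is true

function site_gdpr_find_submissions(string $email, int $page): array {
    return get_posts([
        'post_type'      => 'flamingo_inbound',
        'post_status'    => 'any',
        'posts_per_page' => SITE_GDPR_PAGE_SIZE,
        'paged'          => $page,
        'meta_key'       => SITE_GDPR_META_FROM_EMAIL,
        'meta_value'     => $email,
        'orderby'        => 'ID',
        'order'          => 'ASC',
    ]);
}

// Art. 15/20: one export group per submission, in the item format core's ZIP builder expects.
function site_gdpr_export_submissions(string $email, int $page = 1): array {
    $items = [];
    foreach (site_gdpr_find_submissions($email, $page) as $post) {
        $items[] = [
            'group_id'    => 'form_submissions',
            'group_label' => 'Contact form submissions',
            'item_id'     => 'submission-' . $post->ID,
            'data'        => [
                ['name' => 'Sent',    'value' => $post->post_date],
                ['name' => 'From',    'value' => $email],
                ['name' => 'Subject', 'value' => $post->post_title],
                ['name' => 'Message', 'value' => $post->post_content],
            ],
        ];
    }
    return ['data' => $items, 'done' => count($items) < SITE_GDPR_PAGE_SIZE];
}

// Art. 17: permanent delete (no trash), reporting the count back to the admin screen.
function site_gdpr_erase_submissions(string $email, int $page = 1): array {
    $removed = 0;
    // Always query page 1: rows disappear as they are deleted, so paging forward would skip records.
    foreach (site_gdpr_find_submissions($email, 1) as $post) {
        if (wp_delete_post($post->ID, true)) {
            $removed++;
        }
    }
    return [
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => [],
        'done'           => $removed < SITE_GDPR_PAGE_SIZE,
    ];
}

add_filter('wp_privacy_personal_data_exporters', function (array $exporters) {
    $exporters['site-form-submissions'] = [
        'exporter_friendly_name' => 'Contact form submissions',
        'callback'               => 'site_gdpr_export_submissions',
    ];
    return $exporters;
});

add_filter('wp_privacy_personal_data_erasers', function (array $erasers) {
    $erasers['site-form-submissions'] = [
        'eraser_friendly_name' => 'Contact form submissions',
        'callback'             => 'site_gdpr_erase_submissions',
    ];
    return $erasers;
});
```

With this in place the "request my data" and "delete my data" paths of items 43 and 44 are the core screens plus a sentence in the privacy policy pointing at the contact address; the data subject confirms by e-mail and the admin runs the export or erasure from the request list.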
📋 Documentation
46. Keep a record of all GDPR measures taken
47. Schedule quarterly GDPR reviews
Quick Test
Don't guess — scan your site:
🔍 Free DSGVO Scanner — checks 50+ GDPR criteria in 30 seconds.
Common results for WordPress sites:
- Score 40-60: Major issues, Abmahnung likely
- Score 60-80: Some gaps, should fix within 30 days
- Score 80+: Good, maintain and review quarterly
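If you would rather not paste your site into someone else's scanner, the checks behind the technical items (1-3, 6, 10, 18, 20, 24, 25) fit in a short CLI script. This is an added example, not the scanner linked from this post; the file name and the list of known third-party hosts are assumptions. It reads one HTML response plus its headers and runs no JavaScript, so anything a tag manager or consent tool injects after page load is invisible to it; confirm with a browser's network tab before declaring a site clean.

```php
<?php
/**
 * gdpr-scan.php: self-check for the technical checklist items. Added example, not the linked scanner.
 * Usage: php gdpr-scan.php https://example.org/
 */

// Hosts that mean the visitor's IP left the site before any consent (non-exhaustive, an assumption).
const KNOWN_THIRD_PARTY = [
    'fonts.googleapis.com', 'fonts.gstatic.com', 'www.google-analytics.com', 'www.googletagmanager.com',
    'connect.facebook.net', 'maps.googleapis.com', 'www.youtube.com', 'www.youtube-nocookie.com',
    'secure.gravatar.com', 'cdnjs.cloudflare.com', 'cdn.jsdelivr.net', 'ajax.googleapis.com',
];

// Returns [lower-cased header map with ':status' => int, body]; redirects are followed by default.
function fetch(string $url): array {
    $ctx = stream_context_create(['http' => [
        'timeout' => 15, 'user_agent' => 'gdpr-scan/0.1', 'ignore_errors' => true,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    $headers = [':status' => 0];
    foreach ($http_response_header ?? [] as $line) {        // populated by file_get_contents
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $line, $m)) {
            $headers = [':status' => (int) $m[1]];           // each hop in a redirect chain resets the map
        } elseif (strpos($line, ':') !== false) {
            [$k, $v] = explode(':', $line, 2);
            $headers[strtolower(trim($k))] = trim($v);
        }
    }
    return [$headers, (string) $body];
}

// Every host the HTML loads resources from, other than the site itself (items 1-3, 7, 8, 15, 17).
function external_hosts(string $html, string $site_host): array {
    preg_match_all('#(?:src|href|action)\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)#i', $html, $m);
    $hosts = array_unique(array_map('strtolower', $m[1]));
    return array_values(array_filter($hosts, fn (string $h) => $h !== $site_host));
}

function header_findings(array $h): array {
    $out = [];
    if (empty($h['strict-transport-security'])) { $out[] = 'no Strict-Transport-Security header (item 6)'; }
    foreach (['x-content-type-options', 'x-frame-options', 'content-security-policy'] as $name) {
        if (empty($h[$name])) { $out[] = "missing $name (item 24)"; }
    }
    if (!empty($h['x-powered-by'])) { $out[] = 'X-Powered-By discloses "' . $h['x-powered-by'] . '" (item 20)'; }
    if (!empty($h['x-pingback'])) { $out[] = 'X-Pingback header advertises XML-RPC (item 18)'; }
    return $out;
}

function html_findings(string $html): array {
    $out = [];
    if (preg_match('#<meta name="generator" content="WordPress ([^"]+)"#i', $html, $m)) {
        $out[] = "WordPress version disclosed in generator tag: $m[1] (item 25)";
    }
    if (preg_match('#/wp-includes/[^"\']+\?ver=(\d+\.\d+(?:\.\d+)?)#', $html, $m)) {
        $out[] = "WordPress version disclosed in asset URLs: $m[1] (item 25)";
    }
    return $out;
}

if ($argc < 2) { fwrite(STDERR, "usage: php gdpr-scan.php https://example.org/\n"); exit(1); }
$url  = rtrim($argv[1], '/');
$host = strtolower((string) parse_url($url, PHP_URL_HOST));
[$headers, $html] = fetch($url . '/');
if ($headers[':status'] === 0) { fwrite(STDERR, "could not fetch $url\n"); exit(1); }
if (stripos($url, 'https://') !== 0) { echo "!  site was scanned over plain HTTP (item 6)\n"; }

foreach (external_hosts($html, $host) as $h) {
    echo (in_array($h, KNOWN_THIRD_PARTY, true) ? '!! ' : ' ? ') . "external host: $h\n";
}
foreach (array_merge(header_findings($headers), html_findings($html)) as $f) { echo "!  $f\n"; }

// Direct probes: 200 on the users endpoint means author login names are public (item 10);
// WordPress answers a GET to xmlrpc.php with 405 when XML-RPC is reachable (item 18).
[$users] = fetch($url . '/wp-json/wp/v2/users');
if ($users[':status'] === 200) { echo "!  /wp-json/wp/v2/users is readable without login (item 10)\n"; }
[$xmlrpc] = fetch($url . '/xmlrpc.php');
if ($xmlrpc[':status'] === 405) { echo "!  /xmlrpc.php is enabled (item 18)\n"; }
```

Lines marked "!!" are hosts from the known-tracker list; lines marked " ?" are other external hosts that still need a DPA or a consent gate (your own CDN, an SMTP provider's tracking pixel, a font hosted on a subdomain of a different company). Run it against the live site, not a staging copy, since caching plugins and CDN edge rules change the headers.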
The Biggest Wins (Do These First)
- Remove Google Fonts — 10 minutes, eliminates a common Abmahnung ground
- Remove Google Analytics — 5 minutes, eliminates data transfer issue
- Add Impressum + Privacy Policy — 30 minutes, legal requirement
- Add Cookie Consent — 15 minutes, required for any non-essential cookies
These 4 steps take about 1 hour and address the most common Abmahnung triggers.
Need help making your WordPress site GDPR-compliant? Run the free scanner first, then get professional support.
☁️ Need a Server for Self-Hosting?
I run all my services on Hetzner Cloud — EU-based, from €3.29/mo. Use my link and we both get €20 in credits.
🛡️ Is Your Website GDPR Compliant?
Check in 60 seconds: nevik.de/check — free DSGVO scanner.
💡 Tools I Built: bewertung.nevik.de (Google Reviews) · cv.nevik.de (Free CV Builder)
Follow me on Dev.to for weekly guides on self-hosting, AI tools, and growing your business.