This is a concise, simple explanation of GDPR brought to you by Syed Balkhi and his Editorial Staff of WordPress experts.

Are you confused by GDPR, and how it will impact your WordPress site? GDPR, short for General Data Protection Regulation, is a European Union law that you have likely heard about. We have received dozens of emails from users asking us to explain GDPR in plain English and share tips on how to make your WordPress site GDPR compliant. In this article, we will explain everything you need to know about GDPR and WordPress (without the complex legal stuff).

Disclaimer: We are not lawyers. Nothing on this website should be considered legal advice.

To help you easily navigate through our ultimate guide to WordPress and GDPR Compliance, we have created a table of content below:

Table of Content

• What is GDPR?
• What is required under GDPR?
• Is WordPress GDPR Compliant?
• Areas on Your Website that are Impacted by GDPR
• Best WordPress Plugins for GDPR Compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.

You’ve likely gotten dozens of emails from companies like Google and others regarding GDPR, their new privacy policy, and bunch of other legal stuff. That’s because the EU has put in hefty penalties for those who are not in compliance.

Fines

Basically after May 25th, 2018, businesses that are not in compliance with GDPR’s requirement can face large fines up to 4% of a company’s annual global revenue OR €20 million (whichever is greater). This is enough reason to cause wide-spread panic among businesses around the world.

This brings us to the big question that you might be thinking about:

Does GDPR apply to my WordPress site?

The answer is YES. It applies to every business, large and small, around the world (not just in the European Union).

If your website has visitors from European Union countries, then this law applies to you.

But don’t panic, this isn’t the end of the world.

While GDPR has the potential to escalate to those high level of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.

The EU isn’t some evil government that is out to get you. Their goal is to protect consumers, average people like you and me from reckless handling of data / breaches because it’s getting out of control.

The maximum fine part in our opinion is largely to get the attention of large companies like Facebook and Google, so this regulation is NOT ignored. Furthermore, this encourage companies to actually put more emphasis on protecting the rights of people.

Once you understand what is required by GDPR and the spirit of the law, then you will realize that none of this is too crazy. We will also share tools / tips to make your WordPress site GDPR compliant.

What is required under GDPR?

The goal of GDPR is to protect user’s personally identifying information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data.

The personal data includes: name, emails, physical address, IP address, health information, income, etc.

While the GDPR regulation is 200 pages long, here are the most important pillars that you need to know:

Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form because they DID NOT opt-in for your marketing newsletter (that’s called SPAM by the way, and you shouldn’t be doing that anyways).

For it to be considered explicit consent, you must require a positive opt-in (i.e no pre-ticked checkbox), contain clear wording (no legalese), and be separate from other terms & conditions.

Rights to Data – you must inform individuals where, why, and how their data is processed / stored. An individual has the right to download their personal data and an individual also has the right to be forgotten meaning they can ask for their data to be deleted.

This will make sure that when you hit Unsubscribe or ask companies to delete your profile, then they actually do that (hmm, go figure). I’m looking at you Zenefits, still waiting for my account to be deleted for 2 years and hoping that you stop sending me spam emails just because I made the mistake of trying out your service.

Breach Notification – organizations must report certain types of data breaches to relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individual data. However if a breach is high-risk, then the company MUST also inform individuals who’re impacted right away.

This will hopefully prevent cover-ups like Yahoo that was not revealed until the acquisition.

Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. Again this is not required for small businesses. Consult an attorney if you’re in doubt.

To put it in plain English, GDPR makes sure that businesses can’t go around spamming people by sending emails they didn’t ask for. Businesses can’t sell people’s data without their explicit consent (good luck getting this consent). Businesses have to delete user’s account and unsubscribe them from email lists if the user asks you to do that. Businesses have to report data breaches and overall be better about data protection.

Sounds pretty good, in theory at least.

Ok so now you are probably wondering what do you need to do to make sure that your WordPress site is GDPR compliant.

Well, that really depends on your specific website (more on this later).

Let us start by answering the biggest question that we’ve gotten from users:

Is WordPress GDPR Compliant?

Yes, as of WordPress 4.9.6, the WordPress core software is GDPR compliant. WordPress core team has added several GDPR enhancements to make sure that WordPress is GDPR compliant. It’s important to note that when we talk about WordPress, we’re talking about self-hosted WordPress.org (see the difference: WordPress.com vs WordPress.org).

Having said that, due to the dynamic nature of websites, no single platform, plugin or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.

Ok, so you might be thinking what does this mean in plain English?

Well, by default WordPress 4.9.6 now comes with the following GDPR enhancement tools:

Comments Consent

By default, WordPress used to store the commenters name, email and website as a cookie on the user’s browser. This made it easier for users to leave comments on their favorite blogs because those fields were pre-populated.

Due to GDPR’s consent requirement, WordPress has added the comment consent checkbox. The user can leave a comment without checking this box. All it would mean is that they would have to manually enter their name, email, and website every time they leave a comment.

Data Export and Erase Feature

WordPress offers site owners the ability to comply with GDPR’s data handling requirements and honor user’s request for exporting personal data as well as removal of user’s personal data.

The data handling features can be found under the Tools menu inside WordPress admin.

Privacy Policy Generator

WordPress now comes with a built-in privacy policy generator. It offers a pre-made privacy policy template and offers you guidance in terms of what else to add, so you can be more transparent with users in terms of what data you store and how you handle their data.

These three things are enough to make a default WordPress blog GDPR compliant. However, it is very likely that your website has additional features that will also need to be in compliance.

Areas on Your Website that are Impacted by GDPR

As a website owner, you might be using various WordPress plugins that store or process data like contact forms, analytics, email marketing, online store, membership sites, etc.

Depending on which WordPress plugins you are using on your website, you would need to act accordingly to make sure that your website is GDPR compliant.

A lot of the best WordPress plugins have already gone ahead and added GDPR enhancement features. Let’s take a look at some of the common areas that you would need to address:

Google Analytics

Like most website owners, you’re likely using Google Analytics to get website stats. This means that it is possible that you’re collecting or tracking personal data like IP addresses, user IDs, cookies and other data for behavior profiling. To be GDPR compliant, you need to do one of the following:

1. Anonymize the data before storage and processing begins
2. Add an overlay to the site that gives notice of cookies and ask users for consent prior to tracking

Both of these are fairly difficult to do if you’re just pasting Google Analytics code manually on your site. However, if you’re using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you’re in luck.

They have released an EU compliance addon that helps automate the above process. MonsterInsights also has a very good blog post about all you need to know about GDPR and Google Analytics (this is a must read if you’re using Google Analytics on your site).

Contact Forms

If you are using a contact form in WordPress, then you may have to add extra transparency measures especially if you’re storing the form entries or using the data for marketing purposes.

Below are the things you might want to consider for making your WordPress forms GDPR compliant:

• Get explicit consent from users to store their information.
• Get explicit consent from users if you are planning to use their data for marketing purposes (i.e adding them to your email list).
• Disable cookies, user-agent, and IP tracking for forms.
• Make sure you have a data-processing agreement with your form providers if you are using a SaaS form solution.
• Comply with data-deletion requests.
• Disable storing all form entries (a bit extreme and not required by GDPR). You probably shouldn’t do this unless you know exactly what you’re doing.

The good part is that if you’re using WordPress plugins like WPForms, Gravity Forms, Ninja Forms, Contact Form 7, etc, then you don’t need a Data Processing Agreement because these plugins DO NOT store your form entries on their site. Your form entries are stored in your WordPress database.

Simply adding a required consent checkbox with clear explanation should be good enough for you to make your WordPress forms GDPR compliant.

WPForms, the contact form plugin we use on WPBeginner, has added several GDPR enhancements to make it easy for you to add a GDPR consent field, disable user cookies, disable user IP collection, and disable entries with a single click.

Email Marketing Opt-in Forms

Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list.

This can be done with either:

1. Adding a checkbox that user has to click before opt-in
2. Simply requiring double-opt-in to your email list

Top lead-generation solutions like OptinMonster has added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant. You can read more about the GDPR strategies for marketers on the OptinMonster blog.

WooCommerce / Ecommerce

If you’re using WooCommerce, the most popular eCommerce plugin for WordPress, then you need to make sure your website is in compliance with GDPR.

The WooCommerce team has prepared a comprehensive guide for store owners to help them be GDPR compliant.

Retargeting Ads

If your website is running retargeting pixels or retargeting ads, then you will need to get user’s consent. You can do this by using a plugin like Cooke Notices.

Best WordPress Plugins for GDPR Compliance

There are several WordPress plugins that can help automate some aspects of GDPR compliance for you. However, no plugin can offer 100% compliance due to the dynamic nature of websites.

Beware of any WordPress plugin that claims to offer 100% GDPR compliance. They likely don’t know what they’re talking about, and it’s best for you to avoid them completely.

Below is our list of recommended plugins for facilitating GDPR compliance:

• MonsterInsights – if you’re using Google Analytics, then you should use their EU compliance addon.
• WPForms – by far the most user-friendly WordPress contact form plugin. They offer GDPR fields and other features.
• Cookies Notice – popular free plugin to add an EU cookie notice. Integrates well with top plugins like MonsterInsights and others.
• Delete Me – a free plugin that allows users to automatically delete their profile on your site.
• OptinMonster – advanced lead generation software that offers clever targeting features to boost conversions while being GDPR compliant.
• Shared Counts – instead of loading the default share buttons which add tracking cookies, this plugin load static share buttons while displaying share counts.

We will continue to monitor the plugin ecosystem to see if any other WordPress plugin stands out and offer substantial GDPR compliance features.

Final Thoughts

Whether you’re ready or not, GDPR will go in effect on May 25, 2018. If your website is not compliant before then, don’t panic. Just continue to work towards compliance and get it done asap.

The likelihood of you getting a fine the day after this rule goes in effect are pretty close to zero because the European Union’s website states that first, you’ll get a warning, then a reprimand and fines are the last step if you fail to comply and knowingly ignore the law.

The EU is not out to get you. They’re doing this to protect user’s data and restore people’s trust in online businesses. As the world goes digital, we need these standards. With the recent data breaches of large companies, it’s important that these standards are adopted globally.

It will be good for all involved. These new rules will help boost consumer confidence and in turn help grow your business.

We hope this article helped you learn about WordPress and GDPR compliance. We will do our best to keep it updated as more information or tools get released.

If you liked this article, then please subscribe to our YouTube Channel. You can also find us on Twitter and Facebook.

Additional Resources

• GDPR Hysteria Part I and Part II by Jacques Mattheij
• Data protection infographic by European Commission
• Principles of the GDPR by European Commission
• GDPR and MonsterInsights – everything you need to know
• GDPR Enhancement Features for Your WordPress Forms
• GDPR Compliance for WooCommerce Stores
• GDPR and OptinMonster – Good read if you have email marketing opt-in forms

Legal Disclaimer / Disclosure

We are not lawyers. Nothing on this website should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.

WPBeginner founder, Syed Balkhi, is also the co-founder of OptinMonster, WPForms, and MonsterInsights.

PDF files can be weaponized by malicious actors to steal Windows credentials (NTLM hashes) without any user interaction and only by opening a file, according to Assaf Baharav, a security researcher with cyber-security company CheckPoint.

This means a curious end user who opens a PDF attachment they did not ask for can be pnwed in about 15 seconds. Good thing this nasty is not in the wild just yet…

Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to steal NTLM hashes, the format in which Windows stores user credentials.

“The PDF specification allows loading remote content for the GoToE & GoToR entries,” Baharav told Bleeping Computer. More detail and links at the KnowBe4 blog:
https://blog.knowbe4.com/pdf-files-can-be-abused-to-steal-windows-credentials

5 Reasons Your Business Needs HTTPS

The rules have changed about what good website security means—starting with a new minimum requirement for all website pages to support encrypted connections. The good news is you’ll gain other valuable benefits by adhering to this new standard. First, let’s get on the same page by reviewing a few basics.

What’s HTTPS?

When your customers land on a web page that’s not protected by any type of SSL Certificate they’ll see http:// at the beginning of the website address in the browser bar. This used to be perfectly fine unless your webpage involved a login ID, password, form or payments. Enter the era of mega cybercrime.

HTTP has one glaring flaw—it’s not secure. Any information transmitted via an HTTP connection is vulnerable to being tampered with, misused or stolen. Your visitors deserve to know any data they share with you is safe from prying eyes.

Installing an SSL Certificate changes the browser bar address to https:// to clearly show visitors the connection is encrypted, meaning the server is authenticated and data is protected in transit. No wonder web browsers have made HTTPS the new standard for website security.

HTTPS Is Good for Your Bottom Line

Enabling encrypted connections is one great reason to protect your website with an SSL Certificate.  But, it’s not the only reason. Here are some other ways HTTPS brings value to your business:

1. Speeds Up Performance—Being the slow kid on the block and the last one picked for dodgeball is a bummer. Being slow online could cost you everything. HTTP is being replaced by a newer faster version—HTTP/2. Encrypted connections are required to unlock the latest speed and security features.
2. Increases Search Engine Traffic—Google includes SSL as a ranking factor. How’d you like to boost your search visibility up to 5%? Be found above the competition by encrypting every page of your website.
3. Enables Mobile Options—Salesforce reports 71% of marketers believe mobile is core to their business. Mobile’s most popular features—geolocation, motion orientation, microphone, fullscreen and camera access—require HTTPS to be enabled by most browsers
4. Protects Your Brand Reputation—A recent CA Security Council Report shows a mere 2% of customers would proceed past the “Not Secure” warnings that are due to kick in July 1 for all web pages without HTTPS connections. Show visitors your brand values their security by protecting your website with an SSL Certificate.
5. Delivers a Seamless Experience—Don’t let visitors engage with several pages on your site only to be get broadsided with a “Not Secure” warning on pages you haven’t protected. They’ll reward you for taking the extra steps to give them an end-to-end encrypted experience.

Identity Validation Matters, Too

HTTPS is no longer optional if you want to build relationships and a business online. The good news it adds a lot of value to your business. But, SSL Certificates do more than enable HTTPS.
They also authenticate or validate your identity so visitors know it’s really you on the other end of their connection. We’re here to help you find the right level of validation based on your goals.

Click here to learn more and request pricing for the purchase and installation of your SSL Certificate.

A secure web is here to stay.

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.

Developers have been transitioning their sites to HTTPS and making the web safer for everyone. Progress last year was incredible, and it’s continued since then:

• Over 68% of Chrome traffic on both Android and Windows is now protected
• Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
• 81 of the top 100 sites on the web use HTTPS by default

Contact us today to make your visitors comfortable by securing your website.

Chrome is dedicated to making it as easy as possible to set up HTTPS. Mixed content audits are now available to help developers migrate their sites to HTTPS in the latest Node CLI version of Lighthouse, an automated tool for improving web pages. The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.

Lighthouse is an automated developer tool for improving web pages.

Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP. Developers, check out our set-up guides to get started.