WordPress and GDPR – Does WordPress Breach the GDPR Text?

WordPress and GDPR – Does WordPress Breach the GDPR Text?

WordPress and GDPR – Does WordPress Breach the GDPR Text?

  • 28th November 2017
  • Six Ticks Limited

Will WordPress websites be compatible with GDPR Regulations?

With just over 6 months until the new GDPR text comes into effect, Six Ticks explain the potential pitfalls of open source websites and how some WordPress sites could be in breach of new European GDPR regulations.

GDPR Meaning

You might have heard that the General Data Protection Act (GDPR) is changing.

In May 2018 the European Commission will be implementing new data protection guidelines which will affect organisations across the European Union. The new rules will affect all businesses that deal with any European Citizen's data, so if you use or process even one piece of EU data then you need to start paying attention to GDPR! This includes businesses that are based outside of Europe.

One of the reasons for the update to GDPR compliance is because twenty years have passed since the rules were updated. The world is now online and the new guidelines aim to address the way organisations use and store data in the digital age.

Those found in breach of the guidelines could face heavy fines (up to 4% of global turnover) so organisations across Europe are getting their systems ready.

You can read about the key changes to GDPR in our earlier blog post.

WordPress and GDPR

With the new GDPR guidelines it is important that businesses demonstrate they are protecting customer data and adhering to the rules. Core WordPress websites should almost certainly be GDPR compliant, but there could be issues as soon as even one plugin is installed, or if the site integrates into a 3rd party system.

A plugin is a piece of software or code which enables a WordPress website to do something it couldn't do without it - such as playing a video or collecting data. WordPress websites rely on 3rd party plugins, which are responsible for a history of security flaws, with websites which have plugins successfully targeted by hackers on a regular basis (over two-thirds of successful website hacks on the Internet are on WordPress websites).

The Problem with WordPress and GDPR

Plugins could cause big problems when it comes to the new European GDPR guidelines. Here's why:

  • Most WordPress websites are not fully up-to-date. Under GDPR legislation, your WordPress website must be kept fully up-to-date at all times, along with any plugin that is used.
  • Most plugins are not made in Europe meaning they are not targeted at EU users and GDPR rules.
  • Plugins can change a websites code, meaning the compatible core WordPress code could be deemed incompatible.
  • Some plugins may store data in a way that is not compliant, risking GDPR fines.
  • Some plugins collect and store data in 3rd party databases - this can be a problem when it comes to ensuring the proper collection and protection of customer data.

Some points to note:

  • Every plugin on a website which comes into contact with personal data will need to be fully GDPR compliant - this is your and your web developer's joint responsibility.
  • If a plugin stores or comes into contact with personally identifiable data through any means (name, email, phone, social media, username, etc) you need to ensure there is a method for permanently deleting or 'forgetting' that data on request
  • You must have performed security checks on any company that provide a plugin that stores identifiable data remotely (E.g. MailChimp).
  • Many Plugins require parts of Word Press to be altered for installation. This may not be acceptable for GDPR guidelines, depending on the changes.

How You Can Prepare Your Wordpress Website

GDPR guidelines state you will have to prove that your business has taken every possible precaution to protect collected data. If your Word Press website uses plugins then you need to address the following issues:

  • Ensure your site is updated immediately every time a new security patch is released - this usually occurs every few months.
  • Plugins should be updated as soon as there are new releases - which can happen at any time
  • Your business and your developers are responsible for abiding to GDPR jointly. This is not something you can pass off to your web designers. Make sure your contracts with developers include instant security updates to cover WordPress GDPR and all plugins - updates to Six Ticks websites are FREE!
  • Be aware of WordPress 'installations' where developers have taken WordPress core code and extended or upgraded it themselves. Ensure your agreement with those developers is fully GDPR compliant before you sign on the dotted line.

Need Any Help?

Six Ticks offer professional services in helping organisations to review their systems and prepare for GDPR.

We are currently offering free, no-strings-attached reviews to help assess your website and make recommendations for GDPR compliance.

If you'd like help preparing for the changes to GDPR then get in touch today


We are friendly, approachable and jargon-free. We'd love to hear about your project and see how we can help. Give us a call, or drop us a quick note below and we’ll get back to you within 24 hours.