WordPress and GDPR: The Definitive 2026 Configuration
WordPress is not GDPR compliant by default. Google Fonts, Gravatar, YouTube embeds, IP logs, analytics plugins: every fresh installation violates several rules. Here's exactly what to fix and with which plugins.
Audit: What WordPress Sends by Default
| Element | Risk | Solution |
|---|---|---|
| Google Fonts (CDN Google) | High | Host locally (OMGF plugin) |
| Gravatar | Moderate | Disable in Discussion > Show Avatars |
| Native YouTube embeds | High | Plugin 'WP YouTube Lyte' (lazy load) |
| Google Analytics | High | Block via CMP or migrate to Plausible |
| Comment IP logs | Low | Plugin 'Remove IP from Comments' |
| HTTPS | SSL certificate Let's Encrypt (free) | |
| Privacy policy page | Important | Create + link in footer and forms |
Discover all active trackers on your WordPress
RGPDScan scans your WordPress site in 60 seconds: Google Fonts, analytics, advertising pixels, third-party scripts.
Essential Plugins for GDPR Compliance
Complete cookie banner, DPO documentation, automatic scans, CF7/Gravity Forms/WooCommerce integration. Free version covers 90% of needs.
Downloads and hosts Google Fonts locally. Eliminates calls to Google servers. Also improves Core Web Vitals (LCP).
Native WordPress API for consent management. Integration with other plugins (Matomo, MonsterInsights, etc.).
Completely disables comments if not used (eliminates IP logs and comment spam).
Loads YouTube embeds in lazy mode (preview image only). YouTube cookies only deposited on click.
Going Further
- WordPress: complete GDPR analysis
- Cookie banner: the 7 mistakes
- Google Analytics legal in France 2026?
- GDPR e-commerce: WooCommerce guide