WordPress 10 min read·

WordPress and GDPR: The Definitive 2026 Configuration

WordPress is not GDPR compliant by default. Google Fonts, Gravatar, YouTube embeds, IP logs, analytics plugins: every fresh installation violates several rules. Here's exactly what to fix and with which plugins.

Audit: What WordPress Sends by Default

ElementRiskSolution
Google Fonts (CDN Google)HighHost locally (OMGF plugin)
GravatarModerateDisable in Discussion > Show Avatars
Native YouTube embedsHighPlugin 'WP YouTube Lyte' (lazy load)
Google AnalyticsHighBlock via CMP or migrate to Plausible
Comment IP logsLowPlugin 'Remove IP from Comments'
HTTPSSSL certificate Let's Encrypt (free)
Privacy policy pageImportantCreate + link in footer and forms

Discover all active trackers on your WordPress

RGPDScan scans your WordPress site in 60 seconds: Google Fonts, analytics, advertising pixels, third-party scripts.

Essential Plugins for GDPR Compliance

Complianz RGPD/CCPA

Complete cookie banner, DPO documentation, automatic scans, CF7/Gravity Forms/WooCommerce integration. Free version covers 90% of needs.

Recommended
OMGF | Host Google Fonts Locally

Downloads and hosts Google Fonts locally. Eliminates calls to Google servers. Also improves Core Web Vitals (LCP).

Recommended
WP Consent API

Native WordPress API for consent management. Integration with other plugins (Matomo, MonsterInsights, etc.).

Recommended
Disable Comments

Completely disables comments if not used (eliminates IP logs and comment spam).

WP YouTube Lyte

Loads YouTube embeds in lazy mode (preview image only). YouTube cookies only deposited on click.

Recommended

Going Further

Frequently Asked Questions

Is WordPress GDPR compliant by default?
No. WordPress core collects data without prior information (IP address logs in comments, external Gravatar, YouTube embeds with cookies, Google Fonts called from Google servers). Configuration and plugins are needed to achieve compliance.
What is the best GDPR plugin for WordPress?
Complianz GDPR (freemium, very complete, cookie banner + DPO documentation) is the 2026 reference. Cookiebot (external SaaS, automatically scans cookies). WP Consent API (free, native WordPress integration). For small sites: 'GDPR Cookie Consent' plugin by WebToffee.
Should Google Fonts be disabled in WordPress?
Strongly recommended. The German CNIL (LfDI Baden-Württemberg) has condemned sites using Google Fonts via Google CDN (IP transfer to USA). Solution: download fonts locally via the 'OMGF | Host Google Fonts Locally' plugin or use only system fonts.
Is Contact Form 7 GDPR compliant?
Contact Form 7 is neutral by default. To make it compliant: add a consent checkbox (plugin 'Contact Form 7 – GDPR'), don't store submissions in the database (or configure a retention period), and disable reCAPTCHA v3 tracking if not necessary.
Does WooCommerce require specific GDPR configuration?
Yes: enable the privacy policy page in Account > Privacy, configure order retention period (WooCommerce > Settings > Advanced > Privacy Policy), disable default customer data tracking, sign DPAs with payment extensions.
Is Jetpack (Automattic) GDPR-problematic?
Potentially. Jetpack sends data to Automattic servers (USA). Riskiest modules: Stats (analytics), Protect (IP sharing with wpcom.com), advertising. Disable non-essential modules or use alternatives (Matomo for analytics).

Check your WordPress in 60 seconds

Automatic detection: Google Fonts, Gravatar, embeds, analytics, pixels. Free detailed report.