There are a lot of WordPress plugins – free or paid – that either store personal data in a database (IP address is enough) or send it to external servers Some of these plugins can be disabled by adjusting the settings for saving or sending data, others can’t, which means: you delete that plugin and/or look for an alternative that complies with data protection laws.
Please note, this article is about WordPress plugins and their data collection frenzy, which generally does not comply with the requirements of the General Data Protection Regulation (GDPR), and therefore does not give a personal opinion. This is also not legal advice and if you need concrete help with implementing the DSGVO on your website, you may want to consult a lawyer.
Which plugins are safe?
These few plugins offered are notably very popular with most bloggers and therefore frequently used. Therefore, they should not cause any problems with regard to data protection laws, but there are no 100% guarantees.
Plugins for search engine optimization
A plugin like Yoast SEO is safe according to its developer, because it doesn’t store any personal data. And All in One SEO Pack is supposed to be absolutely safe.
Google Analytics in combination with appropriate plugins – for example Google Analytics for WordPress from MonsterInsights – is secure with some adjustments such as signing a contract and IP anonymization, but those who want to refrain from this can use the Statify plugin for example. According to the developers, it does not store any personal data.
Social media plugins
It is better not to use popular official plugins for some parts of social media content, as they collect data before the first click. It is recommended to use Shariff Wrapper instead of official plugins, as they collect data before the first click. For anti-spam rules, it is recommended to remove the checkboxes “Consider public spam database” and “Block comments from certain countries”, as both functions access external servers.
Contact form plugins
The popular Form 7 contact form plugin has many great features for all types of users. To integrate the consent notice into the form, the installation of the WP GDPR Compliance plugin is required.
For backups or website backups, you can use BackWPup and Updraft. These plugins collect personal data if the website or blog collects it, for example in comments. For backups to be data compliant, you should not be able to retrieve any personal data from the site.
Among many popular caching plugins, WP SuperCache is classified as DSGVO compliant.
WP Surveys should be set to “Do not connect to survey logging method options”. However, this disabling could allow multiple surveys.
Which plugins are not safe?
Probably the most critical plugins are the social media plugins that are made available to users by networks like Facebook. They already transfer data to the service provider if you are just visiting the website and have not yet performed any social media actions like sharing or comparing.
But other sharing plugins that use the original buttons of individual networks should not be used either.
Another problematic plugin is Jetpack, which transfers some data to WordPress.com, such as email addresses of registered users, comments, etc. The exact data that is collected and stored can be found in the Jetpack support. The plugin is supposed to be DSGVO compliant in the new version.
The Akismet anti-spam plugin also sends data to external servers, so I delete it directly when I create a new website with WordPress. An alternative is the Anti-Spam-Bee mentioned above.
These plugins have been considered unsafe for years and thus have been “blacklisted” for some time.
The problem for most WordPress users is probably to find out which plugins are safe to use and which ones are not, because after all there is no internal clue whether and if so, which data the respective plugin collects and stores.
This is a risk you have to take, but without taking this risk you would surely be more worried. The DSGVO is a good opportunity to reduce the number of plugins used in your installations and to inform yourself in the many blog posts that have created lists of safe and unsafe plugins and to stay up to date on this topic.
Disable Google Fonts and Emojis on a Blog
In addition to plugins, there are Google Fonts and Emojis that are loaded externally and therefore also collect data. If you want to remove these elements from your blog or website, you can do so with the Autoptimize plugin in the Extras tab (remove emojis, remove Google fonts).
However, it may happen that the plugin does not work properly with all WordPress themes. In this case, the alternatives Disable Emojis and Disable Embeds.
In many themes, Google fonts can be replaced by the usual standard fonts Arial, Tahoma, Helvetica etc. in the theme settings.
Remove IPs from comments
If you don’t want to save the IPs of users who comment anymore, because they belong to personal data, you can do it with the Remove IP plugin. The deletion of IPs already saved in old comments is not performed. To prevent this code from being constantly deleted during updates, the use of a child theme can be advantageous.
Embedded YouTube videos are usually inserted into the site or blog with the embedded code. This also does not comply with the new data protection guidelines, as a data connection is already established when the page in which a video is embedded is called up. With the Embed Videos and respect Privacy plugin, data is only transferred when the Play button is clicked.
The fact that you now have to consider whether or not plugins comply with data protection regulations takes away the pleasure of searching for and installing other useful functional extensions for your blog.