Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
WP Engine is a managed WordPress and headless WordPress hosting platform headquartered in Austin, Texas, powering over 1.5 million websites worldwide. It runs on Google Cloud Platform and offers EU data centres in Frankfurt and London. WP Engine signs a Data Processing Addendum with customers and supports Standard Contractual Clauses for transfers outside the EEA.
WP Engine is a managed WordPress and headless WordPress hosting platform founded in 2010 and headquartered in Austin, Texas. It powers more than 1.5 million websites globally, running on Google Cloud Platform with data centres in multiple regions including the United States, Frankfurt and London. For European customers, WP Engine offers a Data Processing Addendum, Standard Contractual Clauses and the ability to select EU only hosting regions.
At the infrastructure level, WP Engine processes server logs, visitor IP addresses, request headers and bandwidth usage. The hosting itself does not inject tracking cookies into visitor browsers. However, the WP Engine customer portal (my.wpengine.com) and marketing site (wpengine.com) set first party cookies for authentication, session management and analytics. Optional features such as Global Edge Security route visitor traffic through Cloudflare, which may set its own security cookies including __cf_bm and cf_clearance.
WP Engine acts as a data processor under Article 28 GDPR. Customer site owners remain controllers for visitor data. WP Engine publishes a Data Processing Addendum, a list of sub processors and Standard Contractual Clauses. The ePrivacy Directive does not require consent for the hosting infrastructure itself because it does not store information on the visitor device. However, any plug ins, analytics or marketing tools running on top of WordPress remain subject to consent rules.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
No visitor consent is required for the WP Engine hosting layer itself, since it does not place cookies on visitor browsers. Consent is required for any third party tools installed on top of WordPress, such as Google Analytics, Meta Pixel or marketing tags. If Global Edge Security via Cloudflare is enabled, the security challenge cookies generally fall under the strictly necessary exemption of Art. 5(3) ePrivacy.
WP Engine is a US company and its support, billing and administrative functions are based in the United States. Visitor data hosted on customer sites stays in the chosen region, so European customers can keep visitor data inside the EEA by selecting Frankfurt or London. Support access from US staff and certain global services still constitute transfers to a third country and rely on Standard Contractual Clauses and the EU US Data Privacy Framework when the recipient entity is certified.
Sign the WP Engine Data Processing Addendum from the customer portal, choose a European data centre region during provisioning, document the list of sub processors in your Record of Processing Activities, run a Transfer Impact Assessment if any function involves US based staff, configure Global Edge Security carefully and disclose Cloudflare as a sub processor in your privacy policy, and review WP Engine''s published sub processor list at least annually for changes.
Websites using WP Engine must obtain user consent under GDPR regulations.
DPIA considerations
WP Engine acts as a data processor under Art. 28 GDPR for customer site data. Key DPIA considerations: (1) server region choice, selecting US data centres triggers a third country transfer requiring a Transfer Impact Assessment; (2) access by US based support staff may constitute onward transfer subject to the same safeguards; (3) backups are retained across regions, verify retention and deletion policies; (4) server logs include visitor IP addresses processed under legitimate interest for security purposes; (5) Global Edge Security and DDoS protection use Cloudflare as a sub processor, adding an additional data flow that must be mapped; (6) the customer portal and the wpengine.com marketing site set their own cookies, separate from hosted customer sites.
Sample consent text
Our website is hosted by WP Engine, a managed WordPress hosting provider. WP Engine processes connection logs, IP addresses and security data on our behalf to deliver the site. We have signed a Data Processing Addendum with WP Engine and rely on Standard Contractual Clauses for any transfers outside the EEA.
Third-party domains contacted
wpengine.commy.wpengine.comwpenginepowered.comwpengine.iowpecdn.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| wpe-auth | Functional | Session | Used on the WP Engine customer portal (my.wpengine.com) to maintain an authenticated session for customers. |
| _wpe_aff | Marketing | 30 days | Stores the WP Engine affiliate referrer on the marketing site wpengine.com to attribute new sign ups to a partner. |
| __cf_bm | Functional | 30 minutes | Cloudflare bot management cookie set in front of WP Engine sites when Global Edge Security is enabled. Used to distinguish humans from automated traffic. |
| cf_clearance | Functional | 30 days | Cloudflare cookie indicating that the visitor has passed a security challenge. Set when Global Edge Security is enabled. |
WP Engine collects user analytics data — you legally need a consent banner. Try FlowConsent free.
No, the WP Engine hosting infrastructure itself does not place cookies on visitor browsers. Cookies appear only on the WP Engine customer portal (my.wpengine.com) and the marketing site (wpengine.com), where they are used for authentication, session management and analytics. If you enable the optional Global Edge Security feature, Cloudflare may set strictly necessary security cookies (__cf_bm, cf_clearance) in front of your site.
No, you do not need consent for the WP Engine hosting layer itself because it does not store information on the visitor device. Consent is, however, required for any third party tools you install on top of WordPress, such as Google Analytics, Meta Pixel or marketing scripts. Disclose WP Engine as a sub processor in your privacy policy without a consent prompt.
The processing relies on contract performance (Art. 6(1)(b) GDPR) between you and your visitor for delivering the website, and on legitimate interest (Art. 6(1)(f) GDPR) for security logging, DDoS protection and abuse prevention. WP Engine itself acts as a data processor under Art. 28 GDPR through the Data Processing Addendum you sign with them.
By default, customer sites are hosted on Google Cloud Platform infrastructure in the United States. You can choose EU regions in Frankfurt (europe-west3) or London (europe-west2) at provisioning. Even with an EU region, US based support staff and certain global services access data, which constitutes a transfer to a third country covered by Standard Contractual Clauses and, where applicable, the EU US Data Privacy Framework.
A DPIA is not strictly mandatory for hosting alone, but it is strongly recommended when you process special category data, run a high traffic site, or use the US data centre. The key risks to document are third country transfers, sub processor access (including Cloudflare for Global Edge Security), and the retention of server logs containing visitor IP addresses.
Sign the WP Engine Data Processing Addendum in the customer portal, select an EU data centre during provisioning, document WP Engine and Cloudflare in your sub processor list, run a Transfer Impact Assessment if US staff access is in scope, configure WordPress to avoid unnecessary cookies, and review WP Engine's sub processor list at least once a year.
EU based managed WordPress hosts include Kinsta (which also offers EU regions on GCP), Raidboxes (Germany), Savvii (Netherlands), 20i (UK), Pressidium (UK) and Hetzner with managed WordPress add ons. Choosing an EU controller and EU data centre simplifies your compliance posture by removing the third country transfer question.
Add WP Engine as a hosting sub processor in your privacy policy, name the data centre region you selected, mention any cookies on the WP Engine customer portal if you let visitors access it, and disclose Cloudflare if Global Edge Security is enabled. Include a link to WP Engine's sub processor list and Data Processing Addendum. If you choose a US region, document your Transfer Impact Assessment and reference the Standard Contractual Clauses.