Open source PHP and MySQL content management system focused on blogs and small publishing sites. Self hosted by the operator, it sets a PHPSESSID and administration cookies for authenticated users.
Nucleus CMS is a free and open source content management system written in PHP and backed by a MySQL database. It was first released in the early 2000s as a blog focused publishing engine, with support for multiple weblogs, member accounts, comments, skins and plugins. The application is fully self hosted, meaning the website operator installs the code on their own web server, manages updates and acts as the sole data controller for every visitor or author who interacts with the site.
By default Nucleus CMS sets a PHPSESSID session cookie when an authenticated session starts and an NP_Auth login cookie for the administration area, and it may set comment author cookies that store the visitor name, email and website on the public side. On the server it stores blog posts, drafts, member accounts (login, hashed password, email, real name), comments, IP addresses of commenters, referrer logs and any data added by third party plugins such as statistics modules or contact form extensions.
The administration session and login cookies are strictly necessary to deliver the editing service that the editor has requested, so they fall under the exemption of Article 5(3) of the ePrivacy Directive. Comment author cookies, statistics plugin cookies and any social or advertising integration, however, require prior informed consent. Storing the IP addresses of commenters and members brings the processing under the GDPR: a clear legal basis, a retention period and a privacy notice are mandatory under Articles 6, 13 and 14.
On the public side, only the strictly necessary cookies should be set before consent. Comment author cookies, analytics plugins and any embedded media should be loaded after explicit opt in through a cookie banner with refusal as easy as acceptance. Members and commenters must be able to access, rectify and erase their data under Articles 15 to 17 GDPR, and a clear procedure should be documented to delete comments and member accounts on request.
Nucleus CMS is entirely self hosted, so there is no built in transfer to a vendor. The transfer question depends on where the operator runs the web server and the MySQL database. Hosting in the EU or EEA keeps the data inside the GDPR perimeter. Hosting in the United States, the United Kingdom or another third country triggers Chapter V of the GDPR and requires an adequacy decision, standard contractual clauses or binding corporate rules with a documented transfer impact assessment.
Keep Nucleus CMS updated, prefer EU hosting, audit installed plugins for hidden tracking, configure a consent management platform to gate non essential cookies, set a short retention period for IP addresses in comment logs, restrict the administration backend through HTTPS and strong passwords, document the processing in the Article 30 records and update the privacy and cookie policy with a clear mention of Nucleus CMS, the categories of data, the recipients and the retention periods.
Websites using Nucleus CMS must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for a personal blog or small editorial site running Nucleus CMS, but becomes recommended when the site collects comments at scale, hosts user profiles, processes special category data or targets children. Document the categories of data stored in the MySQL database, retention of comment logs, plugin behaviour and the moderation workflow.
Sample consent text
We use Nucleus CMS to publish this website. The authoring tools set a session cookie and a login cookie when an editor signs in, and may set comment author cookies when you post a comment. Strictly necessary cookies are exempt from consent. You can accept, refuse or withdraw your consent for optional cookies at any time.
Third-party domains contacted
nucleuscms.org
docs.nucleuscms.org
Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| PHPSESSID | http_session | Session | Identifies the visitor PHP session used by Nucleus CMS for authenticated administration. |
| NP_Auth | http_persistent | 30 days | Keeps editors logged in to the Nucleus CMS administration area between visits. |
| comment_user | http_persistent | 1 year | Stores the commenter name, email and website to prefill the comment form on return visits. |
| loginlang | http_persistent | 1 year | Remembers the language selected in the Nucleus CMS administration backend. |
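The rule that only strictly necessary cookies may be set before consent can be checked against a captured response. The sketch below is an added example, not part of Nucleus CMS or of this page's tooling: it classifies `Set-Cookie` headers using the table above and flags consent-required or unclassified cookies, lifetimes longer than documented, and login cookies sent without the `Secure` flag. The sample headers and the `np_stats_visitor` plugin cookie are constructed for illustration, and `loginlang` is treated as unclassified because the page does not say whether it is exempt.

```python
from http.cookies import SimpleCookie

DAY = 86400
# Classification from the page: admin session/login cookies are exempt,
# comment author cookies need consent. Everything else needs manual review.
EXEMPT = {"PHPSESSID", "NP_Auth"}
CONSENT_REQUIRED = {"comment_user"}
# Durations from the cookie table, in seconds (None = session cookie).
DOCUMENTED_LIFETIME = {
    "PHPSESSID": None,
    "NP_Auth": 30 * DAY,
    "comment_user": 365 * DAY,
    "loginlang": 365 * DAY,
}

def audit_pre_consent(set_cookie_headers):
    """Return (cookie_name, finding) pairs for a response captured before opt-in."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in CONSENT_REQUIRED:
                findings.append((name, "consent-required cookie set before opt-in"))
            elif name not in EXEMPT:
                findings.append((name, "unclassified cookie, review before allowing"))
            # Compare Max-Age with the documented duration, when one is known.
            lifetime = int(morsel["max-age"]) if morsel["max-age"] else None
            if name in DOCUMENTED_LIFETIME and lifetime is not None:
                allowed = DOCUMENTED_LIFETIME[name]
                if allowed is None or lifetime > allowed:
                    findings.append((name, "lifetime exceeds documented duration"))
            # Login/session cookies should only travel over HTTPS.
            if name in EXEMPT and not morsel["secure"]:
                findings.append((name, "auth cookie missing Secure flag"))
    return findings

# Constructed sample headers (not captured from a real site).
SAMPLE_HEADERS = [
    "PHPSESSID=c0nstruct3d; Path=/; Secure; HttpOnly",
    "NP_Auth=c0nstruct3d; Max-Age=7776000; Path=/",         # 90 days, no Secure
    "comment_user=constructed; Max-Age=31536000; Path=/",   # exactly 1 year
    "np_stats_visitor=constructed; Max-Age=63072000; Path=/",  # hypothetical plugin cookie
]

if __name__ == "__main__":
    for name, finding in audit_pre_consent(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```
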
Nucleus CMS sets a PHPSESSID session cookie when an authenticated session starts and an NP_Auth login cookie for editors, and it may set comment author cookies storing the visitor name, email and website when commenting. Installed plugins (statistics, contact forms) can add their own cookies.
No consent is needed for the strictly necessary administration session and login cookies, since they support a service requested by the editor. Comment author cookies, statistics plugin cookies and any social or advertising embeds require prior informed consent through a cookie banner.
The administration cookies and editor accounts rely on legitimate interest under Article 6(1)(f) GDPR or on performance of a contract for paid editors. Commenter data and optional cookies rely on consent under Article 6(1)(a) GDPR and Article 5(3) ePrivacy Directive.
There is no built in transfer because Nucleus CMS is self hosted. Transfers happen only if the operator chooses a hosting provider, CDN or backup service in the US or another third country. In that case Chapter V of the GDPR applies and standard contractual clauses with a transfer impact assessment are required.
A DPIA is generally not required for a small personal or editorial blog. It becomes recommended when comments are collected at scale, when special category data is published, when minors are part of the audience or when third party plugins introduce additional tracking or profiling.
Keep the core and plugins updated, prefer EU hosting, restrict the admin backend through HTTPS and strong passwords, gate optional cookies behind a consent management platform, set short retention for IP addresses in comment logs and document the processing in the Article 30 records.
Mature alternatives include WordPress, Ghost, Drupal, Joomla and static site generators such as Hugo or Eleventy. The choice depends on the size of the audience, available technical skills, expected plugin ecosystem and the privacy by design effort the operator is willing to invest.
Add a dedicated entry that names Nucleus CMS, lists PHPSESSID, NP_Auth and comment author cookies with their purpose and duration, mentions any plugin specific cookies, identifies the operator as the data controller and explains how visitors can refuse or withdraw consent and request deletion of their data.