WordPress is the world's most popular CMS, powering over 40% of all websites. For GDPR purposes, the core WordPress software has minimal privacy implications: it sets only session cookies and a comment author cookie, which are strictly necessary or preference cookies. GDPR complexity comes from the plugin ecosystem, where analytics plugins, contact form plugins, commenting systems, social share buttons, and advertising plugins each introduce their own data processing. For self-hosted WordPress, GDPR compliance is the deployer's responsibility. WordPress.com (Automattic) is US-hosted, so transfers to it require SCCs.
WordPress is an open-source content management system (CMS) powering over 43% of all websites globally. It comes in two forms: WordPress.org (self-hosted, free software you run on your own server) and WordPress.com (hosted by Automattic on US infrastructure). The core WordPress software provides a minimal privacy footprint. GDPR complexity comes almost entirely from the plugin ecosystem — WordPress has over 60,000 plugins, many of which add tracking, analytics, advertising, and communication features.
WordPress core sets: wordpress_logged_in (authentication, session), wordpress_test_cookie (verifies cookies work, session), comment_author (remembers commenter name/email for 1 year). The first two are strictly necessary for site function. The comment_author cookie is a preference cookie that improves user experience. None require consent under most DPA interpretations, though some legal teams prefer to include them in cookie notices.
Every plugin that adds external functionality creates GDPR obligations. Common offenders: Google Analytics plugins (require consent, US transfer), contact form plugins storing submissions (data retention, erasure requests), social share buttons (third-party cookie loading), comment systems like Disqus (extensive tracking), live chat plugins (consent required), and page builder plugins loading Google Fonts CDN. Audit every plugin before installation.
WordPress.com is hosted by Automattic (US). All site data, user data, and visitor data is processed on Automattic's US infrastructure, which requires SCCs. Self-hosted WordPress on a European server keeps all data in the EU, with no third-country transfer required for the hosting itself. For EU organisations with strict data residency requirements, self-hosted WordPress on an EU server is the recommended configuration.
Install a CMP plugin (Cookiebot, Axeptio, CookieYes). Audit all plugins for GDPR implications. Remove unnecessary plugins. Replace Google Analytics with a GDPR-compliant alternative or configure consent. Self-host Google Fonts. Use a GDPR-compliant contact form plugin with data retention controls. Add a comprehensive privacy policy. For WordPress.com, sign Automattic's DPA.
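The plugin audit recommended above and in the list of common offenders can be started with a source scan before a plugin is activated. The script below is an added example, not FlowConsent's or WordPress's own tooling; the hostnames in THIRD_PARTY_HOSTS and the three sample plugins it constructs are assumptions based only on the services this page names (Google Fonts CDN, Google Analytics, Disqus, Jetpack, WordPress.com).

```shell
#!/bin/sh
# Scan a wp-content/plugins tree for web assets (PHP, JS, CSS) that reference
# third-party hosts, so each hit can be reviewed for consent and transfer
# implications before the plugin goes live. Hosts listed are assumptions.
THIRD_PARTY_HOSTS='fonts.googleapis.com fonts.gstatic.com google-analytics.com googletagmanager.com disqus.com jetpack.com wordpress.com'

# audit_plugins DIR: print one "plugin<TAB>host<TAB>file" line per file that
# embeds a listed host. Silent output means no listed host was found.
audit_plugins() {
    dir=$1
    for plugin in "$dir"/*/; do
        [ -d "$plugin" ] || continue
        name=$(basename "$plugin")
        for host in $THIRD_PARTY_HOSTS; do
            # -r recurse, -l list files only, -F literal match; --include limits
            # the scan to files the browser could actually load or execute.
            grep -rlF --include='*.php' --include='*.js' --include='*.css' \
                "$host" "$plugin" 2>/dev/null |
            while IFS= read -r file; do
                printf '%s\t%s\t%s\n' "$name" "$host" "${file#"$dir"/}"
            done
        done
    done
}

# make_fixture: build a constructed plugins directory for demonstration and
# print its path. Contents are invented, not real plugins.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/fancy-builder" "$root/stats-lite" "$root/local-forms"
    # page-builder style plugin pulling a stylesheet from the Google Fonts CDN
    printf "@import url('https://fonts.googleapis.com/css?family=Roboto');\n" \
        > "$root/fancy-builder/style.css"
    # analytics style plugin loading the Google Analytics script
    printf "var s='https://www.google-analytics.com/analytics.js';\n" \
        > "$root/stats-lite/tracker.js"
    # readme mentions wordpress.com but is not a web asset, so it is not flagged
    printf 'Tested with wordpress.com hosting.\n' > "$root/stats-lite/readme.txt"
    # contact-form style plugin with no external requests at all
    printf "<?php add_shortcode('local_form', 'render_local_form');\n" \
        > "$root/local-forms/form.php"
    printf '%s\n' "$root"
}

# Usage: audit_plugins /var/www/html/wp-content/plugins
```

A hit is a starting point for review, not a verdict: a plugin may reference a host only in an optional feature, and a plugin can still make server-side requests the scan does not see.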
Websites running WordPress must obtain user consent under GDPR for any non-essential cookies and tracking introduced by plugins.
DPIA considerations
A DPIA is not required for standard WordPress websites. It may become relevant for membership sites processing extensive personal data, healthcare or sensitive data sites, or sites with large-scale behavioural tracking via advertising plugins.
Sample consent text
This website uses cookies. Essential cookies are required for basic site functions. We use additional cookies for analytics and functionality improvements. You can manage your cookie preferences below.
Third-party domains contacted
wordpress.org, wordpress.com, automattic.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| wordpress_logged_in | session | Session | WordPress authentication cookie for logged-in users — strictly necessary, no consent required |
| wp-settings | persistent | 1 year | WordPress interface preference cookie for logged-in users — strictly necessary, no consent required |
WordPress core presents minimal privacy risk. Compliance depends on plugins and hosting. A self-hosted site on an EU server with privacy-conscious plugins can be fully compliant. WordPress.com needs SCCs. The responsibility is yours as site operator.
wordpress_logged_in (authentication, session), wordpress_test_cookie (session), comment_author (1 year). No analytics or advertising cookies in core. The first two are strictly necessary.
Jetpack (US), Contact Form 7 (no retention controls by default), Google Site Kit (adds GA4), MonsterInsights, WooCommerce, social share plugins. Audit every plugin before installation.
Yes. Sign Automattic's DPA at automattic.com/privacy. WordPress.com processes all site data on US infrastructure. The DPA includes SCCs for EU transfers.
Install a CMP plugin: Cookiebot, CookieYes, Complianz, or Axeptio (all have free WordPress plugins). Integrate with Google Consent Mode v2 if using Google tools.
Access: Tools > Export Personal Data. Erasure: Tools > Erase Personal Data. For WooCommerce, use the built-in customer data tools. Respond within 30 days.
Yes. Enable order anonymisation after a set period, customer deletion, the privacy policy at checkout, and a marketing opt-in checkbox. WooCommerce has built-in GDPR tools at WooCommerce > Settings > Privacy.
For EU organisations, yes: no US transfers for hosting, full data sovereignty, and no DPA with Automattic needed for the hosting itself.