5 plugins for better data protection in WordPress
At the end of May, like every website operator, I was busy preparing my blog for the new General Data Protection Regulation (GDPR). In total I installed five new plugins for better data protection in WordPress, which may be of interest to some readers, so here is a brief summary.
Embed videos and respect privacy
With Embed videos and respect privacy, videos from YouTube can be embedded without data being sent to Google on every page load. The plugin shows a static placeholder instead and only establishes the connection to YouTube when the user clicks the play button.
Here is an example video:
In addition to YouTube, the plugin also works for Vimeo and other services embedded via oEmbed. I recommend installing the current version 2.0 from GitHub, as the plugin on WordPress.org has unfortunately not yet been updated.
Borlabs Cookie
When the new General Data Protection Regulation came into force, I was still using the GDPR Pixelmate plugin for the cookie notice, which, however, always reloaded the website when the cookies were accepted and also had problems with the caching of the website.
That's why I have now switched to Borlabs Cookie, which looks much more sophisticated and works very smoothly. The plugin costs 29 € per website and is definitely worth the money.
For detailed information and helpful CSS snippets for styling adjustments, I recommend the article Borlabs Cookie: Introduction & Instructions by Webtimiser.
Avatar Privacy
With Avatar Privacy, the Gravatar images for comments are cached locally and external requests to Gravatar.com are avoided, so the IP addresses of visitors are not passed on to other servers.
Local Emoji
In older browsers, emojis are loaded as graphics from WordPress.org. Local Emoji is a plugin that removes this request to an external server and serves the graphics locally from your own server instead.
I became aware of Avatar Privacy and Local Emoji through Florian Brinkmann, who presented the two plugins in more detail in his article Load gravatars and emoji fallbacks for WordPress sites from your own server.
Remove Comment IPs
The Remove Comment IPs plugin removes the IP addresses stored with WordPress comments from the database. So that antispam plugins can still reliably ward off spam comments, the IPs are only deleted after 60 days.
If you want to prevent the storage of IP addresses in comments entirely, you will find some options in the article WordPress and GDPR: Remove IP address in comments.
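As an added example (not code from the article or from the Remove Comment IPs plugin), the following small plugin file combines the two approaches just described using WordPress's own PHP API: it anonymizes the commenter's IP before it is stored, via core's pre_comment_user_ip filter and wp_privacy_anonymize_ip() (in core since WordPress 4.9.6), and it blanks whatever IPs remain on comments older than the 60-day window mentioned above with a daily WP-Cron job. The hook name example_purge_comment_ips and the placement as a file in wp-content/mu-plugins/ are assumptions made for this example.

```php
<?php
/**
 * Added example, not part of the article or of any plugin it names.
 * Drop this file into wp-content/mu-plugins/ (assumed location).
 *
 * 1. New comments: store only an anonymized IP.
 * 2. Old comments: blank the stored IP once it is older than 60 days,
 *    the retention window described in the article.
 */

// The pre_comment_user_ip filter runs in wp_filter_comment() before the
// row is written to wp_comments. wp_privacy_anonymize_ip() is a core
// function: 192.0.2.77 becomes 192.0.2.0, IPv6 is cut to its network prefix.
// Trade-off: antispam plugins that rely on the stored address later on
// only see the anonymized value, which is why the article's plugin waits 60 days.
add_filter( 'pre_comment_user_ip', function ( $ip ) {
    return wp_privacy_anonymize_ip( $ip );
} );

// Register the daily job once; mu-plugins have no activation hook, so the
// wp_next_scheduled() check on init is the usual way to do this.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_purge_comment_ips' ) ) {
        wp_schedule_event( time(), 'daily', 'example_purge_comment_ips' );
    }
} );

// The job itself: one UPDATE over wp_comments, limited to rows that still
// carry an IP and whose GMT timestamp is older than the retention window.
add_action( 'example_purge_comment_ips', function () {
    global $wpdb;
    $retention_days = 60; // value from the article

    $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->comments}
                SET comment_author_IP = ''
              WHERE comment_author_IP <> ''
                AND comment_date_gmt < (UTC_TIMESTAMP() - INTERVAL %d DAY)",
            $retention_days
        )
    );
} );
```

Run the cron hook once manually (for example with WP-CLI: wp cron event run example_purge_comment_ips) to clear the backlog, then check wp_comments for rows with an empty comment_author_IP and an old comment_date_gmt to confirm it worked.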
Improve data protection in WordPress
All the plugins presented improve data protection in WordPress in one way or another: the loading of resources from external servers is reduced or only takes place with the user's consent, data that is no longer required, such as the IPs of commenters, is deleted, and certain cookies are only set with the visitor's permission.
Which plugins do you use for better data protection in WordPress?
Hello Brian,
Thank you for the informative contribution. At the moment all of my websites are offline. In order to go online again at some point, I am tinkering with a WordPress installation on my localhost that works entirely without data processing, apart from the legally required log files of my hoster. Personally, I have decided to deactivate everything that somehow sets cookies or calls home. The comments are deactivated so that no data is processed through them either. I use Autoptimize to consistently deactivate Google Fonts and emojis, of course also for optimization. However, the plugin has these two additional functions, which ultimately also represent optimizations with a view to performance 😉 Finally: with Statify I count page views and completely dispense with detailed visitor statistics in favor of data protection.
Hello, Jens,
With pleasure. I didn't know that Autoptimize also provided additional functions for this. Thank you for the addition.
I also think it is a good idea to collect no or as little personal data as possible on your WordPress installation. I can't quite leave Google Analytics myself, but at least some things are switched off with the 5 plugins.
Many Greetings,
Brian
Hello Brian,
Thank you for your answer! An addendum to Autoptimize: it seems to be the only, or at least one of the few, plugins that really consistently cuts the lines to Google or the Google Fonts. There are still a few others, which are probably not so consistent; at least that is the result of my research and my own trial and error. It was only when these functions were activated that the well-known browser add-ons, including the developer tools, indicated that there was no longer any communication with Google. As a layperson, I can and must hopefully rely on that 😉
Since I am talking to a theme developer 😉: it is extremely important that a theme provides a function to really switch off Google Fonts. I've been planning to take a closer look at your themes for a long time. At the moment the project has been postponed because I am - as written - offline.
I can absolutely understand that you do not want to do without Google Analytics at the moment, because you are dependent on more detailed statistics in the sense of marketing with your business. I only have a small blog, which I only maintain for purely private leisure time.
Greetz!
Yes, many of the popular plugins for removing Google Fonts are only designed for the default themes like TwentySixteen etc. It is generally difficult for a plugin to block the integration of Google Fonts because each theme loads the fonts with a different style handle. In addition to themes, some plugins also incorporate fonts from Google.
Google Fonts can be identified, for example, in the Chrome Developer Tools in the Sources tab, using the URL fonts.googleapis.com and fonts.gstatic.com. This actually shows whether Google Fonts are being loaded.
In my own themes, with the latest updates, the fonts are now integrated locally instead of being downloaded from Google: https://themezee.com/de/2018/04/updates-fuer-die-dsgvo/
Many Greetings,
Brian
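To illustrate the point about style handles made in the reply above, here is an added example that is not from the comment thread or from any ThemeZee theme: instead of guessing the handle a particular theme uses, it inspects every stylesheet registered for the front end and removes those whose URL points at fonts.googleapis.com, the same URL one would look for in the browser's developer tools. The function name example_remove_google_fonts is an assumption; the WordPress functions it calls are core.

```php
<?php
/**
 * Added example: remove Google Fonts stylesheets whatever handle a theme or
 * plugin registered them under. Not code from the article or from any theme.
 * Runs late on wp_enqueue_scripts so themes and plugins have already enqueued.
 */
function example_remove_google_fonts() {
    $styles  = wp_styles();   // core WP_Styles registry for the current request
    $removed = array();

    foreach ( $styles->registered as $handle => $dep ) {
        // $dep is a _WP_Dependency. src is false for alias handles that only
        // group other stylesheets, so guard before matching on the URL.
        if ( ! is_string( $dep->src ) ) {
            continue;
        }
        if ( false === strpos( $dep->src, 'fonts.googleapis.com' ) ) {
            continue;
        }

        // Dequeue and deregister the Google stylesheet, then re-register the
        // same handle with no source: any stylesheet that lists this handle as
        // a dependency keeps loading, but nothing is requested from Google.
        $deps = $dep->deps;
        wp_dequeue_style( $handle );
        wp_deregister_style( $handle );
        wp_register_style( $handle, false, $deps );

        $removed[] = $handle;
    }

    return $removed;   // the handles that were removed, handy when debugging a theme
}
add_action( 'wp_enqueue_scripts', 'example_remove_google_fonts', 100 );
```

Two caveats: this only covers stylesheets that go through the WordPress enqueue API on the front end, not <link> tags a plugin prints directly into wp_head or fonts loaded in the admin area, and the theme's CSS still names the Google font families, so the browser falls back to system fonts unless the font files are served locally, as described in the linked ThemeZee update.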
And local hosting or integration of Google Fonts is unobjectionable in terms of licensing law? In other words: what do you have to consider?
The license of the font must be observed and adhered to before it is integrated. The license always depends on the respective font.
Almost all of the Google Fonts are licensed under the SIL Open Font License, which allows integration and hosting. In my themes, I always refer to the fonts used and their licenses in the readme.txt. An overview of the licenses for all Google Fonts can be found at https://fonts.google.com/attribution .
The license must be checked for other font sources, as these are often not open source. License fees may have to be paid after page views etc. or the font must be purchased for commercial use. A transfer within a theme is also often not permitted.
Many Greetings,
Brian
Moin Brian,
Thank you for recommending the YouTube plug-in, I was still missing a convenient solution.
If I can also make a recommendation that could be of particular interest to websites that use ads, then it is the privacy module from Advanced Ads. It not only works together with solutions such as Borlabs Cookie and controls advertisements depending on whether consent has (not) been given, but also switches between personalized and non-personalized AdSense advertisements.
If you want to find out more, have a look here: https://wpadvancedads.com/manual/ad-cookie-consent/
Moin Joachim,
With pleasure. Thank you for adding Advanced Ads, it sounds very useful for anyone who runs ads. I can generally recommend Advanced Ads for managing advertisements, great plugin. The privacy module was previously unknown to me.
Many Greetings,
Brian
Hello Brian,
Thanks for the valuable tips! With "Embed videos and respect privacy" the responsive implementation is - depending on the theme - very poor. In terms of its approach, however, the plugin is definitely going in the right direction.
Best regards
David
Hello David,
Yes, that may well be the case. The iFrame for the embedded videos from YouTube, for example, has a fixed height, which is why only the width is adjusted automatically on mobile devices. I think I adjusted the plugin's CSS a bit for that.
Many Greetings,
Brian
Here is my CSS code, if that helps 🙂
.video-wrapped {
    /* reserve a fixed height for the placeholder and center the play button in it */
    min-height: 420px !important;
    display: flex;
    align-items: center;
    justify-content: center;
}
.video-wrapped.video-wrapped-clicked {
    /* once the video has been clicked, let the loaded iFrame determine the height */
    min-height: 0 !important;
}
.video-wrapped .video-wrapped-play {
    margin: 0;
}
Best regards,
Brian
Thanks for the great overview Brian!
Regarding the comment IPs, I can warmly recommend https://wordpress.org/plugins/gdpr-comments/. It also has the option to add an extra checkbox.
Hello Tim,
Thank you for the plugin tip. I really like the option of anonymizing comment IPs instead of deleting them. It is very nice that the anonymization can also be carried out for existing comments.
Many Greetings,
Brian
Nice overview! I use Remove IP to avoid saving the IPs for the comments! I then threw out the old IPs via an SQL query. I see you still use Analytics - I've replaced that with Matomo / Piwik.
With pleasure! Thank you for another alternative with Remove IP: https://de.wordpress.org/plugins/remove-ip/
Yes, I am relatively familiar with GAnalytics and do a lot of analysis there on a regular basis. In my theme shop in particular, the configuration of the entire tracking is more complex and a quick change with a few clicks is not possible. That's why I shy away from switching to another tool like Matomo.
Many Greetings,
Brian
Hello Brian,
I use the free “Slimstat” plugin instead of Google Analytics Dashboard, which according to the manufacturer is fully GDPR compatible. I am not yet familiar with all areas, but the wealth of information, which can be expanded through various add-ons, seems enormous to me.
Maybe worth a look.
By the way, every time I visit your site I am asked again whether it is okay to set a plugin. AdBlock and uBlock Origin are switched off.
Kind regards and thanks for all the helpful information,
Olaf
Hello Olaf,
Thank you for the tip on Slimstat.
Hmm, normally the plugin should set a cookie with your selection so that the cookie notice is not displayed again. This does not work if cookies have been blocked in the browser settings or the browser's incognito mode is used. Then the cookie notice keeps popping up.
There may also be a problem with caching; then the problem is actually on the blog's side. I will check, thank you very much for the hint.
Many Greetings,
Brian
Due to Gravatar's data protection problem, I had already deactivated the profile pictures before the GDPR came into effect. To prevent the comment area from looking so bare, I used https://wordpress.org/plugins/wp-first-letter-avatar/. That looks nice. Unfortunately, the last update was a year ago.
With the GDPR, I have completely closed the comments on my reanimated blog. So many rights, obligations and opportunities for abuse collide there that I want to observe the legal situation first.
There are several legal bases for data processing. To make everything dependent on consent, which can be obtained using a checkbox, is not a viable solution for moderating comments for me.
Thank you for the tip about WP First Letter Avatar, I didn't know the plugin yet. Great idea as an alternative to Gravatar, looks great.
Switching off the comment function completely would be too drastic for me. I assume that the comments with the new WordPress Core checkbox meet all data protection requirements.
Many Greetings,
Brian
I agree with the previous speaker. Actually, a checkbox for a declaration of consent without a reasonably functioning age verification is problematic. At least that's how a specialist lawyer once explained it to me. Sounded plausible to me, even though I'm not a specialist myself.
Brian, if I were you I would do the same. But you get lively comments. If you can rarely expect comments with a mini blog and are otherwise harassed by spambots, the (bureaucratic) effort of the GDPR and the benefit are no longer in an acceptable ratio.
I'm only a legal layman. As a freelancer, however, I had to read the regulation and interpretations. The legal basis of consent seems the most convenient. But it is tricky. If only because consent can be withdrawn at any time.
The age verification that Jens mentions is necessary with the consent (Art. 8 GDPR). Germany did not use the scope of the regulation to lower the age limit to 13. I.e. a 14-year-old cannot even send a message using the contact form if, as the website operator, this is explicitly made dependent on consent to data processing. What a restriction on freedom on the Internet!
It is understandable to switch off the comment function completely if comments are infrequent. I do that on other websites too 🙂
I don't think it's a problem that consent can be revoked. If you wish, all personal data must also be deleted. The age verification is interesting, but as is so often the case, it is not really suitable for everyday use 🙂