Data Protection in WordPress

Data Protection in WordPress Cyber Security

A self-hosted version of WordPress offers the advantage that it can be configured very easily in a data protection-friendly way. With a few simple steps, the basic installation can be brought to a very good state and thus a correct technical data protection can be implemented.

As little data as possible should be stored in order to harm as few users as possible in the event of a data leak. IP addresses should not be stored at all and the transmission must be encrypted. In this article, I describe the technical implementation of data protection and not the organizational side, such as creating a privacy policy.

Web host logging

By default, the web server stores log files of every resource accessed. In addition to the time, the type of retrieval, the identifier of the web browser and the IP address are also stored.

Therefore, it is necessary to check whether your own web host stores log files with the IP addresses. Often there is an option not to store log files at all or to remove the IP address or replace it with a placeholder.

Enable HTTPS

In order for visitors’ data to be encrypted during transmission, HTTPS must be enabled. Nowadays, every web host offers HTTPS support. Unfortunately, some web hosts still do so for a fee, but more and more often they do so for free using Let’s Encrypt. After HTTPS has been activated at the web hoster, the settings of WordPress have to be adjusted. To do this, in the menu item “Settings > General” the WordPress address and the website address must be changed from HTTP:// to HTTPS://.

The next step is to add the following code to the top of the .htaccess file, which is located in the root directory of every WordPress installation. This automatically redirects all calls to the HTTPS variant.

Customize comment function

The comment function allows visitors to comment on content below an article or on a subpage. Besides the rarely used function of registration, this is the main function where visitors can submit data. When commenting, the external service Gravatar is integrated and the IP address is stored.

WordPress displays small photos (avatars) for each author of a comment. As a default, a general graphic is displayed. If a visitor enters his email address, it is linked to the service Gravatar. If the commenter has an account there, the photo is loaded from Gravatar. Since this happens automatically, the function should be deactivated. To do this, the Avatar display option must be deactivated in the “Settings > Discussion” menu item.


WordPress can be extended with additional functions using plug-ins. However, these plug-ins can also collect and store additional data or, in the worst case, pass it on. Therefore, mainly plug-ins should be chosen that have a description of what data is processed. Again, the fewer plug-ins, the better.

Conclusion WordPress Privacy

With these simple steps, WordPress data protection can be improved in a targeted manner. In addition, WordPress offers help in creating a privacy policy. For this purpose, there is an extra page type. And under “Tools” there are the two options “Export personal data” and “Delete personal data”.




Rate article
Add a comment