How to use Wordfence in a GDPR-compliant manner!

Wordfence GDPR compliant in WordPress websites

The security of your own WordPress website should be close to the heart of every website owner, because unfortunately not every user of the World Wide Web has good intentions – quite the contrary. As currently the most popular CMS solution, WordPress is therefore an attractive target for hacker attacks. A single security vulnerability is enough, and attackers strike.

It is therefore not far-fetched that website operators do not want to rely solely on the protection provided by WordPress itself and turn to dedicated security plugins to protect their website against attacks as well as possible.

The plugin Wordfence, which is used by more than 4 million WordPress websites, is often chosen as the saviour in this case. But is its use even compliant with the GDPR?

Attention: This article is not legal advice! As developers of WordPress plugins and contractors for website projects, we have dealt intensively with this topic, as it is essential in our daily work. However, we are not lawyers, and we cannot guarantee the completeness, timeliness or accuracy of the following information. In case of doubt, always consult a lawyer.

Wordfence – what is it?

Wordfence is one of the big players in terms of WordPress security plugins. The plugin combines a variety of configurable security features – even in the free version. It has a good firewall and essential functions to make your WordPress more secure.

Wordfence is essential for many WordPress website owners, as malware and hacking can lead to drastic consequences such as performance problems and data theft. By embedding malicious code and harmful scripts, hackers can easily spy on website visitors’ data. But the basic functionality of your website can also suffer from the altered code.

Even Google does not like it when a website falls victim to a hacker attack. Unfortunately, in this case you, as the website operator, are the one who suffers. The probability that Google will blacklist your site is not exactly low. As a result, you can expect high losses in the Google ranking. It is almost impossible to regain your original position.

Wordfence increases the security of your website by covering the following functions, among others:

  • Regular website scan and check for security vulnerabilities
  • Protection against brute force attacks (trying all possible passwords until the correct one is found) by limiting the number of login attempts
  • Detection of manipulated plugins
  • Regular updates
  • Information about code changes
  • Simple virus scanner of your WordPress website
  • etc.

As you can see, Wordfence is theoretically a super plugin to significantly increase the security of your WordPress website quickly and easily.

💡 Speaking of security vulnerabilities: If you care about the well-being of your website and the data processed on it, you should definitely keep your hands off illegal free downloads (e.g. nulled plugins). Even if the low price seems tempting, this is not the place to save money. Nulled versions are a paradise for malware and hacker attacks.

Is Wordfence compliant with data protection?

Security functions are one thing, but what about data protection compliance? In order to make your WordPress website more secure and, for example, to detect brute force attacks, Wordfence stores the IP addresses of your visitors.

This should set off alarm bells: the IP address can be considered personal data. Personal data may not simply be collected, processed or stored without further ado. This requires the active and informed consent of the visitor (opt-in).

By default, Wordfence transmits the IP addresses of some of your visitors to its cloud service (in the USA). Since the end of the Privacy Shield (a data protection agreement between the USA and the EU), the ECJ considers the USA an unsafe third country with an inadequate level of data protection, so personal data may generally only be transferred there with the consent of the website visitor.

However, you may not have obtained this consent at the time of the data transfer. We therefore recommend that you deactivate the corresponding feature in your Wordfence installation under Wordfence > All Options > Brute Force Protection > Additional Options > Participate in the Real-Time Wordfence Security Network.

Brute force protection continues to work after this feature is switched off. The only difference is that it is no longer supported by the cloud database.

How can I use Wordfence in a privacy-friendly way?

Compared with other plugins, you need to take relatively few measures to use Wordfence in compliance with the GDPR. Nevertheless, you must fulfil some criteria in order to use Wordfence in a legally compliant manner with regard to data protection.

📝 Privacy Policy

It is very important that you include Wordfence in your privacy policy. You should explain in detail:

  • Why and how you process personal data in the course of using Wordfence
  • On which legal basis according to Art. 6 GDPR the processing takes place
  • A reference to the right to object

✅ Opt-in consent required for Wordfence cookies?

As soon as the setting of non-essential cookies or the processing of personal data is involved, you need the opt-in consent of your visitors. This sounds simple in theory but is not easy to implement in practice, which is why website operators often fall into expensive data protection traps. Even many supposedly GDPR-compliant opt-in cookie banners do not meet the required criteria.

With Real Cookie Banner, we’ve tackled just that. We take the hassle out of researching and setting up your privacy-compliant cookie notice, so you can protect your website not only against hackers, but also costly fines.

With its integrated scanner function and beginner-friendly usability, you can automatically detect many services that you use in your WordPress.

You will also find a service template for Wordfence in Real Cookie Banner, because Wordfence sets cookies. You must inform website visitors of this, but in our legal opinion you do not need consent: technically essential cookies may be set without consent according to the ePrivacy Directive (Directive 2009/136/EC) Art. 66. However, for the transmission of personal data such as the IP address to the USA, you do need consent (we also recommend deactivating the corresponding function in the plugin itself, as described above). The security of your website should be essential not only for you, but especially for your website visitors, who want to browse your website safely.

If you want to learn more about making a WordPress website compliant with the GDPR, it’s worth taking a look at our article on GDPR plugins for a legally compliant WordPress website.