10+ must-have WordPress plugins for a GDPR-compliant website

WordPress GDPR Plugins

You are the proud owner of a WordPress website? Then you will most likely have already been confronted with the unpleasant topic of data protection. A legally compliant WordPress website is the dream of every website operator with a target group based in the EU. Because at the latest with the entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018, website operators should no longer take the data protection compliance of their website lightly. In the event of data protection violations, warnings and – in the worst case – costly fines may result.

Therefore, it makes perfect sense to ask yourself the following question: How can I make my WordPress website compliant with the GDPR?

Within a very short time, supposedly GDPR-compliant WordPress plugins sprouted from the ground. But if you have a choice, you’re spoilt for choice. To spare you the latter, we have taken a closer look at popular WordPress data protection plugins.

Attention: This article is not legal advice! We as developers of WordPress plugins and contractors of website projects have dealt intensively with this topic, as it is essential in our daily work. However, we are neither lawyers, nor can we guarantee the completeness, timeliness and accuracy of the following information. In case of doubt, always consult a lawyer.

GDPR – what is it?

Website operators fear it, for data protectionists it is more or less a blessing. But what exactly is the General Data Protection Regulation? If you type the term “GDPR” into the search engine of your choice, you will be shown a large number of articles that deal with this topic in great detail. Roughly summarized, the GDPR was introduced to protect personal data and strengthen consumer rights. According to the General Data Protection Regulation, the processing and collection of such data is only possible under strict conditions.

The requirements of the General Data Protection Regulation for a website are very complex, and implementation is therefore not exactly easy at all.

What must be considered when using a GDPR plugin in WordPress?

You probably already know the answer: the plugin must be compliant with the applicable data protection regulations.

Basically, your website must be designed in such a way that it complies with the protection of personal data according to the GDPR.

Sounds feasible in theory. In practice, however, this is usually very tricky to implement and presents website operators with enormous challenges. Legal and technical requirements have to be in harmony with each other. With the flood of plug-ins, it is very easy to lose the overview.

Real Cookie Banner

Costs: free of charge (basic version)
Real Cookie Banner

Real Cookie Banner is probably the most tasty solution regarding WordPress cookie consent. The core of the plugin is the collection of consent, which you can do in compliance with the GDPR and ePrivacy Directive.

Since the ruling of the European Court of Justice regarding legally compliant cookie consent, only consent via the opt-in procedure is legally compliant. There is no obligation to use a cookie banner. However, the best and easiest way to implement the opt-in regulation is with the help of a cookie banner.

But not all cookie banners are the same. Many supposedly perfect cookie banner solutions are not fully data protection compliant – the same applies to WordPress GDPR plugins and cookie banner generators. Because the legal requirements are simply too complex and multi-faceted.

This is exactly the problem we have addressed. Real Cookie Banner is a comprehensive opt-in cookie plugin for WordPress that helps website owners to really pimp their website in terms of data protection compliance. Consent from visitors to set cookies and transfer personal data can be obtained and managed easily and quickly.

To achieve this, a variety of features designed in detail and with love (❀) help you, such as content blockers, 100+ service templates for popular services like Google Analytics and Facebook, numerous design options, detailed explanatory texts, a guided setup, a service scanner, geo-restrictions, documentation of consents, age information and much more.

We also take great care to always adapt the cookie plugin to the latest legal status. So we don’t need you to read through novel-like legalese texts.

💡 Tip: We have already covered the topic of the best WordPress cookie plugins in depth in our article Top 3 Cookie Plugins for WordPress. Therefore, we will not explicitly address this important topic of data protection compliance in this article. If you are interested in the topic of cookie plugins, we recommend that you jump over to the other article 😉

Shariff Wrapper

Costs: free of charge
Shariff Wrapper

Howdy, friends! There’s a new sheriff – uhmm, shariff – in town to keep law and order in the wild WordPress West – yee-haw đŸ€  With more than 70,000 active installations, Shariff Wrapper is definitely one of the favourites when it comes to WordPress privacy plugins.

The German computer magazine c’t developed the plugin in order to be able to integrate social media buttons such as the Facebook Like button into their online magazine in a data protection compliant manner.

Conventional share buttons are embedded in websites by means of iframes. When a website is called up, such social media share buttons from Facebook, Pinterest & Co. already send the visitor’s personal data such as the IP address to the respective social network before the visitor gives his or her consent – however, this is not permitted according to data protection requirements.

Roughly speaking, the Shariff Wrapper plugin presents itself as the optimal solution here, because it is oriented towards the requirements of the GDPR regulation (EU 2016/679). Shariff Wrapper displays similar-looking share buttons that do not transmit any of your website visitors’ data. A connection between the website visitor and the social network is only established when the visitor actively clicks on the button (in a new tab on the social network’s website).

The social media plugin is a further development of the 2-click solution. You can imagine the 2-click solution in such a way that in addition to a replicated social media button, a switch is displayed that you can flip manually. By activating the switch, you give your consent to the reloading of the real social media button, e.g. from Facebook. As a result, (personal) data about you and your behaviour on the website will be collected by the provider of the social media button. In addition, it is now possible for you to share the respective content.

However, there are some issues with this:

  1. Visually, the whole thing doesn’t look so fancy.
  2. The greyed-out buttons are not eye-catchers and can therefore be easily overlooked or ignored.
  3. Convenience can mean that content is not shared very often – the extra click is often seen as annoying.

How exactly does the Shariff Wrapper plugin work if it is not a 2-click solution?

A social sharing button from Shariff Wrapper provides a solution for this. The buttons are simple HTML links. Unlike original social media buttons, embedding via iframes is not necessary. This saves the user the second click, because there is no need to activate the sharing button.

Furthermore, website operators can show how often a content has been shared without committing a data protection violation. A script already retrieves on the website server (and not in the client of the website visitor) how often a page or similar has been shared. An interface (API) of the respective service is used to contact it and the corresponding numbers can be retrieved. Instead of the IP address of the website visitor, the IP address of the server is forwarded to the social network.

Shariff Wrapper Settings

After installation, the plugin is ready to go. You will find it in the list of your plugins (who would have thought it 😉 ) or under Settings > Shariff. You will be shown the various tabs (e.g. Basic, Design and Statistics) with which you can optimise your settings.

The most important settings are the basic settings. In the field Enable the following services in the provided order you can specify which social media accounts, special functions and payment services you use or for which you want posts to be shared. You copy them from the selection below and paste them into the corresponding field. Directly below you can specify where the buttons are to be displayed. Alternatively, you can also place the buttons on your website yourself using a shortcode.

In short, as you can see, the plugin is not difficult to use.

Advantages of the plugin

  • Supports 32 services in 25 languages (including Bitcoin, Pinterest, LinkedIn, PayPal, WhatsApp, Tumblr, Twitter, Xing, Telegram)
  • Many settings (base, design, statistics, status etc.)
  • Simple implementation by means of shortcodes

Disadvantages of the plugin

  • Compared to other GDPR plugins, Shariff Wrapper is somewhat more technical. There is no guided configuration and comparatively little explanatory text.
  • No fully comprehensive GDPR plug-in solution.

Antispam Bee

Costs: free of charge
Antispam Bee

In an unknown land
From not so long ago
There was a bee that was very well known
Everyone spoke of her far and wide

And the bee I am referring to is not called Maya but Antispam bee🐝

The busy little bee of the developer team pluginkollektiv is an important add-on when it comes to keeping spam comments away from a WordPress website or blog. The anti-spam plugin also blocks trackbacks – and does so without transmitting captchas or personal data to third parties. In addition, the developers state that the little bee is 100% GDPR-compliant.

Antispan Bee Settings

After successful installation, you will find the anti-spam plugin on the left in your menu under Settings.

💡 Tip: You will have noticed that the plugin Akismet is installed by default when you install your WordPress interface. Like Antispam Bee, Akismet is a plugin for fighting spam comments. However, we recommend that you deactivate and delete Akismet, as it can transfer data to the USA – which is not so nice from a data protection point of view.

The plug-in has already taken care of most of the settings for you. You can change individual settings if necessary – but this is generally not recommended.

What the nimble bee can do:

  • Optimal, comprehensive spam checking of comments without forwarding them to third-party servers (e.g. in the USA)
  • No processing of the IP address (e.g. no origin determination) → Recognition by a locally executed library for language recognition and restriction of comments in a specific language
  • Display spam statistics on the dashboard, including daily updates of the spam detection rate and the total number of blocked spam comments
  • In contrast to Akismet, the plugin does not transfer any data to the USA.
  • Available in 27 languages

Disadvantages of the plugin

  • Antispam Bee does not perfectly work with the Jetpack plugin

Statify

Costs: free of charge
Statify

Statify offers a straightforward and compact overview of the number of page views. It is compliant with German data protection law as it does not use cookies or a third-party provider.

The WordPress statistics plugin has been a popular alternative to Google Analytics at least since the introduction of the GDPR. Probably the biggest advantage of the plugin is that Statify, unlike other statistics services such as Google Analytics or Matomo (Piwik), does not store or process personal data such as the IP address because Statify does not count visitors but calls to a page. If a person visits a website three times, for example, then the three calls are counted.

In addition, Statify is not as overwhelming as Google Analytics and can be installed directly in WordPress.

Disadvantages of Statify

  • The plugin collects comparatively little data
  • No allocation of collected data about individual website visitors possible

WooCommerce Germanized

Costs: free of charge (basic version)
WooCommerce Germanized

The WooCommerce plugin should be familiar to webshop operators in particular. The problem with the plugin is that it does not cover the country-specific individual case, ergo it does not fulfil the legal and technical requirements for the German market. Therefore, WooCommerce Germanized offers the possibility to adapt WooCommerce to the German market and to be GDPR-compliant at the same time.

To achieve this, the plugin includes important aspects relevant to the GDPR, such as:

  • Sample text generators for the cancellation policy, GTC and privacy policy
  • Double opt-in procedure for customers (keyword: registration)
  • GDPR Export/Deletion

OMGF | Host Google Fonts Locally

Costs: free of charge (basic version)
OMGF

Sure, who doesn’t like to use an aesthetically pleasing font to spruce up their website? The problem here was summed up perfectly in the following quote:

How could the use of fonts via the Google service violate the General Data Protection Regulation? The fact is that when a font is requested by the user’s browser, their IP address is logged by Google and used for analysis purposes.
– Lifehacker

OMGF ensures that Google Fonts can be hosted locally in WordPress. This is permitted under licensing law, as all fonts in Google Fonts are under licences that allow them to be copied.

The optimisation plugin uses the Google Fonts Helper API to automatically cache the fonts used by themes and plugins in your WordPress. This means that no more requests are sent by the website visitor to Google Fonts servers to download the fonts.

Disable Emojis (GDPR friendly)

Costs: free of charge
Disable Emojis

Emojis are simply fantastic: they can lighten up bland texts and are also visually real eye-catchers. And yes, we also like to use them from time to time – guilty 🙃

The problem from a data protection perspective is that WordPress does not store emojis on your web space by default, but always downloads them from wordpress.org on demand in the browser of your website visitors. As a result, the IP address of the website visitors is passed on to the wordpress.org servers. Whether the visitors want this or not!

Disable Emojis deactivates the emojis embedded in WordPress by default. An ingeniously simple GDPR plugin for WordPress!

Moreover, the plugin removes the additional JavaScript file that would reload the emojis. Emoticons and emojis continue to work in browsers that support them (pretty much all of them these days).

In addition, this plugin is a big hit in terms of search engine optimization because it frees a website from unnecessary JavaScript files, which cause a slow page loading time when loading.

Autoptimize

Costs: Free of charge (with paid extensions)
Autoptimize

💡Tip: You don’t feel like downloading the previous two plugins individually? Then you can simply get Autoptimize as an alternative – as a “combination plugin”.

What exactly makes the plugin GDPR-compliant?

Autoptimize not only optimises your website in terms of SEO, but also removes Google Fonts and WordPress.org emojis. Thus, there is no data transfer for website visitors to Google Fonts and WordPress.org.

GDPR advantages of Autoptimize

  • Removal of Google Fonts
  • Removal of Emojis
  • No transmission of visitor data to Google Fonts and WordPress.org (where the WP Emojis are hosted)

And what else does the plugin offer?

Did you know that the time spent on your website can drop rapidly after more than 3 seconds of loading time? No? Then you should definitely prick up your ears now 👂 Autoptimize was developed as a plugin to improve WordPress website performance and comply with data protection. The whole thing is done by minification.

In summary, minification is a process that removes all unnecessary characters from a code (e.g. spaces). The minimised file serves the same purpose as the original one, but it takes up less space, which can optimize the loading time of a website.

SEO advantages of Autoptimize

  • Compression of Javascript and CSS files
  • HTML-Minifizierung
  • Improving the loading time

Disadvantages of the plugin

  • Maybe not easy to understand at first go for WordPress newbies, as many technical terms are used.

Really Simple SSL

Costs: Free of charge (basic version)
Really Simple SSL

According to Article 5 and Article 32 of the General Data Protection Regulation, personal data must be processed in a way that ensures appropriate security of the data. For a website, this practically means: SSL encryption is mandatory!

Really Simple SSL is a plugin that enforces an SSL connection for your WordPress website (instead of an unencrypted connection) – and it’s super easy. You could also make the switch yourself, but then the whole thing is no longer so easy, because you would have to fight your way through the hoster settings, for example. Encryption is important in terms of compliance with data protection, but it also favours your site in Google’s ranking.

Advantages of the plugin:

  • Enforce an SSL connection without manually adjusting the .htaccess file or web server settings

Sendinblue

Costs: Free of charge (basic version)
Sendinblue

The GDPR has also taken the topic of email marketing under its wings. Stricter double opt-in rules apply to sometimes ensure the recipient’s explicit consent to receive the newsletter. Therefore, Sendinblue is widely regarded as a GDPR-compliant WordPress newsletter plugin.

Sendinblue is an all-round talent in the field of email marketing plugins, developed in the heart of Germany, right in the start-up metropolis of Berlin.

What the WordPress newsletter plugin offers among other things

  • Create custom registration forms
  • Manage contact lists
  • Create marketing campaigns
  • Statistics
  • Marketing automation
  • Easy set up
  • Drag-and-drop design Email builder with live previews
  • Compliance with GDPR requirements: Double opt-in procedure when signing up for the newsletter, right to rectification, right to be forgotten, right to portability, right to object, right of access and sample text for a privacy policy.

Delete Me

Costs: free of charge
Delete Me

I can register, yes? Why not let me unregister?

The WordPress plugin Delete Me allows users of your WordPress website to delete their account on their own via a link. All you have to do is use the shortcode [plugin_delete_me /].

Advantages of the plugin

  • Deletion of users incl. posts, comments and links
  • No manual deletion requests required, e.g. by e-mail or post letter

Is there THE best all-in-one GDPR plugin for WordPress?

Phew, quite a lot of plug-ins, you’re probably thinking. And the crazy thing is: the list could be even longer. Why is that? Well, every website is built individually, uses different media, services, cookies, etc., so measures for data protection compliance vary. Therefore, measures with regard to data protection compliance also vary.

But is there the ultimate all-in-one-ultimate-GDPR-WordPress-plugin?

Basically, it’s all in the mix. The perfect WordPress privacy plugin does not exist – at least not yet. Even though many developers have made this their task. However, the right mix of plugins can help you to make your WordPress website as compliant as possible with the GDPR.

Especially when it comes to processing personal data and setting cookies, it’s not easy to get along with the legislators and data protectors.

Since some people find it difficult to understand the sometimes very complex GDPR requirements in this regard and to implement them in practice, we have tackled precisely this with Real Cookie Banner.