WordPress GDPR 2026: compliance + checklist


WordPress powers nearly 40% of all websites worldwide, from blogs to WooCommerce stores. But installing WordPress does not make your site GDPR-compliant. On a self-hosted site (WordPress.org), you, the publisher, are the data controller under the General Data Protection Regulation. WordPress.org only provides the software; your host and each of your plugins act as processors. Your national data protection authority will hold you, not them, accountable, and fines can reach €20 million or 4% of global annual turnover.

Start by scanning your site for free with our GDPR compliance scanner to identify what needs fixing. This article explains what WordPress does and does not do for your compliance, the obligations you must meet yourself, the most common mistakes, and how to make your site compliant quickly.

What WordPress does (and does not do) for compliance

What WordPress provides

The WordPress core includes a few privacy-related features:

  • A privacy policy template: a generic draft under Settings → Privacy. It is a basic skeleton, not tailored to your activity.
  • Data-subject rights tools: under Tools → Personal Data, you can export or erase a user’s data to handle access and deletion requests (Articles 15 and 17 GDPR).
  • A comment consent checkbox: enabled by default, but it only concerns storing the commenter’s details — it is not a cookie banner.

What WordPress does NOT provide

WordPress is free software: it signs no contract with you and does not write your legal documents. The following are entirely your responsibility:

  • A Data Processing Agreement (DPA) under Article 28 — it comes from your host and from each plugin, not from WordPress.org.
  • A compliant cookie banner (the native comment checkbox is not one).
  • Your tailored privacy policy, cookie policy, terms of use, terms of sale and legal notice / imprint.
  • Handling of Google Consent Mode v2, now essential if you use Google Analytics 4 or Google Ads.

The 5 GDPR obligations for your WordPress site

1. Publish a complete privacy policy

Articles 13 and 14 GDPR require transparent information. Your policy must detail the controller’s identity, the purpose of each processing activity, the legal bases, the recipients (your host and all third-party plugins), retention periods and data-subject rights.

2. Install a compliant cookie banner

Refusing must be as easy as accepting (equally prominent “Accept” and “Reject” buttons), non-essential trackers must not be set before consent, and users must be able to change their choices at any time. If you use Google Analytics 4 or Google Ads, your banner must also transmit Consent Mode v2. Rather than stacking plugins, you can install our free GDPR cookie banner — no page-view limit, no subscription.
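To show what “no trackers before consent” and “transmit Consent Mode v2” mean in practice, here is an added example (not WordPress core and not any banner plugin's code) that models the Consent Mode v2 signals with the standard `gtag` shim, gates tag loading on them, and audits the recorded `dataLayer`; `inject`, the tag table and the choice names are assumptions for illustration.

```javascript
// Added example, not WordPress core or any plugin's code: a minimal consent
// gate modelling Google Consent Mode v2 signals. `inject` is a hypothetical
// callback; in a browser it would append the tag's <script> element.
const dataLayer = [];                                       // what gtag.js reads
function gtag() { dataLayer.push(Array.from(arguments)); }  // standard gtag shim

const CONSENT_TYPES = ['ad_storage', 'ad_user_data',
                       'ad_personalization', 'analytics_storage'];
// Which consent signal each non-essential tag depends on (constructed table).
const TAGS = { ga4: 'analytics_storage', google_ads: 'ad_storage' };

// Step 1, before any tag loads: every signal starts as denied. wait_for_update
// gives the banner a short window to report a stored choice before tags fire.
function setDefaultDenied() {
  const state = Object.fromEntries(CONSENT_TYPES.map(t => [t, 'denied']));
  gtag('consent', 'default', { ...state, wait_for_update: 500 });
  return state;
}

// Step 2: map the banner choice to an update. "Reject all" is a single click,
// exactly like "Accept all"; an unknown choice grants nothing.
function applyChoice(choice) {
  const granted = choice === 'accept_all' ? CONSENT_TYPES
                : choice === 'analytics_only' ? ['analytics_storage'] : [];
  const state = Object.fromEntries(
    CONSENT_TYPES.map(t => [t, granted.includes(t) ? 'granted' : 'denied']));
  gtag('consent', 'update', state);
  return state;
}

// Step 3: load only the tags whose signal is granted; returns what was loaded.
function loadTags(state, inject) {
  return Object.entries(TAGS)
    .filter(([, signal]) => state[signal] === 'granted')
    .map(([tag]) => { inject(tag); return tag; });
}

// Step 4: self-check of the recorded dataLayer for the blocking model this
// page describes: the consent default must be the very first call, and no
// tag 'config' may appear before a consent update.
function auditDataLayer(layer) {
  const problems = [];
  const firstDefault = layer.findIndex(e => e[0] === 'consent' && e[1] === 'default');
  if (firstDefault !== 0) problems.push('consent default is not the first call');
  const firstUpdate = layer.findIndex(e => e[0] === 'consent' && e[1] === 'update');
  layer.forEach((e, i) => {
    if (e[0] === 'config' && (firstUpdate === -1 || i < firstUpdate))
      problems.push(`tag ${e[1]} configured before any consent update`);
  });
  return problems;
}
```

Run `auditDataLayer(window.dataLayer)` in the browser console of a real page to see whether a tag was configured before any consent update; a non-empty result is the mistake the banner is supposed to prevent.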

3. Map your plugins (your processors)

Every plugin that accesses your visitors’ data is an additional processor under the GDPR. Your privacy policy must reflect them, and you must ensure each one offers guarantees (DPA, data location). This is what sets WordPress apart: the flexibility of plugins is also your main attack surface.

4. Publish a legal notice / imprint

Most jurisdictions require an identifiable publisher (legal notice / imprint): the operator’s identity, address and contact details. A missing legal notice exposes you to complaints and penalties.

5. Keep a record of processing activities

Article 30 GDPR requires you to document your processing: purposes, data categories, recipients and retention periods.

The most common mistakes on WordPress

  • Mistaking the comment checkbox for a cookie banner: two different things. Without a real banner, your analytics and advertising cookies are set without valid consent.
  • Installing Google Analytics without Consent Mode v2: GA4 then drops trackers before any consent — a direct breach.
  • Leaving the default privacy policy: the generic skeleton reflects neither your real processing nor your plugins.
  • Installing plugins and forgetting them: every active plugin storing data increases your risk. Uninstall the ones you no longer use.
  • Not signing your host’s DPA: the processing relationship must be governed under Article 28.
  • Forms without a legal basis: a contact or newsletter form (Contact Form 7, WPForms…) needs a legal basis and a privacy notice.

WordPress plugins and the GDPR

The plugin ecosystem is WordPress’s great strength, but every plugin touching visitor data becomes a processor. Audit these first:

  • Forms: Contact Form 7, WPForms, Gravity Forms — check the legal basis and retention.
  • Analytics: Google Analytics 4, Matomo — couple with consent and Consent Mode v2.
  • Cookie management: dedicated plugins such as Complianz, CookieYes or Real Cookie Banner — verify they block scripts before consent.
  • E-commerce: WooCommerce adds consumer-law duties (right of withdrawal, terms of sale).
  • Newsletter and page builders: Mailchimp, Brevo, Elementor — beware third-party scripts loading before consent.

Many of these plugins are published by US companies: check that non-EU transfers are covered by the Data Privacy Framework or standard contractual clauses (Schrems II).

How to make your WordPress site compliant

Four routes lead to your legal documents:

Hire a lawyer (€500–2,000): bespoke and expert, but costly and slow.

Use free templates (€0, high risk): generic, often outdated and never adapted to your plugins or activity.

Use a generic AI (ChatGPT): plausible drafts that omit mandatory clauses and create inconsistencies between your documents.

Use a specialised legal generator (€19.90–€49.90): the WebLegal legal document generator produces your 4 documents (privacy policy, cookies, terms of use, terms of sale) in under 10 minutes, with guaranteed consistency. The guided form asks about your plugins, analytics tools and activity to produce documents that genuinely fit your WordPress site.

Running an online store? See also our WooCommerce GDPR and PrestaShop GDPR guides.

Conclusion

Using WordPress does not exempt you from your GDPR obligations. As the data controller, you must ensure your privacy policy, cookie banner, terms and legal notice are compliant — and that your plugins do not drop trackers before consent. WordPress provides building blocks, but they are not enough. In 2026, compliance is no longer optional. Don’t wait for a complaint: generate your compliant documents for WordPress in under 10 minutes.