How to make your WordPress website GDPR-exempt by eliminating user data collection

Posted on October 9, 2025 by admin

Under the EU’s General Data Protection Regulation (GDPR), websites that collect or process personal data (e.g., names, emails, IP addresses, or cookies) must provide a privacy policy and, in many cases, a cookie banner. However, if your WordPress website collects no personal data at all, you may be exempt from these requirements. This guide provides a step-by-step process to configure your WordPress site (running on Apache or Nginx) to avoid collecting any user or visitor data, ensuring GDPR compliance without needing a privacy policy or cookie banner.

  • Why eliminate data collection?
  • Prerequisites
  • Step 1: Disable comments
  • Step 2: Remove contact forms and user registration
  • Step 3: Disable cookies
  • Step 4: Disable analytics and tracking
  • Step 5: Configure your server to minimize data collection
  • Step 6: Use a static theme and minimize plugins
  • Step 7: Test your site
  • Step 8: Document your setup
  • Additional tips
  • Final checklist

Why eliminate data collection?

The GDPR defines personal data as any information relating to an identified or identifiable individual, including IP addresses, cookies, or form submissions. By ensuring your WordPress site collects none of this data, you can avoid GDPR obligations like privacy policies or consent banners. This is ideal for simple, informational sites that don’t require user interaction or tracking.

If a website is hosted in the EU, GDPR applies directly to the site operator as a data controller or processor. Even if hosted outside the EU, GDPR applies if the site targets EU residents (e.g., offering services, or tracking behavior).

Prerequisites

  • A WordPress website hosted on a server running Apache or Nginx.
  • Administrative access to your WordPress dashboard.
  • Access to your server’s configuration files (via SSH or a hosting control panel).
  • Basic understanding of WordPress settings and server management.

Step 1: Disable comments

WordPress comments collect personal data like names, email addresses, and IP addresses by default.

  1. Log in to your WordPress Admin Dashboard.
  2. Navigate to Settings > Discussion.
  3. Uncheck Allow people to submit comments on new posts to disable comments site-wide.
  4. Uncheck Allow link notifications from other blogs (pingbacks and trackbacks) on new articles to disable Trackbacks and Pingbacks.
  5. For existing posts:
    • Go to Posts > All Posts.
    • Select all posts, choose Edit from the bulk actions dropdown, and click Apply.
    • Set Comments to Do not allow and save changes.
  6. Delete existing data. To be thorough, go to Comments and delete all existing comments and trackbacks. If you have any user accounts, delete them (except your own administrator account).
  7. Verify by visiting a post on your site and ensuring no comment form appears.
  8. Optional: Use code to remove comment features entirely:

// In a must-use plugin or theme's functions.php
add_action('admin_init', function () {
    // Hide Discussion settings for clarity (it is a submenu of Settings)
    remove_submenu_page('options-general.php', 'options-discussion.php');
});

// Disable comments everywhere
add_action('init', function () {
    // Remove comment and trackback support from every post type
    foreach (get_post_types() as $pt) {
        remove_post_type_support($pt, 'comments');
        remove_post_type_support($pt, 'trackbacks');
    }
});

// Close comments on front-end
add_filter('comments_open', '__return_false', 20, 2);
add_filter('pings_open', '__return_false', 20, 2);
// Hide comments that are already stored
add_filter('comments_array', '__return_empty_array', 20, 2);

// Remove admin comment pages
add_action('admin_menu', function () {
    remove_menu_page('edit-comments.php');
});

// Remove comment-related widgets and dashboard items
add_action('widgets_init', function () {
    unregister_widget('WP_Widget_Recent_Comments');
});
add_action('wp_dashboard_setup', function () {
    remove_meta_box('dashboard_recent_comments', 'dashboard', 'normal');
});

Why? Comments collect personal data (e.g., IP addresses), which triggers GDPR requirements. Disabling them prevents this.

Step 2: Remove contact forms and user registration

Contact forms and user registration features collect personal data like names and emails.

  1. Remove contact forms:
    • Identify plugins like Contact Form 7, WPForms, or others that add forms.
    • Go to Plugins > Installed Plugins, deactivate, and delete these plugins.
    • Check your pages and posts (via Pages > All Pages or Posts > All Posts) for any embedded forms and remove them.
  2. Disable user registration:
    • Go to Settings > General.
    • Uncheck Anyone can register to prevent new user sign-ups.
    • If you have existing registered users, go to Users > All Users and delete non-essential accounts (keep your admin account for management).
  3. Remove widgets or shortcodes:
    • Check Appearance > Widgets and remove any widgets that collect data (e.g., newsletter sign-up forms).
    • Scan your site for shortcodes (e.g., [contact-form]) and remove them from pages or posts.
  4. Disable Gravatar:
    • In Settings > Discussion, turn avatars off. If your theme hardcodes avatars, remove those calls.

Why? Forms and user accounts collect personal data, requiring a privacy policy. Eliminating them avoids this.

Step 3: Disable cookies

Cookies, even for basic functionality, are often considered personal data under GDPR, especially if they track users.

  1. Check for cookie-setting plugins:
    • Go to Plugins > Installed Plugins.
    • Deactivate and delete plugins that set cookies (e.g., analytics plugins, social media sharing tools, or cookie consent plugins like CookieYes).
  2. Disable WordPress cookies:
    • WordPress sets cookies for logged-in users and commenters. Since you’ve disabled comments and user registration, no user cookies should be set.
    • To confirm, use your browser’s developer tools (e.g., Chrome’s DevTools > Application > Cookies) to check for cookies when visiting your site as a guest.
  3. Edit theme to remove cookie-setting scripts:
    • Go to Appearance > Theme File Editor (or use an FTP client to access wp-content/themes/your-theme/).
    • Check header.php, footer.php, or other theme files for scripts (e.g., tracking pixels or social media widgets) that set cookies.
    • Remove any such scripts (e.g., <script> tags for third-party services).
  4. Optional: Eradicate all cookies
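    • We can explicitly tell WordPress not to send any cookies to non-logged-in users.
      • FTP or SSH into your server.
      • Open (or create) a must-use plugin, i.e. a PHP file in wp-content/mu-plugins/, or your theme's functions.php. The snippet has to load after WordPress core: add_action() does not exist yet while wp-config.php is being read, so placing it there causes a fatal error.
      • Add the following code snippet:

        /**
         * Disable all cookies for non-logged-in users.
         */
        add_action( 'template_redirect', function () {
            if ( ! is_user_logged_in() ) {
                // Strip everything hooked into the page head and footer
                // (this includes enqueued styles and scripts).
                remove_all_actions( 'wp_head' );
                remove_all_actions( 'wp_footer' );
                // Drop any Set-Cookie headers already queued for this response.
                // (wp_clear_auth_cookie() would itself send expired cookies.)
                header_remove( 'Set-Cookie' );
            }
        }, PHP_INT_MAX );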

Why? Cookies, especially non-essential ones, require consent under GDPR. A cookie-free site avoids the need for a cookie banner.

Step 4: Disable analytics and tracking

Analytics tools like Google Analytics track visitor data (e.g., IP addresses), triggering GDPR obligations.

  1. Remove analytics plugins:
    • Deactivate and delete plugins like Google Analytics, MonsterInsights, or Jetpack (if analytics are enabled).
  2. Remove embedded analytics scripts:
    • Check Appearance > Theme File Editor for analytics code in header.php or footer.php (e.g., Google Analytics <script> tags).
    • Remove any such code.
  3. Embeds:
    • Avoid YouTube, Vimeo, Maps, social embeds. If essential, self‑host the media and serve it directly without external calls.
  4. Optional:
    • Block outbound requests in wp-config.php:
      define('WP_HTTP_BLOCK_EXTERNAL', true);
      define('WP_ACCESSIBLE_HOSTS', ''); // No exceptions

Why? Analytics collect personal data like IP addresses, requiring a privacy policy and often consent. Removing them eliminates this need.

Step 5: Configure your server to minimize data collection

Server logs on Apache or Nginx often capture IP addresses, which are considered personal data under GDPR.

For Apache:

Option 1: Via SSH

  1. Access your server:
    • Log in via SSH or your hosting control panel’s file manager.
  2. Modify Apache configuration:
    • Locate your Apache configuration file (e.g., /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf).
    • Find the LogFormat directive in the configuration file.
    • By default, Apache logs IP addresses in access logs (e.g., LogFormat "%h %l %u %t \"%r\" %>s %b" common).
    • To disable IP logging, customize the log format to exclude %h (the client IP). For example:
      LogFormat "%l %u %t \"%r\" %>s %b" noip
      CustomLog /var/log/apache2/access.log noip
    • Alternatively, disable access logging entirely by commenting out the CustomLog directive (add # before it).
  3. Disable error logs:
    • Error logs may also contain IP addresses. Comment out the ErrorLog directive if not needed for debugging.
  4. Restart Apache:
    • Run sudo systemctl restart apache2 (or httpd, depending on your system) to apply changes.

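Option 2: Via .htaccess file

  1. Edit your .htaccess file (located in your WordPress root directory).
  2. Add these lines to flag the requests that should be left out of the access log (static assets and requests from the server itself):

    SetEnvIf Request_URI "\.(css|js|ico|gif|jpg|jpeg|png|woff|ttf|svg|eot)$" dontlog
    SetEnvIf Remote_Addr "^127\.0\.0\.1$" dontlog

  3. CustomLog is not allowed in .htaccess (Apache accepts it only in the server or virtual host configuration), so apply the flag there by adding env=!dontlog to the CustomLog directive, for example with the noip format defined above:

    CustomLog /var/log/apache2/access.log noip env=!dontlog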

For Nginx:

  1. Access Your Server:
    • Log in via SSH or your hosting control panel.
  2. Modify Nginx Configuration:
    • Locate your Nginx configuration file (e.g., /etc/nginx/nginx.conf or /etc/nginx/sites-available/your-site).
    • Find the access_log directive (e.g., access_log /var/log/nginx/access.log;).
    • To disable IP logging, create a custom log format excluding the client IP ($remote_addr). For example:
      log_format noip '$time_local "$request" $status $body_bytes_sent';
      access_log /var/log/nginx/access.log noip;
    • Alternatively, disable access logging by setting access_log off;.
  3. Disable Error Logs (Optional):
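    • Nginx has no off value for error_log (error_log off; writes errors to a file named off). To discard error messages, set error_log /dev/null crit;, or keep the log and ensure it doesn’t capture IPs.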
  4. Restart Nginx:
    • Run sudo systemctl restart nginx to apply changes.

CDNs:

  • If you use a CDN like Cloudflare, it is likely logging IP addresses by default. You must log into your CDN’s dashboard and find the privacy settings to disable all logging or enable IP anonymization.

Why? Server logs capturing IP addresses are considered personal data processing under GDPR. Disabling or anonymizing logs avoids this.
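
A way to confirm that a changed log format really is IP-free (an added example, not part of the original guide): the script below tests every field of each log line for an IPv4 or IPv6 address. The sample lines are constructed with documentation-range addresses, and the third sample assumes a format that dropped the client IP field but still records a forwarded-for header, as can happen behind a CDN.

```python
import ipaddress
import re

# Split on whitespace, quotes, brackets and commas so every field (and every
# entry of a forwarded-for list) is tested on its own.
SPLIT = re.compile(r'[\s"\[\],]+')

def find_ips(line):
    """Return every token in `line` that parses as an IPv4 or IPv6 address."""
    hits = []
    for token in SPLIT.split(line):
        # Strip a trailing ":port" from IPv4 tokens such as 203.0.113.7:443
        candidate = re.sub(r'^(\d+\.\d+\.\d+\.\d+):\d+$', r'\1', token)
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue
        hits.append(candidate)
    return hits

def audit_log(lines):
    """Map 1-based line number -> addresses found; an empty dict means clean."""
    report = {}
    for number, line in enumerate(lines, start=1):
        hits = find_ips(line)
        if hits:
            report[number] = hits
    return report

# Constructed sample lines, not real traffic.
COMMON_FORMAT = [  # default "common" format, client address first
    '203.0.113.7 - - [09/Oct/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '2001:db8::1 - - [09/Oct/2025:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 901',
]
NOIP_FORMAT = [    # the Apache and Nginx "noip" formats from this step
    '- - [09/Oct/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    '09/Oct/2025:10:00:02 +0000 "GET /about/ HTTP/1.1" 200 901',
]
FORWARDED_LEAK = [  # assumed format: no client field, forwarded-for still logged
    '- - [09/Oct/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "198.51.100.23, 203.0.113.7"',
]

if __name__ == "__main__":
    for label, sample in (("common", COMMON_FORMAT), ("noip", NOIP_FORMAT),
                          ("forwarded", FORWARDED_LEAK)):
        print(label, audit_log(sample))
```

To check a live server, pass the lines of the real access log to audit_log() in place of the samples.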

Step 6: Use a static theme and minimize plugins

Dynamic themes or plugins may introduce data collection inadvertently.

  1. Choose a static theme:
    • Use a lightweight, static theme (e.g., Twenty Twenty-Three with no customizations) that doesn’t include tracking or dynamic features.
    • Go to Appearance > Themes, install a simple theme, and activate it.
  2. Minimize plugins:
    • Go to Plugins > Installed Plugins and deactivate/delete all non-essential plugins.
    • Avoid plugins for SEO, social sharing, or eCommerce, as they often collect data.
    • Disable or configure security plugins like Wordfence or Sucuri to NOT log IP addresses or store user activity logs.
    • If you use Jetpack, go to Jetpack > Settings > Traffic and disable “Site Stats”.
    • Delete plugins like WP GDPR Compliance, Cookie Notice, or Complianz.
    • If you use a caching plugin (e.g., WP Rocket, W3 Total Cache), check its settings for cookie options and disable them.
    • Remove all contact forms: Contact Form 7, WPForms, Gravity Forms. These explicitly collect personal data. The only alternative is to provide a simple mailto: email link on your contact page.
    • Remove social sharing: AddToAny, Monarch, etc. These load third-party scripts that set cookies.
    • Many backup services (like VaultPress) connect to your site and could potentially log data. Consider manual backups if you are truly committed.
  3. PHP sessions:
    • Ensure no plugin uses session_start().
  4. Verify theme files:
    • Check your theme’s files (wp-content/themes/your-theme/) for any hidden scripts or tracking code and remove them.
  5. Localize Google Fonts:
    • If you use Google Fonts, you must stop loading them from the Google servers.
    • Use a plugin like OMGF (Optimize My Google Fonts) or Local Google Fonts to download the font files and serve them from your own web host.
  6. Google Maps:
    • Do not use the standard iframe embed. It sets cookies. Only link out to the map on Google’s site.

Why? Many themes and plugins include tracking or data collection features. A minimal setup reduces this risk.

Step 7: Test your site

  1. Check for data collection:
    • Visit your site in a private browser window.
    • Use browser developer tools (e.g., Chrome’s DevTools > Application > Cookies) to confirm no cookies are set.
    • Check the Network tab to ensure no third-party requests (e.g., to analytics or ad networks) are made.
  2. Use online tools:
    • Use a tool like BuiltWith to scan your site for tracking scripts.
    • Blacklight (scans for trackers)
    • Cookie Checker
  3. Verify no forms or interactive elements:
    • Ensure no forms, comment sections, or registration options are available.
  4. Test server logs:
    • Check your server’s access logs (e.g., /var/log/apache2/access.log or /var/log/nginx/access.log) to confirm no IP addresses are recorded.

Why? Testing ensures your site is truly free of personal data collection.
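
The manual cookie and Network-tab checks above can also be scripted. The following is an added example, not part of the original guide: it takes the response headers and HTML of one guest page view and reports the cookies being set and the third-party hosts the browser would contact while rendering. The site host example.org and the sample response are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute the browser fetches without any user action.
# <a href> is deliberately absent: a plain link sends nothing until clicked.
FETCHING = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
            "source": "src", "video": "src", "audio": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    """Collect every auto-fetched URL found in a page."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]

def audit_response(site_host, raw_headers, html):
    """Return (cookie names set, sorted third-party hosts) for one response."""
    cookies = []
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookies.append(value.strip().split("=", 1)[0])
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlsplit(url).hostname  # None for relative (same-site) URLs
        if host and host != site_host:
            hosts.add(host)
    return cookies, sorted(hosts)

# Constructed guest response for a hypothetical site at example.org.
SITE_HOST = "example.org"
SAMPLE_HEADERS = ("HTTP/1.1 200 OK\nContent-Type: text/html\n"
                  "Set-Cookie: PHPSESSID=0123abcd; path=/\n")
SAMPLE_HTML = """
<link rel="stylesheet" href="/wp-content/themes/your-theme/style.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<iframe src="//www.youtube.com/embed/VIDEO_ID"></iframe>
<a href="https://www.google.com/maps">Find us on the map</a>
"""

if __name__ == "__main__":
    print(audit_response(SITE_HOST, SAMPLE_HEADERS, SAMPLE_HTML))
```

A site that passes Steps 1 to 6 returns two empty lists; here the PHP session cookie, the remote Google Fonts stylesheet and the YouTube iframe are reported, while the plain link to the map is not.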

Step 8: Document your setup

Even if your site collects no personal data, it’s good practice to document your configuration to prove GDPR compliance if questioned.

  1. Create a simple page (e.g., “Privacy”) stating:
    • Your site collects no personal data, uses no cookies, and does not track users.
    • Example: “This website is designed to collect no personal data, including IP addresses, cookies, or user inputs. No privacy policy is required as no personal data is processed.”
  2. Keep records of your server and WordPress configurations for reference.

Why? Documentation demonstrates your intent to comply with GDPR, even if no policy is needed.

Additional tips

  • Regular audits: Periodically review your site for new plugins, themes, or updates that might introduce data collection.
  • Hosting provider: Confirm with your hosting provider that they don’t add tracking or logging beyond your control. If they do, request they disable it or choose a GDPR-friendly host.
  • Static site option: For ultimate simplicity, consider converting your WordPress site to a static site (e.g., using a plugin like Simply Static) to eliminate dynamic data collection entirely.

Final checklist

Task | Done?
Disabled user registration | ☐
Disabled comments | ☐
Removed all contact forms | ☐
Removed analytics/tracking | ☐
Disabled cookies | ☐
Disabled server logging | ☐
Removed third-party embeds | ☐
Tested for data collection | ☐
