WordPress websites do not automatically become DSGVO-compliant. Cookie Consent solutions and privacy texts are only part of the truth. This article as first part of a series illuminates the basics and gives practical tips for WordPress.


With the introduction of the basic data protection regulation (DSGVO) on 25.05.2018, the world on the Internet seemed to change. Suddenly, it seemed, had to many new provisions must be observed. In reality, important developments already took place in 2017, i.e. before the DSGVO was launched.

We are talking about judgments of the European Court of Justice (ECJ) and the Federal Court of Justice (BGH). Highest court decisions were issued by the ECJ and the Federal Supreme Court, that IP addresses represent personal data. Because these network addresses are inevitably transmitted each time a website is called up, each time a website is called up is like the exchange of a business card between the website visitor and the website operator.

If a website integrates Google Maps, for example, then things get even worse - at least from a privacy policy perspective. Because then the Visitor's business card of the website to Google at the same time. This cannot be prevented. It is not for nothing that the abbreviation IP in IP address for Internet Protocol.

On 16 July 2020, the ECJ gave a ruling on privacy shield. This informal data protection agreement between Europe and America was - not surprisingly - declared invalid. Any direct transfer of personal data from Europe to America is therefore illegal.

For websites this means: Tools from American providers may not be loaded without the consent of the website visitor! Before you start using a cookie popup: It's better to leave it alone, because these so-called Cookie Consent solutions do not work properly (details can be found in the second part of this article series). First tip: Use alternatives for Google tools or remove Google tools you don't really need wherever possible.

For example, Google Analytics requires the consent of the website visitor before the tool can be loaded. In addition, the Google tool collects so much data that you can't see the forest for the trees. Simply goes differently. Instead, you should use analysis tools like Trackboxxwhich do not require the consent of the user.

WordPress websites are particularly affected by the DSGVO. On the one hand this is due to the fact that WordPress uses mechanisms that Out Of The Box are not DSGVO-compliant.

An example of this is Gravatars. Hardly anyone needs them, but they're there. Furthermore, the well-known updates of the WordPress platform, but also of plugins, ensure constant changes to the website. These changes can potentially cause DSGVO violations again and again.

There are also WordPress themes that do things by their very nature that are not compatible with our data protection laws. This includes, for example, loading fonts from Google servers.

WordPress Tips

Deactivate Gravatars. This is because loading gravatars causes unauthorized tracking, i.e. the tracking of the user. This would require consent, which does not exist in WordPress. In the menu, click on Settings à Discussion and then scroll down in the configuration page that opens. There you make sure that Show avatars is deactivated:

Link for privacy policy must be available everywhere

The next tip: Each page of an Internet presence must contain a Link to the privacy policy ...to show. This also applies to the WordPress login page www.irgendeine-webseite.de/wp-admin. To ensure that the link to the privacy policy appears automatically, proceed as follows:

In the dashboard, select in the menu Settings the submenu Data protection off:

After that you enter the page that contains the privacy policy:

If you do not have such a page yet, you can easily create a new one here. Afterwards the WordPress login page looks like this:

The desired link to the privacy policy is therefore available.

If you want to do it right and also want to insert the link to the imprint, you have to proceed differently. Instead of the above procedure, you add a code to the file functions.php of the theme used:

add_action('login_footer', 'km_addition_to_login_footer');
function km_addition_to_login_footer() {
  echo '';

Instead of the references mentioned in the HREF attribute, the correct file paths for the imprint and privacy statement should be used. The result is then as follows:

This procedure is a little more complicated, but legally compliant. Because in principle also an imprint link on every page must be present. In any case, this applies to any business website. In business terms, a website is already considered to be a website if there is a profit-making intention, for example by using affiliate links. It is irrelevant here whether a profit is actually made!

The following code snippets must be included in functions.php of the current theme can be included. This technically somewhat demanding process is not possible for everyone, but should be possible for every good website maintainer.

Disable Emojis

To stop loading external resources for Emojis this code is helpful:

Remove //Emojis
remove_action('wp_head', 'print_emoji_detection_script', 7);
remove_action('wp_print_styles', 'print_emoji_styles');

These instructions ensure that the following code, only part of which is given here, disappears:

As you can see in the coding, a connection is established to a third party server (s.w.org), which is potentially located in a so-called unsafe third country (often the USA), which is outside of Europe. This is highly problematic since the Privacy Shield has been removed and is best avoided for a peaceful sleep.

DNS prefetch instructions

Who DNS prefetch instructions can erase this code in functions.php ...into the system:

add_filter('wp_resource_hints', function (array $urls, string $relation): array {
    // Disable DNS prefetch for all external URLs
    if ($relation !== 'dns-prefetch') {
        return $urls;
}, 10, 2);

This makes links like the following disappear:

For Google Fonts you have to additionally make sure that these are generally loaded locally or not at all. Often themes (like BeTheme or Avada) external fonts into the system, which represents an illegal data transfer to America. It is worth checking the theme settings and the functions.php of the theme.

If none of this helps, you have to take a closer look at the theme code itself and find the place where Google fonts are loaded. This is often done in CSS files, for example.

Conclusion and outlook

In the next part of this series of articles, we will go deeper and take a closer look at cookies and consenting tools. This much in advance: Cookie banners usually don't work and almost always leave behind illegal websites. IP addresses are at least as critical as cookies in terms of data protection. Those who only talk about cookies and cookie popups do not know the overall problem. The privacy policy is only one (relatively uncritical) component of a DSGVO-compliant website. Data protection generators are great nonsense in themselves.

Look forward to the next part in which these statements are explained and backed up with facts.

About Klaus Meffert

Klaus Meffert is a doctoral engineer and computer scientist. He is managing director of IT Logic GmbH and has been working intensively on data protection for websites since 2017. His main motivation for adhering to data protection rules is to protect the domestic economy. His concern is to point out solutions for this kind of data protection problems in order to constructively provide for DSGVO-compliant websites. For this purpose he has the Privacy Software wwwschutz developed for websites.

3 thoughts on “DSGVO-konforme WordPress Seiten (Teil 1)”

  1. According to the TMG, every page must have a link to the page Imprint, don't you think? So also on the LOGIN page.

    Is there a free alternative to Google Analytics that does not use cookies?

    1. Take a look at trackboxx.com. There is a free 30-day trial, and if you can benefit from it and also meet the requirements of the DSGVO, the different packages are affordable for what they can deliver.

Leave a Comment

Your email address will not be published. Required fields are marked *