WordPress is not GDPR compliant out of the box, but getting there takes seven steps, not a rebuild. The end state: valid consent captured before trackers fire, every cookie documented, and a working process for data requests. Your privacy and cookie policy match what your site actually does. None of it requires a lawyer.
Is WordPress GDPR Compliant Out of the Box?
No. WordPress core added privacy tools in version 4.9.6 (May 2018): a privacy-policy Editing Helper and personal-data export and erase tools. It has no cookie-consent banner and does not block trackers, so the software gives you a head start, not compliance.
WordPress.org states this directly about its own tools:
These tools can help you with parts of that process, but they are not a compliance process in and of itself.
The Editing Helper only pulls text from WordPress core and participating plugins. It misses third-party embeds like YouTube, Google Maps, or your analytics provider. The export and erase tools have the same limit. They gather data from WordPress and participating plugins only, not from every third-party service your site touches.
Compliance is a property of your live site, its plugins, its embeds, and your processes, not of the WordPress software alone. A separate page on whether WordPress is GDPR compliant covers that distinction in full. This guide moves straight to the seven steps that close the gap.
What You Need Before You Start
The prerequisite most site owners skip is a complete inventory of what their site actually collects. Without it, you audit blind and miss the third-party services WordPress core can't see.
You need:
- Site owner or admin access. A developer helps but is not required for most steps.
- A focused afternoon. A simple brochure site takes 2 to 4 hours. A site running WooCommerce, multiple plugins, or several forms takes longer, mostly for the cookie audit in Step 2.
- A list of everything active. Every plugin, every theme, every embed (YouTube, Google Maps, a chat widget), every form, and every analytics or ad tag currently running on the site.
- A sense of where your visitors come from. EU and UK visitors trigger GDPR. If you have none, your obligations differ (see the FAQ).
- A cookie consent tool. Either a WordPress cookie plugin or a hosted consent platform. Either works; the requirements in Step 3 are what matters, not the brand.
- A privacy-policy generator. WordPress core has a basic one; dedicated generators cover more ground (Step 4).
- An SSL certificate. Most hosts include one free; confirm yours is active before you start.
Step 1: Confirm GDPR Applies and Update WordPress Core
GDPR applies if you process personal data from visitors in the EU, the EEA, or the UK. Your business location does not matter. A US-based blog with European readers is in scope.
Confirm two things before touching plugins. First, do you have EU, EEA, or UK visitors whose personal data you collect (via forms, comments, analytics, or cookies)? If yes, GDPR applies to that traffic. Second, is WordPress core, and every theme and plugin, updated? The built-in privacy tools require WordPress 4.9.6 or later; running an older version means those tools don't exist on your site yet.
Update checklist:
- Go to Dashboard > Updates and update WordPress core to the latest version.
- Update every active theme and plugin from the same screen.
- Confirm your WordPress version is 4.9.6 or higher (Dashboard > At a Glance shows the current version).
Skipping this step is common and costly. Ignoring GDPR fines is not a hypothetical risk. If you want the fuller regulatory picture before you continue, what GDPR requires covers the law itself in depth.
Step 2: Audit Every Cookie, Tracker, Plugin, and Embed
A cookie audit means listing every cookie, tracker, script, and third-party embed your site sets. You cannot get consent right for something you haven't found. Skipping this step is the single most common reason WordPress GDPR setups fail later.
The generic method:
- List every active plugin and theme, then check each one's documentation for what data it collects.
- Open your site in a private browser window and inspect cookies via DevTools (Application > Cookies in Chrome or Firefox).
- Note every third-party embed: YouTube videos, Google Maps, Gravatar avatars in comments, social share buttons, chat widgets.
- List every analytics and ad tag: Google Analytics, Meta Pixel, Google Ads conversion tracking.
- Flag WooCommerce checkout, cart, and session cookies separately. These are functionally necessary and should be marked Essential so orders aren't blocked later.
If a manual audit sounds error-prone, a scanner does it for you. Consently crawls your site on install and detects the cookies, trackers, scripts, and iframes it finds. It updates your banner categories automatically, so you are not maintaining the list by hand.
Done: you have a written list of every cookie, tracker, script, and embed on your site, each one categorized (essential, analytics, advertising, or unclassified). For the full audit methodology, see how to run a full cookie audit.
Step 3: Add a Cookie Consent Banner That Blocks Trackers Before Consent
A GDPR-valid cookie banner requires opt-in consent for EU visitors. No pre-ticked boxes, an equally prominent accept and reject option, granular categories, and non-essential cookies blocked until the visitor consents.
A banner that only records "the visitor clicked something" is not enough. The requirements:
- Opt-in by default for EU and UK visitors. No cookies fire until the visitor actively accepts.
- Equal prominence for accept and reject. A banner that makes "Reject" hard to find or a different color than "Accept" is not valid consent.
- Granular categories. Visitors choose analytics, advertising, and functional cookies separately, not an all-or-nothing toggle.
- Blocking before consent, not after. Scripts and iframes must not load until the visitor consents. This is where many free WordPress cookie plugins fail: they display a banner but let Google Analytics or a tracking pixel fire immediately on page load regardless of the visitor's choice.
- A consent record. Timestamp, visitor choice, and what was shown, kept for your own audit trail.
- Withdrawal. A way for visitors to change their mind later, usually a small floating icon.
You can implement this with a WordPress plugin or a hosted script; the requirements above apply either way. Consently is one way to do this without adding another plugin to maintain. Paste a single script into your WordPress header, and it shows a customizable GDPR opt-in banner. It auto-blocks non-essential cookies, scripts, and iframes until the visitor consents. It also passes those choices to Google Consent Mode v2 and IAB TCF 2.3, and logs every consent for your records. Because it runs as a hosted script rather than a plugin, it works on any WordPress theme or host.
Done: your banner shows opt-in choices to EU and UK visitors, blocks non-essential cookies until consent, and logs every choice. For the branded WordPress walkthrough, see set up cookie consent on WordPress. For the blocking mechanism specifically, see how to block cookies before consent. For the generic, tool-agnostic version of this step, see how to add a cookie banner.
Step 4: Publish a Privacy Policy and a Cookie Policy
GDPR requires a clear privacy policy: what data you collect, why, your legal basis, how long you keep it, and who you share it with. It must also explain how visitors exercise their rights. In practice, you also need a cookie policy listing the specific cookies your site uses.
WordPress core has a starting point. Go to Settings > Privacy to build a privacy policy page from the built-in Editing Helper. It pulls default text describing how WordPress core, your theme, and your plugins collect data, and gives you prompts based on GDPR's requirements.
That starting point has a hard limit. WordPress states about its own tool:
This tool ONLY collects policy help texts from WordPress and participating plugins.
It misses third-party embeds, your analytics provider, and any service that isn't a WordPress plugin. Treat the generated text as a draft, not a finished policy.
A policy generator that also scans your site can fill those gaps. Consently generates cookie, privacy, and terms policies from templates and keeps them updated as your cookies change. The policy reflects what your scanner actually found, not what a generic template assumes.
Done: your privacy policy page is published and names every category of data you collect, and a cookie policy lists your actual cookies by category. Go deeper with how to create a privacy policy or use a cookie policy template.
Step 5: Add Consent to Your Forms and Comments
Any form that collects personal data needs an unticked, explicit consent checkbox linked to your privacy policy. This covers contact forms, newsletter signups, registration, and WooCommerce checkout. WordPress comments need the same treatment.
For comments: go to Settings > Discussion, find "Other comment settings," and enable the comment cookies opt-in checkbox. This shows commenters an unticked box asking them to consent before their name, email, and website are saved in a cookie.
For forms: most WordPress form plugins (Contact Form 7, WPForms, Gravity Forms) include a GDPR field type or setting. Add an unticked checkbox with wording such as "I consent to my submitted data being collected and stored," and link it to your privacy policy. Turn off any setting that stores the visitor's IP address by default unless you have a lawful basis for it.
For WooCommerce: go to WooCommerce > Settings > Accounts and Privacy and review the personal-data retention options for orders, accounts, and inactive accounts.
This is one area where a cookie consent banner and a form-consent checkbox do different jobs. A banner covers cookies and trackers; it does not add a consent field inside your contact form. Set up both separately.
Done: every form on your site that collects personal data has an unticked consent checkbox, and the comment opt-in is enabled under Settings > Discussion.
Step 6: Let Visitors Access, Export, and Delete Their Data
GDPR gives visitors the right to access, receive a copy of, and request deletion of their personal data. WordPress core has built-in tools for both requests.
To handle a data access or export request: go to Tools > Export Personal Data, enter the requester's email, and send a confirmation request. Once the visitor confirms by email, you approve the request and WordPress generates a ZIP file of their data for download.
To handle a deletion request: go to Tools > Erase Personal Data, enter the email, and follow the same email-confirmation flow. Once confirmed and approved, WordPress permanently removes that data from the database.
Two limits matter here. First, both tools only gather data from WordPress core and participating plugins. A request may need manual follow-up for data held by your analytics provider, email service, or ad partner. Second, erasing a user's personal data does not automatically delete their registered user account. Do that separately from the Users menu if the request covers full account removal. Deletion is also not absolute. You can retain data you're required to keep for legal or tax reasons, such as invoice records.
Done: you can process an access or deletion request end to end using WordPress core tools. You also know which requests need manual follow-up outside WordPress. For more on the underlying rights, see data subject rights. For the full request-handling procedure, see how to respond to a data subject request.
Step 7: Secure Your Site, Hosting, and Third-Party Transfers
GDPR requires appropriate security for personal data and a lawful basis for transferring it outside the EU. On WordPress, that means HTTPS, a host willing to sign a data processing agreement, self-hosted fonts, and Standard Contractual Clauses for non-EU tools.
- HTTPS everywhere. Encrypt data in transit between visitor browsers and your server. Most hosts issue a free SSL certificate; confirm it's active and that HTTP redirects to HTTPS.
- A host that signs a DPA. Your hosting provider processes data on your behalf, so it needs a Data Processing Agreement in place. Add Standard Contractual Clauses if your host or its infrastructure sits outside the EU.
- Self-host Google Fonts. Loading Google Fonts from Google's servers transmits visitor IP addresses to Google. Download the font files and serve them from your own site instead.
- Review every third-party tool. Email marketing platforms, payment gateways, and analytics providers all need their own DPA if they process personal data on your behalf.
One aside on this step: Consently hosts consent data in the EU (Frankfurt) and provides a DPA on request. That covers the consent layer specifically, not your hosting or other third-party tools.
Done: your site runs on HTTPS, and your host has signed a DPA. Google Fonts, if used, load from your own server, and you've reviewed the DPA status of every third-party service in your stack.
Common WordPress GDPR Mistakes to Avoid
The single most damaging mistake is assuming one plugin, or WordPress core itself, makes a site compliant on its own. Compliance is a process across your plugins, your policies, and your third-party services, not a switch you flip once.
- Assuming a plugin or WordPress core equals compliance. WordPress's own documentation says its built-in privacy tools "are not a compliance process in and of itself". Treat every tool, including a CMP, as one part of a documented process, not the whole answer.
- A banner that loads trackers before consent. Many free WordPress cookie plugins display a banner but let Google Analytics or a pixel fire on page load regardless of the visitor's choice. Test this yourself: open your site in an incognito window with the banner un-accepted, check DevTools Network tab, and confirm no analytics or ad requests fire.
- Pre-ticked consent boxes or accept-only banners. A checkbox that starts ticked, or a banner with no visible reject option, produces invalid consent under GDPR. Boxes stay unticked by default; accept and reject get equal visual weight.
- Loading Google Fonts, Gravatar, or YouTube embeds that leak visitor IPs. Each of these can transmit visitor IP addresses to a third party before consent. Self-host fonts and block embeds until the visitor consents.
- Forgetting form and comment consent. A compliant cookie banner does not add a consent checkbox to your contact form. Add unticked checkboxes to every form separately, and enable the comment opt-in under Settings > Discussion.
FAQs
Is WordPress GDPR compliant by default?
No. WordPress core includes privacy tools since version 4.9.6, but it has no cookie-consent banner and does not block trackers before consent. The software alone does not make a site compliant.
Do I need a plugin to make WordPress GDPR compliant?
For cookie consent, yes. WordPress core has no built-in consent-banner tool. You need either a WordPress cookie plugin or a hosted consent platform to capture and log opt-in consent.
Does GDPR apply to my WordPress site if I am based in the US?
Yes, if you process personal data from visitors in the EU, the EEA, or the UK. GDPR applies based on where your visitors are, not where your business is registered.
How much does it cost to make a WordPress site GDPR compliant?
WordPress's built-in privacy tools, SSL from most hosts, and the export and erase tools are free. The consent tool is usually the only paid line item. It ranges from free WordPress plugins to hosted platforms from roughly 8 to 20 USD per month. Cost scales with the number of sites and monthly pageviews you cover.
Can one plugin make my WordPress site fully GDPR compliant?
No single plugin covers everything. A cookie consent plugin handles banners and blocking. You still need a privacy policy, form and comment consent, data-request handling, and security measures, each addressed separately.
Do I need a cookie banner if I only use Google Analytics?
Yes. Google Analytics sets non-essential cookies that require visitor consent under GDPR, even if it's the only tracking tool on your site.
Is the WordPress privacy policy generator enough for GDPR?
No. WordPress states its Editing Helper "ONLY collects policy help texts from WordPress and participating plugins". It misses third-party services like your analytics or email provider. Use it as a starting draft, then add what it misses.
How do I make a WooCommerce store GDPR compliant?
Follow the same seven steps. Then go to WooCommerce > Settings > Accounts and Privacy to set data-retention rules for orders and accounts. Mark checkout, cart, and session cookies as Essential so orders and product pages aren't blocked by your consent banner. For the equivalent guide on another platform, see how to make Shopify GDPR compliant. For the broader legal landscape across cookie laws, see how to comply with cookie laws.
Steps 2, 3, and 4 are the ones that eat your afternoon: finding every cookie, blocking trackers until consent, and writing the policies. Consently does those three from one paste-in script. It scans your WordPress site and blocks non-essential cookies and scripts until visitors opt in. It also passes consent to Google Consent Mode v2 and generates your cookie, privacy, and terms policies. Try Consently Free and get the banner live before you finish the rest of the checklist.

