No, WordPress is not GDPR compliant out of the box. The core CMS ships useful privacy tools since version 4.9.6: a privacy-policy generator, data export and erasure tools, and a comment consent checkbox. But it ships no cookie consent banner and blocks no third-party scripts. WordPress.org states plainly that these tools "are not a compliance process in and of itself." Compliance is the site owner's responsibility.
Below: what WordPress core actually provides, why that falls short, how to close the gaps, and whether GDPR applies to your WordPress site.
Is WordPress GDPR Compliant? The Short Answer
WordPress is not GDPR compliant by default. It is a platform you can make compliant, but the work belongs to you, the site owner, not to WordPress.
WordPress 4.9.6, released in May 2018, added built-in privacy tools: a privacy-policy generator, data export and erasure request handling, and a comment consent checkbox. These are meaningful starting points. But the platform ships no cookie consent banner. It does not block third-party tracking scripts before a visitor consents. WordPress.org is explicit on this point. The tools "are not a compliance process in and of itself", its documentation says.
On most real WordPress sites, plugins, themes, analytics, embedded fonts, and contact forms all collect personal data or set tracking cookies. WordPress core cannot find them, cannot block them, and does not know they exist. Making the site compliant requires additional steps the owner must take.
WordPress is one tool in a broader stack; the rest of your tech stack needs the same compliance review.
What WordPress Core Already Gives You (Since Version 4.9.6)
WordPress 4.9.6 added a small set of privacy tools. They cover WordPress core and plugins that opt into the system, but they do not cover third-party services. They do not add a consent banner of any kind.
The table below shows what each built-in tool does and where it stops.
| WordPress core tool | What it does | What it does NOT do |
|---|---|---|
| Privacy Policy generator | Drafts a starter policy page, pulls disclosures from core, theme, and participating plugins | Detect third-party data flows; finish the policy for you |
| Export Personal Data | Exports data WordPress and participating plugins hold, on a verified request | Cover analytics, email, or ad-partner data held outside WordPress |
| Erase Personal Data | Deletes data WordPress and participating plugins hold | Cover data held by external services |
| Comment consent checkbox | Lets a commenter opt in to a cookie that saves their details | Manage cookie consent or block any tracking script |
The Privacy Policy Generator
Under Settings > Privacy, WordPress creates a draft privacy-policy page and pre-populates it with suggested content. The "Editing Helper" tab pulls disclosure text from WordPress core, your active theme, and any plugins that register with the system.
The limitation is significant. The helper "ONLY collects policy help texts from WordPress and participating plugins", WordPress.org states. Many sites also embed third-party tools, such as email subscription services. Those "collect data in ways the Editing Helper tool cannot detect", per the same documentation.
The generator produces a starting template, not a finished policy. WordPress also says outright: "It is your responsibility to write a comprehensive privacy policy." A template is not a policy.
Data Export and Erasure Tools
Under Tools > Export Personal Data and Tools > Erase Personal Data, WordPress handles data-subject access and deletion requests. A visitor submits a request by email. An administrator confirms it. WordPress then collects available data from core and participating plugins and exports or erases it.
These tools fulfill the GDPR's subject-rights obligations (the "right of access" and "right to erasure") for data WordPress itself holds. They do not cover data held by Google Analytics, your email marketing platform, or any third-party service that receives visitor data separately from WordPress.
The Comment Consent Checkbox
WordPress adds an opt-in checkbox to the default comment form. When a visitor ticks it, WordPress saves their name, email, and website in a browser cookie for future comments.
This is the only consent control core ships. WordPress.org is direct about the gap: the platform "does not yet have consent tools built" for cookies more broadly. For that, it points owners to the "various plugins available to help in collecting consent", its words.
Why WordPress Is Not GDPR Compliant Out of the Box
The built-in tools cover only a fraction of what GDPR (and the ePrivacy Directive) requires for a typical WordPress site.
A real WordPress site runs themes, plugins, analytics, advertising pixels, embedded fonts, contact forms, and social embeds. Every one of these can set cookies or send visitor data to third-party servers before the visitor has agreed to anything. WordPress core has no mechanism to find these, let alone block them.
The gaps are concrete:
- No cookie consent banner. WordPress core ships nothing to inform visitors about non-essential cookies or to request their consent.
- No pre-consent script blocking. Third-party tracking scripts fire on page load. A banner that shows up while tracking is already running is not compliant. Scripts must be blocked until consent is given.
- The privacy-policy generator is a template, not a finished policy. It cannot detect or disclose data flows from third-party tools.
- No Data Processing Agreements. Every external service that processes EU visitor data (your host, analytics provider, email platform) requires a signed DPA. WordPress does not arrange these for you.
- No consent records for third-party tools. Consent logs for tools outside WordPress core are not captured.
Pantheon's WordPress compliance learning center states it plainly: "No WordPress plugin makes your site fully GDPR compliant. Every credible plugin author says so in their own documentation."
It is also worth distinguishing two laws here. The ePrivacy Directive (sometimes called the "cookie law") is what specifically requires a cookie consent banner for non-essential cookies. GDPR sets the standard for what valid consent means. Both apply simultaneously. You cannot blame the absence of a banner on GDPR alone; the ePrivacy Directive is the direct source of that obligation.
Is the WordPress Software Compliant, or Is Your Site Compliant?
The confusion here is genuine, and it has two correct answers.
The WordPress software (the CMS codebase itself) is built to be privacy-aware. It does not collect visitor analytics, does not run advertising by default, and does not sell user data. In isolation, the software's own data processing can satisfy GDPR. That is what people mean when they say "WordPress is GDPR compliant."
Your specific WordPress site is a different question. Install plugins, activate a theme with Google Fonts, or connect Google Analytics, and your site starts sharing personal data WordPress core never introduced. Those integrations are your choices. Their compliance is your responsibility.
WordPress.com adds one useful distinction. As a hosted platform, it handles more of the infrastructure layer: server security, data residency, and platform-level commitments. But it still puts configuration on the owner. Its support guide says that "as a site owner, you are responsible" for the plugins you install. Each plugin must handle "data in a way that is in line with the GDPR", the guide adds.
The software being compliant does not make your configured site compliant. The gap is always in what you add to it.
How to Make a WordPress Site GDPR Compliant: The Checklist
You can close the compliance gaps with a focused checklist. None of these steps require legal expertise, but no single plugin completes all of them.
Add a Cookie Consent Banner That Blocks Scripts Before Consent
This is the most common gap and the most important one to address first.
A consent banner must do two things: inform visitors about non-essential cookies and block the scripts that set those cookies until the visitor consents. A banner that displays a notice while tracking scripts are already running is not compliant. Under the ePrivacy Directive, non-essential cookies (analytics, advertising, and preference cookies) require prior consent. They cannot fire first and ask permission second.
I know site owners resent cookie banners. Even practitioners who install them for a living describe them as "a useless annoyance." But for any site reaching EU visitors, they are not optional. An articles-and-ads site still needs one, because Google Analytics and ad cookies are non-essential and require consent before they load.
The "how to choose and set up a banner" question is a separate topic. For a WordPress-specific breakdown, see cookie consent for WordPress.
Audit Your Plugins, Themes, and Embeds for Hidden Data Collection
Every plugin and theme can introduce cookies or send data externally. Run a full audit:
- Analytics: Configure analytics to minimize data collection. Anonymize IP addresses where possible. Switch to cookieless analytics where the measurement gap is acceptable.
- Advertising pixels: Ad trackers like the Meta Pixel set cookies the moment they load. They require pre-consent blocking.
- Embedded fonts: Google Fonts loaded from Google's servers send the visitor's IP address to Google. Self-host fonts or load them after consent.
- Contact and subscription forms: Forms collect personal data directly. They need a clear statement of purpose and, where applicable, explicit consent.
- Social embeds: YouTube, Twitter, and Facebook embeds set third-party cookies before the video plays. Use facade loaders or block them before consent.
- E-commerce plugins: WooCommerce and similar tools set session, cart, and purchase-tracking cookies. Categorize and disclose each one.
The same questions apply to other platforms like Shopify, not just WordPress. Each platform's plugin ecosystem creates its own data-flow surface.
Publish a Privacy Policy and a Cookie Policy
Use the WordPress privacy-policy generator as a starting point under Settings > Privacy. Then extend it to cover every data flow on your site: analytics, advertising, email marketing, third-party CDNs, and any other service that receives visitor data.
Add a separate cookie policy that lists each cookie by name, category, purpose, and expiry. The WordPress generator does not produce this automatically. Your consent banner should link to it.
Handle Form and Comment Consent
Contact forms, newsletter subscription forms, and registration forms collect personal data. Each needs a clear statement of what the data is used for. Where consent is the lawful basis, add an explicit opt-in checkbox. WordPress core adds the comment consent checkbox automatically for the default comment form. Forms added by plugins need their own consent fields, which most form plugins support through dedicated settings.
Secure Your Data and Sign DPAs With Your Host and Vendors
GDPR classifies your hosting provider as a data processor. Choose a host with GDPR-compliant data processing practices and a data center in the EU or a country with an adequacy decision. Enable HTTPS on your site. Sign a Data Processing Agreement with your host. Every external service that receives EU visitor data (analytics platform, email provider, CDN) also requires a signed DPA.
Keep a documented process for honoring access and deletion requests. The WordPress export and erasure tools handle requests for data WordPress holds; you need a separate process for data held by external services.
Does GDPR Even Apply to My WordPress Site?
GDPR applies based on whose data you process, not where you are located.
If your WordPress site reaches EU or EEA visitors and you collect their personal data, GDPR likely applies. That includes IP addresses captured by analytics, and it includes US-based site owners. GDPR Article 3(2) extends the regulation to any organization offering goods or services to EU residents. It also covers organizations monitoring EU residents' behavior, regardless of location.
TrustArc, a privacy-law resource, states: "GDPR's extraterritorial reach means that U.S. businesses are not exempt from its requirements."
The practical rule is simple. Assume GDPR applies to your WordPress site unless you actively block all EU visitors, which almost no one does. If your site uses Google Analytics, runs ads, or has a contact form EU visitors can reach, you are almost certainly in scope.
How Consently Makes WordPress GDPR Compliance Simple
Consently adds the consent layer that WordPress core leaves out. It scans the site for cookies and trackers, blocks non-essential ones until visitors consent, logs that consent, and generates the policies the compliance workflow requires.
Installing Consently on WordPress takes a single step. It is available as an official WordPress plugin or a one-line script you paste into your theme's header. On install, automatic cookie scanning crawls the site and detects the cookies, scripts, and iframes that themes, plugins, and third-party embeds set. As Consently's homepage states: "We find every cookie, so you don't have to!"
The compliance mechanics work in two directions. A GDPR opt-in banner blocks all non-essential cookies, scripts, and iframes before a visitor makes a choice. For US visitors, an automatic geotargeting rule switches to a CCPA opt-out banner instead. After a visitor consents, consent is logged with timestamps and category details for regulatory audit. Choices pass to Google via Consent Mode v2 with IAB TCF v2.3 signaling, so analytics and ad measurement continue within the bounds the visitor set.
Three policy generators (cookie policy, privacy policy, and terms and conditions) produce the legal pages the workflow needs and embed them directly on your site.
Consently handles the consent and policy layer. It is not a legal advisor, a DPA negotiator, or a host security tool. Hosting choices, vendor DPAs, and legal review remain the site owner's work. But the banner, the blocking, the consent records, and the policies: those are covered from the first scan.
Start your 14-day free trial at Consently and see what your WordPress site is actually setting before anyone has agreed to anything.
FAQs
Is WordPress GDPR compliant by default?
No. WordPress core ships privacy tools (a policy generator and data export/erase tools) since version 4.9.6, but no cookie consent banner and no pre-consent script blocking. Making a WordPress site GDPR compliant is the site owner's responsibility, not WordPress's default state.
Do I need a plugin to make WordPress GDPR compliant?
Yes, in practice. WordPress.org states that WordPress "does not yet have consent tools built" and directs site owners to plugins for consent collection. You need a consent management solution to show a banner, block non-essential scripts before consent, and log consent records.
Is the WordPress privacy policy generator enough for GDPR?
No. The generator creates a starter template and pulls some disclosure text from participating plugins, but WordPress states it is your responsibility to complete the policy. The tool cannot detect data flows from third-party services like analytics platforms, email tools, or ad networks.
Does GDPR apply to my WordPress site if I am based in the US?
Usually yes, if EU or EEA visitors can reach your site and you process their personal data. GDPR's extraterritorial scope (Article 3(2)) means US-based site owners are not automatically exempt. If your site collects analytics or runs any form EU visitors can access, assume GDPR applies.
Can a single plugin make my WordPress site fully GDPR compliant?
No single plugin does it all. A consent plugin handles the banner, pre-consent blocking, and consent logs. Full compliance also needs a complete privacy policy, a plugin audit, and data security practices. You also sign Data Processing Agreements with your host and external processors.
Do I need a cookie consent banner on WordPress?
Yes, if your site sets non-essential cookies and reaches EU visitors. Analytics cookies, advertising cookies, and social-embed cookies are non-essential. Even a site that only publishes articles and displays ads needs a banner. Ad and analytics scripts require prior consent under the ePrivacy Directive before they load.
What happens if my WordPress site is not GDPR compliant?
You risk regulatory complaints and investigations, which can result in fines. Under GDPR Article 83, serious violations can reach up to 4 percent of annual global turnover or 20 million euros, whichever is higher. The more common practical risk is complaints from visitors or data-protection authorities. Addressing the core gaps (a consent banner with pre-consent blocking, a complete privacy policy, and plugin audits) removes the most common exposure points.

