User privacy has become an increasing concern for WordPress website owners and their visitors. Users want to ensure their private information is safe. In addition, many laws have recently come into effect that require the disclosure of the data collected on websites as well as what happens with it. Among other things, visitors are now required to “opt-in” to your use of cookies thanks to GDPR.
Though it is extra work for site owners, prioritizing user privacy is possible and necessary. By limiting the data your site collects, using HTTPS, IP masking, and other tactics, you can protect your visitor’s personal information and still run an optimized site.
There’s a lot to get to, so let’s jump right in.
Configure SSL, TLS, and HTTPS
SSL stands for Secure Sockets Layer and refers to a type of technology for maintaining the security of an Internet connection. Data is encrypted before being sent, then decrypted on the other side, preventing tampering while it is in transit. A typical use case on a website is protecting customer payment information in an online shop.
TLS is the newer version of SSL and stands for Transport Layer Security. You’ll often find SSL and TLS being used interchangeably, but in reality, TLS is the newest and most up-to-date version of SSL. However, since people are so used to saying SSL, the term simply stuck around.
Lastly, there’s HTTPS, which stands for Hyper Text Transfer Protocol Secure. This is what you see at the start of a URL of a website encrypted with an SSL certificate.
The key to ensure your site is secure on a fundamental level is to get a hosting plan that provides these features from the outset. It’s much easier to launch a new site that has SSL than it is to have to add it later. Preferably, look for a hosting provider that offers SSL for free, for example, via Let’s Encrypt.
How to Switch to HTTPS
If you already have a hosting plan and a live website and want to switch to HTTPs, you can do so. And it’s more important than ever, since browsers now indicate a site as “Not Secure,” if it doesn’t have an SSL certificate.
To add HTTPS, you need to buy an SSL certificate and activate it. Though this is something you can do completely manually, an easy solution is to use a service like Cloudflare for this task.
To use Cloudflare to add HTTPS, all you need to do is:
- Sign up for an account.
- Scan your domain for DNS records.
- Select the subdomains you want to add Cloudflare to and set up a free plan.
- Change the nameservers listed with your domain registrar to point to those that Cloudflare provides.
- Wait about 24 hours. Your DNS records will be updated and your domain will now have SSL.
Adjust WordPress Privacy Settings
Once you’ve taken care of user privacy at the domain level, you can zoom in a bit and focus on WordPress-specific issues. The Privacy Settings Tool is a good place to start. To access it go to Settings > Privacy in the WordPress dashboard.
On this screen, you should click the blue button that says Create New Page. This opens a template page called Privacy Policy, which also has some template content.
For the most part, the suggestions here should be good “as is”. However, if you have a large site and you collect a lot of information, you may wish to read the guide provided by WordPress on the subject. You can access it through a link at the top of the page as shown above.
Once you’re done making changes, click Publish.
This new Privacy Policy page will be accessible via a link that appears on your login screen as well as any signup or registration pages that appear on your site.
You may need to manually add a link to your site’s Privacy Policy from every other page and post on your site. A typical location is the site footer. Or, you can use a theme that does this automatically.
Maintain Site Security
Your next task in building a more secure WordPress site that prioritizes user privacy is to run standard maintenance operations. After all, a secure site is one that won’t have its data breached. And that means your visitors can trust their personal information will be in good hands. Here are a few things you need to do to keep your site’s security in tip-top shape.
1. Update WordPress
One of the simplest ways you can protect user privacy is by keeping your WordPress site up-to-date. This means installing major releases of the main software when they come out, of course. But it also means updating your plugins and themes.
Staying up to date ensures that you are using the latest bug fixes and fortifies your site against potential malware injection or brute force attacks. A good way to do so is to take advantage of WordPress auto updates.
2. Update Passwords
Another fairly simple thing you can do to improve user privacy is to update passwords periodically. Again, this helps prevent your site being breached. If you have multiple users on your site, send out password change requests every so often as well.
3. Enable Two-Factor Authentication
Speaking of passwords, enabling two-factor authentication is just a good idea. It helps keep your site secure, protects user privacy, and helps protect the privacy of your site contributors as well. Some popular two-factor authentication tools include Google, Authy, and Duo. There are also WordPress plugins like Two Factor Authentication and Google Authenticator.
Reconsider Your Analytics Plugin
Though Google Analytics is the oft-cited analytics solution of choice, not just in WordPress, it doesn’t exactly prioritize user privacy and collects an awful lot of personal data. It certainly does work as a way to monitor your site’s analytics but there are other options out there to better respect your site visitor’s privacy.
If you simply must use Google Analytics, make use of IP masking. This makes a user’s IP address anonymous so any data collected about them won’t be attached to their actual IP address. While it offers some level of privacy, it’s kind of a backwards approach. Google Analytics collects too much data and then you as the developer have to protect your site user’s privacy.
If you’re looking for a tool that better prioritizes user privacy straight out of the gate, here are some options.
GoSquared
GoSquared is a valuable tool for learning about visitor and customer behavior. After installing it via a WordPress plugin, this analytics tool offers an in-depth look at user behavior, including real-time analytics, usage trends, and e-commerce support. It offers full GDPR compliance and you can access a customer data hub and live chat for an added fee.
Open Web Analytics
Another option is Open Web Analytics, which makes it easy to track customer visits and behavior on your site. It’s also convenient to implement thanks to its WordPress integration. This tool is open-source, free, and provides super helpful features like cursor activity heatmaps, eCommerce and conversion tracking, site referral tracking, clicks, pageviews, and more.
Matomo
Still another option is Matomo, which offers detailed analytics for user activity, events, clicks, and more. It also has its own WordPress plugin. What makes this service stand out is its reliance on visual tracking data while still upholding user privacy. Track keywords, campaign performance, and make use of heat maps and A/B testing, too.
Adjust How You Collect (and Keep) Data
Another way to protect user privacy on your WordPress site is to rethink how you manage data on your site. Think of it this way: Any information your site collects from visitors could be a point of entry or a vulnerability in time. With this in mind, it’s a good idea to streamline your data management. Here are a few ways to improve in this area:
- Delete old form responses after a given period of time — Keeping form responses around can be good up to a point. However, if it’s been several months and you don’t need them anymore, it’s a good idea to purge these responses. Why hold onto visitor’s personal information like their names and email addresses if you don’t have to?
- Limit what info you require on form fields — Similarly, when having visitors fill out forms, only ask for the information you need. Nothing more.
- Use encrypted fields — If you need to collect some sensitive information from your visitors (like names and email addresses) making use of encrypted fields is a good idea. This adds an extra layer of security to your form submissions. The Gravity Forms Encrypted Fields plugins is one way of facilitating this.
Write, Implement and/or Update Your Privacy Policy
We already talked about how to add a Privacy Policy to your WordPress site but barely scratched the surface on how to write one. All sites now need a privacy policy because of GDPR. GDPR stands for General Data Protection Regulation and it’s a data privacy law that was passed in the EU in 2018. If you’re found to be in violation of this law, you could be responsible for paying some heavy fines.
Which makes it even more important to abide by GDPR. One of the key ways to do this is to have a privacy policy on your site. It needs to spell out specifically what data your site collects, how it’s stored, how long you intend to keep it, and what you do with it.
Another factor to consider is cookie consent. Before, implied consent was enough to use cookies on your site. However, direct consent is now required under GDPR. That means you must prompt and obtain consent from the visitor to use cookies and they must have the option to opt-out of their use as well.
Use a Privacy Policy and Cookie Consent Plugin
If you want to have more control over your site’s privacy policy and cookie consent prompts than what comes in WordPress Core, you should consider using a dedicated plugin for the job. There are several out there, but these stand out in terms of features and functionality.
WP Legal Pages
This plugin makes it easier to create a custom privacy policy page in WordPress. It also adds the ability to create a terms and conditions page, a refunds policy, affiliate disclaimers, as well as a variety of other custom pages. You can make selections based on where your site is based as well to create tailored content to your region.
Delete Me
Delete Me is another plugin that gives people who have registered on your site the ability to unregister and delete themselves. This is great if your site accepts front-end submissions or you accept user contributions regularly. A major part of user privacy is giving people greater control over their data. So, by using this plugin, you give users the ability to remove themselves and their content from your site.
WP GDPR Compliance
Or you might just want a straightforward option with something like the WP GDPR Compliance plugin. This tool walks you through complying with GDPR, step-by-step. It adds checkboxes to your existing plugins to obtain visitor consent, adds consent request prompts to your site, and enables the “right to access” with encrypted audit logs as well as the “right to be forgotten” by keeping user data anonymous.
Now’s the Time to Treat User Privacy Seriously, in WordPress and Beyond
Site visitors have come to expect that you handle their data with care — as they should! So, it’s up to you to protect their personal information by implementing a top-down user privacy plan.
By ensuring your site has SSL and HTTPs protection and performing standard security procedures alongside taking stock of what data your site collects (and adjusting accordingly), you can be sure to keep your visitor’s data safe and secure. Add in getting the proper consent for data collection and you’ll be well on your way toward creating a site that keeps its visitors’ information safe while still accomplishing broader goals.
How will you prioritize user privacy on your website? Any additional tips, tools or plugins to share? Let us know in the comments section below!
