Disclaimer: We are not lawyers. Nothing on this website should be considered legal advice.

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.

You’ve likely gotten dozens of emails from companies like Google and others regarding GDPR, their new privacy policy, and bunch of other legal stuff. That’s because the EU has put in hefty penalties for those who are not in compliance.

Fines

Basically after May 25th, 2018, businesses that are not in compliance with GDPR’s requirement can face large fines up to 4% of a company’s annual global revenue OR €20 million (whichever is greater). This is enough reason to cause wide-spread panic among businesses around the world.

This brings us to the big question that you might be thinking about:

Does GDPR apply to my WordPress site?

The answer is YES. It applies to every business, large and small, around the world (not just in the European Union).

If your website has visitors from European Union countries, then this law applies to you.

But don’t panic, this isn’t the end of the world.

While GDPR has the potential to escalate to those high level of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.

The EU isn’t some evil government that is out to get you. Their goal is to protect consumers, average people like you and me from reckless handling of data / breaches because it’s getting out of control.

The maximum fine part in our opinion is largely to get the attention of large companies like Facebook and Google, so this regulation is NOT ignored. Furthermore, this encourage companies to actually put more emphasis on protecting the rights of people.

Once you understand what is required by GDPR and the spirit of the law, then you will realize that none of this is too crazy. We will also share tools / tips to make your WordPress site GDPR compliant.

What is required under GDPR?

The goal of GDPR is to protect user’s personally identifying information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data.

The personal data includes: name, emails, physical address, IP address, health information, income, etc.

While the GDPR regulation is 200 pages long, here are the most important pillars that you need to know:

Explicit Consent – if you’re collecting personal data from an EU resident, then you must obtain explicit consent that’s specific and unambiguous. In other words, you can’t just send unsolicited emails to people who gave you their business card or filled out your website contact form because they DID NOT opt-in for your marketing newsletter (that’s called SPAM by the way, and you shouldn’t be doing that anyways).

For it to be considered explicit consent, you must require a positive opt-in (i.e no pre-ticked checkbox), contain clear wording (no legalese), and be separate from other terms & conditions.

Rights to Data – you must inform individuals where, why, and how their data is processed / stored. An individual has the right to download their personal data and an individual also has the right to be forgotten meaning they can ask for their data to be deleted.

This will make sure that when you hit Unsubscribe or ask companies to delete your profile, then they actually do that (hmm, go figure). I’m looking at you Zenefits, still waiting for my account to be deleted for 2 years and hoping that you stop sending me spam emails just because I made the mistake of trying out your service.

Breach Notification – organizations must report certain types of data breaches to relevant authorities within 72 hours, unless the breach is considered harmless and poses no risk to individual data. However if a breach is high-risk, then the company MUST also inform individuals who’re impacted right away.

This will hopefully prevent cover-ups like Yahoo that was not revealed until the acquisition.

Data Protection Officers – if you are a public company or process large amounts of personal information, then you must appoint a data protection officer. Again this is not required for small businesses. Consult an attorney if you’re in doubt.

To put it in plain English, GDPR makes sure that businesses can’t go around spamming people by sending emails they didn’t ask for. Businesses can’t sell people’s data without their explicit consent (good luck getting this consent). Businesses have to delete user’s account and unsubscribe them from email lists if the user ask you to do that. Businesses have to report data breaches and overall be better about data protection.

Sounds pretty good, in theory at least.

Ok so now you are probably wondering what do you need to do to make sure that your WordPress site is GDPR compliant.

Well, that really depends on your specific website (more on this later).

Let us start by answering the biggest question that we’ve gotten from users:

Is WordPress GDPR Compliant?

Yes, as of WordPress 4.9.6, the WordPress core software is GDPR compliant. WordPress core team has added several GDPR enhancements to make sure that WordPress is GDPR compliant. It’s important to note that when we talk about WordPress, we’re talking about self-hosted WordPress.org (see the difference: WordPress.com vs WordPress.org).

Having said that, due to the dynamic nature of websites, no single platform, plugin or solution can offer 100% GDPR compliance. The GDPR compliance process will vary based on the type of website you have, what data you store, and how you process data on your site.

Ok so you might be thinking what does this mean in plain english?

Well, by default WordPress 4.9.6 now comes with the following GDPR enhancement tools:

Comments Consent

By default, WordPress used to store the commenters name, email and website as a cookie on the user’s browser. This made it easier for users to leave comments on their favorite blogs because those fields were pre-populated.

Due to GDPR’s consent requirement, WordPress has added the comment consent checkbox. The user can leave a comment without checking this box. All it would mean is that they would have to manually enter their name, email, and website every time they leave a comment.

Data Export and Erase Feature

WordPress offers site owners the ability to comply with GDPR’s data handling requirements and honor user’s request for exporting personal data as well as removal of user’s personal data.

The data handling features can be found under the Tools menu inside WordPress admin.

Privacy Policy Generator

WordPress now comes with a built-in privacy policy generator. It offers a pre-made privacy policy template and offer you guidance in terms of what else to add, so you can be more transparent with users in terms of what data you store and how you handle their data.

These three things are enough to make a default WordPress blog GDPR compliant. However it is very likely that your website has additional features that will also need to be in compliance.

Areas on Your Website that are Impacted by GDPR

As a website owner, you might be using various WordPress plugins that store or process data like contact forms, analytics, email marketing, online store, membership sites, etc.

Depending on which which WordPress plugins you are using on your website, you would need to act accordingly to make sure that your website is GDPR compliant.

A lot of the best WordPress plugins have already gone ahead and added GDPR enhancement features. Let’s take a look at some of the common areas that you would need to address:

Google Analytics

Like most website owners, you’re likely using Google Analytics to get website stats. This means that it is possible that you’re collecting or tracking personal data like IP addresses, user IDs, cookies and other data for behavior profiling. To be GDPR compliant, you need to do one of the following:

1. Anonymize the data before storage and processing begins
2. Add an overlay to the site that gives notice of cookies and ask users for consent prior to tracking

Both of these are fairly difficult to do if you’re just pasting Google Analytics code manually on your site. However, if you’re using MonsterInsights, the most popular Google Analytics plugin for WordPress, then you’re in luck.

They have released an EU compliance addon that helps automate the above process. MonsterInsights also has a very good blog post about all you need to know about GDPR and Google Analytics (this is a must read, if you’re using Google Analytics on your site).

Contact Forms

If you are using a contact form in WordPress, then you may have to add extra transparency measures specially if you’re storing the form entries or using the data for marketing purposes.

Below are the things you might want to consider for making your WordPress forms GDPR compliant:

• Get explicit consent from users to store their information.
• Get explicit consent from users if you are planning to use their data for marketing purposes (i.e adding them to your email list).
• Disable cookies, user-agent, and IP tracking for forms.
• Make sure you have a data-processing agreement with your form providers if you are using a SaaS form solution.
• Comply with data-deletion requests.
• Disable storing all form entries (a bit extreme and not required by GDPR). You probably shouldn’t do this unless you know exactly what you’re doing.

The good part is that if you’re using WordPress plugins like WPForms, Gravity Forms, Ninja Forms, Contact Form 7, etc, then you don’t need a Data Processing Agreement because these plugins DO NOT store your form entries on their site. Your form entries are stored in your WordPress database.

Simply adding a required consent checkbox with clear explanation should be good enough for you to make your WordPress forms GDPR compliant.

Email Marketing Opt-in Forms

Similar to contact forms, if you have any email marketing opt-in forms like popups, floating bars, inline-forms, and others, then you need to make sure that you’re collecting explicit consent from users before adding them to your list.

This can be done with either:

1. Adding a checkbox that user has to click before opt-in
2. Simply requiring double-optin to your email list

Top lead-generation solutions like OptinMonster has added GDPR consent checkboxes and other necessary features to help you make your email opt-in forms compliant. You can read more about the GDPR strategies for marketerson the OptinMonster blog.

WooCommerce / Ecommerce

If you’re using WooCommerce, the most popular eCommerce plugin for WordPress, then you need to make sure your website is in compliance with GDPR.

The WooCommerce team has prepared a comprehensive guide for store owners to help them be GDPR compliant.

Retargeting Ads

If your website is running retargeting pixels or retargeting ads, then you will need to get user’s consent. You can do this by using a plugin like Cookie Notice.

Best WordPress Plugins for GDPR Compliance

There are several WordPress plugins that can help automate some aspects of GDPR compliance for you. However, no plugin can offer 100% compliance due to the dynamic nature of websites.

Beware of any WordPress plugin that claims to offer 100% GDPR compliance. They likely don’t know what they’re talking about, and it’s best for you to avoid them completely.

Below is our list of recommended plugins for facilitating GDPR compliance:

• MonsterInsights – if you’re using Google Analytics, then you should use their EU compliance addon.
• WPForms – by far the most user-friendly WordPress contact form plugin. They offer GDPR fields and other features.
• Cookies Notice – popular free plugin to add an EU cookie notice. Integrates well with top plugins like MonsterInsights and others.
• Delete Me – free plugin that allow users to automatically delete their profile on your site.
• OptinMonster – advanced lead generation software that offers clever targeting features to boost conversions while being GDPR compliant.
• Shared Counts – instead of loading the default share buttons which add tracking cookies, this plugin load static share buttons while displaying share counts.

We will continue to monitor the plugin ecosystem to see if any other WordPress plugin stands out and offer substantial GDPR compliance features.

Final Thoughts

Whether you’re ready or not, GDPR will go in effect on May 25, 2018. If your website is not compliant before then, don’t panic. Just continue to work towards compliance and get it done asap.

The likelihood of you getting a fine the day after this rule goes in effect are pretty close to zero because the European Union’s website states that first you’ll get a warning, then a reprimand, and fines are the last step if you fail to comply and knowingly ignore the law.

The EU is not out to get you. They’re doing this to protect user’s data and restore people’s trust in online businesses. As the world goes digital, we need these standards. With the recent data breaches of large companies, it’s important that these standards are adapted globally.

It will be good for all involved. These new rules will help boost consumer confidence and in turn help grow your business.

We hope this article helped you learn about WordPress and GDPR compliance. We will do our best to keep it updated as more information or tools get released.

Additional Resources

• GDPR Hysteria Part I and Part II by Jacques Mattheij
• Data protection infographic by European Commission
• Principles of the GDPR by European Commission
• GDPR and MonsterInsights – everything you need to know
• GDPR Enhancement Features for Your WordPress Forms
• GDPR Compliance for WooCommerce Stores
• GDPR and OptinMonster – Good read if you have email marketing opt-in forms

Legal Disclaimer / Disclosure

We are not lawyers. Nothing on this website should be considered legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney to determine if you are in compliance with all applicable laws for your jurisdictions and your use cases.

Written by WP Beginner

The post The Ultimate Guide to WordPress and GDPR Compliance – Everything You Need to Know appeared first on Morningtide Design.

Keeping Core Up to Date

For WordPress to be secure, you must keep the core application up to date. The good news is that WordPress actually does much of this job automatically. If you have the default configuration, then when the core team releases a minor version of WordPress, it will upgrade to that new minor version automatically. Security fixes are released as minor versions.

So when a security fix is released, unless you’ve specifically configured your site to not update automatically, your site will update to the newest security fix and you will be protected from an emerging vulnerability.

To be clear, WordPress versions come with three numbers separated by dots.  The current version is 4.9.4. The number to the far right is the minor version. So when that changes, your site will be automatically updated. When 4.9.5 is released, your site will automatically update. When 5.0.0 is released, it will not.

Keeping Plugins and Themes Up to Date

You will also need to keep your plugins up to date. This does not happen automatically, except in rare cases where the plugin author provides that functionality. Our security plugin updates automatically when we release a new version. Most plugins don’t. But again, we have some great news. In cases where there is a severe plugin vulnerability, the WordPress security team have the ability to force plugin security updates, and have done so in the past. They have never automatically updated a theme, but they have the ability to do that, too.

In general, though, minor vulnerabilities that a plugin author fixes are not updated on your site automatically. That is why keeping your plugins up to date is one of the most important things you need to do to keep your site secure.

Protecting Yourself During the Window of Vulnerability With a Firewall

When a vulnerability does occur in a plugin or theme, there is a lag time between the vulnerability discovery and when a fix is released. We refer to this as the “window of vulnerability”. To protect yourself during this time, you need a firewall that is being actively maintained by a security team and that includes real-time updates.

Reducing Your Attack Surface

You will also need to work to reduce the number of things that can be attacked on your website. Think of your website as a giant dartboard and a hacker is trying to throw darts that simply have to hit the board. The more plugins you run, the more themes you have installed and the more web applications you run, the bigger the surface area that the attacker can hit. Reduce your attack surface by removing unused or unnecessary applications, and you make yourself a much smaller target and your website will be much less work to maintain. You should also remove any unused accounts, especially administrator accounts, on your WordPress website.

Practicing Good Security Hygiene

Finally, you and the users of your website will need to practice good security hygiene. That means you should:

• Use strong passwords that are not easily guessable. We recommend using a password manager like 1Password.
• Enable two-factor authentication. (Wordfence Premium provides this.)
• Make sure you have reliable backups of your website.

The Basics Are Actually Not That Much Work

If you have these basic ingredients for security in place, you will be starting from a excellent base security posture. To summarize, the items I have mentioned so far are:

1. Keep WordPress core updated. This happens automatically most of the time.
2. Keep your plugins, themes and other web applications up to date.
3. Use a firewall that is updated in real time.
4. Reduce your attack surface by removing unneccesary plugins, themes, web applications and user accounts.
5. Practice good security hygiene by using strong passwords, enabling two-factor authentication and ensuring your backups are reliable.

This may sound like a lot, but it really is not. Once you have configured your WordPress site with a firewall, enabled two-factor authentication, removed any applications and plugins you don’t need, and set up strong passwords, the only thing you need to do regularly is update your website plugins when needed and occasionally verify your backups. In addition to this, I would suggest keeping abreast of WordPress security trends and any ‘big’ security news. This blog consistently covers big news and important threats in the WordPress security space, so subscribe to our mailing list and you’re all set.

What About the XYZ Alternative CMS? Isn’t That More Secure?

This question comes up a lot. I think the best way to illustrate my thinking on this is with a bell curve. Imagine a curve where the X axis is how evolved a software product is and the Y axis is the number of security incidents. I’ll provide names for each evolutionary stage.

Invention

On the far left, you have a brand new CMS or other software web application that is used by the one guy that wrote the software. Hackers aren’t interested in finding vulnerabilities in this software, because it will only enable them to hack a single site. Researchers aren’t looking at the code because securing a single website won’t bring them much recognition. Vulnerabilities aren’t going to get found by hackers or researchers, and won’t get exploited. The likelihood of this very early stage software getting hacked is low.

Discovery

As the new application gains popularity, it becomes a more interesting target, because a vulnerability enables an attacker to exploit more websites. The software is early stage, so there are no security processes, teams and vendors supporting the new CMS. You can’t buy a firewall for the product. Security researchers are focused on more popular products. Hackers are beginning to discover it is a target. At this point, the number of security incidents reported in this software is rising on a steep curve.

Growth

Once the new application hits a steep growth curve, hackers begin to take a major interest. There are now enough installations out there to make it very much worth their time. The new application is still not close to the most popular CMS in terms of usage and is still not receiving much attention from researchers, volunteer teams or vendors.

During this time, the new application is extremely vulnerable. Major incidents will occur in the evolution of the software. WordPress was in this phase from about 2007 to 2013, when we saw the Timthumb hack, auto-update was not yet available and security vendors were just beginning to emerge, including Wordfence which launched in 2012. The number of security incidents during this period puts the application on the map as a target and a product worth protecting.

Maturity

As a security community develops around the application, the frequency and severity of security incidents begin to drop. A community of passionate security researchers evolves around the product. Methodologies emerge for reporting and fixing vulnerabilities securely and confidentially so that hackers never have the opportunity to exploit them.

In the WordPress universe, we still see the occasional security issue like the large scale defacement campaigns that occurred early last year when a vulnerability appeared in WordPress core. But in the Mature phase, these incidents are short and sharp because the vulnerabilities are rapidly fixed by the competent security team that has evolved around the product and with the assistance of outside researchers and vendors.

Third party security products like Wordfence are able to mitigate the impact by preventing attacks. Where incidents do occur, incident response is available in the form of site cleaning services, to ensure rapid recovery.

Where WordPress Stands

WordPress is very much in the mature phase of its security evolution, and as it continues to evolve, the number of security incidents will continue to decline and stabilize. When choosing whether you want to use a newer or alternative CMS, consider which phase of the evolution the product is and where it will be headed in the coming years.

Someone Suggested a Static Website. Isn’t That Unhackable?

An alternative approach that some are taking is to build a website that is completely static HTML and CSS with no PHP or other application components. This does not have an application that an attacker can exploit, and the website can be configured so that it doesn’t even have the ability to execute PHP, so that hackers can’t run their code.

In theory, this website is far more secure than a PHP application like WordPress. The problem is that, other than serving pictures and text, it won’t actually be able to doanything. No comments, forms, content management, e-commerce or any other application functionality. That makes this option unfeasible for most site owners.

It’s also worth pointing out that the web server itself is an application, and there have been many vulnerabilities in web servers like Apache and Nginx reported. Eliminating the application server does not make a website immune from exploitation.

Is a Cloud CMS More Secure?

For many users, a cloud CMS may never be an option because they need 100% ownership and control of their website, intellectual property and data. But if you are considering partially or fully outsourcing your website to a cloud CMS, you should keep in mind that cloud services are not immune from security breaches either.

In October 2017 we saw the cloud comment service Disqus report a major security breach which exposed the data of 17.5 million users. In February of last year we saw cloud firewall provider Cloudflare experience a breach when their systems leaked sensitive user data.

Cloud services are attractive targets for attackers because they have everyone’s eggs in their one basket. Their developers are also human and are prone to err like the rest of us. Self-hosted WordPress as a CMS platform gives you the benefit of complete control of your own security, and a community of researchers, vendors and volunteers to help you secure your site.

Are WordPress Hosting Providers Secure?

Most WordPress hosting providers do a reasonably good job of securing their customers, but occasionally we encounter a host that has what we refer to as a ‘service vulnerability’. In these cases, no matter what the site owner does to secure their own site, their site remains vulnerable due to a flaw in the hosting provider’s security posture.

Our team has developed a service vulnerability disclosure policy. When we discover a service vulnerability, our team works confidentially with the hosting provider to fix the problem. Once the issue is fixed, we publish the details. So far we have worked with four hosting companies and have successfully helped them fix their underlying security issues in all cases. We wrote about three hosting providers with service vulnerabilities in February and published details on a fourth this week.

When selecting a WordPress hosting provider, choose a provider that is reputable, responsive to fixing security issues and provides you with clear answers to any questions you may have about security.

Whether you choose WordPress as your CMS or an alternative platform, you will need to host your website somewhere. Because WordPress represents a very large and attractive market for hosting providers, the best hosts in the world have focused on providing hosting for WordPress. This gives site owners plenty of options to choose from among the largest hosting companies in the world.

A Security Researcher Said WordPress Is a ‘Security Disaster’. Is This True?

Security researchers make a living by selling security products or consulting services. They also have egos. Our industry has had a contentious relationship with vendors who make software for as long as hackers and security researchers have been around. As an industry we are working to change that. For a view into someone leading this change, check out Facebook CSO, Alex Stamos’s keynote address at BlackHat 2017.

Often vulnerability reports about WordPress core or plugin vulnerabilities are associated with hyperbole about the platform itself. WordPress is like any other application in that it occasionally has vulnerabilities. But as I discussed above, WordPress has entered a mature stage of its security evolution, and while vulnerabilities still occur, they are dealt with rapidly and in an organized and effective way.

Is WordPress Secure? That Depends on You.

WordPress can be a very secure, highly functional and well-supported platform that can serve you or your organization and scale for decades. But this requires that you follow the basic security steps I outlined above and that you stay abreast with the latest security developments.

Written by Wordfence Security

The post Is WordPress Secure? appeared first on Morningtide Design.

Their logic goes like this:

1. You’re not selling anything online
2. Therefore you don’t need to protect anything
3. Don’t waste money on an SSL certificate

We’ve now reached a tipping point where more than half the traffic being served across the internet is now using HTTPS.

So let’s say you’re not selling anything online. Fine. Let’s talk about the second point for a second …

If you’re a freelancer, creative, agency or blogger, you may not make money online. But you may be making money offline based on the trust and authority you develop online. (For example, you may be collecting leads via forms.) And that’s what matters.

Because later this year, a new version of Google Chrome is coming (68, due out in July 2018) that will mark every HTTP site as “Not Secure.”

Think about the consequence of having “NOT SECURE” on the top of your browser when a visitor considers filling out a lead gen form. I’m pretty sure you won’t see that page convert like it used to.

Also, some of you have been waiting for wildcard SSL certificates. With a wildcard certificate, you could have one single cert that would work for subdomains, like:

• store.example.com
• blog.example.com
• members.example.com

We suggest that you make getting your site secured with an SSL certificate an item on your to-do list.

Written by iThemes Media LLC

The post Even if Your Website is Just a Blog, or Lead Generator, You Still Need an SSL appeared first on Morningtide Design.

Here are 4 compelling reasons to move your WordPress website to HTTPS:

1. SECURITY — SSL protects your site’s data and your website visitors. It encrypts data transferred over the web, like form submissions and credit card transactions.
2. SEO — Google says it’s time to move your sites over to HTTPS. They are now giving a search ranking boost to secure sites. Simply put, you’ll rank better with an HTTPS website.
3. E-COMMERCE —If you’re taking any payments on your website, SSL is non-negotiable. SSL is an absolute must for e-commerce and membership websites.
4. AFFORDABILITY — In the past, SSL certificates could get expensive, but the rapidly transforming web landscape has made switching to SSL practical and affordable.

But here’s the deal … most of us (me included) don’t know where to start and how to move to HTTPS without messing things up. You could potentially break your website, experience downtime or lose important analytics data if you do it incorrectly. 

The post If you haven’t moved to HTTPS by now, you’re going to get left behind appeared first on Morningtide Design.