Building WordPress Websites That Better Respect User Privacy

In recent years, privacy has become one of the most important topics in our society. With the rise of services that use and sell user data, serious discussions have been taking place regarding best practices and the rights of users.

In some cases, they’ve led to government-based regulations such as the EU’s GDPR. However, worldwide there still seems to be quite a lot of confusion, which tends to result in inaction. Unfortunately, web designers seem to be caught in the middle.

What makes things even more difficult is how much we rely on third-party providers that enable all manner of different functionality. Each provider is another link in a privacy chain that may or may not be collecting/using data in an undesirable way.

Nowhere is this more of a challenge than when it comes to building sites with WordPress. That’s not because the CMS doesn’t take privacy seriously – it does. Rather, it’s a combination of being the web’s most-used platform and its ability to tie in with an untold number of services via plugins and themes.

That raises the question: How do we build WordPress websites with privacy in mind?

First, Have Realistic Expectations

Perhaps the obvious answer is to disable anything and everything related to tracking users. That means disabling cookies, not utilizing any third-party plugin or theme, and forgetting about showing ads. But that’s not going to meet the needs of most websites – especially if you’re building them for clients.

Therefore, we have to keep our expectations based in reality. And it’s also important to understand that, if a site is expected to comply with some sort of legal standard, lawyers or some other party who is able to verify adherence should be involved.

Regardless, in almost all circumstances, some sort of user data will be collected – either directly by your own site (form submissions, cookies, etc.) or through the outside services you connect with. This is life as we know it and may be impossible to avoid.

That doesn’t mean, however, that we are completely powerless. Together with clients, there are some decisions we can make that do keep the well-being of users in mind.

Choose Your Company Carefully

The one area where we have a significant amount of say is in what types of functionality we add to our website. This covers everything from the theme we use and the plugins we install to the outside APIs and code libraries we integrate.


There are some themes that do send data back to their developers, although it may not be user-specific. Usually, you can turn such functionality off via a setting. However, it’s best to check any data collection policies they have before making a commitment.

One of the best ways to ensure that a theme won’t collect user data is to build your own. There are plenty of great barebones starter themes and frameworks that help get projects up and running relatively quickly. It may not make sense for everybody, but it can be a great option if you want to exercise further control.


When it comes to plugins, more and more we are seeing them ask to collect data. It may be that they’re only interested in anonymous data that shows what other plugins you’re using, your hosting environment and so on. Again, you’ll want to review exactly what it is they are looking to harvest from your site.

Reputable plugins should have these functions turned off by default and allow you to opt in. If not, the beauty of the WordPress community is that there are usually plenty of alternative options. Look for a plugin that either doesn’t collect data or allows you to turn it off.

It’s also worthwhile to look for plugins that are compatible with the WordPress personal data export and erase tools, launched in version 4.9.6. This allows users to take ownership of their data and provides a means to have it removed from your site if they so wish.

It also makes for easier management when it comes to plugins that store user-related content in the site’s database. The last thing you want is to have to poke around a huge database, looking for extra bits of information to remove.
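What compatibility with the export and erase tools looks like in a plugin's code, as an added example that is not from the original article or from any particular plugin. The `myplugin` prefix and the `myplugin_phone` user meta key are hypothetical; the two filters are the hooks WordPress core provides for these tools.

```php
<?php
// Added example. 'myplugin' and the 'myplugin_phone' user meta key are hypothetical.
const MYPLUGIN_META_KEY = 'myplugin_phone';

// Register with the export tool (Tools > Export Personal Data).
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
	$exporters['myplugin'] = array(
		'exporter_friendly_name' => 'My Plugin',
		'callback'               => 'myplugin_export_user_data',
	);
	return $exporters;
} );

// Register with the erase tool (Tools > Erase Personal Data).
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
	$erasers['myplugin'] = array(
		'eraser_friendly_name' => 'My Plugin',
		'callback'             => 'myplugin_erase_user_data',
	);
	return $erasers;
} );

function myplugin_export_user_data( $email_address, $page = 1 ) {
	$items = array();
	$user  = get_user_by( 'email', $email_address );
	$phone = $user ? get_user_meta( $user->ID, MYPLUGIN_META_KEY, true ) : '';
	if ( '' !== $phone ) {
		$items[] = array(
			'group_id'    => 'myplugin',
			'group_label' => 'My Plugin',
			'item_id'     => 'myplugin-' . $user->ID,
			'data'        => array( array( 'name' => 'Phone number', 'value' => $phone ) ),
		);
	}
	return array( 'data' => $items, 'done' => true ); // Single page of results.
}

function myplugin_erase_user_data( $email_address, $page = 1 ) {
	$user    = get_user_by( 'email', $email_address );
	$exists  = $user && metadata_exists( 'user', $user->ID, MYPLUGIN_META_KEY );
	$removed = $exists && delete_user_meta( $user->ID, MYPLUGIN_META_KEY );
	return array(
		'items_removed'  => $removed,
		'items_retained' => $exists && ! $removed, // Report data that could not be deleted.
		'messages'       => array(),
		'done'           => true,
	);
}
```

When evaluating a plugin that stores user data, searching its source for these two filter names is a quick way to see whether it participates in the tools at all.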

Third-Party Services

Many of us want to integrate Google Fonts or social media tools into our websites. Beyond that, there are a ton of additional services that provide maps, analytics, video, script libraries or APIs that we might want to tap into.

Odds are, the majority of these services are going to want to track users in one way or another. But there are some possible solutions:

  • In the case of Google Fonts, you can always download the fonts you need and host them directly on your web server. The same goes for other remotely hosted scripts.
  • Some services will allow you to opt out of certain tracking behaviors. For instance, when embedding media from YouTube, it’s possible to turn on Privacy-Enhanced Mode, which lets users watch without the service tracking their viewing habits.
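Both options can be applied site-wide from a small must-use plugin. The following is an added example, not code from the original article; the `local-fonts` handle and the `/fonts/fonts.css` path are assumptions, and the font files themselves must already be downloaded into the theme.

```php
<?php
// Added example, e.g. saved as wp-content/mu-plugins/privacy-embeds.php.
// The 'local-fonts' handle and the fonts.css path are assumptions.

// Rewrite YouTube oEmbed iframes to the Privacy-Enhanced Mode host.
add_filter( 'embed_oembed_html', function ( $html, $url ) {
	$host = wp_parse_url( $url, PHP_URL_HOST );
	if ( ! is_string( $host ) || ! preg_match( '/(^|\.)(youtube\.com|youtu\.be)$/i', $host ) ) {
		return $html; // Not a YouTube embed; leave it untouched.
	}
	return preg_replace(
		'#https?://(www\.)?youtube\.com/embed/#i',
		'https://www.youtube-nocookie.com/embed/',
		$html
	);
}, 10, 2 );

// Drop enqueued stylesheets served by Google Fonts and load a local copy instead.
add_action( 'wp_enqueue_scripts', function () {
	$styles = wp_styles();
	foreach ( $styles->queue as $handle ) {
		$src = isset( $styles->registered[ $handle ] )
			? (string) $styles->registered[ $handle ]->src
			: '';
		if ( false !== strpos( $src, 'fonts.googleapis.com' ) ) {
			wp_dequeue_style( $handle );
		}
	}
	// Stylesheet with @font-face rules pointing at font files hosted on this server.
	wp_enqueue_style(
		'local-fonts',
		get_stylesheet_directory_uri() . '/fonts/fonts.css',
		array(),
		null
	);
}, 100 ); // Late priority so theme and plugin enqueues have already run.
```

Fonts pulled in through an `@import` inside a CSS file or a hard-coded `<link>` in a template never pass through the style queue, so check the rendered page's network requests afterwards to confirm nothing still loads from Google.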

Also note that some functionality may simply not work as expected without cookies or other tracking methods enabled. Be sure to read up on policies and documentation for details. Depending on your needs, this may or may not be worth the compromise.

Dealing with What Is, While Striving for Better Solutions

Certainly, all of this puts a lot of weight on the shoulders of web designers. It’s hard enough balancing the desires of our clients with the concerns of users. When you throw in all of the various privacy-related policies of governments and service providers, it all seems like mission impossible. In short: It’s a mess.

We can’t be expected to know exactly what Facebook does with user data, while also keeping up with Twitter, Google and advertising networks. It’s doubtful that even the people who work for these providers can keep up with their own jargon.

Yet, we’re still obligated to try. That means assessing the situation and attempting to know more about what it is we’re building. We need to encourage clients to adopt privacy policies of their own, while making it clear that legal professionals are required to keep things on the up and up.

The modern website demands a lot of advanced functionality – much more than even a decade ago. And since so many of us use WordPress to build those sites, we must be aware of the various parts we’re piecing together.

Will it ever be completely cohesive? Maybe not. But it’s our job to try and put it all into as neat of a package as possible. It’s the best we can do until a better solution comes along.