Skip to content

Self-Hosted WordPress and GDPR compliance

So I started this blog after being a long time “Google+ only” publisher, and now GDPR is coming.

I have looked into making this wordpress instance GDPR compliance, but it’s no fun. The webfonts are easy, but “no more Youtube embeds without a consent orgy” is no fun, and losing the Google/Facebook/Twitter SSO integration will basically lose all mobile users (80% or so of all readers).

The easiest way to get GDPR compliance is to move back to Google+ only, or to move this blog to or to

What migration target do you prefer (running a self-hosted instance is not an option for me after May, 25)?

Migration to Medium instructions

Migration to instructions

Jürgen Geuter nails it (german article on Facebook): Self-Hosted anything after GDPR is only for people with a really good legal expenses insurance.

Published inBlog


  1. Sorry for writing this reply in german, my english is humble.

    Ist das eine Lösung? WordPress wird sicher keine Datenschutzerklärung für ihre Nutzer verfassen.

    Und so wie ich es verstanden habe gelten nicht die Gesetze des Landes, in dem der Server/Cloud/wasauchimmer steht, sondern die Gesetze Deines Wohnsitzes.

    • kris kris

      Yes, at the moment a completely silo’ed solution such as or Google plus looks most attractive. That way I can publish stuff without offering a site, I am just a stream on a larger site. I wouldn’t have to deal with any of this stuff that way, and could focus on content.

  2. Christian Buggedei

    I wouldn’t count on that, remember all the Facebook/Linkedin/Xing impress rules …

  3. Walter

    Some people say that for private pages you do not have to follow GDPR. Some people have another opinion.

    Why do you need Google/Facebook/Twitter SSO ? For the comments?

    Disabling comment function would be the easiest way but your blog without comments is only 75% :)

    • Shred

      The big question is: what is a “private page”? IANAL, but I tend to the opinion that a private site is only accessible to family and friends. This is, it is password protected.

      On my blog, I have removed the comments, disabled all cookies, turned off the access log, made sure nothing (like webfonts) is loaded from CDNs. Still I need to think about GDPR because I can receive e-mails (I have to because of German laws), which is again processing of personal data.

      I’m still indecisive. Are those GDPR alarmists just scaremongers, and my blog is okay now and everything is going to be fine? Or should I better shut down my webserver before May 25th and wait for some months until the dust has settled?

      • Armin Grewe

        The GDPR doesn’t differentiate between private and public. It differentiates between businesses/organisations and personal activities. See recital 18:

        “This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.”

        There is no mention that the activity has to be private.

        • -thh

          That’s true, but publishing on the web for others is neither “personal” nor “household”.

          • Armin Grewe

            So you’re saying as soon as you publish something on the web it becomes a professional or commercial activity?

        • Shred

          It still leaves so much room for interpretation.

          What is a “purely personal” activity? Is it a personal blog, or is it just (for example) an own NextCloud instance that I only use for myself?

          What is “no connection to a professional activity”? If I blog about my profession, is it still personal, or already professional?

          I prefer to assume that my blog is commercial, even if I don’t earn a single cent with it. I think it is only “personal or household” if it is not reachable for the public.

  4. Jason

    I would suggest to wait for the 15th. WordPress will release a new version and if I understand it correctly, it will contain something for GDPR.

    I would be very sad to see you go back to G+ or to medium. The former does not offer RSS and the latter one wants an automatic license to your content AFAIK.

  5. rajo

    WordPress / blogs are one thing. What if you run your own root/virtual server which handles some nextcloud or email – even if you’re the only person using it. If you send or receive mail, it will for sure contain personal data. What now? I’m not running any business, so is this “household use”? But running a mailserver is certainly not “common household use” in terms of the average user.

  6. BTW, WordPress announced that WP 4.9.6 will bring a GDPR-ready solution:
    “The primary focus of 4.9.6 is delivering a set of tools for controlling and managing private information in a GDPR compliant manner. With GDPR going into effect on May 25th, 2018, this will be the last minor release before the new laws go into effect.”

    I hope the best.

  7. Niclas

    I would vote for Medium. Am planning to do it for my site, too.

  8. Michael

    I still don’t get it. I have a blog. It loads no third party assets from anywhere. I don’t store cookies anywhere (because what even for). I don’t have comments (because they only make you sad or angry). The access logs don’t store full ip addresses. So where, pray tell, is the problem supposed to be? What do you need any of that third party shit for anyway?

  9. As Far as I know the SSO should not be a problem, as at least the big ones are them self GDPR compliant.

    Regarding the moving, Medium brings some additional reach with it, but you have only very limited tracking (if you are interested in this)

  10. Erwann

    Hi Kristian,
    on my side, I do not consider a private blog without any commercial interest as being in the main scope of GDPR.
    GDPR applicability / main focus:
    1/ Commercial organisations as well as non commercial organisations computing large collection of private data.
    2/ GDPR applies – based on the above scope – as soon as private data of EU citizen are computed; private data = data making possible to identify the “human behind the data”.

    As I know, a WordPress “GDPR plugin” is available. In all cases, the best approach would be to avoid the use Google Fonts and Google Analytics (as well as equivalent commercial services).

    In your specific case, I would not consider to avoid self hosting or to disable comments. There are some good tutorials for GDPR implementation (including released by BSI) and it is valuable to take a look on them.
    Schöne Grüsse und viel Erfolg !

Leave a Reply

Your email address will not be published. Required fields are marked *