How to Harden WordPress for Security and GDPR Compliance
A practical guide to securing your WordPress site and making it GDPR-compliant. Covers server hardening, plugin security, database encryption, cookie consent, and European hosting requirements.
WordPress powers over 40% of the web, which makes it the number one target for automated attacks. If your WordPress site handles European user data — contact forms, e-commerce orders, newsletter signups, or analytics — you also have GDPR obligations that most default WordPress installations fail to meet.
This guide covers both sides: hardening your WordPress installation against real-world threats, and ensuring it meets the requirements of EU data protection law.
The Two Problems with Default WordPress
Out of the box, WordPress has two critical gaps:
Security defaults are weak. Auto-updates only cover minor releases, the login page is publicly accessible at a known URL, file permissions are often too loose, and most hosting stacks skip basic headers like Content-Security-Policy.
GDPR compliance is absent. WordPress core sets cookies, collects IP addresses in comments, and provides no consent mechanism. Plugins make it worse — every analytics snippet, form builder, or social widget can introduce third-party data transfers you are legally responsible for.
Fixing both problems requires changes at the server level, the application level, and the plugin level.
Server-Level Hardening
Before touching WordPress itself, secure the server it runs on.
Use a European-Hosted Server
If your audience is in the EU, your server should be too. Hosting with a European provider in an EU data centre means personal data never leaves European jurisdiction. This is the simplest way to sidestep complex international data transfer mechanisms.
Enforce HTTPS Everywhere
Install an SSL certificate (Let's Encrypt is free) and force all traffic through HTTPS:
# .htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Add Security Headers
Add these to your web server configuration. The directives below use Nginx add_header syntax; on Apache the equivalent is Header set from mod_headers. Two caveats: X-XSS-Protection is a legacy header that current browsers ignore, and 'unsafe-inline' in script-src removes most of the protection a CSP gives against injected scripts, so replace it with nonces or hashes once you know which inline scripts your theme and plugins actually need:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;
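A quick check for the headers above, added here as an example (not from the original guide): it audits a response saved with curl -sI and flags the 'unsafe-inline' problem. It also checks Strict-Transport-Security, which backs the HTTPS redirect above but is not in the list; the hostname is a placeholder and the captured response is constructed.

```shell
# Added example, not from the original guide. Audit a response saved with
# `curl -sI https://www.example.com/ > headers.txt` (placeholder host) for the
# headers listed above plus Strict-Transport-Security.

# check_headers FILE - prints each missing header; returns 0 only when all are present
check_headers() {
    missing=0
    for h in X-Frame-Options X-Content-Type-Options Referrer-Policy \
             Permissions-Policy Content-Security-Policy Strict-Transport-Security; do
        # Header names are case-insensitive; HTTP/2 responses show them lowercase
        if ! grep -qi "^$h:" "$1"; then
            echo "MISSING: $h"
            missing=$((missing + 1))
        fi
    done
    # 'unsafe-inline' in script-src lets injected inline scripts run, which
    # removes most of the XSS protection a CSP is meant to provide.
    if grep -i '^Content-Security-Policy:' "$1" | grep -qi "script-src[^;]*'unsafe-inline'"; then
        echo "WARNING: script-src allows 'unsafe-inline'"
    fi
    [ "$missing" -eq 0 ]
}

# Constructed sample response: one header missing, CSP still permissive
SAMPLE_HEADERS=$(mktemp)
cat > "$SAMPLE_HEADERS" <<'EOF'
HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';
strict-transport-security: max-age=63072000
EOF

check_headers "$SAMPLE_HEADERS" || echo "headers need attention"
```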
Restrict File Permissions
WordPress files should be owned by the web server user but not world-writable:
find /var/www/wordpress -type d -exec chmod 755 {} \;
find /var/www/wordpress -type f -exec chmod 644 {} \;
chmod 600 /var/www/wordpress/wp-config.php
The wp-config.php file contains database credentials — it should never be readable by other users on the system.
WordPress Application Hardening
Move wp-config.php Above the Web Root
WordPress automatically looks one directory up for wp-config.php. Moving it there keeps it out of the document root so it can never be served directly, provided the parent directory is not itself served by the web server:
mv /var/www/wordpress/wp-config.php /var/www/wp-config.php
Disable File Editing in the Dashboard
Prevent attackers who compromise an admin account from editing theme/plugin files:
// wp-config.php
define('DISALLOW_FILE_EDIT', true);
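An audit script for the file permission rules and the DISALLOW_FILE_EDIT setting above, added as an example (not from the original guide). It runs against a constructed scratch copy of a loosely configured installation, not a live site.

```shell
# Added example, not from the original guide: audit a WordPress tree for the
# points above (world-writable paths, wp-config.php mode, DISALLOW_FILE_EDIT).

# wp_audit ROOT - prints each finding and returns the number of findings (0 = clean)
wp_audit() {
    root=$1
    findings=0
    # Directories should be 755 and files 644: nothing may be writable by "other"
    ww=$(find "$root" -perm -002)
    if [ -n "$ww" ]; then
        echo "world-writable paths:"
        echo "$ww"
        findings=$((findings + 1))
    fi
    # WordPress reads wp-config.php from ROOT or from the directory above it
    cfg=$root/wp-config.php
    [ -f "$cfg" ] || cfg=$root/../wp-config.php
    if [ ! -f "$cfg" ]; then
        echo "wp-config.php not found"
        return 1
    fi
    # It holds the database credentials: only the owner may read it (chmod 600)
    if [ -n "$(find "$cfg" -perm -004)" ] || [ -n "$(find "$cfg" -perm -040)" ]; then
        echo "wp-config.php readable by group or other: $cfg"
        findings=$((findings + 1))
    fi
    if ! grep -q "define( *'DISALLOW_FILE_EDIT', *true *)" "$cfg"; then
        echo "DISALLOW_FILE_EDIT not set in $cfg"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed scratch copy of a typical loose installation (not a live site)
WP_ROOT=$(mktemp -d)/wordpress
mkdir -p "$WP_ROOT/wp-content/uploads"
printf '<?php\n' > "$WP_ROOT/index.php"
printf "<?php\ndefine('DB_PASSWORD', 'placeholder');\n" > "$WP_ROOT/wp-config.php"
chmod 644 "$WP_ROOT/wp-config.php"        # credentials readable by every local user
chmod 777 "$WP_ROOT/wp-content/uploads"   # a common installer leftover

wp_audit "$WP_ROOT" || echo "findings: $?"
```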
Change the Login URL
The default /wp-admin and /wp-login.php paths are targeted by every bot on the internet. Use a plugin like WPS Hide Login to change the URL to something unique.
Limit Login Attempts
Install a plugin like Limit Login Attempts Reloaded or configure fail2ban at the server level to block brute-force attacks. fail2ban only sees what is written to the log it watches, so the jail below also needs a filter definition for wordpress-auth in /etc/fail2ban/filter.d/ and something that logs WordPress login failures to that file (the WP fail2ban plugin writes them to syslog):
# /etc/fail2ban/jail.local
[wordpress]
enabled = true
filter = wordpress-auth
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
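The missing piece of the jail above, plus a way to see what it would ban, added as an example (not from the original guide). The filter definition is an assumed one for the wordpress-auth name, the log format ("Authentication failure for USER from IP") is the one the WP fail2ban plugin emits to syslog, and the log excerpt is constructed.

```shell
# Added example, not from the original guide. Assumed filter for the
# "wordpress-auth" jail above; the log line format is the WP fail2ban plugin's,
# and the syslog excerpt is constructed.

# On a real host this goes to /etc/fail2ban/filter.d/wordpress-auth.conf and can
# be checked with: fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/wordpress-auth.conf
# fail2ban replaces <HOST> with its own address-matching pattern.
FILTER_FILE=$(mktemp)
cat > "$FILTER_FILE" <<'EOF'
[Definition]
failregex = Authentication failure for .* from <HOST>$
ignoreregex =
EOF

# wp_failed_logins LOG MAXRETRY - prints each IP with at least MAXRETRY failures,
# i.e. what the jail above bans with maxretry = 3 (fail2ban additionally limits
# the count to a findtime window; this check counts the whole file).
wp_failed_logins() {
    awk -v max="$2" '
        /Authentication failure for .* from [0-9.]+$/ { fails[$NF]++ }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' "$1"
}

# Constructed syslog excerpt: one address hammering the login, one user's typo
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar  3 10:15:01 web1 wordpress(www.example.com)[2201]: Authentication failure for admin from 203.0.113.5
Mar  3 10:15:04 web1 wordpress(www.example.com)[2201]: Authentication failure for admin from 203.0.113.5
Mar  3 10:15:07 web1 wordpress(www.example.com)[2201]: Authentication failure for administrator from 203.0.113.5
Mar  3 10:16:30 web1 wordpress(www.example.com)[2201]: Authentication failure for editor from 198.51.100.7
Mar  3 10:17:02 web1 wordpress(www.example.com)[2201]: Accepted password for editor from 198.51.100.7
EOF

wp_failed_logins "$LOG" 3
```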
Keep Everything Updated
Enable automatic updates for minor releases, plugins, and themes. The constant belongs in wp-config.php, but the add_filter() calls must go in a must-use plugin or your theme's functions.php, because the plugin API is not loaded yet when wp-config.php runs and the calls would cause a fatal error there:
// wp-config.php
define('WP_AUTO_UPDATE_CORE', 'minor');
// functions.php or a must-use plugin (not wp-config.php)
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');
For major releases, test on a staging environment first.
Use Strong Database Prefixes
Change the default wp_ table prefix during installation. If the site is already live, this is harder to change but reduces the effectiveness of SQL injection attacks that assume default table names.
GDPR Compliance Checklist
Technical security is only half the picture. Here is what you need for GDPR compliance:
1. Cookie Consent
You must obtain explicit consent before setting non-essential cookies. This includes analytics (Google Analytics, Matomo), marketing pixels (Facebook, LinkedIn), and embedded content (YouTube, Google Maps).
Use a consent management platform (CMP) that:
- Blocks scripts until consent is given (not just a banner that does nothing)
- Allows granular consent per category
- Records proof of consent
- Provides an easy way to withdraw consent
2. Privacy Policy
Your privacy policy must list:
- What personal data you collect and why
- The legal basis for each processing activity
- Who receives the data (hosting provider, email service, analytics)
- How long you retain data
- How users can exercise their rights (access, deletion, portability)
3. Contact Forms and Comments
Every form that collects personal data needs:
- A link to your privacy policy
- A consent checkbox (for marketing communications)
- Data minimisation — only collect what you actually need
For WordPress comments, consider disabling them or using a self-hosted solution instead of Disqus (which transfers data to the US).
4. Analytics Without Third-Party Transfers
Google Analytics transfers data to US servers, which creates GDPR complications after the Schrems II ruling. Alternatives:
- Matomo (self-hosted) — full analytics, data stays on your server
- Plausible (EU-hosted) — lightweight, privacy-friendly
- Fathom — simple analytics with EU data residency option
5. Email and Newsletter Compliance
If you use Mailchimp or similar US-based services, you are transferring subscriber data outside the EU. Consider European alternatives like Brevo (formerly Sendinblue) or self-hosted solutions like Listmonk.
6. Right to Erasure
WordPress 4.9.6+ includes a built-in data export and erasure tool under Tools > Export/Erase Personal Data. Make sure it works and covers all plugins that store user data.
Plugin Security Audit
Plugins are the biggest attack surface in WordPress. Follow these rules:
- Remove unused plugins — even deactivated plugins can be exploited
- Check plugin reputation — look at last update date, active installations, and support forum activity
- Audit plugin data flows — does the plugin send data to external servers? Check the plugin's privacy policy
- Minimise plugins — every plugin is a potential vulnerability. If you can achieve the same result with a few lines in functions.php, do that instead
Database Backups and Disaster Recovery
Back up your database daily and store backups in a separate EU location. For an unattended cron job, keep the password in a credentials file such as ~/.my.cnf rather than answering the -p prompt or putting it on the command line:
mysqldump -u wp_user -p wordpress_db | gzip > \
/backups/wp_$(date +%F).sql.gz
Test your restore process regularly. A backup you have never tested is not a backup.
When WordPress Security Becomes Your Full-Time Job
Keeping WordPress secure and GDPR-compliant is not a one-time task. It requires ongoing monitoring, patching, plugin audits, certificate renewals, and backup verification. For many businesses, this operational overhead is unsustainable — especially when a single missed update can lead to a breach or a compliance violation.
Alplink offers fully managed WordPress hosting on sovereign European infrastructure. We handle security hardening, automatic updates, daily backups, GDPR-compliant server configurations, and 24/7 monitoring — all running on NixOS for reproducible, auditable deployments. Your data stays in Europe, your site stays secure, and you stay focused on your business. Learn more at alplink.eu.