Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Wordfence and GDPR: How The Defiant Team Are Preparing For GDPR

This entry was posted in Wordfence on May 9, 2018 by Mark Maunder   33 Replies

Update: Wordfence is now GDPR compliant. Click here to learn more.

We want to send out an update on the new data protection law, the General Data Protection Regulation (GDPR), going into effect soon and how Defiant is getting ready for it.

This new European law goes into effect on May 25, 2018. It is a new set of rules designed to give European citizens more control over their personal data. Defiant is actively preparing with new website changes and updates to the Wordfence plugin.

Additional changes will include updated privacy policies and terms of use. We are applying for the Privacy Shield certification program for both EU-US and Swiss-US and will soon have available a Data Processing Agreement for our EU customers who need one.

These updates will be made before the deadline. We will send out another notification with a detailed blog post when we have completed preparing for the new privacy regulations. You will begin to see these changes and updates emerge starting next week.

The team at Defiant, makers of Wordfence, care deeply about our customer privacy and data protection. This extends to our European customers and the rest of the globe. To this end, we have been working diligently with our internal team and with outside experts to understand the implications of the GDPR, to perform a comprehensive internal audit and to get our software, systems and processes compliant with the GDPR.

As always I welcome your questions and comments below.


Mark Maunder – Defiant Founder & CEO.


Did you enjoy this post? Share it!

33 Comments on "Wordfence and GDPR: How The Defiant Team Are Preparing For GDPR"

Mike Polek May 9, 2018 at 5:17 pm

As many WordFence users are likely looking to come into compliance with GDPR regulations, are you aware of quality resources (that you can pass long) for compliance issues like choosing a supervisory authority if you don't have a presence in the EU, checklists for preparedness, etc?

Mark Maunder May 9, 2018 at 5:31 pm

Hi Mike,

I am not and we are getting our advice from the source (our legal team). I would love our team to write a guide, but honestly we've been heads down focused on getting compliant ourselves and that has consumed any available energy that might have been around for writing a post like that. Perhaps once we're done we can write a follow-up and share some data.

What I can tell you is that we have been working closely with our legal team (multiple lawyers at K&L Gates, one of the largest firms in the country) to understand our obligations and to bring the organization, products, team and processes into compliance. It has been a big project and has touched many areas of the organization. So I would be nervous about advising others because, as the saying goes, IANAL (I am not a lawyer).

One interesting challenge that is emerging as the deadline approaches: We are having to reevaluate some suppliers who appear to not be doing anything about becoming compliant i.e. we may have to stop using them so that we can stay compliant. And of course we are all chasing the same deadline, which makes it a challenge when you expect your suppliers to be compliant before you are.



Paul May 9, 2018 at 5:50 pm

Hi Mike,

When you mention

"We are having to reevaluate some suppliers who appear to not be doing anything about becoming compliant i.e. we may have to stop using them so that we can stay compliant."

What way are they not being compliant?

I ask as I work with clients who are now firing legal forms at me demanding compliance
however, as I understand it while I have access to their data as I work on their site/systems I don't process or work with the data so don't need to do anything

I'm wondering what are you asking your suppliers for?

I will be seeking legal advice next week from my trade federation - but any insight would be gratefully received


Mark Maunder May 9, 2018 at 5:57 pm

They simply haven't provided guidance on how they are (or will be) GDPR compliant. So if that doesn't happen before the deadline, we'll just terminate using that service.

Hint: Here's one industry that is affected.



Robert May 9, 2018 at 8:41 pm

If you use wordfence to use Country blocking and block all access except from the US does that eliminate GDPR?

Most of our sites are local and do not accept traffic outside the USA.

Eileen May 9, 2018 at 10:45 pm

I notice you mention "new set of rules designed to give EUROPEAN CITIZENS".....

Do your lawyers read the rule as only applying to European citizens, and not citizens of other countries who reside in a country that is within the European Union?

We have data from US citizens who reside in the EU. Do you consider this data not covered by the rule?

Mark Maunder May 10, 2018 at 9:06 am

Hi Eileen,

Not sure, but I"ll make sure the team gets your question for our update next week.


Ian May 10, 2018 at 2:45 am

Hey Mike / Mark,

The ICO ( data commissioner in the UK) has several resources and guides which are fairly approachable to work through,


Hope that’s useful


Remco May 10, 2018 at 2:58 am


Thanks for the update. Will the IP addresses also anonymized (last digits) in a newer version. Just like with Google Analytics?



Mark Maunder May 10, 2018 at 9:05 am

Hi Remco,

Will have more data next week and will make sure the team sees this question.



Joerg K. May 10, 2018 at 5:08 am

Looking forward to get the Data Processing Agreement

Mark Maunder May 10, 2018 at 9:05 am

Me too. :-)

Joerg K. May 10, 2018 at 5:12 am

For more information about the GDPR see https://gdpr-info.eu

Mark Maunder May 10, 2018 at 9:05 am

Thanks Joerg.

Alex May 10, 2018 at 5:46 am

A quick question: I made my privacy policy last week and mentioned that we send only IP information to WF (to improve the algorithms) if a user is blocked by the firewall.

Is this correct or do you collect more?

Best regards,

Mark Maunder May 10, 2018 at 9:05 am

Thanks for the question Alex. Will bring this to the team and likely have a update next week.

Adam May 10, 2018 at 8:58 am

What are some of the ways you are working on updates to the plugin? Is it about retention / sharing features - e.g. enabling website owners to either not share or not store IP addresses via WordFence? :-)

Mark Maunder May 10, 2018 at 9:04 am

Thanks for the question. Will bring this to the team and likely have a update next week.

Joe May 10, 2018 at 10:37 am

I'd like to see a feature added that enables redirecting similar to country blocking, but specifically for EU countries. We'd then be able to get their "Explicit Consent" and send them to a URL that allows them to access the site.

Mark Maunder May 10, 2018 at 12:30 pm

Thanks Joe. Interesting idea.

Colin May 10, 2018 at 1:22 pm

The real question is the wordress software itself GDPR compliant? Secondly, I suspect that with the addition of so many plugins to a wordpress website, any one of these could make it non compliant? Do you have any kind of plan for monitoring this?

Mark Maunder May 10, 2018 at 3:20 pm

We will not be providing a service that monitors whether WordPress plugins are GDPR compliant.

Erin May 13, 2018 at 3:46 am

I love that idea!

If an EU citizen or resident comes to the website, they will have to give "consent" to access it. This would be a great way to sift visitors from the EU. Mark, if your team can develop something like this, it would be a godsend.

Please keep us all posted, Mark. You are all working hard, and doing a great job.

Standing by...

David May 13, 2018 at 5:42 am

Wordpress itself will be "Partially" GDPR compliant from the 4.9.6 release on the 17th May 2018, they as yet will not have anything about cookies built into the core or any form of log, hopefully these will be fixed soon.

As for Wordfence it's important for site managers to know what personal data (Including IP addresses) that WF stores simply so that we can inform people in the privacy notice that site security (never mention what security by the way) requires that information.

For Eileen specifically, the GDPR rules apply to all EU citizens AND for all companies operating within the EU so if you have for example a company based in the UK or with office in the UK you are obliged to treat everyone accessing your website as if they were an EU citizen even if you know they are from the USA, if you have only got say a USA office then you can treat EU and USA citizens differently

Mark Maunder May 14, 2018 at 9:30 am

More on this coming this week.


Lee May 13, 2018 at 9:42 am

I notice you lack a comments edit button. Yep, that is a GDPR violation.

Mark Maunder May 14, 2018 at 11:57 am

The ability for a user to self-edit their comment data is not a requirement AFAIK. Please post your source if you feel otherwise. Thanks.

Michael May 14, 2018 at 2:31 am

1.Any news to the compliance for our website privacy statement?
2.Also one wil need a written and signed data processing contract. Lots of companies have a downloadable pdf that has to be signed and sent back to the specific company, did i miss it?
Thanks in advance

Mark Maunder May 14, 2018 at 9:27 am

Hi Michael,

Data processing agreement is in progress and will be published probably this week, so we'll have that available for you.

We have quite a lot of other changes, so once we roll them out please let us know if you're still missing something. Roll-out for our GDPR changes starts this week.


Ria Schopman May 14, 2018 at 8:48 am

Hi Mark, According to AVG (Dutch version of GDPR) I have to include in my privacy statement how long data like IP-adresses and location are stored. I use the free versions of Wordfence and wonder how long data like this is saved when I block an IP-address. Appreciate the good work you guys do and very happy with this awesomw plugin.

Thanks in advance.

Mark Maunder May 14, 2018 at 9:26 am

Hi Ria,

We should have all our changes starting to roll out this week so keep an eye out for that. If you don't see it, please let me know.


Kristen Day May 15, 2018 at 9:33 am

I liked the idea of blocking UK as some clients are local and don't have UK clients... is this a temporary or permanent option?

(as asked by Robert - If you use wordfence to use Country blocking and block all access except from the US does that eliminate GDPR? Most of our sites are local and do not accept traffic outside the USA.)

Ria Schopman May 16, 2018 at 6:36 am

Thanks Mark, will do.

Follow Us


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 200 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates