Wordfence and GDPR: How The Defiant Team Are Preparing For GDPR

Update: Wordfence is now GDPR compliant. Click here to learn more.

We want to send out an update on the new data protection law, the General Data Protection Regulation (GDPR), going into effect soon and how Defiant is getting ready for it.

This new European law goes into effect on May 25, 2018. It is a new set of rules designed to give European citizens more control over their personal data. Defiant is actively preparing with new website changes and updates to the Wordfence plugin.

Additional changes will include updated privacy policies and terms of use. We are applying for the Privacy Shield certification program for both EU-US and Swiss-US and will soon have available a Data Processing Agreement for our EU customers who need one.

These updates will be made before the deadline. We will send out another notification with a detailed blog post when we have completed preparing for the new privacy regulations. You will begin to see these changes and updates emerge starting next week.

The team at Defiant, makers of Wordfence, care deeply about our customer privacy and data protection. This extends to our European customers and the rest of the globe. To this end, we have been working diligently with our internal team and with outside experts to understand the implications of the GDPR, to perform a comprehensive internal audit and to get our software, systems and processes compliant with the GDPR.

As always I welcome your questions and comments below.


Mark Maunder – Defiant Founder & CEO.


Did you enjoy this post? Share it!


  • As many WordFence users are likely looking to come into compliance with GDPR regulations, are you aware of quality resources (that you can pass long) for compliance issues like choosing a supervisory authority if you don't have a presence in the EU, checklists for preparedness, etc?

    • Hi Mike,

      I am not and we are getting our advice from the source (our legal team). I would love our team to write a guide, but honestly we've been heads down focused on getting compliant ourselves and that has consumed any available energy that might have been around for writing a post like that. Perhaps once we're done we can write a follow-up and share some data.

      What I can tell you is that we have been working closely with our legal team (multiple lawyers at K&L Gates, one of the largest firms in the country) to understand our obligations and to bring the organization, products, team and processes into compliance. It has been a big project and has touched many areas of the organization. So I would be nervous about advising others because, as the saying goes, IANAL (I am not a lawyer).

      One interesting challenge that is emerging as the deadline approaches: We are having to reevaluate some suppliers who appear to not be doing anything about becoming compliant i.e. we may have to stop using them so that we can stay compliant. And of course we are all chasing the same deadline, which makes it a challenge when you expect your suppliers to be compliant before you are.



  • Hi Mike,

    When you mention

    "We are having to reevaluate some suppliers who appear to not be doing anything about becoming compliant i.e. we may have to stop using them so that we can stay compliant."

    What way are they not being compliant?

    I ask as I work with clients who are now firing legal forms at me demanding compliance
    however, as I understand it while I have access to their data as I work on their site/systems I don't process or work with the data so don't need to do anything

    I'm wondering what are you asking your suppliers for?

    I will be seeking legal advice next week from my trade federation - but any insight would be gratefully received


  • If you use wordfence to use Country blocking and block all access except from the US does that eliminate GDPR?

    Most of our sites are local and do not accept traffic outside the USA.

  • I notice you mention "new set of rules designed to give EUROPEAN CITIZENS".....

    Do your lawyers read the rule as only applying to European citizens, and not citizens of other countries who reside in a country that is within the European Union?

    We have data from US citizens who reside in the EU. Do you consider this data not covered by the rule?

    • Hi Eileen,

      Not sure, but I"ll make sure the team gets your question for our update next week.


  • Hey Mike / Mark,

    The ICO ( data commissioner in the UK) has several resources and guides which are fairly approachable to work through,


    Hope that’s useful


  • Hi,

    Thanks for the update. Will the IP addresses also anonymized (last digits) in a newer version. Just like with Google Analytics?



    • Hi Remco,

      Will have more data next week and will make sure the team sees this question.



  • Looking forward to get the Data Processing Agreement

    • Me too. :-)

  • For more information about the GDPR see https://gdpr-info.eu

    • Thanks Joerg.

  • A quick question: I made my privacy policy last week and mentioned that we send only IP information to WF (to improve the algorithms) if a user is blocked by the firewall.

    Is this correct or do you collect more?

    Best regards,

    • Thanks for the question Alex. Will bring this to the team and likely have a update next week.

  • What are some of the ways you are working on updates to the plugin? Is it about retention / sharing features - e.g. enabling website owners to either not share or not store IP addresses via WordFence? :-)

    • Thanks for the question. Will bring this to the team and likely have a update next week.

  • I'd like to see a feature added that enables redirecting similar to country blocking, but specifically for EU countries. We'd then be able to get their "Explicit Consent" and send them to a URL that allows them to access the site.

    • Thanks Joe. Interesting idea.

  • The real question is the wordress software itself GDPR compliant? Secondly, I suspect that with the addition of so many plugins to a wordpress website, any one of these could make it non compliant? Do you have any kind of plan for monitoring this?

    • We will not be providing a service that monitors whether WordPress plugins are GDPR compliant.

  • I love that idea!

    If an EU citizen or resident comes to the website, they will have to give "consent" to access it. This would be a great way to sift visitors from the EU. Mark, if your team can develop something like this, it would be a godsend.

    Please keep us all posted, Mark. You are all working hard, and doing a great job.

    Standing by...

  • Wordpress itself will be "Partially" GDPR compliant from the 4.9.6 release on the 17th May 2018, they as yet will not have anything about cookies built into the core or any form of log, hopefully these will be fixed soon.

    As for Wordfence it's important for site managers to know what personal data (Including IP addresses) that WF stores simply so that we can inform people in the privacy notice that site security (never mention what security by the way) requires that information.

    For Eileen specifically, the GDPR rules apply to all EU citizens AND for all companies operating within the EU so if you have for example a company based in the UK or with office in the UK you are obliged to treat everyone accessing your website as if they were an EU citizen even if you know they are from the USA, if you have only got say a USA office then you can treat EU and USA citizens differently

    • More on this coming this week.


  • I notice you lack a comments edit button. Yep, that is a GDPR violation.

    • The ability for a user to self-edit their comment data is not a requirement AFAIK. Please post your source if you feel otherwise. Thanks.

  • 1.Any news to the compliance for our website privacy statement?
    2.Also one wil need a written and signed data processing contract. Lots of companies have a downloadable pdf that has to be signed and sent back to the specific company, did i miss it?
    Thanks in advance

    • Hi Michael,

      Data processing agreement is in progress and will be published probably this week, so we'll have that available for you.

      We have quite a lot of other changes, so once we roll them out please let us know if you're still missing something. Roll-out for our GDPR changes starts this week.


  • Hi Mark, According to AVG (Dutch version of GDPR) I have to include in my privacy statement how long data like IP-adresses and location are stored. I use the free versions of Wordfence and wonder how long data like this is saved when I block an IP-address. Appreciate the good work you guys do and very happy with this awesomw plugin.

    Thanks in advance.

    • Hi Ria,

      We should have all our changes starting to roll out this week so keep an eye out for that. If you don't see it, please let me know.


  • I liked the idea of blocking UK as some clients are local and don't have UK clients... is this a temporary or permanent option?

    (as asked by Robert - If you use wordfence to use Country blocking and block all access except from the US does that eliminate GDPR? Most of our sites are local and do not accept traffic outside the USA.)

  • Thanks Mark, will do.