Last updated on 31 January 2022
I like to consider myself a pretty privacy-aware guy. I have tape over my webcam, I never share my real birthday unless it’s absolutely necessary, and I use tracker-blockers in my browsers.
That’s how I noticed my website was sending people’s data to third parties through tracking scripts and cookies. From the default Jetpack share buttons to the Yoast SEO Google Analytics plugin, my favorite website features were spying on my visitors!
Sorry about all these trackers! I apologize, and it ends now.
How can we make WordPress respect people’s privacy?
This is the story of how I made it work. All it really took was a little time and creativity.
And if I can do it, you can too. Here’s how.
- Remove Trackers
- Remove Cookies
- Encrypt Your Connections
Success = 0 Trackers + 0 Cookies
Through trial, error, and a ton of internet searching, I’ve managed to fix my websites so that they don’t use any trackers and don’t place any cookies. I’m far from being an expert, so if you have any other criteria for a privacy-respecting website, please let me know!
What are Trackers and Cookies?
If you’re not sure what trackers and cookies are, or why you should care about them, please have a look at this post.
How Do You See Them?
Depending on your browser, you can install add-ons that will show you what trackers are on any website you visit and block them for you.
👉🏼 I use uBlock Origin, Privacy Badger, and Ghostery.
So that’s how we can see what’s collecting people’s data – how do we get it off our website?
Step 1: Remove Trackers
Disable Jetpack Stats
Once activated, Jetpack tracks your visitors by default. You can disable this by either going directly to
or by opening your Jetpack Debug settings. There, you’ll be able to disable the Site Stats module.
Disable Jetpack sharing buttons
I know – sharing is caring, and sharing buttons are nice. The problem is that each is connected to its respective social network, so everyone who reads your blog post is getting spied on by Facebook, Twitter, LinkedIn, and the rest.
Go into your Jetpack Settings, open the Sharing tab, and turn off the switch next to Add sharing buttons to your posts.
Install WP DoNotTrack
A WordPress installation is a complex system of plugins, a theme, content, and custom code. This complexity makes it difficult to keep track of every part of the system.
Thankfully, Frank Goossens (futtta) created the WP DoNotTrack plugin to prevent other plugins from installing 3rd-party tracking code into your site.
I recommend the Disable tracking for all my visitors and SuperClean settings.
Remove Google Fonts
Google Fonts makes it easy to use nice fonts on any website. But while it doesn’t cost money, it costs privacy: any website that uses the service automatically shares its visitors’ IP addresses with Google.
Recently, a court in Munich, Germany fined a website operator for using Google Fonts without visitors’ consent, as it violates their right to privacy under the GDPR. Thankfully, there are better ways to use pretty fonts in WordPress!
Check for Google Fonts: First, let’s check if your site is even using Google Fonts in the first place. If you installed one of the add-ons I mention above, check for things like “fonts.gstatic.com.” If you don’t find anything, feel free to skip to Step 2!
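A scripted version of this check, as an added example that is not part of the original post: it reads a page's HTML and lists every other host the browser would load resources from, flagging the two Google Fonts hosts. The function name `audit_html`, the `blog.example` address used when calling it, and the sample page are assumptions made for illustration; hosts are compared by exact name, so a `www.` variant of your own domain would also be listed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Attributes that make the browser fetch a URL; <a href> only loads on a click.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
FETCHING_RELS = {"stylesheet", "preload", "preconnect", "dns-prefetch", "icon"}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""", re.I)

# Constructed sample page, so the example runs offline.
SAMPLE = """<head><link rel="stylesheet" href="//fonts.googleapis.com/css?family=Lato">
<link rel="canonical" href="https://other.example/post">
<style>@font-face{font-family:Lato;src:url(https://fonts.gstatic.com/lato.woff2)}</style>
</head><body><img src="/wp-content/uploads/cover.jpg">
<a href="https://www.youtube.com/watch?v=demo">see the video on YouTube</a></body>"""


class ThirdPartyFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.in_style, self.hosts = page_url, False, set()

    def record(self, raw_url):
        host = urlsplit(urljoin(self.page_url, raw_url)).hostname
        if host and host != urlsplit(self.page_url).hostname:  # exact-host match
            self.hosts.add(host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        rels = set((attrs.get("rel") or "").lower().split())
        url = attrs.get(LOADING_ATTRS.get(tag))
        # <link rel="canonical"> and similar are never fetched, so they are skipped.
        if url and (tag != "link" or rels & FETCHING_RELS):
            self.record(url)

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        for match in CSS_URL.finditer(data if self.in_style else ""):
            self.record(match.group(1))


def audit_html(page_url, html):
    finder = ThirdPartyFinder(page_url)
    finder.feed(html)
    return sorted(finder.hosts), sorted(finder.hosts & GOOGLE_FONT_HOSTS)
```

`audit_html` returns two sorted lists: all third-party hosts, and the Google Fonts hosts among them. It only sees what is in the HTML itself, so resources pulled in by external stylesheets or scripts still need the browser add-ons to spot.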
Remove Google Fonts: If your site is using Google Fonts, let’s disable them. If you have any plugins that specifically add Google Fonts to your site, delete them and check again. If you’re still seeing Google Fonts trackers, try installing the aptly named Disable and Remove Google Fonts plugin.
Ok, so we’ve banished Google Fonts from our WordPress site. Let’s add custom fonts without the G-word.
The Easy Way: OMGF plugin. If you’re not comfortable with CSS, the OMGF plugin is for you. It caches Google Fonts locally without having to work with code.
The Lean Way: Custom Fonts plugin. This plugin’s still pretty easy. But if you’re not using a page builder, you’ll need to add some code to your CSS. This plugin allows you to upload font files to your site, so they’re hosted locally. But remember: font designers need to eat too, so make sure you’ve got a license for whatever fonts you’re using.
Step 2: Remove Cookies
Cookies can be tricky, because not all of them are bad, and different areas have different laws on how they may be used. In the EU, it’s illegal to allow your site to save cookies without asking for the visitor’s consent.
Remove Embedded Content
This was, psychologically and aesthetically, the hardest thing for me to do. One of my favorite parts of the web is being able to embed content from one website to stream on another. Unfortunately, just one embedded YouTube video saves 8 cookies without consent.
So I now make thumbnails and link out to the content source, usually with a short bit of text indicating where the link leads to (e.g. see the video on YouTube or Follow me on Twitter).
This one is a shame, because I like my blog posts to start a conversation. However, WordPress sets five cookies when someone posts a comment, and they persist for longer than a week.
Go into your WordPress Settings > Discussion. There, uncheck the option Allow people to post comments on new articles.
If you’ve already written posts though, this setting will have to be changed retroactively. Go to All Posts and select all posts at once. Then, under Bulk Actions, select Edit and press Apply.
Then next to Comments, select Do not allow and press the Update button.
Check for plugins that leave cookies
Even with care and attention to cleaning up your site’s cookies, there may still be a plugin or two that saves cookies. There’s no easy way to diagnose this: you either disable all plugins and re-activate them one by one, or deactivate each plugin one by one.
There’s a painful amount of cache clearing and refreshing involved with this, but your site visitors will appreciate it.
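To make each round of that plugin-by-plugin check quicker, here is an added example (not from the original post) that reads the `Set-Cookie` headers of a response and sorts the cookies by how long they persist, using the post's "longer than a week" as the threshold. The function names, the sample headers and the fixed clock `NOW` are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.request import urlopen

# Constructed sample headers and clock, so the example runs offline.
NOW = datetime(2022, 1, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    "comment_author_0a1b2c=Jane; Expires=Sat, 14 Jan 2023 12:00:00 GMT; Max-Age=30000000; Path=/",
    "demo_pref=dark; Max-Age=3600; Path=/",
    "demo_session=abc123; Path=/; HttpOnly; Secure",
    "demo_ab=1; Expires=Thu, 10 Feb 2022 12:00:00 GMT",
]


def parse_set_cookie(header, now):
    """Return (name, lifetime); lifetime is None for a session cookie."""
    first, *attrs = [part.strip() for part in header.split(";")]
    max_age = expires = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        try:
            if key.strip().lower() == "max-age":
                max_age = timedelta(seconds=int(value))
            elif key.strip().lower() == "expires":
                expires = parsedate_to_datetime(value.strip()) - now
        except (TypeError, ValueError):
            pass  # unparseable attribute: browsers ignore it as well
    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    return first.split("=", 1)[0], max_age if max_age is not None else expires


def audit_cookies(headers, now, limit=timedelta(days=7)):
    """Sort cookie names into session, short-lived and longer than `limit`."""
    report = {"session": [], "short": [], "long": []}
    for header in headers:
        name, lifetime = parse_set_cookie(header, now)
        bucket = "session" if lifetime is None else "long" if lifetime > limit else "short"
        report[bucket].append(name)
    return report


def fetch_set_cookie(url):
    """Live use: the Set-Cookie headers returned by one GET of `url`."""
    with urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []
```

Cookies written by JavaScript never appear in response headers, so an empty result here still needs confirming in the browser's storage inspector.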
Step 3: Encrypt Your Connection
And finally, encryption! If you look at your browser’s address bar now, you should see https://brianpagan.net.
The s means the connection between your computer and the one where my website lives is encrypted. So if someone tried to eavesdrop, they would hear only noise.
This usually costs money, but organizations like Let’s Encrypt provide this service for free. They provide instructions on how to install it on your site, but some web hosting companies, like Vimexx (the one I use), come with Let’s Encrypt already installed.
So Let’s Respect People’s Privacy
Platforms like WordPress, and their various plugins, make it easy for us to set up full-featured, beautiful websites and online communities. And since we’re empowered to build these things for other people, it’s our responsibility to make sure we’re not peddling people’s privacy for a nice Twitter feed or a set of pretty share buttons.
Let’s be responsible and respect our website visitors’ privacy.
If you’d like to share any thoughts or insight on this, please message me on Twitter or get in touch with me right here.
BONUS: Privacy-Friendly Alternatives
I understand that it’s not easy to give up nice features and functionality for the sake of other people’s privacy!
Oh, and all of them are free.
Google Analytics Alternative: Statify
The Statify WordPress plugin tracks page views and referrers for your website.
MailChimp Alternative: Email Subscribers & Newsletters
The plugin Email Subscribers allows you to maintain subscriber lists and send, or schedule, HTML newsletters.
Typeform Alternative: Ninja Forms
The Ninja Forms plugin lets you create forms and keeps a record of all submissions. Not only does it provide an insane amount of features, the UI is also sublime to use.
Combine Ninja Forms with Popup Maker, and you’ll never think about Typeform again.
Browsers & Add-Ons for Safer Surfing
If you’re a bit more paranoid (like I am), you can surf the web with:
- Epic Privacy Browser
- Brave (also for mobile)
- Tor Browser
- DuckDuckGo Browser for iOS or Android
And if you use Safari, try Better by Indie or Ad Guard.
🙏🏼 Thanks, and I hope this works for you!
Cover image by Kylie_Jaxxon