Beyond Web Cookies: WordPress, Plugins, and Privacy

Welcome to this week’s Tip of the Hat!

Previous posts in our series about web cookies, tracking, and privacy discussed how tracking applications such as Google Analytics can follow website users across sites. We covered how using other Google-related products can put site user privacy at risk through third-party data collection. This week we explore another area in which online user privacy might be compromised, and this area is one that libraries and library vendors are familiar with – WordPress.

WordPress is one of the most used content management systems – over 35% of the sites you visit on the Web use WordPress. Sometimes libraries need a website that works “out of the box”: install on a local server, pick a theme, edit some pages, and publish. Sometimes libraries choose to host a site on the WordPress.com commercial hosting service. Other times libraries use WordPress when they need a customized site to fit their libraries’ needs. Library vendors also work with WordPress by working with libraries to create customized WordPress sites and plugins.

WordPress is popular for a reason. It’s flexible enough to provide a good basic site with as few or as many customizations as the site owner sees fit. One of the ways WordPress achieves this flexibility is plugins. Because WordPress is open source, anyone can write a plugin and share the plugin with others. On the WordPress Plugin Directory site, there are almost 55,000 plugins to choose from, ranging from site statistics and analytics and form creators to social media integrations and email newsletter systems (for example, LDH uses MailPoet). The possibilities plugins bring to a library website are endless.

The same could be said about the ways that plugins can put your patrons’ privacy at risk. WordPress plugins have the potential to collect, retain, and even share your site users’ data with the creators of the plugin and other third parties. For example, some libraries might forgo Google Analytics to use Jetpack or other WordPress statistics and site management plugins. What they might not be aware of is that site management plugins like Jetpack also use cookies, along with other tracking methods, to collect user data from your site.

These plugins can carry a security risk as well. WordPress plugins have been used to compromise WordPress sites. One such hack happened with the GDPR compliance plugin in 2018 (the irony of this hack is not lost on LDH). What can you do to protect the privacy of your library and site users when using WordPress plugins?

  • Research the developer – some plugins are created by one person, while others are created by companies. Evaluating the developer can help with determining the trustworthiness of the plugin as well as uncover any potential privacy red flags.
  • Read the privacy policy – unfortunately, the Plugin Directory doesn’t have a standard spot for developers to publish their plugin privacy policy, which means that you will need to research the developer’s site. Jetpack has a general site regarding data collection and tracking, which some might have missed if they didn’t search the support site.
  • Download plugins from trusted sources – the Plugin Directory is a good place to search for plugins, though this doesn’t relieve you from doing some homework before downloading the plugin.
  • Once you download the plugin:
    • Check and change any settings that might be collecting or sharing user data
    • Update the plugin regularly
    • If you no longer use the plugin, delete it from your site
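
For the homework and settings checks in the list above, a first-pass review can be scripted. The following is an added example, not code from this post or from WordPress: it reads the standard plugin header comment and flags plugin files that set cookies or reference hosts other than your own site. The plugin names, hosts, and sample source are constructed, and a string scan like this only tells you where to look, not what data actually leaves the site.

```python
import re

# WordPress reads these fields from the header comment of a plugin's main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
COOKIE_RE = re.compile(r"\bsetcookie\s*\(|document\.cookie", re.I)

def audit_plugin(source, site_host):
    """Return header fields plus privacy-relevant signals found in the plugin code."""
    header = {k.title(): v for k, v in HEADER_RE.findall(source)}
    # Drop block comments (including the header) so documentation links are not counted.
    code = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    hosts = {h.lower().rstrip(".") for h in HOST_RE.findall(code)} - {site_host}
    return {
        "name": header.get("Plugin Name", "(unknown)"),
        "version": header.get("Version", "(unknown)"),
        "external_hosts": sorted(hosts),
        "touches_cookies": bool(COOKIE_RE.search(code)),
    }

def review_queue(plugins, site_host):
    """Keep only plugins that set cookies or reference hosts other than the site."""
    audited = {path: audit_plugin(src, site_host) for path, src in plugins.items()}
    return {p: r for p, r in audited.items() if r["external_hosts"] or r["touches_cookies"]}

# Constructed sample plugin files (hypothetical names and hosts, not real plugins).
SAMPLES = {
    "site-stats/site-stats.php": '''<?php
/*
 * Plugin Name: Site Stats (constructed sample)
 * Version: 1.2.0
 * Plugin URI: https://plugins.example.org/site-stats
 */
add_action('wp_footer', function () {
    setcookie('ss_visitor', wp_generate_uuid4(), time() + 31536000);
    echo '<img src="https://collect.example.net/pixel.gif?u=' . get_current_user_id() . '">';
});
''',
    "hours-widget/hours-widget.php": '''<?php
/*
 * Plugin Name: Opening Hours Widget (constructed sample)
 * Version: 0.9
 */
add_shortcode('hours', function () { return '<p>Mon-Fri 9-5</p>'; });
''',
}

if __name__ == "__main__":
    for path, result in review_queue(SAMPLES, "library.example.org").items():
        print(path, result)
```

Anything the script flags is a prompt to read that plugin’s privacy policy and settings page, not a verdict on the plugin.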

This is only a small part of how you can use WordPress and still protect the privacy of your patrons. In a future installment of the series, we will talk about how you can be proactive in communicating privacy practices and options to your site visitors through WordPress.

Thanks to subscriber Carol Bean for the topic suggestion!