GDPR, Privacy and WordPress

Over the last few weeks and months if you’ve been on any kind of email subscription list you have undoubtedly had at least one email (likely with a pleading tone!) asking you to re-confirm your permission to receive emails. These emails have all been prompted by the new General Data Protection Regulations, or more commonly by the acronym GDPR which is in force under EU Law as of May 25th 2018.

These impending regulations coupled with the fallout from the high profile Facebook / Cambridge Analytica data mis-use has brought the whole issue of data protection, privacy and handling of user data to the forefront of people’s minds. The consequences of mis-use of personal data provided to websites have been shown to be potentially far reaching.

Personal Data and Privacy

In the light of both GDPR and Facebook’s privacy issues the development community around WordPress has been quick to respond with enhancements to increase its compliance with the requirements of GDPR. WordPress 4.9.6 was released 17th May was a minor update in version numbering but added a few new settings and controls in the WordPress backend to help with compliance, the following is quick overview of what has been added and what the intentions are behind them.

After updating to 4.9.6 you will see a popup highlighting the new “Personal Data Export and Erasure” features that have been added to the Tools menu, along with a new Privacy feature in the Settings menu.

Privacy Policy

Accessing the new Privacy feature in the Settings menu will show a general overview of why you may need to add a Privacy Policy page to your website. Whilst GDPR is currently the most prominent regulation which may affect the legal need for a privacy policy page there are also other regulations in place around the world.

You can then select an existing Privacy Policy page if you have one or you can click the “Create New Page” option which will add a new page to your site with suggested privacy policy content, which you can then edit. Some of this content is more broad generic privacy information but some such as the “Comments” section details information that may be held when users comment on your WordPress site. So even if you do not have users logging in to your website it is important to note that the process of simply leaving a comment on your website involves the person doing so to provide some personal information in this process and the saving of cookies in the user’s browser. Subsequently there is a new permission checkbox on comment forms to allow users to explicitly consent to this.

Export Personal Data

In the Tools menu there are two new features added to provide a way to manage the personal data of specific users’ data on your website. Regulations like GDPR require that users are able to request to see all of the data that your website may hold about that user, the new “Export Personal Data” function allows you to enter the email address of a user which will then email a link to a zip file of all of the data held relating to that email address.

Erase Personal Data

The second new addition to the Tools menu is the “Erase Personal Data” function. This provides a way for any identifying information related to a user to be erased from the site. It’s worth noting that this doesn’t delete actual comments from the site but it does remove any way for these to be identified either on the front-end or back-end of the website.

You enter the email address of the user requesting erasure of their personal data into the field and then this will send out an email to the user asking them to confirm the erasure of their data, so it puts the ultimate control of this data in the user’s hands.

Are you a plugin developer?

If you are a WordPress plugin developer then hopefully you haven’t been oblivious to these changes that have been happening in WordPress core, but if not then it’s worth taking a look at the update guide for WordPress 4.9.6 as there is some impact on plugin developers. Particularly if your plugin handles any personal user data then this may be extremely important for you to get up to speed on:

You should also have a good read through the Privacy section of the Plugin handbook:

What next?

These tools in WordPress core are just the start of an increased focus on user privacy and data security within WordPress and the many plugins in the WordPress ecosystem. You can expect some further additions in future releases and in particular new features added to third-party plugins in the interest of data protection and privacy.

Intel chips do not a virus-magnet make!

Browsing around the BBC website the other day (enjoying their new updated customisable homepage!) when I came across a Blog post titled: "Mac virus alarm is sounded – again". The author, Derren Waters, begins warily:

I hesitate to write this, mainly because I fear the response, but does anyone who owns a Mac actually use any anti-virus software?

It’s an interesting question and one which a friend asked me at work recently as he had just purchased his first Mac – a nice shiny MacBook. Derren’s blog post received a lot of comments ranging from "Macs are not real technology", "Mac users are so smug", "I use anti-virus just to be safe" and the perennial favourite "Macs don’t get viruses because they have a much smaller market share so virus writers don’t see them as much of a target"!

I don’t think these comments are surprising, no harm in running antivirus software if you want to (although much antivirus software on both Windows and Mac is renowned for causing performance issues, cough, mcafee…).

Amongst the many comments one stood out to me in particular as it suggested that as Macs now use Intel chips they are somehow more vulnerable than when they were running on PPC chips:

Yes, I use Macs and I do use antivirus software. It is only a matter of time before we users get hit with viruses; even more so now with the Intel processors being used in more and more Macs

There’s not really any logic to this suggestion, it’s the operating system and not the chip that presents the vulnerabilities, Windows wouldn’t be any more or less secure whether it was on PPC or Intel. I do appreciate there are perhaps specific functions in processors that could in theory be a gateway for malware of viruses but it would still have to get past a piece of software in the form of an operating system or at least firmware.

Personally I don’t run antivirus on my Macs as I don’t see it as necessary. Running a Firewall is a good idea and going online via a router with a firewall is also a great way to remove your computer from port scanning script kiddies too. Obviously it’s important not to be naive (or smug!) but OSX’s UNIX heritage provides a very secure base to the operating system, the biggest risk a Mac user faces is themselves as the closest thing out there to any kind of malware or trojan for OSX involves the user being duped into running something because they didn’t expect.

If you’re a Mac user and you’re concerned about security then I’d suggest the following simple steps:

  • Disable the ‘Open "safe" files after downloading’ preference in Safari – this stops images, movies, sounds, text from opening and disk images from mounting automatically after downloading. This alone is a simple way to stay in control of files being opened.
  • Make sure your firewall is enabled
  • Enable software update to automatically download updates, and make it check at least weekly if not daily for any available updates. Apple release software updates fairly frequently including a fairly regular Security update.

I tried to post a comment on the aforementioned blog post but the blog tool behind seems to be faulty, so I thought I’d just write a post instead :) As I write, this comic on comes to mind: