You likely heard from it: GDPR is just around the corner. In this context, it is a good idea (it would have been a good idea before too, but one (at least me) did not think about it so much before…) to limit requests for external resources – and with that the sending of the user’s IP address to the other server – to the absolutely essential.
The emoji fallback for older browsers and Gravatar images are two often-active WordPress features that make requests to external servers. Now one could say, okay, then I disable them, but there are other ways. Here I present two plugins, which should be at least more harmless from a data protection point of view than the built-in solutions of WordPress (but, of course, I am not a lawyer).
Loading emoji fallback images from the local server
If you use a modern browser, you directly see the emoji symbols (👋). If you are using an older browser without emoji support, WordPress replaces the emojis with SVGs or – if your browser does not support SVGs – PNG images. Those files are loaded from the
https://s.w.org domain by default.
A blog (like the one you are currently reading) that uses the Gravatar feature shows a Gravatar image for each comment. A default one if the email address of the commenter is not registered with Gravatar or the Gravatar of the email address. They are loaded from Gravatar’s servers.
The plugin Avatar Privacy comes with various features:
- caching the Gravatar images locally, so they can be loaded from the web server instead of Gravatar.
- a checkbox for the comment form the user needs to check if he wants that his Gravatar is displayed.
- the email adresses for identifying the Gravatar image are hashed with a salted SHA256, so the email address cannot be guessed like it is the case with Gravatar URLs.
- also the default Gravatar images are loaded from the local server.
Two plugins that make two – for me nice-to-have – WordPress features (hopefully) harmless 🎉
I cannot say if that is really legally needed, or if you can say that, for example, Gravatar usage is a Legitimate Interest. But even if is not necessary – for me it is a good feeling to reduce the external requests for a user who is visiting my website 🙂