WordPress 4.9.6 Released With User Data Export and Removal Tools

WordPress 4.9.6 has been released and is considered a privacy and maintenance release. Traditionally, minor versions contain security and bug fixes. This release is different as it includes a number of privacy-related features such as:

  • Privacy Policy page template/creation
  • User Data Request Handling
  • User Data Export and Removal tools
  • Cookie Opt-in for Comments
  • Other features related to GDPR Compliance

Earlier this month, I reviewed the privacy features in 4.9.6 and since that post was published, the team has made a number of adjustments. For example, site admins will receive an email when a user confirms a personal data export or removal request and the text on the privacy policy template page has been simplified. 

The privacy features in WordPress 4.9.6 are largely the result of a new team of volunteers that was formed earlier this year. The team is already hard at work on improving these features for future versions of WordPress.

In addition to privacy enhancements, more than 50 bugs have been fixed. ‘Mine’ has been added as a filter in the WordPress Media Library and when viewing a plugin in the backend, it will display the minimum PHP version that’s required.

The WordPress Development team has published an update guide that provides links to technical information related to features in 4.9.6. In addition, there’s a guide available for Theme Authors as styling adjustments may be necessary.

As this is a minor release, sites are in the process of updating automatically. If you encounter an issue with 4.9.6, please report it on the Support Forums.


36 Comments


  1. Oh yeah, very nice, when you delete the personal data, the name is replaced with “Anonymous”, and a link is placed on it that points to http://site.invalid, causing the site to have a bunch of broken links. I’m sure Google will applaud you for all the broken links!

    I’m reporting this for a few days now, and nobody cares…



    1. Well, that’s not surprising unfortunately.

      Core has proven time and time again that they know absolutely nothing about SEO.



    2. Hi Nick.

      You’re correct that replacing the comment author link URL with “site.invalid” is not ideal. I’ve opened a ticket on the WordPress issue tracker to address this: https://core.trac.wordpress.org/ticket/44141.

      That said, the only place that you have reported this is in a review of the third party “Disable Privacy Tools” plugin 48 hours ago. It hardly warrants stating that “nobody cares” if nobody sees your report in the first place :-). The WordPress project would love your feedback via the proper channels: https://make.wordpress.org/core/handbook/testing/reporting-bugs/

      Thanks!



      1. Well said! Nobody should berate volunteers anyway!

        Thanks for doing this work for us – for free. Much appreciated.

        People need to lighten the $%#^ up!



      2. also

        User Data Request Handling
        User Data Export and Removal tools

        make use of wp-login.php, so it won’t work if you use a custom login page.



    3. Why is the URL field not simply made empty?



  2. I believe this GDPR addition should have absolutely been a plugin. I then would have the option of whether to activate it or not.



    1. No kidding! Thanks Core for deciding that the EU wags our dog for the whole planet Earth. I’m an American. I’m not posting a privacy policy on my blog just because some technocrat in Europe tells me to. Who cares about GDPR? I live in Las Vegas. Just more Corporate buggery.

      Wow, I just noticed this piece of art gives legal advice to the admin.

      “As a website owner, you may need to follow national or international privacy laws. For example, ….”

      Awesome. What does the Foundation do again?



      1. There are a few states that do require privacy policies and the FTC has been engaged in privacy enforcement under its Section 5 authority for some time. There are also three bills in Congress to create privacy requirements in the US. It’s probably not something you can avoid for long.



      2. make use of wp-login.php, so it won’t work if you use a custom login page.

        This is a false conclusion. All properly coded custom login scripts use wp-login.php



      3. I’m not posting a privacy policy on my blog just because some technocrat in Europe tells me to. Who cares about GDPR?

        Oh yeah? With such attitude soon you’ll be out of business:

        “(…) Even if you’re not being slapped with heavy fines, there will be reputational damage for not complying. And with all eyes on the commercial use of personal data right now, staying compliant with the current laws will only help you as new rules and regulations are developed.(…)”
        https://www.digitalmarketer.com/gdpr-summary/

        I wouldn’t like to be your customer and I’m pretty sure many people would think the same. Respect our privacy dude.



  3. Many congrats to WordPress – these tools, especially the “Privacy Policy” pro forma, are a great help for those rushing to comply with GDPR :)



  4. Thanks John,

    Actually I had also posted this in the WP Tavern’s other post from the beta days, nevertheless…

    I don’t think the core would ever want to hear from me as I lost my temper several months ago and called them out on their lies, propaganda, their attitudes, and basically called them communists, or at least practicing “software communism”, in a Gutenberg review.

    I’m since then placed on their “terrorist – shoot on site” list, and all my postings are moderated. It takes me 3 days to thank someone, or give a 5 star review for a plugin. Typical, they don’t like your speech, they shut you down. It’s laughable actually more than surprising!

    Thanks again John…



  5. two things:

    1) site.invalid

    Can’t you just edit the .php file and put whatever you want?

    I don’t like it when people put their URL, in fact, I have been thinking of removing that option (haven’t implemented it yet). It tends to lead to spam.

    2) Privacy – all my own sites have had a privacy, disclosure, cookies and comments page starting 2007. Any new sites got those pages automatically.

    Can’t people just use the contact page on any of my sites to ask me to delete all the data?



  6. I would be surprised if Google bothered following those links, since the .invalid TLD is reserved and specified as such in RFC-2606:

    “.invalid” is intended for use in online construction of domain names that are sure to be invalid and which it is obvious at a glance are invalid.

    So the whole point is that a person can look at it and go, “well, duh, that’s not a real link, why would I click on that?” If Google hasn’t taught their search bots to be clever enough to avoid those, I’m sure they will soon.

    At any rate, I haven’t had a chance to try the new tools, but they looked very promising, and the privacy policy template was a very nice touch.



    1. Interesting, learned something new. In that case I actually like the idea of setting it to that as it indicates there once was something, but it is now invalid.



  7. A little late but we’re glad that WordPress core is EU GDPR-compliant.

    Cheers!



    1. It is not EU GDPR-compliant, not at all, sorry. Core-content in backend available to all user roles including subscriber is hosted on third party servers without information and/or consent. User IPs are stored in database without notice, just look for session_token. User IPs are stored for comments. User email is used in filename for GDPR data export. Exported meta fields from user profile are hardcoded, export will be incomplete in most cases. And there are a lot of bugs like privacy policy page can not be edited by editors, your clients need full admin access to edit that page now, good luck with that.



      1. And to be fully 100% GDPR compliant it all has to be opt-in by default. Those cookie banners that say ‘we use cookies’ are supposed to say ‘do you give us permission to set cookies?’

        I have been saying this^ for at least a year, 6-9 months publicly, and few are yet ready to realise or accept the full implications of GDPR. It is impossible to have a web presence and be 100% GDPR compliant without also being 100% in control of the data flow and data storage. Very few website owners/managers have that level of control. For this reason one can only advise people to be as compliant as they can be. The Internet will catch up eventually.

        GDPR can be interpreted in 2 ways, at least. It will be left to the courts to decide how GDPR holds up and is applied.



  8. The email sent to our customers has “Howdy,” as its salutation. And I don’t see any template to change that. We would NEVER ever address our beloved customers with “Howdy”. So disrespectful.



    1. There are filters in the user.php file that you can use to change the text.



  9. My site has been updated to the latest version but I haven’t had a chance to play with the new “feature”. So if someone left a comment on my site with URL entered by themselves, and later on they could request to have the URL removed? I am not very up to speed about the GDPR stuff.



    1. No, you can’t. And you have to be admin to be able to edit the policy page once it is set as such. Which is a total fail, as every sane person will only provide (maybe slightly enhanced) editor role accounts to clients, so they can’t break stuff by accident.



  10. It’s by no means a huge deal, but I’m just curious. Is anyone else experiencing no auto-update to 4.9.6 and wondering what’s going on?

    I got this on all my sites and others on different hosts.

    Cheers



    1. I noticed this on a WordPress site I help maintain. I was wondering why it had not updated to 4.9.6 and I had to trigger it manually. Thinking it had something to do with the webhost.



      1. So far, none of the sites that I manage have auto-updated yet… Not sure why that is happening… But, I wasn’t quite ready to update yet anyway…



      2. None of the sites I manage auto-updated. Multiple unrelated hosts used.



      3. I’ve discovered why sites didn’t update and will publish an article later today with an explanation.



  11. I’m confused about WordPress comments. A user has to input their email address and name, but doesn’t GDPR require people to let them know how that data will be used? Honestly I couldn’t even tell you how it’s used! I don’t even know why WP comments need an email address because by default there’s no way to receive emails for follow up comments unless you’re using a plugin. Even right here on this blog I would say this very form I’m filling out isn’t compliant with GDPR.

    Any thoughts?



    1. The email address is used to pull the gravatar images associated with the address.



    2. That is why you should have a privacy policy so that users can read about the data you require, how you use the data and so on. WP has added a checkbox that allows saving personal data in a cookie.

      It would be nice to have the Privacy Policy linked automatically in the comment form above the submit button.



  12. Like most things related to the WordPress team- The REST API, Gutenberg, now GDPR- Something that is functional and works for most people is held up by agencies and so-called developers.

    Despite excellent documentation in Github and what a basic understanding of React would give you we are forestalling WordPress for the masses (Gutenberg).

    Despite the reality of doing business in the EU we are saying businesses don’t have to comply with GDPR.

    There is always going to be a use case where a workflow or technology does not work on version Zero.

    At some point you have to push the update or people are going to keep using bad technology.

    Small businesses and NGOs are going to use and need blocks.

    I got a $3000 order today from a German company that appreciated we are compliant with GDPR.

    We’re compliant thanks to the core team.

    Like I say to most people who can’t figure out how to connect the printer to their computer – Disconnect your head from your ass, it works better.



    1. Like I say to most people who can’t figure out how to connect the printer to their computer

      Who needs a printer?

