New Privacy Features in WordPress 4.9.6 for GDPR Compliance

With the EU’s GDPR deadline looming large in everyone’s mind, WordPress has released Version 4.9.6, which includes several new privacy-related features to help WordPress site owners comply with GDPR regulations. Here’s a rundown of the new features:

Comments


WordPress has always had the ability for users to leave comments (assuming that the site allows for it), and the ability for them to leave their information (name and email address) behind so that the site owners can contact them.

Previously, WordPress stored this information in a cookie in the commenter’s browser automatically. Now there is a checkbox the user must tick to opt in, so the cookie is not stored unless the user consents to it.

Privacy Policy

WordPress now includes the ability to designate a page on your site as your Privacy Policy, which it will then include on your login and registration pages. However, it will not include it anywhere on the other pages of your site, so you’ll want to add a link to it somewhere, most likely in the footer of your website.

More importantly, it includes the ability to generate a template Privacy Policy that includes information about how WordPress uses cookies and stores information natively, and includes some empty sections that you can fill in yourself, as a starter template. We’ve created a version of this so you can see what this looks like here.

WordPress has also created a section of their plugin developer handbook that deals with privacy. They’ve added methods for plugin developers to add content to the Privacy Policy page to inform users of how their specific plugins collect and use information.

Data Handling Tools

In addition to the tools WordPress has added to inform users about privacy concerns, they’ve added tools for site owners to manage user data to comply with GDPR regulations. This includes two separate tools: Data Export and Data Erasure.

The Data Export tool allows site owners to export all of the data about a specific user by entering their email address into the admin interface in WordPress. When the site owner or manager does this, it will send the user an email confirming their request. Once they’ve confirmed the request, administrators can go back to this interface to send the user their data. You can also see past requests, and remove them if you’d like to do so. In the WordPress interface, you can find this tool in the left navigation menu as Tools » Export Personal Data.

The Data Erasure tool works in a similar fashion to the Data Export tool, where an administrator inputs an email address and an email is sent to the user. Once it’s confirmed, the administrator can then use the interface to erase all data about the user. You can find this tool in the left navigation as Tools » Erase Personal Data.

It’s very important to note that these tools will only affect core WordPress data unless plugins are updated to use the WordPress tools that export or erase personal data. Typically plugins update quickly, but as the owner of the website and data controller, it is your responsibility to make sure the plugins aren’t retaining data that isn’t being handled by this tool.
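As an added example (not code from the original post or from WordPress core), here is how a plugin can hook into the Privacy Policy template described above and register itself with the export and erasure tools, so that its own data is covered when a site owner runs them. The plugin, its option name and its functions are hypothetical; the hooks and the return shapes are the ones WordPress 4.9.6 introduced.

```php
<?php
// Added example, not from the original post or from WordPress core: a hypothetical plugin
// that keeps a newsletter opt-in per email address in the option "example_optins".
// Describe this plugin's data handling in the generated Privacy Policy template.
add_action( 'admin_init', function () {
    wp_add_privacy_policy_content( 'Example Opt-in Plugin',
        '<p>We store your email address and newsletter preference when you opt in.</p>' );
} );
// Exporter: run by Tools » Export Personal Data once the user has confirmed the request.
add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
    $exporters['example-optins'] = array( 'exporter_friendly_name' => 'Example Opt-in Plugin',
                                          'callback' => 'example_optin_exporter' );
    return $exporters;
} );

function example_optin_exporter( $email_address, $page = 1 ) {
    $optins = get_option( 'example_optins', array() );
    $export = array();
    if ( isset( $optins[ $email_address ] ) ) {
        $export[] = array(
            'group_id'    => 'example-optins',
            'group_label' => 'Newsletter Opt-ins',
            'item_id'     => 'optin-' . md5( $email_address ),
            'data'        => array(
                array( 'name' => 'Email',    'value' => $email_address ),
                array( 'name' => 'Opted in', 'value' => $optins[ $email_address ] ? 'yes' : 'no' ),
            ),
        );
    }
    return array( 'data' => $export, 'done' => true ); // 'done' => true: no further pages
}

// Eraser: run by Tools » Erase Personal Data once the user has confirmed the request.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['example-optins'] = array( 'eraser_friendly_name' => 'Example Opt-in Plugin',
                                        'callback' => 'example_optin_eraser' );
    return $erasers;
} );
function example_optin_eraser( $email_address, $page = 1 ) {
    $optins  = get_option( 'example_optins', array() );
    $removed = isset( $optins[ $email_address ] );
    if ( $removed ) {
        unset( $optins[ $email_address ] );
        update_option( 'example_optins', $optins );
    }
    return array( 'items_removed' => $removed, 'items_retained' => false,
                  'messages' => array(), 'done' => true );
}
```

A plugin that stores personal data but registers neither an exporter nor an eraser is exactly the case the paragraph above warns about: core's tools will report a complete export or erasure while that plugin's data stays behind.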

Summary

Overall, WordPress has included some very useful tools for both site owners and developers to help with the management of their GDPR burden. However, like anything GDPR-related, it’s going to take some extra effort to make sure you’re utilizing them to fully comply with new regulations.

Maria Lima

Manager of Special Projects

Phishing: How They Almost Got Me This Time

Cybercriminals are getting better…and a lot more sneaky.

Face it, I’m totally paranoid. I keep all my logins in a password manager. I use two-factor authentication wherever it’s available. And yet…

I totally almost fell for a phishing attempt a few days ago. At first, second and third views of this email, it seemed totally legit that it came from Apple support.

[Screenshot of the phishing email]

My first reaction was wracking my brain to remember when the last time I did any telephone support at Apple. The fact that I could not remember anything more recent than a year or so ago raised red flags.

So instead of taking the “survey,” I Googled and discovered that this was probably phishing. I forwarded the email to Apple’s reportphishing account.

Why this was such a good attempt:

  • Apple branding was on point
  • All the links at the bottom of the email seemed to be right

The sneaky thing that I should’ve checked right away: Hovering over the Survey Link showed that the URL went to c.apple.com. When I checked that domain name against WhoIs I found that it’s registered to a company called capple.com. So, yeah, not Apple.

Moral of the story: It might actually look real – no misspellings, no weird graphics. Be aware and be careful!

Maria Lima

Manager of Special Projects

Doing the Two-Step…Verification, that is

Have you seen those commercials about identity theft – you know, the ones where a petite woman is shopping, but in reality, it’s some bruiser of a guy who’s stolen her identity. Funny, right? Only, not really.

In today’s online world, keeping yourself safe isn’t as easy as having passwords to your accounts. Sure, you can use password management software (LastPass, 1Password, etc.) and have a unique, complicated password for each website, but is that enough?

Not anymore.

Passwords are only the first step in keeping that gate closed. They are a single point of failure. If someone can guess (or get access to) your password, then Burly Guy is now pretending to be you and going on a shopping spree at Best Buy.

What do you do?

As with guarding your car against thieves, you want to have double protection. You lock your car and have an anti-theft system, right? To achieve this online, you should adopt two-step verification (sometimes called two-factor authentication or 2FA). It’s a much more secure solution than passwords alone.

A good example of this is your ATM card – you have the card (1 step) and you have a PIN (2nd step). If you lose your card, unless you wrote the PIN on the card itself, it’s highly unlikely that someone can use the card to withdraw cash.

That’s the point of 2FA – make it harder for potential online thieves to access your accounts.

Using Two-Step Verification

Setting up 2FA is done individually for each account and many online services offer it as a matter of course. Google, Twitter, Facebook and more are prime examples. These are all high-level targets of cyber thieves.

To set up two-step verification, simply follow the directions provided by your online service. Usually, it’s as simple as providing a mobile phone number. The service then uses your phone to text you when you log in. They’ll send a text message with a unique code (usually a string of numbers), which you then enter after logging in. Simple, right?

So, what are you waiting for? Go on, log in to your accounts and set it up. It’s an easy way to throw up another barrier to cyber criminals.

For more information:

Two-factor authentication: What you need to know (FAQ)
Here’s Everywhere You Should Enable Two-Factor Authentication Right Now

Rich Frangiamore

Systems Admin

Pro Tip: Security is great, but make sure you’re not locked out

Recently, I changed my mobile number to try and alleviate phone spam. Luckily, since I use Google Voice, I have the freedom to do this. Unfortunately, I completely forgot about one thing… my Twitter “Login Verification” was set to text to the old number. (This was the case because they have trouble sending SMS to GV numbers.)

D’oh.

So, once my number changed, I came to the sick realization that I’d lost the ability to log in to my Twitter account. It took 3+ weeks to get @support to reply to my ticket. For a while, I thought my account was lost forever. Luckily, I still had a couple of clients which were pre-authorized (Plume on my Nexus 4 and MetroTwit on my W8 desktop). This was enough to verify the ownership of my account, and I’m almost back in business.

Lesson here:
Always, always, keep a key under the rock. The key in this case is what they call “backup codes”. I *thought* I saved this in LastPass, but could not find it when I needed it.

Google’s 2-factor authentication generates a set of backup codes, numbered 1 to 10. If you lose access to Google Authenticator, you type in one of these codes when prompted. Other services, like Facebook, have a similar method which requires the mobile app.

The secret? Store your emergency backup codes in an account that does NOT depend on any other services to get in. Get an Outlook.com or other account which has a simple login, and use it for nothing but storing your rock-keys. You’ll thank yourself when you need it.

What are your favorite tricks for keeping track of backup codes and other important login info?

Sarah Jedrey

Marketing Coordinator / Video Editor

Prove you’re a human! With games!

One of my jobs is to track down interesting, pertinent articles and reduce them – and their URLs – to Twitter-friendly lengths. To get those links short, I use Ow.ly.

Full disclosure: I chose it because it was easy to remember and, at the time, had the fewest number of steps and sign-ins to go through. Lazy? Yes. I’m human.

But I recently went through my URL-shortening routine and discovered that the normal CAPTCHA – those little boxes of text that look like someone scanned a photocopy of a water-damaged book printed in the 1630s – wasn’t there! Instead, you just have to click “Shrink it!”

What pops up then is an interesting intersection of gamification, tech security, and a possible accessibility nightmare. A randomized, simple game shows up in which you drag the appropriate animated image to a predetermined spot. “Make lemonade”, the game requests, and if you drag the lemon and the ice – but not the basketball – to the pitcher, you have proven you’re a human. Your reward is the shortened URL.

Now, I’m not a big CAPTCHA hater. I’m quite good at deciphering the blurry letters and the s that looks like an f – again, text from the 1600s – and it never is unduly time-consuming for me to use the traditional CAPTCHA. However, if I remember correctly, computers are getting better at making the same distinctions I find so simple, and security folks have been scrambling for a good way for humans to prove their humanity without enraging every one of them. So I see why they upgraded their methods and made sure those upgrades were in a game form.

Matrix staffers tried it out, and most were conservatively positive about it. Oh, one person didn’t mind, and another loathed it, but most saw that this new method could be effective with a few tweaks. I’m mainly concerned about accessibility; there is an accessibility icon a user may click to get a different task, but since I’m able-bodied, I don’t think I’m in a position to judge.

You should go try it out.

Tell us what you think about Ow.ly’s replacing CAPTCHA with its new game.