Is WP Ghost GDPR Compliant?
Yes. WP Ghost’s core security features (path changes, firewall, security headers, version hiding) don’t collect or store any personal data. The features that do collect data (brute force protection, Events Log, cloud storage) are all optional and configurable, and WP Ghost provides clear controls over what data is collected, where it’s stored, and when it’s deleted. Here’s the full breakdown.
Which WP Ghost Features Collect Personal Data?
Most of WP Ghost’s features don’t collect or store any personal data at all. Path changes, the 7G/8G firewall, security headers, disable options, Text and URL Mapping, and all hiding features work by modifying server configuration and HTML output. They don’t record visitor information.
The features that do collect data are:
Brute Force Protection records IP addresses of visitors who trigger login limits. This is necessary to block repeated failed login attempts and is a legitimate security interest under GDPR Article 6(1)(f).
User Events Log (Premium) records usernames, IP addresses, and actions of logged-in users on your dashboard. This data is stored locally in your WordPress database with configurable retention. If you enable cloud storage, a copy is sent to the WP Ghost Dashboard and automatically deleted after 30 days.
Security Threats Log records IP addresses, country of origin, and attack details for blocked malicious requests.
Plugin Activation collects your email address when you activate the plugin license. You can skip this step entirely and the plugin works without activation (you just won’t have access to the cloud dashboard, security reports, or cloud storage).
How Do I Use WP Ghost Without Collecting Any Visitor Data?
If you need zero data collection from your site visitors, disable brute force protection and leave the Events Log and cloud storage off. With those features disabled, WP Ghost doesn’t record, store, or transmit any personal data about your visitors. You still get all path security features, the full firewall, security headers, 2FA, all hiding and mapping features, and every disable option. The vast majority of WP Ghost’s 115+ free features work without collecting any data.
What Happens to Data That Is Collected?
When data-collecting features are enabled:
Local storage: Events Log data is stored in a dedicated WordPress database table (_hmwp_logs) on your own server. Retention period is configurable. If you uninstall the plugin, local logs are removed.
Cloud storage: If you turn on the "Enable Cloud Storage for Events Log" option, a copy of events is sent to the WP Ghost Dashboard. Cloud data is automatically deleted after 30 days. It’s not shared with third parties and not used for marketing. All payments are handled by Paddle.com, and WP Ghost does not store billing or payment details.
A notification is displayed in the WP Ghost sidebar whenever cloud storage is active, ensuring transparency for site administrators.
For the complete privacy policy details, see the WP Ghost GDPR compliance page.
Frequently Asked Questions
Do I need to add WP Ghost to my site’s privacy policy?
If you have brute force protection or the Events Log enabled, yes. Inform your users that IP addresses and login activity are logged for security purposes. If you’ve disabled all data-collecting features, WP Ghost doesn’t collect visitor data and doesn’t need to be mentioned in your privacy policy.
Does WP Ghost use cookies?
WP Ghost itself doesn’t set tracking cookies on visitors. If you use Google reCAPTCHA for brute force protection, Google’s reCAPTCHA service may set its own cookies. If this is a concern for your GDPR compliance, use Math reCAPTCHA instead, which is built into WP Ghost and doesn’t use any external service or cookies.
Can I use WP Ghost on EU-based sites?
Yes. WP Ghost provides the controls needed for GDPR compliance: configurable data retention, opt-in data collection features, 30-day auto-deletion for cloud data, no third-party data sharing, and the ability to run with zero visitor data collection. You decide which features to enable based on your compliance requirements.
Does WP Ghost modify WordPress core files?
No. WP Ghost uses server rewrite rules and WordPress filters to change paths and block threats at runtime. No core files, theme files, or plugin files are modified. Deactivating WP Ghost restores all defaults instantly.