• When attempting to use the GDPR enhancements such as Export Personal Data & Erase Personal Data in WordPress 4.9.6, they create more issues than they address. It seems to have good intent but seems to have been rushed into implementation.

    1. These tools are only accessible by the supersite admin, good practice should limit the use of this account. These functions should also be available to a lower level authority such as Editor or you may need a new level called Data Administrator.

    2. When as the site admin, you select a user for Export personal data, this generates a default email. There needs to be greater control over this email. For example you need to be able to configure:
    – Specify if you want an email to be generated Y/N
    – Specify the sender address (default is wordpress@site).
    – Customise the email generated.
    – Customise link generated

    3. When the email is received by the baffled user (GDPR requestor), it contains a link to a website and no instructions of what to do. Some of this could be helped by configuration flexibility as identified above.

    4. When clicking on the link in the GDPR requestor email, the user is then forced to log in to WordPress. Then when logging in, nothing seems to occur and the requestor state on the admin account stays at Pending state.

    5. There is no way to explicitly delete the request if one was made in error (until the request times out).

    6. There is no way to resend the request if it were lost in transit or if there were other issues (until the request times out).

    7. Also if you use tools like All in One WP Security with brute force login, the admin address for WordPress is exposed in the associated email.

    Beyond these issues – There is no way for a user of the site to request or access this functionality; this would require a user contacting the person responsible for the WordPress site and requesting the data via email. Then the site administrator would have to act on that email and then generate a request in WordPress, which then sends another email to the requestor.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter lifeforceinst

    (@lifeforceinst)

    Additional review and test on other WordPress platform (including those with default theme and no plugins)

    • After clicking on the send request button sometimes you receive a message link expired.
    • The email was sent from wordpress@sitename, this should be configurable.
    • There is no means to change the email body unless you use filters, this should be available through setting options.
    • The confirmation emails expose the WordPress admin login URI, which is detrimental for security reasons.
    • Due to the use of admin URI, the confirmation email links will often fail when used with various security plugins, especially if those plugins hide the WordPress admin login. The confirmation emails should not use a wp-admin URI.
    • When attempting to download the personal data (either as admin or via the customer's email), WordPress returns an error being unable to download the zip file. This occurs even with the default theme active, no plugins operational and all .htaccess files removed.
    * The functionality should provide the ability to send the zip file as an attachment to the customer when the send email button is pressed.

    In addition to the above mentioned issues I would like to request the following features:

    • On the login page: Like the Data Privacy Link that was added with 4.9.6, a link to the Impressum should also be available on the login page.
    • The standard contact form has first name and last name as mandatory fields. These must not be mandatory. I would be happy, if this can be customized so WP users outside EU can keep this mandatory.

    Thanks a lot for your help. I really appreciate all that has been done because of this regulation.

    Regards,
    Sven

    Could I also add that the ability to brand the emails is essential to enable recipients to affirm the authenticity of the sender and not mark it as spam.

    • This reply was modified 6 years, 6 months ago by Renners.
  • The topic ‘GDPR Functions 4.9.6 need improvements’ is closed to new replies.