• Resolved fpwordpress

    (@flaviowordpress)


    Hello, I am checking on your gdpr-wp.com website:

    On a first visit to gdpr-wp.com (with cookies cleared in browser) the following Google Analytics cookies are released before my “OK”: _ga, _gat, _gid
    Why aren’t they blocked? Is it just your decision to use Analytics anonymized or something else?

    Then I press I Accept and the same cookies are released again, as double, although with different values.

    Finally I visit the Privacy page and in the bottom of the page I click on Privacy preferences and in the Performance tab Google Analytics cookies are described but the switch is on the OFF position. If I save another set of _ga, _gat and _gid is injected in my browser (the third one). If I save after dragging the switch to the right in the active position, another _gat is generated (the fourth one).

    And in this process I have not been capable of deleting cookies from my browser in the Privacy preferences.

    It would be interesting if you could help us follow your reasoning in this process.

    Thank you!

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Fernando Claussen

    (@fclaussen)

    Hi @flaviowordpress,

    We are not blocking GA because we are anonymizing it. My colleague who takes care of the site made the switch to anonymized data but forgot to change the cookies to being required and the text to explain that the data being transmitted is anonymized. Thanks to your topic I alerted him of that and he will proceed with the changes.

    However, even before his changes, I could not replicate what you described. When I pressed I agree, it refreshed the page but no duplicates were set.

    Anyway, this configuration on our site will change soon.

    I follow this topic as I am looking for the same answers.
    I did find this:
    https://gdpr-wp.com/knowledge-base/enabling-or-disabling-functionality-based-on-consent-and-cookies/

    If I understand correctly, this means we have to add all these PHP functions into our child theme’s functions.php?

    That is not very ( non coder friendly )?
    I wonder if this can be done easier, like by adding the scripts into the plugins settings itself and let all scripts be blocked until user gives consent?

    Annie

    Plugin Author Fernando Claussen

    (@fclaussen)

    It is not non-coder friendly for a good reason. I understand that most folks don’t know how to code, but unfortunately, there is no way to automatically block cookies and having users adding scripts into the plugin and saving to the database is a security risk that I’m not willing to expose users to.

    The way I see it, you can follow the documentation (it is not much, I know, but I’m doing the best I can) and try to make sense of it or you can hire a developer to implement this for you.

    We at Trew Knowledge would be happy to help if you want to purchase premium support. You can email [email protected] and a TK representative will be in touch with you and give you a quote.

    Hello Fernando,

    Thanks for answering!
    First of all, sorry if my comment came across as critique, that was not my intent.

    I could in fact add this to my child theme, but I think lots of users won’t, or are not familiar with it. And yet, if their scripts are not blocked by default, the users will still be registered by the first hit on the site and not giving consent will be too late according to the GDPR?

    I appreciate your work and am well aware of all the challenges that probably come with it.

    The “Cookie Notice” plugin gives the users of their plugin the option to add all the scripts into a blocking field. I tested it and it indeed blocks all scripts from registering until the visitor hits “I agree” button.

    Unfortunately that plugin does not offer data for the admin to be able to have proof the user gave consent and user can not change settings like in your plugin.

    So, you think that would cause a security risk?
    Those scripts are already in database ( if I am not mistaken ) they are just blocked until consent is given. I suppose that is what your plugin will do too, only here we need to add code ourselves to functions.php?

    Annie

    • This reply was modified 6 years, 10 months ago by LogoLogics.
    Plugin Author Fernando Claussen

    (@fclaussen)

    Hi @logologics,
    Don’t worry. I did not take it as critique.

    Yes, having cookies or features set before consent is explicitly given is not enough.

    I can’t say for this plugin, but as far as I know, saving scripts like this is considered a bad practice and a security risk. https://vip.wordpress.com/documentation/code-review-what-we-look-for/#arbitrary-javascript-and-css-stored-in-options-or-meta

    Doing that would certainly make all our lives much easier.

    Hi Fernando,

    Glad to hear that!

    Well actually, let’s say the Google Analytics script.
    Normally we add this using a plugin ( or manually ).

    In that plugin is the option to add the script that will trigger the Analytics tracking.
    In case of this plugin ( Cookie notice ) it takes the place of that plugin.

    That previous plugin, like for example MonsterInsights, had a similar option to add the script, without having to touch code. It actually always shows when looking at a source code too.
    It only reveals the script and its GA code, which is pretty much useless without actual access to that specific Google account.

    When one uses the blocking feature of Cookie Notice, that other plugin is no longer needed. Now the analytics script ONLY needs to be placed in Cookie Notice to be blocked by default UNTIL a user gives explicit consent, as it must happen under the GDPR.

    I am not a coder, so I might miss something here, but so far I can not see any extra security risk in that? Even when we use your plugin, that analytics script will be added one way or another and will show up in source code and database?

    The only difference I see ( as far as I get the whole idea ) is that Cookie notice has this covered and here we need to accomplish the same ( blocking the script until a user hits “ok” ) by adding code into a child theme’s functions.php.

    Thanks for your input,
    Annie

    Plugin Author Fernando Claussen

    (@fclaussen)

    Hi Annie,

    I’m not familiar with those plugins, but if they only ask for your UA code, that is fine. If you input your entire code there and save to the database, that is a potential security risk as stated in the WordPress VIP documentation.

    It is a potential risk. I would be opening an opportunity for something bad to happen to your server. I could predict some common services like GA, doubleclick, facebook pixel and so on, but that list would easily grow and become hard to maintain.

    The major difference between what I do and what the ones you mention do is that I do not open a way for scripts to be saved to the database. For single site installs, that would not be so bad because it’s your site, but on Multi Sites that could cause a lot of problems since a lot of stuff is shared.

    While writing this, I consulted with one of the WordPress lead developers to verify my information and as expected, it was confirmed.
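
The distinction drawn in the reply above (storing only a tracking ID versus storing a whole script in the database), as an added example that is not part of the thread and is not the GDPR plugin's code. The option name, the function names and the `example_has_analytics_consent` filter are hypothetical; the WordPress functions used are core APIs.

```php
<?php
// Added example. Only a validated tracking ID is ever stored; the <script>
// markup is a fixed template in code, so nothing an admin (or an attacker who
// can write to wp_options) saves is echoed into the page as JavaScript.
// Risky pattern this replaces: echo get_option( 'tracking_script' );

const EXAMPLE_GA_OPTION = 'example_ga_tracking_id'; // hypothetical option name

/** Accept only a well-formed tracking ID; anything else is stored as ''. */
function example_sanitize_ga_id( $value ) {
    $value = strtoupper( trim( (string) $value ) );
    // UA-XXXXXX-Y (Universal Analytics) or G-XXXXXXXXXX (GA4).
    return preg_match( '/^(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})$/', $value ) ? $value : '';
}

add_action( 'admin_init', function () {
    // The sanitize callback runs on every write to the option.
    register_setting( 'general', EXAMPLE_GA_OPTION, array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_ga_id',
        'default'           => '',
    ) );
} );

add_action( 'wp_head', function () {
    // Hypothetical filter: the site's consent mechanism returns true only
    // after the visitor has opted in. Default is deny.
    if ( ! apply_filters( 'example_has_analytics_consent', false ) ) {
        return;
    }
    // Re-validate on output in case the row was changed outside the settings API.
    $id = example_sanitize_ga_id( get_option( EXAMPLE_GA_OPTION, '' ) );
    if ( '' === $id ) {
        return;
    }
    printf(
        '<script async src="%s"></script>' . "\n",
        esc_url( 'https://www.googletagmanager.com/gtag/js?id=' . rawurlencode( $id ) )
    );
    printf(
        "<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}gtag('js',new Date());gtag('config','%s',{'anonymize_ip':true});</script>\n",
        esc_js( $id )
    );
} );
```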

    Hi Fernando,

    Thanks for explaining!

    Annie

    Plugin Author Fernando Claussen

    (@fclaussen)

    You are very welcome.

  • The topic ‘Plugin settings on your site gdpr-wp.com’ is closed to new replies.