Personal data in WordPress

According to the European privacy regulation (GDPR), personal data is any information relating to an identified or identifiable natural person.

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Personal data is also called Personally Identifiable Information (PII). It takes more forms than most people intuitively expect, because a natural person can be identified via many paths. So when it comes to anonymization, you need to include all data that may be considered PII.

WordPress stores personal data by default. Many plugins add PII to the database as well, using different formats.

Default personal data in WordPress:

  • Username
    john.doe
  • Person name
    John Doe
  • Nickname
    Sporty John
  • Email address
    john.doe@internetmanagers.nl
  • Personal website
    https://johndoe.internetmanagers.nl
  • IP address of comment posters
    45.82.191.174
  • User Agent of comment posters, which is an identification of the browser of the user.
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

Plugins add all kinds of personal data on top of this. Sometimes a plugin stores it by default; sometimes it is up to the website owner what is processed and stored.

Form plugins

Plugins to create and publish forms on a website are very common. These plugins usually handle form submissions by forwarding the form entry to an email address. In addition, the submissions are usually stored in the WordPress database. Form entries are likely to contain personal data.

The following table lists the most common form plugins.

| Form plugin | How data is stored | Tables used |
| --- | --- | --- |
| Fluent Forms | Stores form submissions in a dedicated table and a metadata table | fluentform_submissions, fluentform_entry_details |
| Gravity Forms | Stores form submissions in a dedicated table and a metadata table | gf_entry, gf_entry_meta |
| Forminator | Stores form submissions in a dedicated table and a metadata table | wp_frmt_form_entry, wp_frmt_form_entry_meta |
| CF7 with Flamingo | Stores submissions as posts combined with serialized arrays | posts, post_meta |
| Ninja Forms | Stores submissions as posts | posts, post_meta |
| Formidable | Stores form submissions in a dedicated table and a metadata table combined with serialized arrays | wp_frm_items, wp_frm_item_metas |

Form plugins and data
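
Several of the plugins above keep entries as PHP serialized arrays, where every string carries a byte-length prefix, so a plain search-and-replace that changes a value's length corrupts the entry. The following sketch is an added example, not code from the original page or from any of the plugins: it replaces email addresses inside a serialized value and rewrites the length prefixes. The function names, the `example.invalid` placeholder scheme and the sample entry are assumptions constructed for illustration, and other PII such as names still needs field-aware handling.

```python
import re

STR_HEAD = re.compile(rb's:(\d+):"')          # start of a PHP string token
EMAIL = re.compile(rb'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')


def php_str(value: bytes) -> bytes:
    """Serialize one PHP string; the prefix is the length in bytes."""
    return b's:%d:"%s";' % (len(value), value)


def anonymize_serialized(blob: bytes, mapping: dict) -> bytes:
    """Replace email addresses inside a PHP-serialized value and
    rewrite each string's length prefix so unserialize() still works."""
    def fake(match):
        # Same input address -> same placeholder within one run.
        return mapping.setdefault(
            match.group(0), b"user%d@example.invalid" % (len(mapping) + 1))

    out, i = bytearray(), 0
    while i < len(blob):
        head = STR_HEAD.match(blob, i)
        if head is None:               # array/int/bool syntax: copy as-is
            out.append(blob[i])
            i += 1
            continue
        start = head.end()
        end = start + int(head.group(1))
        if blob[end:end + 2] != b'";':
            raise ValueError("length prefix does not match data at byte %d" % i)
        out += php_str(EMAIL.sub(fake, blob[start:end]))
        i = end + 2
    return bytes(out)


# Constructed sample of a form entry stored as a serialized array.
SAMPLE = (b'a:2:{' + php_str(b'your-email')
          + php_str(b'john.doe@internetmanagers.nl')
          + php_str(b'your-name') + php_str(b'John Doe') + b'}')

if __name__ == "__main__":
    print(anonymize_serialized(SAMPLE, {}).decode())
    # A plain search-and-replace leaves s:28 in front of a 21-byte string.
    naive = SAMPLE.replace(b'john.doe@internetmanagers.nl',
                           b'user1@example.invalid')
    try:
        anonymize_serialized(naive, {})
    except ValueError as err:
        print("naive replace corrupts the entry:", err)
```
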

Other plugins

Other plugins also store personal data. Two common ones are WooCommerce and ProfilePress.

| Plugin | How data is stored | Tables used |
| --- | --- | --- |
| WooCommerce | Stores customer data in the standard WordPress tables users and usermeta | users, usermeta |
| ProfilePress | Stores additional user data in the standard WordPress table usermeta | usermeta |

Personal data stored by WooCommerce and ProfilePress

Summary

Personal data (PII) is defined by law. Any WordPress database contains at least some personal data. If you use a form, profile or ecommerce plugin, it is likely that additional Personally Identifiable Information is stored. To anonymize a WordPress database, you need to handle all of this data.
