Guide

Apply the DPDP Rules 2025 to a WordPress site — step by step

WordPress runs around a third of Indian SMB websites. Most of them are not DPDP-ready out of the box — the default plugins, themes and form builders all leak cookies and PII. Here is the exact plugin stack and configuration that gets a typical Indian WP site to a defensible posture.

05 Jun 2026 · 9 min read

WordPress sites typically fail four DPDP checks straight out of the box: trackers fire before consent (Jetpack, Yoast, theme analytics), Contact Form 7 / WPForms collect data without an itemised notice, Akismet sends commenter IPs to Automattic without disclosure, and there's no withdraw flow because the site never asked for consent in the first place. The fix is a four-plugin stack you can ship in an afternoon.

**1. Banner — Complianz, CookieYes, or the checkDPDP embed.** Complianz is the most popular India-aware WP banner (free tier covers DPDP). CookieYes is its biggest Indian-built competitor. Or paste the checkDPDP banner-builder script just before `</body>` in your theme's `footer.php` and skip the plugin overhead entirely. Whichever you pick, set the Accept and Reject buttons to identical styling, default non-essential to OFF, and add a persistent 'Manage cookies' link to your footer widget area.

**2. WP Consent API.** Install the 'WP Consent API' plugin from the official repo. This gives other plugins a standardised way to read consent state — Complianz, Jetpack, Yoast and Rank Math all respect it. Without it, your banner is decorative and trackers keep firing regardless of user choice.

**3. Privacy notice — Iubenda or self-written.** WordPress's built-in privacy generator (Settings → Privacy → Generate) gives you a starting page, but it's GDPR-flavoured and missing the DPDP itemisation. Run it, then rewrite each section using our consent-notice template, naming a Grievance Officer with a real email.

**4. Form hardening.** For Contact Form 7 / WPForms / Gravity Forms / Fluent Forms: (a) add a tick-box at the bottom of every form linking to the privacy notice with copy that names the specific purposes — required for Section 5; (b) configure honeypot or reCAPTCHA so spam complaints don't trigger an unwanted DPDP entry; (c) audit every plugin's 'send to third-party' integration (Mailchimp, HubSpot, Zapier) and document each in your processor inventory.

**5. Theme cleanup.** Many free WP themes include analytics / font CDNs / live-chat that load on every page. Open your theme's `footer.php` and `header.php` and grep for 'google-analytics', 'googletagmanager', 'gstatic', 'connect.facebook.net', 'hotjar', 'crisp', 'tawk'. Move each behind your CMP's `consentReady` callback so they only load after consent.
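The grep pass from step 5 as a repeatable audit script. This is an added example, not checkDPDP's or any plugin's own code; the function names `scan_theme` and `make_sample_theme` and the two sample theme files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit theme PHP files for the loaders named in step 5.
# Substrings come from the guide; matches are candidates for review,
# since short ones such as 'crisp' can also hit unrelated text.
TRACKER_PATTERNS='google-analytics googletagmanager gstatic connect.facebook.net hotjar crisp tawk'

# scan_theme DIR: print "file:line:pattern" for every hit in *.php under DIR.
# Returns 0 when clean, 1 when anything matched, 2 when DIR is not a directory.
scan_theme() {
  dir=$1
  [ -d "$dir" ] || { echo "scan_theme: not a directory: $dir" >&2; return 2; }
  rc=0
  for pat in $TRACKER_PATTERNS; do
    # -F: fixed string (dots are literal); -i: ignore case; -n: line numbers.
    # /dev/null forces grep to print the file name even for a single file.
    hits=$(find "$dir" -type f -name '*.php' \
             -exec grep -niF -e "$pat" /dev/null {} + | cut -d: -f1,2) || true
    [ -n "$hits" ] || continue
    rc=1
    printf '%s\n' "$hits" | sed "s|\$|:$pat|"
  done
  return "$rc"
}

# make_sample_theme: write a constructed two-file theme to a temp dir, print its path.
make_sample_theme() {
  d=$(mktemp -d) || return 2
  cat > "$d/header.php" <<'EOF'
<head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<?php wp_head(); ?>
</head>
EOF
  cat > "$d/footer.php" <<'EOF'
<?php wp_footer(); ?>
<script src="https://embed.tawk.to/EXAMPLE/default"></script>
</body>
EOF
  printf '%s\n' "$d"
}

# With no argument, scan the constructed sample; otherwise scan the given theme directory.
scan_theme "${1:-$(make_sample_theme)}" || echo "review each hit and load it only after consent" >&2
```

Pass the theme directory as the first argument to audit a real theme. Scripts that plugins add through `wp_head()` and `wp_footer()` do not appear in theme files, so this covers only the theme-side part of step 5.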

After this stack: re-run the checkDPDP scanner. Most Indian WordPress SMB sites jump from low-50s to mid-80s on the compliance score, which is the band where the Data Protection Board treats you as a cooperative Data Fiduciary rather than a wilful one.

Note. Guidance, not legal advice. For specific compliance decisions, please consult a qualified data-protection lawyer.
