WPEngine and GDPR
WPEngine & GDPR

Why Germans Don’t Like WPEngine

WPEngine's Data Privacy: An Analysis of GDPR Compliance

WPEngine is currently one of the largest WordPress hosts in the world, with more than 70,000 clients across over 130 countries worldwide. The company’s headquarters are in Austin, Texas.

As a host that specializes in WordPress, WPEngine is the preferred choice among WordPress developers and marketing agencies because the framework includes a range of modern development environments and security features. Additionally, the 24-hour support team consists of trained WordPress experts with developer experience, who are known to have the necessary tools and knowledge to quickly resolve even more complex issues for their clients.

To meet the needs of the highly marketing-focused U.S. market, WPEngine is also known as a web host that adapts to new technologies early and offers corresponding server configurations. In particular, the focus on SEA/SEO and online marketing tools is noteworthy.

The success of the company is largely due to the fact that it primarily targets agencies, service providers, and B2B companies worldwide, rather than direct consumers. This target audience generally wants to offer a WordPress framework while leaving the technical responsibility to WPEngine and performing administration through a simple, secure, and easily understandable interface. The one-click procedures offered for securing, restoring, and managing multiple staging systems make WPEngine extremely attractive to developers and software companies. For example, in Germany, staging systems are rather uncommon, as Germany is still considered somewhat conservative in terms of software development. The open-source movement of the late 90s was only accepted in Germany many years later, and concepts such as Agile/Scrum only became widely known much later. It was only 10 years after WordPress’s big breakthrough that it began to be recognized as a professional CMS in Germany.

In recent years, WPEngine has established itself as a unique player in the U.S., competing with large mass-market providers such as GoDaddy and BlueHost. It has also been able to successfully compete with WordPress.org.

WPEngine currently manages 120,000 brands and employs nearly 900 people worldwide. With current investment of almost US$300 million, the company is one of the largest in the market, with an annual growth rate of nearly 50% and $132 million in revenue per year. The company is currently valued at over 1 billion U.S. Dollars.

WPEngine and GDPR

When it comes to helping with and fulfilling GDPR compliance documents related to GDPR, WPEngine is not well-liked especially in the German sector, and is therefore viewed negatively by many Data Privacy Officers and German lawyers.

WPEngine is not alone in this, as Germany in general is known for viewing numerous products and services from the U.S. market with skepticism.

This is because, like many other U.S. companies, WPEngine is known for not meeting the GDPR requirements of German companies, and also not making separate efforts to convince skeptical German data protection experts.

It is not unusual for companies to ignore Germany as a sales market due to strong privacy debates. Although the German market is one of the largest in Europe, U.S. companies with global growth strategies have decided to disregard the German market, if privacy rules seem too cumbersome, impractical, or even harmful to them. Google Street View is a good example of this.

This behavior by WPEngine is not unusual and understandable. For example, U.S. companies are not willing to sign a complex and legally demanding data processing agreement (DPA). When looking more closely at the content of a DPA required by subcontractors in the EU, U.S companies see a number of obligations that they are not willing to take on. For example, DPAs often require U.S companies to provide cryptically sounding GDPR concepts such as deletion concepts, the right to be forgotten, correction, data portability and information at the documented instruction of the controller upon request. Moreover, a DPA requires U.S companies to obligate their employees to confidentiality within the framework of GDPR and to familiarize them with the data protection provisions according to GDPR. It is understandable that a U.S company sees no sense in familiarizing its employees with foreign laws. This would be similar to a Chinese company expecting a German service provider to train its German employees in Chinese laws.

Furthermore, the American company is required not only to establish but also to regularly record GDPR-compliant control and security measures, to disclose them immediately upon request, and also to work together free of charge with German authorities.

From an American perspective, such contracts sound absurd and unrealistic, which is why U.S. companies mostly refuse to cooperate with German companies. In addition, American companies have not built up the resources to meet such culturally foreign demands. Such DPAs and similar requirements are therefore only fulfilled by a few U.S  companies, such as Amazon Web Services (AWS) and Google.

Meanwhile, this is not helpful, especially for companies that want to benefit from modern WordPress infrastructures, if the widespread opinion in Germany is that WPEngine is not GDPR-compliant.

For this reason, many German companies resort to alternative systems, which, however, are not even remotely comparable in terms of functionality, efficiency, simplicity, and above all server speed with the modern infrastructure of WPEngine.

As WPEngine gained more market share, the company therefore found itself under increasing scrutiny from numerous German data protection experts in recent years.

Thus, it is clear that when it comes to WPEngine, German data protection experts are on their own.

Therefore, in this article, we will take a closer look at WPEngine’s data protection provisions and offer assistance to make WPEngine usable for German companies despite GDPR.

Server Location

To avoid the discussion that the WordPress server is located outside the EU, we generally recommend choosing a German server. When creating a WPEngine account, the user has the option to determine the server location. In the German region, for example, WPEngine offers a server in Frankfurt, which can be identified as a Frankfurt server by the IP in the A-record, which is managed by Google Cloud.

Data Processing Agreement (DPA)

For the reasons mentioned above, WPEngine is not willing to enter into a Data Processing Agreement (DPA). In general, hardly any U.S. company will sign a document such as a DPA. WPEngine merely draws attention to the document at https://wpengine.com/legal/dpa/, which cannot be used as a DPA.

Contacting WPEngine’s Executive Team and a request to legal@wpengine.com also did not lead to a positive result, which is hardly surprising due to the multitude of obligations of a DPA, which a U.S. company is more likely to consider very unrealistic.

Therefore, the alternative solution remains to contract an external company for WordPress hosting. This company can then conclude a DPA with the German company and then finally commission WPEngine as a the web host. This would mean that an agreement exists between the German company and an external agency, which would at least fulfill the legal guidelines for a DPA.

It is problematic for Germans that https://wpengine.com/legal/privacy/ states that WPEngine stores web server logs. This means that despite an existing DPA and a server location in Germany, the U.S.-based company WPEngine may still have access to the IP addresses of website visitors.

The only glimmer of hope remains that ultimately, outsiders cannot tell who is storing what or whether anything is being stored at all. Because looking at only a Frankfurt IP address, it is not readily apparent that it belongs to WPEngine.

It is also not possible to determine whether WPEngine actually collects these IP addresses from the Frankfurt server or accesses them from the U.S. Due to WPEngine’s international presence, it is not possible to determine or prove that WPEngine accesses the IP addresses of German website visitors without their clear consent. And WPEngine is also honest in claiming that they might access their data without consent.

Basically, the choice of WPEngine with a Frankfurt server may possibly protect against legal issues from German authorities and data protection agencies that file lawsuits against German companies, as traceability and provability are not given, provided that the server location is selected as Frankfurt. WPEngine’s statement that they generally allow access to IP addresses may not be clearly resolved in court in case of doubt, unless clear and verifiable evidence is presented that the access actually takes place from the U.S.

However, it is also understandable that this is a worrying situation for German Data Privacy Officers. After all, it is not the goal of data protection experts to rely on risks and gray areas or to base their decisions on existing non-provability.

Nevertheless, it remains to be noted that ultimately, the proof of whether and how data is collected from the U.S. is lacking. In case of doubt and in the event that WPEngine should make the headlines, however, this fact does not protect against an unpleasant lawsuit and a possible dispute with the suing party about what is provable and what is not. If Germans were to chose WPEngine as their web host and risk a lawsuit, they probably have to remember the saying: “Well cross that bridge, when we get there.”

Personal Data at WPEngine

For those who run a website using WPEngine under the GDPR jurisdiction, it is essential to consider where personal data is stored within the WordPress install. While the server location at WPEngine might be Europe, especially German data protection experts argue that ultimately it is a U.S. company that has access to this data at any time.

To avoid this issue, it may be helpful to not store any data on the server and instead send contact inquiries and store data directly through a secure email connection. If no personal data is stored on the server, the GDPR essentially might become irrelevant.

However, the only remaining disadvantage is the IP address of website visitors, which can still be stored in WPEngine’s logs. From the perspective of German data privacy authorities, this argument could still make WPEngine problematic from a data privacy standpoint.

Alternative Solutions using WPEngine

Headless WordPress

Another way to use WPEngine while complying with the European data privacy regulations is to operate a headless WordPress. With a headless WordPress, WordPress is hosted on WPEngine, but the website is mirrored on a European server.

Here’s how it works: WordPress is typically hosted on WPEngine, but the domain and URL are hosted on a different framework, such as a European server that complies with data protection regulations. Users then access the European server, where their IPs are stored without WPEngine having access to it. When users access the site, the content is loaded from the WPEngine server via REST URL or REST API. While the content stored on WPEngine is loaded from a European server.

This method is more complex, as it requires managing two servers, and the use of frameworks such as WP Gatsby and other solutions. WPEngine offers its own solution called “Atlas,” which allows WordPress websites to be displayed or mirrored on another server.

Static HTML

In conjunction with the headless methodology, it is possible to create websites as static HTML. Again, the entire website would still be hosted on WPEngine, but with the use of a headless WordPress framework, all data is created as pure HTML on a European server. Users then access the German server, where all data is stored, while WPEngine only delivers the data.

This concept also provides a significant speed advantage, as the entire website would be then loaded via HTML.

In the case mentioned above, however, a separation is necessary: HTML must be created on a European server. This methodology requires a somewhat more complex configuration, where two servers must be used. Again, headless WordPress concepts such as the use of WP Gatsby, Atlas, or other frameworks might be necessary.

Host Alternatives to WPEngine

There is currently no alternative to WPEngine in the European market. The company’s size and functionality are far ahead of its European counterparts. WPEngine offers collaboration between staging, development, and production, one-click backups for all three levels, and an advanced permission management system for developers, as well as a strong support infrastructure and a competitive price, making it a leading global provider.

European companies that want to use WPEngine must therefore use complex workarounds if data privacy is a stumbling block to their business objectives.

However, if you have to avoid WPEngine entirely, it is best to outsource the two main functions of WPEngine: staging and WordPress management. We recommend that European companies use another service provider to cover the staging level, especially if the website is development-driven.

HostEurope as a WordPress host

HostEurope’s Supreme package promises daily backups with a one-click restore, one-click staging, and 24-hour support. However, it is not to be assumed that the support has dedicated WordPress hosting experience, as WordPress is generally just one of many hosting packages offered and not their sole focus.

HostEurope is recommended by many data privacy officers, but it is also a U.S. company (GoDaddy), which makes it contradictory that WPEngine is considered problematic due to potential access to the their European server (as described above) and HostEurope is deemed to be compliant with data privacy regulations. In both cases, U.S. companies have the ability to access IP log files.

In our experience, data privacy officers have different opinions and preferences that do not always align with GDPR. Unfortunately, I have often encountered data privacy officers who act according to the principle of confirmation bias, interpreting things in a way that fulfills their own personal expectations.

Many U.S. service providers therefore are now inclined to cease working with companies that are overly burdened with data privacy tasks.

Ionos (1&1) as a WordPress Host:

Ionos (formerly known as 1&1) offers WordPress hosting packages that include daily backups with 1-click restore, 1-click staging, and 24/7 support. However, it is not certain that their support team has specific experience with WordPress hosting since the company offers a variety of hosting packages beyond WordPress. Nevertheless, many data protection officers recommend Ionos (1&1) as a host. It is worth noting that Ionos (1&1) is a German company and not a U.S. one, and therefore there is no concern about access to IP logs by American companies.

Raidboxes as a WordPress Host (not recommended):

Although the company is known for complying with GDPR regulations, our personal experience with Raidboxes has shown that their dashboard is underdeveloped and has many weaknesses. Additionally, the company is relatively small compared to giants like GoDaddy (HostEurope), and their support team left an unprofessional impression. Data losses and system failures seem to be commonplace.

WP Space as a WordPress Host (not recommended):

Unfortunately, WP Space does not offer 24/7 support, and the company’s size is unclear. It is assumed that WP Space is a small business. The functionality of their advertised staging environment is also unclear.

WP-Projects as a WordPress Host (not recommended):

WP-Projects does not offer 30-day backups, 1-click backup/restore, staging environments, or support. Additionally, their website does not have their location nor headquarters listed, making it difficult to identify the company behind it.


About the Author
ABOUT THE AUTHOR Dr. William Sen CEO and founder of blue media

William Sen has been an SEO since 2001 and is a Software Engineer since 1996, and has been working as an Associate Professor in Germany for the University of Dusseldorf and Cologne. He has been involved in developing custom SEO tools, large website and software projects. William has a PhD in Information Sciences and has worked for brands such as Expedia, Pricewaterhouse Coopers, Bayer, Ford, T-Mobile and many more. He is the founder of blue media.

Your comment will be published after being reviewed by moderators. Thank you

Latest Blog Posts
Why Germans Don’t Like WPEngine

In Europe and Germany, WPEngine is considered non-compliant with GDPR. Is this assessment justified, and which alternatives are available?