How to Disable Gravatar in WordPress (GDPR)

February 8, 2026

Gravatar (Globally Recognized Avatar) is a service owned by Automattic that provides user profile images based on email addresses. WordPress uses Gravatar by default to display avatars in comments, author bios, and user profiles. While convenient, this integration creates significant privacy concerns that every site owner should understand.

Why Gravatar Is a GDPR Problem

When a visitor leaves a comment on your WordPress site, WordPress hashes their email address with MD5 and embeds the hash in an avatar image URL on gravatar.com. Every browser that renders the comment then requests that URL from Gravatar's servers to retrieve the avatar image. This process creates several GDPR issues:

  • IP address transmission: every Gravatar request sends the visitor's IP address to Automattic's servers, which are located in the United States. Under GDPR, IP addresses are considered personal data, and transferring them to a third country without proper safeguards requires explicit consent.
  • Email hash exposure: the MD5 hash of the email address is included in the Gravatar URL (e.g., gravatar.com/avatar/ab12cd34...). MD5 is not a secure hashing algorithm. Rainbow tables and brute-force attacks can reverse common email hashes, potentially exposing your visitors' email addresses.
  • Tracking potential: because the same hash is used across all sites with Gravatar enabled, Automattic could theoretically track a user's browsing activity across every WordPress site they visit or comment on.
  • No consent mechanism: WordPress loads Gravatar images automatically without asking for visitor consent. Under GDPR, loading external resources that transmit personal data requires prior informed consent.

Several European data protection authorities have flagged Gravatar as problematic, and sites that load Gravatar without consent are technically in violation of GDPR requirements.

Disable Avatars Through WordPress Settings

The simplest way to stop Gravatar requests is through the WordPress admin panel:

  1. Navigate to Settings then Discussion in your WordPress admin.
  2. Scroll down to the Avatars section.
  3. Uncheck the option "Show Avatars".
  4. Click Save Changes.

This completely disables avatar display across your site. No more requests will be made to gravatar.com. The downside is that you lose all avatar functionality, which can make comment sections and author profiles feel less personal.

Replace Gravatar with Local Avatars Using Code

If you want to keep showing avatars but without any external requests, you can override the Gravatar URL to point to a local default image. Add this to your theme's functions.php or a custom plugin:

// Replace Gravatar with a local default avatar
add_filter('get_avatar_url', function($url, $id_or_email, $args) {
    // Return a local default avatar image
    return get_template_directory_uri() . '/images/default-avatar.png';
}, 10, 3);

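// Prevent DNS prefetch to gravatar.com by removing WordPress's resource hints
// from the HTML head. This drops every hint wp_resource_hints would print,
// not only the one for gravatar.com.
remove_action('wp_head', 'wp_resource_hints', 2);

Make sure to create a default avatar image and place it at the path specified in the code. If a child theme is active, note that get_template_directory_uri() points to the parent theme's directory. A simple generic silhouette or your site's logo works well. The wp_resource_hints removal prevents WordPress from adding a DNS prefetch hint for gravatar.com in the HTML head, which would otherwise still create a connection to Gravatar's servers even without loading actual images. Be aware that it removes every resource hint WordPress prints in the head, not only the one for gravatar.com.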

Use a Plugin for Local Avatar Management

Several plugins make it easy to replace Gravatar with locally hosted avatars, giving users the ability to upload their own profile pictures without any external service:

  • One User Avatar (WP User Avatar): allows each user to upload a custom profile picture that is stored on your server. Includes a default avatar option for users who have not uploaded one. Simple to set up and works with most themes.
  • Simple Local Avatars: a lightweight plugin that adds an avatar upload field to user profiles. All images are stored locally, and it completely bypasses Gravatar. It also supports importing existing Gravatar images to local storage for a one-time migration.
  • Avatar Privacy: the most comprehensive option. It blocks Gravatar by default, lets users opt in to Gravatar if they choose, generates unique default avatars (like GitHub-style identicons), and handles consent management for avatar display.

Generated Avatars as a Privacy-Friendly Alternative

If you want each commenter to have a unique avatar without relying on any external service, generated avatars are an excellent solution. WordPress includes a few built-in options (Identicons, Wavatars, MonsterID), but these are generated by Gravatar's servers by default. To generate them locally, the Avatar Privacy plugin can create identicons and other generated avatars entirely on your server, with no external requests at all.

Another approach is to use CSS-based avatars that display the first letter of the commenter's name in a colored circle. This requires no images, no external requests, and provides a clean, modern look. Several lightweight plugins and code snippets are available for this approach.

Performance Benefits of Disabling Gravatar

Beyond privacy, removing Gravatar also improves your site's performance. Each Gravatar image is an external HTTP request to gravatar.com. On a blog post with 20 comments, that means 20 additional DNS lookups and image downloads from an external server. By serving avatars locally (or not at all), you eliminate these external requests, reduce page load time, and improve your Core Web Vitals scores. This is especially noticeable on mobile connections where latency to external servers adds up quickly.

Cookie Consent Considerations

If you decide to keep Gravatar enabled (for example, behind a cookie consent banner), be aware that you need to properly integrate it with your consent management platform. Gravatar images should only load after the visitor has given explicit consent to external media or third-party services. Most cookie consent plugins like Complianz, GDPR Cookie Compliance, or Borlabs Cookie can be configured to block Gravatar until consent is given, but this requires manual setup and testing.

Verify with InspectWP

After disabling Gravatar, run a new InspectWP scan on your site. The GDPR section of your report will show whether Gravatar is still being loaded as an external service. If you have successfully removed it, the Gravatar check should no longer appear as an issue. Make sure to also check the report's external resources section to confirm that no requests to gravatar.com or secure.gravatar.com remain.
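
The same check can be run locally on saved page source. The Python script below is an added example, not part of the original guide or of InspectWP; the sample HTML, theme path and email addresses are constructed. It lists every gravatar.com reference left in the markup (image src, srcset and resource hints) and, given your own commenters' addresses, shows which of them still have their hash published in the page, which is the email hash exposure described earlier.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ATTRS = {"src", "srcset", "href"}
HASH_RE = re.compile(r"/avatar/([0-9a-f]{32,64})")  # 32 hex chars for MD5

def gravatar_hash(email):
    # Hash as described in this guide: MD5 of the trimmed, lower-cased address.
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

class GravatarScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url) for each gravatar.com URL

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # srcset is "url 2x, url 3x"; the other attributes hold one URL.
            parts = value.split(",") if name == "srcset" else [value]
            for url in (p.split()[0] for p in parts if p.strip()):
                host = urlparse(url).hostname or ""
                if host == "gravatar.com" or host.endswith(".gravatar.com"):
                    self.findings.append((tag, name, url))

def scan(html):
    scanner = GravatarScanner()
    scanner.feed(html)
    return scanner.findings

def exposed_hashes(findings):
    return sorted({m.group(1) for _, _, url in findings if (m := HASH_RE.search(url))})

def exposed_addresses(findings, known_emails):
    # Site-owner check: which of your own commenters have their hash in the page.
    hashes = set(exposed_hashes(findings))
    return sorted(e for e in known_emails if gravatar_hash(e) in hashes)

# Constructed sample page: one Gravatar avatar, one prefetch hint, one local avatar.
H = gravatar_hash("Alice@Example.com ")
SAMPLE_HTML = f"""<head><link rel='dns-prefetch' href='//secure.gravatar.com' /></head>
<img class='avatar' src='https://secure.gravatar.com/avatar/{H}?s=32&#038;d=mm'
     srcset='https://secure.gravatar.com/avatar/{H}?s=64&#038;d=mm 2x' />
<img class='avatar' src='/wp-content/themes/example/images/default-avatar.png' />"""

if __name__ == "__main__":
    print(scan(SAMPLE_HTML))
```

This inspects static markup only; requests added later by JavaScript or CSS still need to be checked in the browser's network panel.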
