Gravatar, short for Globally Recognized Avatar, is a free service operated by Automattic (the company behind WordPress.com) that associates profile images with email addresses. The concept is simple: you upload an avatar once to gravatar.com, and it follows you around the web. Any site that supports Gravatar can display your profile picture next to your name, without you having to upload it again.
WordPress has included Gravatar support since version 2.5 (2008), and it is enabled by default on every WordPress installation. This means that unless you actively disable it, your WordPress site directs every visitor's browser to Gravatar's servers whenever a page with avatars loads (the site itself does not make the request; it embeds image URLs that the browser fetches). For many site owners, especially those in the European Union, this creates a significant privacy problem.
How Gravatar Works Under the Hood
The technical process behind Gravatar is straightforward but has important privacy implications. When WordPress needs to display an avatar for a user or commenter, it takes their email address, trims whitespace, converts it to lowercase, and computes an MD5 hash of the result. For example, the email user@example.com becomes b58996c504c5638798eb6b511e6f49af.
WordPress then constructs an image URL like this:
https://secure.gravatar.com/avatar/b58996c504c5638798eb6b511e6f49af?s=96&d=mm

The s parameter sets the image size (96 pixels in this case), and the d parameter specifies the default image to show if no Gravatar exists for that hash (mm is the grey "mystery person" silhouette; WordPress core also appends an r parameter with the allowed content rating). When a visitor's browser loads the page, it makes an HTTP request to secure.gravatar.com for each avatar image; WordPress also emits a 2x srcset variant of the same URL for high-resolution screens. Like any HTTP request, it carries the visitor's IP address, their User-Agent, and normally a Referer header naming your page, and the URL itself contains the MD5 hash of the commenter's email.
MD5 is a one-way function, but that does not make the hash anonymous. Email addresses are a small, guessable input space, MD5 is fast, and Gravatar applies no salt, so anyone with a list of candidate addresses (a breach dump, a mailing-list export, common name@domain patterns) can hash them and match the results against the hashes in your page source. Even a hash that is never recovered is still a stable identifier: the same address yields the same hash on every site. Gravatar URLs are therefore not truly anonymized.
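The following Python script is added here as an illustration; it is not code from WordPress core or from InspectWP, and the function names are this example's own. It reproduces the normalisation and URL construction described above (including the r rating parameter that WordPress core adds alongside s and d), shows that the same address yields the same URL path on two different sites, and then runs the dictionary attack the paragraph describes against a constructed candidate list that stands in for a breach dump (the addresses are placeholders, not real people).

```python
import hashlib
from urllib.parse import urlencode

# Illustrative code, not WordPress core. Function names are this example's own.
GRAVATAR_BASE = "https://secure.gravatar.com/avatar/"


def gravatar_hash(email: str) -> str:
    """What WordPress does before building the URL: trim, lowercase, unsalted MD5."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 96, default: str = "mm", rating: str = "g") -> str:
    """Build the image URL WordPress embeds in the avatar <img> tag (s, d and r query args)."""
    query = urlencode({"s": size, "d": default, "r": rating})
    return f"{GRAVATAR_BASE}{gravatar_hash(email)}?{query}"


def hash_from_url(url: str) -> str:
    """Pull the email hash back out of a Gravatar URL found in page source."""
    return url.split("/avatar/", 1)[1].split("?", 1)[0]


def recover_emails(hashes, candidates):
    """Dictionary attack: MD5 is fast and unsalted, so each candidate address costs one hash.

    Returns a mapping hash -> recovered email, or None where no candidate matched.
    """
    table = {gravatar_hash(c): c.strip().lower() for c in candidates}
    return {h: table.get(h) for h in hashes}


# Constructed candidate list standing in for a breach dump or mailing-list export (not real people).
CANDIDATES = ["alice@example.org", "Bob.Smith@example.net", "carol@example.com", "dave@example.org"]

if __name__ == "__main__":
    # Same address on two different sites: different size, identical URL path, a cross-site identifier.
    blog_url = gravatar_url("  Alice@Example.org ")
    shop_url = gravatar_url("alice@example.org", size=48)
    print("same identifier on both sites:", hash_from_url(blog_url) == hash_from_url(shop_url))

    # Hashes lifted from comment markup; the last one is not in our list and stays unknown.
    scraped = [hash_from_url(blog_url), gravatar_hash("bob.smith@example.net"), "f" * 32]
    for h, email in recover_emails(scraped, CANDIDATES).items():
        print(h, "->", email)
```

The recovery step is deliberately a plain dictionary lookup: it is cheap enough that precomputed tables are unnecessary, which is exactly why an unsalted hash of a low-entropy value such as an email address offers little protection.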
Where WordPress Uses Gravatar by Default
Gravatar images appear in several places throughout a WordPress site, not all of them obvious:
- Comment sections: every comment displays the commenter's Gravatar next to their name. On a post with 50 comments from 50 different people, that is 50 separate requests to Gravatar's servers (browsers reuse identical URLs, so a repeat commenter is fetched once).
- Admin dashboard: the WordPress admin area shows Gravatars for the logged-in user, in user lists, and on the "At a Glance" widget.
- Author bio boxes: many themes display the author's Gravatar in the author bio section below posts.
- User profile pages: in the WordPress admin, user profiles use Gravatar as the default avatar source.
- BuddyPress and bbPress: if you use these community plugins, Gravatars appear in forums, member directories, and activity streams.
- WooCommerce reviews: product reviews show reviewer Gravatars just like blog comments do.
The GDPR and DSGVO Problem in Detail
The General Data Protection Regulation (GDPR, or DSGVO in German) requires that personal data is only processed on a legal basis, such as the data subject's informed consent or a legitimate interest that outweighs their rights. Gravatar's default behavior in WordPress creates several GDPR compliance issues:
IP address transmission: When a visitor's browser fetches a Gravatar image, their IP address is sent to Automattic's servers (located in the United States). IP addresses are considered personal data under the GDPR. This data transfer happens without the visitor's knowledge or consent, and there is no mechanism in WordPress to ask for permission before loading Gravatars.
Email hash exposure: The MD5 hash of each commenter's email address is embedded in the Gravatar URL, which is visible in the page's HTML source. While this is a hash rather than the plain email, it is still considered personal data because it can be reversed or used to track the same person across multiple websites. Automattic receives these hashes as part of every image request.
Cross-site tracking potential: Because Gravatar uses the same email hash across all websites, Automattic can theoretically build a profile of which sites a person comments on. Even if they do not actively do this, the technical capability exists, and that is what GDPR compliance focuses on.
Data transfer to a third country: Automattic is a US-based company. Following the Schrems II ruling by the European Court of Justice in 2020, transferring personal data to the US requires additional safeguards. Many legal experts consider default Gravatar usage on European websites to be non-compliant because there is no Data Processing Agreement in place and no way to obtain proper consent before the data transfer occurs.
German data protection authorities have been particularly strict on this issue. Several court rulings and regulatory opinions have found that loading Gravatar images without consent violates the GDPR. The legal situation is very similar to the well-known Google Fonts ruling, where a Munich court ordered damages for loading Google Fonts from external servers without consent.
Performance Impact on Your WordPress Site
Beyond privacy, Gravatar also affects your site's loading performance. Each Gravatar image requires a separate HTTP request to an external server. On a blog post with many comments, this can add up quickly:
- The first avatar triggers a DNS lookup and TLS handshake for secure.gravatar.com, a cost your own origin has already paid.
- Each distinct avatar is a separate HTTP request with its own latency overhead.
- If Gravatar's servers are slow or unreachable, the browser keeps waiting for those images. They do not block rendering of your text, but they delay the page's load event, and a theme that omits width and height attributes on the avatar also gets layout shifts while they arrive.
- Gravatar images cannot be resized, compressed, or cached by your own image optimization and caching plugins.
- Browsers cap the number of simultaneous connections, so a burst of avatar requests competes with your own resources for connection slots, especially over HTTP/1.1.
On a page with 30 comments, you could be adding 30 external HTTP requests that your visitors' browsers need to make before the load event fires. For visitors on slow mobile connections, this is a noticeable delay.
Alternatives to Gravatar for WordPress
There are several approaches to replace Gravatar while still displaying avatars on your WordPress site:
- Disable avatars entirely: in Settings > Discussion, uncheck "Show Avatars." This stops WordPress from emitting avatar markup anywhere, front end and admin alike. It is the simplest solution but removes visual identity from comments.
- Use locally generated avatars: plugins like "Simple Local Avatars" or "WP User Avatar" let users upload profile pictures that are stored on your own server. No external requests, no privacy concerns.
- Locally generated default avatars: note that the identicon, wavatar, monsterid and retro options in Settings > Discussion are not generated locally. WordPress only sets the d parameter and Gravatar's servers render the pattern, so the external request still happens. Plugins such as "Avatar Privacy" generate comparable pattern avatars on your own server from the email hash, with no call to Gravatar.
- Local Gravatar caching: plugins like "Avatar Privacy" or "Cache Gravatar" download Gravatar images once and serve them from your local server. This preserves the Gravatar experience while eliminating external requests on every page load. Because the fetch is made by your server rather than the visitor's browser, visitor IP addresses no longer reach Automattic, but the commenter's email hash still does, so this only partially solves the GDPR issue.
- Consent-based loading: some GDPR cookie consent plugins can block Gravatar loading until the visitor gives consent. This is the most compliant approach if you want to keep using Gravatar, but it means avatars are invisible until consent is given.
What InspectWP Checks
InspectWP scans your WordPress site's HTML source and network requests for connections to gravatar.com or secure.gravatar.com. If any Gravatar images are detected, the report flags this as a GDPR concern in the privacy section. This flag indicates that your site is transferring personal data (visitor IP addresses and email hashes) to Automattic's US-based servers without an explicit consent mechanism. The report recommends either disabling Gravatar entirely, switching to locally hosted avatars, or implementing a consent-based loading solution.
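A minimal version of such a check, written in Python for this page as an illustration (it is not InspectWP's code): it parses page source, inspects both src and every srcset candidate on each img tag, and reports every image served from gravatar.com or any of its subdomains together with the email hash and query parameters the URL leaks. The HTML below is a constructed fragment modelled on WordPress comment markup, not a capture from a real site; the hashes in it are placeholders, and the 0.gravatar.com host stands in for the older numbered hosts some markup still uses.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Illustrative scanner, not InspectWP's implementation.


def is_gravatar_host(host):
    """gravatar.com itself plus any subdomain (secure., www., the older numbered hosts)."""
    host = (host or "").lower()
    return host == "gravatar.com" or host.endswith(".gravatar.com")


def classify(url):
    """Return a finding for a Gravatar image URL, or None for anything else."""
    parts = urlsplit(url.strip())  # also handles protocol-relative //host/... URLs
    if not is_gravatar_host(parts.hostname):
        return None
    segments = [s for s in parts.path.split("/") if s]
    email_hash = segments[1] if len(segments) >= 2 and segments[0] == "avatar" else None
    query = parse_qs(parts.query)
    return {
        "url": url,
        "host": parts.hostname,
        "hash": email_hash,  # MD5 of the commenter's email address
        "size": query.get("s", [None])[0],
        "default": query.get("d", [None])[0],
    }


class AvatarFinder(HTMLParser):
    """Collect Gravatar URLs from <img src> and from every <img srcset> candidate."""

    def __init__(self):
        super().__init__()  # attribute values are entity-decoded, so &amp; becomes &
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        urls = [attrs["src"]] if attrs.get("src") else []
        for candidate in (attrs.get("srcset") or "").split(","):
            fields = candidate.split()  # "url 2x" -> take the URL
            if fields:
                urls.append(fields[0])
        for u in urls:
            finding = classify(u)
            if finding:
                self.findings.append(finding)


def scan_html(html):
    parser = AvatarFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """What a privacy report needs: external URLs, hosts contacted, and how many people are exposed."""
    return {
        "external_urls": len(findings),
        "hosts": sorted({f["host"] for f in findings}),
        "hashes": sorted({f["hash"] for f in findings if f["hash"]}),
    }


# Constructed sample modelled on WordPress comment markup; the hashes are placeholders.
SAMPLE_HTML = """
<ol class="comment-list">
  <li class="comment">
    <img alt="" src="https://secure.gravatar.com/avatar/0123456789abcdef0123456789abcdef?s=96&amp;d=mm&amp;r=g"
         srcset="https://secure.gravatar.com/avatar/0123456789abcdef0123456789abcdef?s=192&amp;d=mm&amp;r=g 2x"
         class="avatar avatar-96 photo" height="96" width="96">
    <p>First comment.</p>
  </li>
  <li class="comment">
    <img alt="" src="//0.gravatar.com/avatar/fedcba9876543210fedcba9876543210?s=48&amp;d=identicon" class="avatar">
    <p>Second comment, older host and a Gravatar-rendered identicon default.</p>
  </li>
  <li class="comment">
    <img alt="" src="https://example.com/wp-content/uploads/avatars/42.png" class="avatar">
    <p>Locally hosted avatar, not flagged.</p>
  </li>
</ol>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f["host"], f["hash"], "size", f["size"], "default", f["default"])
    print(summarize(scan_html(SAMPLE_HTML)))
```

Checking srcset matters because a page whose src has been replaced with a local copy can still leak the 2x variant; matching on the domain rather than a fixed host catches both secure.gravatar.com and the older numbered hosts.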