Gravatar (Globally Recognized Avatar) is a service by Automattic that provides profile images associated with email addresses. When someone leaves a comment on a WordPress site, their email address is used to fetch their avatar from Gravatar's servers.
How WordPress Uses Gravatar
By default, WordPress builds each avatar URL from an MD5 hash of the commenter's email address (trimmed and lowercased) and embeds that URL in the page, so every visitor's browser fetches the image from Gravatar's servers (secure.gravatar.com over HTTPS). The hashing is not anonymisation: the MD5 is unsalted and email addresses are guessable, so a hash can be mapped back to the address with a dictionary of candidate addresses. This happens automatically for:
- Comment author avatars
- User profile images in the admin area
- Author bio sections
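As an added example (this is neither WordPress core code nor InspectWP's), the following Python reproduces the hashing step described above and shows why an MD5 of an email address is not anonymisation. The query parameters s=96, d=mm and r=g are assumed to mirror the WordPress defaults; the candidate address list is constructed for the demonstration.

```python
import hashlib
from urllib.parse import urlencode


def gravatar_hash(email: str) -> str:
    """Hash an email address the way WordPress core does before building the
    avatar URL: strip surrounding whitespace, lowercase, MD5, hex-encode."""
    normalised = email.strip().lower().encode("utf-8")
    return hashlib.md5(normalised).hexdigest()


def gravatar_url(email: str, size: int = 96, default: str = "mm", rating: str = "g") -> str:
    """Build the <img src> that ends up in the rendered page. The s/d/r
    parameters are assumed to mirror the WordPress defaults (96px,
    'mystery man' fallback image, rating G)."""
    params = urlencode({"s": size, "d": default, "r": rating})
    return f"https://secure.gravatar.com/avatar/{gravatar_hash(email)}?{params}"


def recover_emails(hashes, candidates):
    """Dictionary attack on avatar hashes. The MD5 is unsalted and email
    addresses have little entropy, so anyone holding a plausible address list
    (a breach dump, a newsletter export, name@domain guesses) can precompute
    the hashes and map each 'anonymised' avatar hash back to an address.
    Returns {hash: address_or_None}."""
    lookup = {gravatar_hash(c): c for c in candidates}
    return {h: lookup.get(h) for h in hashes}


# Constructed sample data for the demonstration (not real accounts).
CANDIDATES = ["alice@example.com", "bob@example.org", "carol@example.net"]
SEEN_HASHES = [gravatar_hash("Alice@Example.com"), gravatar_hash("nobody@example.invalid")]

if __name__ == "__main__":
    print(gravatar_url("  Alice@Example.com  "))
    for h, addr in recover_emails(SEEN_HASHES, CANDIDATES).items():
        print(h, "->", addr or "(not in dictionary)")
```

Precomputing the lookup table costs one MD5 per candidate address, so a list of tens of millions of addresses from public breach data is entirely practical; the only avatars the attack misses are those of commenters whose address appears in no such list.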
GDPR Concerns
Gravatar raises significant privacy concerns under the GDPR (General Data Protection Regulation):
- Data transfer to a third party — The email hash, a stable and reversible identifier for the commenter, reaches Automattic's servers (US-based) without explicit consent from the commenter or from the visitor whose browser makes the request.
- Tracking potential — Because the same address always yields the same hash, Gravatar can correlate a commenter's activity across unrelated websites; each avatar request also carries the visitor's IP address and, under the default referrer policy, the origin of the site being read.
- IP address exposure — Every visitor who renders a page with avatars makes requests to gravatar.com, revealing their IP address, whether or not they have ever commented.
- No consent mechanism — WordPress loads Gravatars on page load, before any consent dialog could run; simply rendering the comments section triggers the requests.
Alternatives
- Disable Gravatar (Settings > Discussion > Avatar Display, uncheck "Show Avatars") and use locally generated avatars
- Cache Gravatar images locally on your server; this stops visitors' browsers from contacting gravatar.com, although the commenter's hash still leaves your server when the cache is filled
- Use a plugin that replaces Gravatar with privacy-friendly alternatives
What InspectWP Checks
InspectWP detects whether your WordPress site loads images from gravatar.com or secure.gravatar.com. If Gravatar is active, it is flagged as a GDPR concern because personal data is transferred to a third-party service without explicit consent.
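One way to implement a check of this kind, as an added example in Python (it is not InspectWP's own code): it walks the rendered HTML for image sources, srcset entries and resource hints pointing at gravatar.com or any of its subdomains, and extracts the avatar hashes so a finding can state how many distinct commenters are exposed. It goes beyond the two hosts named above because WordPress also emits 0.gravatar.com, 1.gravatar.com and 2.gravatar.com when serving over plain HTTP. The sample HTML is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# 32 hex chars = MD5 as WordPress emits it; 64 hex chars = SHA-256, which the
# Gravatar API also accepts. The longer alternative comes first so a 64-char
# hash is not truncated to its first 32 characters.
HASH_RE = re.compile(r"/avatar/([0-9a-f]{64}|[0-9a-f]{32})", re.IGNORECASE)


def is_gravatar_host(host):
    """True for gravatar.com and any subdomain (secure., 0., 1., 2., www.)."""
    host = (host or "").lower()
    return host == "gravatar.com" or host.endswith(".gravatar.com")


class GravatarFinder(HTMLParser):
    """Collect every reference to a Gravatar host in <img src>, <img srcset>
    and <link href> (preconnect/dns-prefetch hints also contact the host,
    so they are recorded even though they carry no hash)."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        urls = []
        if tag == "img":
            if attrs.get("src"):
                urls.append(attrs["src"])
            # srcset is "url descriptor, url descriptor, ..."
            for candidate in (attrs.get("srcset") or "").split(","):
                tokens = candidate.split()
                if tokens:
                    urls.append(tokens[0])
        elif tag == "link" and attrs.get("href"):
            urls.append(attrs["href"])
        for url in urls:
            # urlsplit also handles protocol-relative "//secure.gravatar.com/..."
            host = urlsplit(url).hostname
            if not is_gravatar_host(host):
                continue
            match = HASH_RE.search(url)
            self.hits.append({
                "tag": tag,
                "host": host,
                "url": url,
                "hash": match.group(1).lower() if match else None,
            })


def scan_html(html):
    """Return the list of Gravatar references found in a rendered page."""
    finder = GravatarFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


def gdpr_finding(html):
    """Summarise the scan as a finding, or None when the page is clean."""
    hits = scan_html(html)
    if not hits:
        return None
    return {
        "flag": "gravatar-third-party-transfer",
        "hosts": sorted({h["host"] for h in hits}),
        "avatar_hashes": sorted({h["hash"] for h in hits if h["hash"]}),
        "references": len(hits),
    }


# Constructed sample of a WordPress comment section (not a real site).
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://secure.gravatar.com">
</head><body>
<img alt="" src="https://secure.gravatar.com/avatar/0123456789abcdef0123456789abcdef?s=56&amp;d=mm&amp;r=g"
     srcset="https://secure.gravatar.com/avatar/0123456789abcdef0123456789abcdef?s=112&amp;d=mm&amp;r=g 2x"
     class="avatar avatar-56 photo" height="56" width="56">
<img alt="" src="http://0.gravatar.com/avatar/FEDCBA9876543210FEDCBA9876543210?s=96&amp;d=mm&amp;r=g"
     class="avatar avatar-96 photo">
<img alt="site logo" src="https://example.test/wp-content/uploads/logo.png">
</body></html>"""

if __name__ == "__main__":
    print(gdpr_finding(SAMPLE_HTML))
```

Scanning the server-rendered HTML is enough for stock WordPress, which writes the avatar markup directly into the page; a site that injects avatars from JavaScript after load would need the check run against the DOM of a rendered page instead.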