WordPress stores the IP address of every comment author in the wp_comments table. Under GDPR and similar privacy regulations, IP addresses are considered personal data: they can be used to identify an individual, particularly when combined with a timestamp and other identifying information like a name and email. Retaining comment IP addresses indefinitely is a data minimisation issue: you may need the IP for spam moderation shortly after a comment is submitted, but there’s rarely a justification for keeping it for years.
This snippet schedules a weekly cleanup that anonymizes IPs from comments older than a configurable threshold by replacing them with an empty string, preserving the comment content while removing the personal identifier.
The Code
Add this to your functions.php or a site-specific plugin. The cleanup runs automatically via WP-Cron without any manual intervention after setup.
The Anonymization Query
The direct database query updates all rows in wp_comments where the comment date is before the cutoff and the IP address field is not already empty (to avoid unnecessary updates on already-anonymized records). It uses a prepared statement with $wpdb->prepare() for safety. The query is deliberately simple and index-friendly: comment_date_gmt is an indexed column in WordPress’s default schema.
The function returns the number of updated rows, which is useful for logging or confirmation if you run it manually.
Choosing the Retention Period
The default of 90 days gives you three months to use the IP for spam analysis, which is more than enough for any practical moderation workflow. Under GDPR, data should be kept only as long as there’s a legitimate purpose. For comment IPs, that purpose (spam moderation and abuse prevention) typically expires within 30–60 days. Adjust the $days_old default in the function signature to match your site’s data retention policy.
Running It Manually
To anonymize existing old IPs immediately without waiting for the cron schedule, call nsl_anonymize_old_comment_ips() directly: from a temporary script, from WP-CLI (wp eval 'nsl_anonymize_old_comment_ips();'), or from a one-time admin page. After the initial run, the weekly cron handles ongoing cleanup automatically.
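Before a manual run it helps to know how many rows the UPDATE will touch, and afterwards to confirm none were missed. The following is an added example, not part of the original snippet: nsl_comment_ip_audit() and the nsl-comment-ips WP-CLI command are hypothetical names, and it assumes nsl_anonymize_old_comment_ips() from this page is already loaded.

```php
/**
 * Added example: report how many comment IPs are past the retention cutoff.
 * nsl_comment_ip_audit() and the "nsl-comment-ips" command are hypothetical names.
 */
function nsl_comment_ip_audit( int $days_old = 90 ): array {
    global $wpdb;

    // Same cutoff rule as the cleanup: UTC, compared against comment_date_gmt.
    $cutoff = gmdate( 'Y-m-d H:i:s', time() - $days_old * DAY_IN_SECONDS );

    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT COUNT(*) AS retained,
                    COALESCE(SUM(comment_date_gmt < %s), 0) AS overdue,
                    MIN(comment_date_gmt) AS oldest
             FROM {$wpdb->comments}
             WHERE comment_author_IP != ''",
            $cutoff
        ),
        ARRAY_A
    );

    return array(
        'cutoff'   => $cutoff,
        'retained' => (int) ( $row['retained'] ?? 0 ), // comments still holding an IP
        'overdue'  => (int) ( $row['overdue'] ?? 0 ),  // of those, older than the cutoff
        'oldest'   => $row['oldest'] ?? null,          // null when no IPs are stored
    );
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    // Usage: wp nsl-comment-ips [--days=<n>] [--apply]
    WP_CLI::add_command( 'nsl-comment-ips', function ( $args, $assoc_args ) {
        $days   = (int) ( $assoc_args['days'] ?? 90 );
        $before = nsl_comment_ip_audit( $days );
        WP_CLI::log( "Cutoff {$before['cutoff']}: {$before['overdue']} of {$before['retained']} stored IPs are overdue." );
        if ( empty( $assoc_args['apply'] ) ) {
            return; // Dry run: report only, change nothing.
        }
        $updated = nsl_anonymize_old_comment_ips( $days );
        $after   = nsl_comment_ip_audit( $days );
        if ( 0 !== $after['overdue'] ) {
            WP_CLI::error( "{$after['overdue']} overdue IPs remain after updating {$updated} rows." );
        }
        WP_CLI::success( "Anonymized {$updated} comment IPs." );
    } );
}
```

Without --apply the command only reports, so it can also be run periodically to confirm that the weekly cron event is actually firing.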
Privacy Policy
If your site’s privacy policy documents comment data retention, update it to reflect the anonymization schedule. Stating that IP addresses associated with comments are anonymized after 90 days is a concrete, documentable data minimisation practice that demonstrates compliance intent.
/**
 * Anonymizes comment IP addresses older than $days_old days.
 * Run via WP-Cron weekly, set up below.
 *
 * @param int $days_old Retention period in days.
 * @return int Number of rows updated.
 */
function nsl_anonymize_old_comment_ips( int $days_old = 90 ): int {
    global $wpdb;

    // comment_date_gmt is stored in UTC, so build the cutoff in UTC as well.
    $cutoff = gmdate( 'Y-m-d H:i:s', strtotime( "-{$days_old} days" ) );

    // Blank the IP on every comment older than the cutoff that still has one.
    $updated = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$wpdb->comments}
             SET comment_author_IP = ''
             WHERE comment_date_gmt < %s
             AND comment_author_IP != ''",
            $cutoff
        )
    );

    // $wpdb->query() returns false on error; the cast reports that as 0 rows.
    return (int) $updated;
}

// Schedule weekly anonymization via WP-Cron
add_action( 'nsl_weekly_ip_anonymize', 'nsl_anonymize_old_comment_ips' );
if ( ! wp_next_scheduled( 'nsl_weekly_ip_anonymize' ) ) {
    wp_schedule_event( time(), 'weekly', 'nsl_weekly_ip_anonymize' );
}

// Clean up the schedule on plugin/theme deactivation
// register_deactivation_hook( __FILE__, function() {
//     wp_clear_scheduled_hook( 'nsl_weekly_ip_anonymize' );
// } );
