Switching to zero 3rd party tracking for a healthcare client

In 2026, when digital privacy is increasingly treated as a luxury rather than a right, our ongoing project, partnering with an agency for a global healthcare product client, isn’t just about building a website. It’s about building and managing a number of WordPress sites with tight privacy controls and zero third-party tracking.

Here is how we stripped away the bloat of modern web development to create a privacy-compliant, high-performance environment.

The problem: The hidden cost of convenience

Most modern websites are essentially data collection hubs disguised as informational portals. By default, a standard WordPress setup relies heavily on Google services:

  • Google Fonts for typography
  • Google Analytics for traffic insights
  • Google reCAPTCHA for form protection

While convenient, every external script loaded is a potential vector for data leakage. For a healthcare-related company, relying on third-party servers for fonts or analytics is a compliance nightmare waiting to happen. It violates the spirit of GDPR by sending user data to jurisdictions and entities outside the client’s control.

Modern web development often uses an automated process (see note 1) to pull in various pieces of open-source code. However, this process has recently been prone to supply-chain malware attacks, and it also adds bloat to a site in the name of convenience.

The Solution: A Sovereign Stack

We didn’t just tweak the settings; we rebuilt the architecture from the ground up.

1. Typography Without Compromise

We removed all Google Fonts code. Instead, we consulted the client’s brand guidelines, selected the necessary fonts, and self-hosted the files directly on the server. This eliminates the DNS lookup to Google’s servers and ensures that no user IP address is ever transmitted to Google during page load. The result is faster load times and total control over the visual experience.
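As an added example (not the agency’s code), a small WordPress theme snippet that enforces the “no third-party assets” rule described above: it refuses to emit any enqueued stylesheet or script whose host is not on a first-party allowlist, logs the offending plugin handle for the weekly review, and enqueues the self-hosted brand fonts. The hostnames, the font stylesheet path and the `ztp_` prefix are placeholders.

```php
<?php
// Added example, not the agency's code. Hostnames and paths are placeholders.
// Hosts we are willing to load assets from: the site itself and the
// self-hosted analytics instance.
const ZTP_ALLOWED_HOSTS = ['www.example-health.test', 'analytics.example-health.test'];

/** True when $url is relative or points at an allowlisted host. */
function ztp_is_first_party(string $url): bool {
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || $host === false) {
        return true; // relative URL such as /wp-content/themes/x/assets/fonts.css
    }
    return in_array(strtolower($host), ZTP_ALLOWED_HOSTS, true);
}

/**
 * Callback for style_loader_src / script_loader_src. Returning false makes
 * WordPress skip the <link>/<script> tag entirely, so the browser never
 * contacts the third-party host (fonts.googleapis.com, www.google.com/recaptcha, ...).
 */
function ztp_guard_asset_src($src, $handle) {
    if (!is_string($src) || ztp_is_first_party($src)) {
        return $src;
    }
    // Log the handle so the weekly manual review can see which plugin tried it.
    error_log(sprintf('[ztp] blocked third-party asset "%s" -> %s', $handle, $src));
    return false;
}
add_filter('style_loader_src',  'ztp_guard_asset_src', 10, 2);
add_filter('script_loader_src', 'ztp_guard_asset_src', 10, 2);

// Self-hosted replacement for the fonts previously pulled from Google. The
// stylesheet holds the @font-face rules pointing at font files on this server.
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style(
        'ztp-brand-fonts',
        get_stylesheet_directory_uri() . '/assets/fonts/brand-fonts.css',
        [],
        '1.0.0'
    );
});
```

Hard-coded `<link>` tags or `@import` rules inside a plugin’s own CSS bypass the enqueue system and are not caught by these filters, so rendered pages still need a separate check for outbound requests.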

2. Analytics That Respect Privacy

Google Analytics is a data mine. We replaced it with Plausible Analytics, a lightweight, open-source alternative. Plausible is privacy-focused by design: it doesn’t use cookies, it doesn’t store personal data, and it is fully compliant with GDPR. Crucially, we self-hosted the Plausible instance. This means the analytics data never leaves the client’s infrastructure. They get the insights they need—traffic sources, popular pages, bounce rates—without sacrificing a single byte of patient privacy.

3. Contact Forms and Custom API Integration

WordPress form plugins often send submissions through third-party email gateways, store the data in the cloud, and rely on annoying ‘captcha’ systems provided by Google. We bypassed this entirely by building a custom, secure API endpoint that handles form submissions: when a user submits a contact form, the data goes directly to the client’s CRM system via a custom integration. A simple quiz field blocks almost all spam submissions.

No privacy invading scripts, no third-party form processors, no data sitting in a public database, no clicking pictures of traffic lights.
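Here is what such an endpoint can look like in outline, as an added example written for this post rather than the agency’s implementation: a WordPress REST route that sanitises the fields, checks the quiz answer server-side, and forwards the payload straight to the CRM without writing anything to the WordPress database. The CRM URL and token constants, the quiz answer, the field names and the `ztp/v1` namespace are placeholders.

```php
<?php
// Added example (not the agency's code). CRM URL/token and field names are placeholders;
// define the real values in wp-config.php, never in the theme repository.
defined('ZTP_CRM_ENDPOINT') || define('ZTP_CRM_ENDPOINT', 'https://crm.example-health.test/api/leads');
defined('ZTP_CRM_TOKEN')    || define('ZTP_CRM_TOKEN', 'replace-me');

// Expected answer to the form's quiz question; held server-side only, never in page source.
const ZTP_QUIZ_ANSWER = 'blue';

/** Sanitise and validate the submission; returns clean fields or a WP_Error. */
function ztp_validate_contact(array $p) {
    $name    = sanitize_text_field($p['name'] ?? '');
    $email   = sanitize_email($p['email'] ?? '');
    $message = sanitize_textarea_field($p['message'] ?? '');
    $quiz    = strtolower(trim((string) ($p['quiz'] ?? '')));

    if ($name === '' || !is_email($email) || $message === '') {
        return new WP_Error('invalid', 'Please fill in all fields.', ['status' => 400]);
    }
    // Constant-time comparison of the quiz answer.
    if (!hash_equals(ZTP_QUIZ_ANSWER, $quiz)) {
        return new WP_Error('quiz', 'Quiz answer incorrect.', ['status' => 403]);
    }
    return compact('name', 'email', 'message');
}

/** REST callback: forwards to the CRM; nothing is stored in the WordPress database. */
function ztp_handle_contact(WP_REST_Request $req) {
    // Accept JSON or classic form encoding.
    $fields = ztp_validate_contact($req->get_json_params() ?: $req->get_body_params());
    if (is_wp_error($fields)) {
        return $fields; // WordPress turns the 'status' data into the HTTP response code
    }
    $resp = wp_remote_post(ZTP_CRM_ENDPOINT, [
        'timeout' => 10,
        'headers' => ['Authorization' => 'Bearer ' . ZTP_CRM_TOKEN,
                      'Content-Type'  => 'application/json'],
        'body'    => wp_json_encode($fields),
    ]);
    if (is_wp_error($resp) || wp_remote_retrieve_response_code($resp) >= 300) {
        error_log('[ztp] CRM forward failed'); // log the failure, never the form contents
        return new WP_Error('upstream', 'Could not send your message.', ['status' => 502]);
    }
    return new WP_REST_Response(['ok' => true], 200);
}

add_action('rest_api_init', function () {
    register_rest_route('ztp/v1', '/contact', [
        'methods'             => 'POST',
        'callback'            => 'ztp_handle_contact',
        'permission_callback' => '__return_true', // public form; the quiz gates spam
    ]);
});
```

The quiz question itself is rendered in the form’s HTML while its answer stays in server configuration, so a bot cannot scrape it from the page.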

4. The Human Element: Manual Maintenance

In a world of automated updates and AI-generated code, we chose the hard path: manual maintenance. Every plugin update and every core WordPress patch is carried out by hand. Security scans are manually reviewed on a weekly basis.

This allows us to vet every update before it touches the client’s portfolio of websites, ensuring no malicious updates or privacy-invading ‘features’ slip through. It’s slower, but it’s infinitely safer.

5. Manual code selection

Instead of relying on those automated code installers during development, we choose what gets installed and test it thoroughly. We also code many features ourselves to reduce the potential for privacy or security issues.

Badly maintained code libraries or WordPress plugins can be a security issue, and greedy companies trying to mine data can be a privacy issue.

Tech note: We don’t use NPM or Composer to include third-party code we haven’t audited, because this can happen: https://dev.to/rverwey/the-axios-supply-chain-attack-what-happened-how-to-check-and-what-to-do-next-18n

The Result: Lean, fast and more secure sites

The outcome is a website that loads faster so visitors ‘bounce’ less, can rank well in search engines because search engines love speed, and offers a level of security that a cluttered site stuffed with third-party software can’t match. The sites are also more stable because they don’t rely on a stack of plugins or external software libraries.

By removing the “invisible” third parties, we didn’t just protect data; we also helped protect the brand’s reputation and made maintenance easier for the lifetime of the websites.

In the 3+ years we’ve been working together as of 2026, we haven’t had a single breach reported on any of the websites we built and manage.

Notes

  1. Modern web development often uses ‘build systems’ like NPM or Composer to add software libraries to your project. However, this is increasingly being subverted by bad actors, raising the risk of malware being included in your software. It also creates a mess of dependencies that makes maintenance harder. Many packages are maintained by individuals for free, and when they move on the package ends up abandoned, which breaks your project. Additionally, a lot of the popular software is actually pretty simple and can be coded into a WordPress theme instead of including 14 package dependencies.

References

https://snyk.io/blog/axios-npm-package-compromised-supply-chain-attack-delivers-cross-platform/
