Grav is currently logging IP addresses in logs/visitors.json (maybe also in other places). I could not find a way to disable this from the Admin Panel.
The reason I’m asking is because I’m preparing my web for EU GDPR legislation and I’m reviewing all parts where there could be issues. I try to have full control over what data is stored. Even pseudo anonymous data.
In Admin there are some options on visitor tracking. See Administration Panel - Options - Popularity.
Visitor tracking and setting the
Ignore URL to
/ is enough to stop Grav from storing IP addresses.
Thank you Ron.
After I disabled Visitor tracking and removed the popularity directory inside of logs, the IP addresses are not tracked any more (at least not inside of the popularity directory).
Now I’m looking for other places where there could be issues.
I didn’t find anything else inside of grav core. I don’t really play with Grav’s code and I don’t know much about its internals, so I cannot be sure if I didn’t miss something.
From the plugins that I use, only the comments plugin could have a reason to store IP addresses. However, I didn’t find any IPs inside of files generated by comments.
Being a flat file CMS it’s fairly easy to check for ip address storage and other sensitive data. Just use a tool to calculate checksums of all files of your Grav website. Then let it run for a while and do the same again. Any changed files will have a different checksum. Examine those files and look for what you’re interested in.
I have created a pull request to store hashed IPs instead.
Just found that you can also edit /user/config/plugins/admin.yaml and set popularity.history.visitors to ‘0’
This option is not editable via Admin UI