Your phone buzzes on a Wednesday afternoon.
The client forwards an email from their legal counsel: "Where is our CCPA opt-out mechanism from last quarter?" Your HIPAA privacy officer asks about audit logs on the patient portal. Marketing admits the last 150 blog posts were ChatGPT — no disclosures, no labels. And your WooCommerce store processes credit cards — is it PCI DSS compliant?
You didn't ignore compliance on purpose. You installed a privacy plugin in 2022, checked a box, and moved on. The regulatory landscape in the US has shifted — CCPA enforcement, HIPAA audits, ADA website accessibility lawsuits, and PCI DSS 4.0 requirements have all escalated.
This guide is different from a generic "best WordPress plugins" list. We picked 11 extensions that each cover one compliance role on WordPress in 2026 — cookie consent, accessibility, payment security, privacy rights, audit trails, and technical hygiene. No overlapping cookie banners. No accessibility widget that only fixes 10% of violations. No payment plugin that claims PCI compliance without actually offloading sensitive data.
What you'll learn:
- 11 plugins mapped to real 2026 US obligations (CCPA, HIPAA, PCI DSS, ADA/WCAG)
- Who each plugin is for — and when to skip it
- A phased install order aligned with enforcement timelines
- 4 Volade extensions that complement US compliance plugins without replacing them
- Downloadable checklist and timeline CSV
Create a free Volade account
Unlock this article's member resources and the full Volade pack.
No credit card · Public checklists stay free.
US compliance landscape — what actually matters in 2026
Before the plugin list, the compliance map. The US regulatory environment for websites is fragmented — federal, state, and industry-specific rules apply depending on your audience, sector, and payment processing.
CCPA/CPRA — California and beyond
The California Consumer Privacy Act (CCPA) and its amendment California Privacy Rights Act (CPRA) give California residents the right to know what personal data is collected, opt out of sale/sharing, and request deletion. Other states followed: Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and more in 2026. If your site serves US visitors, at least one state privacy law likely applies.
WordPress action: cookie consent banner with "Do Not Sell My Personal Information" link, privacy policy, data access/deletion request mechanism.
HIPAA — healthcare data protection
The Health Insurance Portability and Accountability Act applies if you handle Protected Health Information (PHI) — patient portals, telehealth, medical forms, health advice sites that collect personal health data. HIPAA requires: access controls, audit logs, encryption, breach notification procedures, and Business Associate Agreements (BAAs) with third-party services.
WordPress action: audit trails on all PHI access, encrypted data transmission, restricted admin access, signed BAAs with hosting and plugin providers.
PCI DSS — payment card security
The Payment Card Industry Data Security Standard (PCI DSS) applies to any site that stores, processes, or transmits credit card data. Version 4.0 is now in effect, with new requirements for multi-factor authentication, SAQ validation, and self-assessment questionnaires. WooCommerce stores accepting cards must complete SAQ A (if using Stripe) or SAQ A-EP (if forms process on your server).
WordPress action: use a payment gateway that offloads card data (Stripe, Square), keep core/plugins updated, run security scans, maintain firewall.
ADA/WCAG — web accessibility
The Americans with Disabilities Act (ADA) Title III requires places of public accommodation — including websites — to be accessible to people with disabilities. Courts have interpreted this to cover commercial websites. The Web Content Accessibility Guidelines (WCAG) 2.1/2.2 Level AA are the de facto standard. ADA website accessibility lawsuits numbered over 4,000 in 2025 alone.
WordPress action: accessible theme, proper heading structure, alt text, keyboard navigation, color contrast, screen reader compatibility.
FTC and AI content transparency
While the US doesn't have a direct equivalent to the EU AI Act, the FTC has issued guidance on AI transparency: deceptive or misleading AI-generated content may violate Section 5 of the FTC Act. The Colorado AI Act (effective 2026) requires transparency for certain AI systems. Best practice: label AI-generated content clearly.
WordPress action: AI content badges, audit log of AI-generated material, disclosure on AI-assisted posts.
How we selected these 11 plugins
Compliance articles often become fear marketing: install twelve tools, hope for the best, invoice the client. We see the opposite every week — two cookie banners, an accessibility plugin that only adds a toolbar, and a WooCommerce store with cards processed on the same server as the database.
This list follows one rule: one obligation layer = one plugin. Eleven roles, eleven extensions — already the ceiling for a maintainable pro site, not the floor.
Five selection criteria
| Criterion | Threshold |
|---|---|
| Maps to a 2026 US obligation | CCPA, HIPAA, PCI DSS, ADA/WCAG, or audit trail |
| Production-viable free tier | Not a 14-day trial disguised as compliance |
| Maintained in 2026 | Updated within 6 months or Volade shipped extension |
| No overlap | Does not duplicate another plugin on this list |
| Tested on staging | Installed on at least one Volade compliance mirror |
We excluded all-in-one "compliance suites" that bundle SEO, cache, and legal pages in one bloated package. We also excluded plugins abandoned in 2023 still recommended by outdated blog posts. Here: WordPress.org standards + Volade ecosystem, tested on brochure sites, WooCommerce stores, and membership/portal sites.
Who this list is for — and who it isn't
This list is for you if:
- you manage US-facing WordPress sites (visitors, customers, or patients in the US);
- you're an agency delivering repeatable compliance onboarding for US clients;
- you run a WooCommerce store and need PCI DSS compliance;
- you handle PHI (patient data) and need HIPAA audit trails;
- you publish content with AI tools and need transparency best practices.
This is not for you if:
- you're EU-only B2C with zero US traffic — read the accessibility and AI sections; best practices still apply;
- you need legal advice — this is a technical implementation guide, not counsel;
- you want to replace your CISO with a plugin — impossible.
Summary table — 11 plugins, 11 compliance roles
| # | Plugin | Compliance role | Free prod? | Best for |
|---|---|---|---|---|
| 1 | Complianz | CCPA/GDPR CMP + cookie consent | Yes (generous) | Most US brochure & WooCommerce sites |
| 2 | Termly | US privacy center + policy generator | Yes (basic) | CCPA/CPRA + state law coverage |
| 3 | WP Accessibility | ADA/WCAG foundation fixes | Yes | Free accessibility baseline |
| 4 | UserWay | AI accessibility widget + scan | Yes (basic) | ADA lawsuit prevention |
| 5 | Google Fonts Control (Volade) | Self-host fonts, privacy IP protection | Yes, no account | Any site using Google Fonts |
| 6 | AI Act Transparency (Volade) | AI content badges + audit log | Yes, no account | Blogs, stores with AI content |
| 7 | WooCommerce Stripe Gateway | PCI DSS compliant payments | Yes | WooCommerce stores |
| 8 | Wordfence Security | Security baseline, PCI DSS support | Yes (core) | All WordPress sites |
| 9 | Plugin Usage Detector (Volade) | Inherited plugin audit | Yes, no account | Agencies & takeovers |
| 10 | WP Activity Log | User audit trail (HIPAA, CCPA) | Yes (core) | HIPAA, multi-editor sites |
| 11 | Redirection | 301 integrity after legal URL moves | Yes | Migrations & restructures |
Pick Complianz or Termly for consent — not both. Everything else is complementary. WP Accessibility + UserWay can run together (one foundation, one widget).
1. Complianz — the CCPA cookie banner most US sites need first
Role: consent management (CMP), cookie scan, policy document generator, CCPA "Do Not Sell" opt-out, Google Consent Mode v2.
If you have one cookie compliance plugin to install this week, it's probably Complianz. Not because it's perfect — because it covers CCPA banner + opt-out + documentation + blocking in a package most freelancers can configure without a lawyer on retainer.
Why Complianz here instead of alternatives?
Complianz free tier is honestly usable on production brochure sites and light WooCommerce stores. Setup wizard asks the right questions (CCPA vs GDPR vs both). It generates the "Do Not Sell My Personal Information" link required by CCPA/CPRA. It integrates with Google Consent Mode v2 when configured correctly.
CCPA-specific setup (30 minutes)
- Run the wizard — pick region: US (California, Virginia, Colorado, Connecticut).
- Enable CCPA "Do Not Sell" banner — customize the opt-out link text.
- Run the cookie scan on staging, then production.
- Generate privacy policy with CCPA-specific disclosures.
- Test: visit as California resident (VPN), verify opt-out works.
When to pick Termly (#2) instead
You need a US-only privacy compliance hub with built-in policy templates for multiple state laws, or your legal team mandates Termly's specific language. Never run both active.
2. Termly — US privacy compliance hub for multi-state coverage
Role: privacy policy generator, CCPA/CPRA consent management, data subject access request (DSAR) portal, cookie scanner, multi-state law coverage.
Termly is built for the US privacy fragmentation. While Complianz handles EU+US well, Termly's templates and workflows are California-first: CCPA, CPRA, CalOPPA, plus Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and Texas TDPSA.
Why include both Complianz and Termly?
Different profiles. Complianz is stronger on technical cookie blocking and Google Consent Mode. Termly is stronger on legal policy language and DSAR request management. Pick based on your primary need. Some agencies run Complianz for consent + Termly for policy docs — but verify no overlap.
CCPA-specific features
- "Do Not Sell or Share" toggle with regional geolocation
- DSAR portal — users submit access/deletion requests via form
- Cookie scanner auto-classifies tracking technologies
- Multi-language for US Spanish audiences
Honest limits
Free tier includes basic policy generation. Consent management and DSAR portal require Pro ($14/mo). Evaluate before building a multi-state compliance program on the free version alone.
3. WP Accessibility — free ADA/WCAG foundation
Role: add accessible focus styles, skip-to-content links, image alt text reminders, ARIA landmarks helper, remove tabindex from elements.
ADA compliance is the most sued compliance area in US web law — over 4,000 lawsuits in 2025. WP Accessibility doesn't make your site fully WCAG 2.2 AA compliant by itself. It fixes the low-hanging fruit that most WordPress themes get wrong.
What it fixes for free
- Adds skip-to-content link (keyboard navigation)
- Forces alt text on images during upload
- Adds ARIA landmarks to theme elements
- Removes
tabindex="-1"that blocks keyboard focus - Improves admin focus styles for visual indicators
What it doesn't fix
Complex issues (color contrast, heading hierarchy, form labels, dynamic content) require theme-level changes. Use WP Accessibility as the foundation — then layer UserWay (#4) or a professional accessibility audit on top.
Setup (15 minutes)
- Install and activate — default settings cover most needs.
- Enable alt text forced in Media Library.
- Test with keyboard-only navigation: Tab, Enter, Escape.
- Run accessibility scan (WAVE, axe DevTools) — compare before/after.
4. UserWay — AI-powered accessibility widget
Role: accessibility widget, automated scan, remediation suggestions, WCAG 2.1/2.2 monitoring, ADA lawsuit compliance support.
UserWay adds an accessibility interface (font resize, contrast, keyboard navigation, screen reader adjustments) and an AI-powered scanner that detects issues and suggests fixes. It's the most popular accessibility widget on WordPress — installed on over 500,000 sites.
Why WP Accessibility + UserWay together?
They solve different layers. WP Accessibility fixes theme-level markup. UserWay provides the user-facing toolbar that lets visitors customize their experience, plus continuous scanning. Together they cover the most common ADA lawsuit triggers.
ADA lawsuit prevention context
Most ADA website lawsuits settle for $10,000–$50,000 plus legal fees. Having both a foundation plugin AND an accessibility widget shows good faith effort in court — though no plugin guarantees immunity.
Setup (20 minutes)
- Install UserWay, create free account.
- Configure widget position and appearance (match brand).
- Run initial accessibility scan.
- Review top 10 violations, fix in theme.
- Enable monthly scanning reports.
Honest limits
Free version shows "Powered by UserWay" branding. Premium ($19/mo) removes branding, adds PDF reports, and provides WCAG conformance statements. Widget alone does not make your site fully accessible — theme development and content practices matter more.
5. Google Fonts Control by Volade — privacy and IP protection
Role: detect theme/plugin font loads, self-host locally, block external fonts.googleapis.com requests, document changes for privacy records.
While the Munich ruling (C-252/21) is an EU case, the principle is relevant for US privacy compliance: loading Google Fonts from Google's CDN transmits visitor IP addresses to Google. Under CCPA, this may constitute a "sale" or "sharing" of personal information. Under HIPAA, transmitting IP addresses of patients to a third party without a BAA is problematic.
Google Fonts Control by Volade scans your stack, downloads fonts locally, rewrites enqueues, and documents the change for your compliance folder. 100% local — no font metadata sent to Volade servers.
CCPA connection
If your privacy policy states you don't "sell" personal information but Google receives visitor IPs via font CDN requests, your policy may be inaccurate. Self-hosting fonts eliminates this data flow.
Setup (20 minutes)
- Install GFC, run scan.
- Apply Self-host all preset on staging.
- Verify front in Network tab: zero calls to
fonts.googleapis.com. - Export JSON for client compliance file.
6. AI Act Transparency by Volade — AI content disclosure for US sites
Role: four disclosure levels (none, assisted, modified, generated), front badges, unlimited local audit log, JSON export.
The EU AI Act Article 50 is an EU regulation, but the concept of AI content transparency is rapidly becoming relevant in the US. The FTC has issued guidance that deceptive AI-generated content may violate Section 5 of the FTC Act. The Colorado AI Act (effective early 2026) requires transparency for certain high-risk AI systems. And best practice for any WordPress site: label AI content clearly.
AI Act Transparency by Volade does not auto-detect AI via a billed cloud API. Editors declare the level; the plugin displays badges and logs every change. Zero per-page fees. No content sent to third parties.
FTC alignment
The FTC's guidance on AI (2024–2026) emphasizes that consumers should know when they're interacting with AI-generated content. Transparent labeling reduces legal risk and builds trust. This plugin gives you the framework to implement that.
Four levels — quick reference
| Level | Meaning | Front badge |
|---|---|---|
none | Human-authored | None |
assisted | AI helped, human judges | Discreet |
modified | Substantially AI-rewritten | Visible |
generated | AI-generated | Prominent |
WooCommerce note
Apply the same levels to product descriptions and category intros. Agency preset includes stricter badges for generated commerce copy.
Deep dive: AI content transparency WordPress guide 2026.
7. WooCommerce Stripe Gateway — PCI DSS compliance via offloaded payments
Role: accept credit cards via Stripe, PCI DSS SAQ A compliance (card data never touches your server), Apple Pay / Google Pay, saved payment methods.
PCI DSS 4.0 is the single most overlooked WordPress compliance requirement. WooCommerce stores that process credit cards directly on their server (storing or transmitting card data) fall under SAQ A-EP or SAQ D — the most burdensome self-assessment questionnaires.
WooCommerce Stripe Payment Gateway uses Stripe Elements — card data is sent directly to Stripe's PCI-compliant infrastructure, never to your WordPress server. This reduces your PCI scope to SAQ A, the simplest questionnaire (~20 questions vs 300+ for SAQ D).
PCI DSS compliance with Stripe
- Card data offloaded — Stripe handles all card number, CVV, and expiration storage
- Tokenization — only a token is saved in your WordPress database
- SAQ A eligibility — if your form uses Stripe Elements or Stripe Checkout
- 3D Secure — included for fraud protection
Setup and verification (60 minutes)
- Install WooCommerce Stripe, configure live keys.
- Verify card fields load in an iframe (inspect element — look for Stripe origin).
- Confirm no credit card data in WooCommerce database (
wp_wc_order_stats,wp_postmeta). - Complete SAQ A (available from Stripe dashboard).
- Store BAA if processing PHI (Stripe offers BAAs for healthcare customers).
When this isn't enough
Enterprise PCI DSS compliance may require dedicated security plugins, network scans (ASV), and written security policies. Wordfence (#8) helps but doesn't replace a full PCI program.
8. Wordfence Security — security baseline for PCI DSS, HIPAA, and CCPA
Role: web application firewall (WAF), malware scanner, login security, live traffic monitoring, 2FA.
Security is the foundation of multiple US compliance regimes. PCI DSS Requirement 6 mandates keeping software updated. HIPAA Security Rule requires access controls and audit controls. CCPA indirectly requires reasonable security practices (companies with inadequate security face higher penalties for data breaches).
Wordfence is our security baseline on this list. Not because it's the only option — because the free tier is genuinely useful, the firewall rules are updated weekly, and the malware scanner catches infections before they become compliance incidents.
Compliance mapping
| Compliance requirement | Wordfence contribution |
|---|---|
| PCI DSS Req. 6 (updates) | Plugin vulnerability scanning |
| PCI DSS Req. 7 (access) | Login security, 2FA |
| HIPAA Security Rule | Audit logging (with WP Activity Log) |
| CCPA reasonable security | Firewall, malware scanner |
| HIPAA Breach Notification | Incident response via alerts |
Setup (30 minutes)
- Install Wordfence, run initial malware scan.
- Enable 2FA for all admin users.
- Configure firewall in learning mode, then enable.
- Review live traffic for suspicious patterns.
- Set up email alerts for critical changes.
Honest limits
Free version delays firewall rule updates by 30 days. Premium ($119/yr) provides real-time rule updates, country blocking, and premium support. For HIPAA-covered entities, premium is strongly recommended.
9. Plugin Usage Detector by Volade — audit before you add more compliance plugins
Role: detect unused plugins, shortcodes, widgets; export JSON audit for client reports.
The cruel irony: teams install more compliance plugins without removing conflicting ones. Two cookie consent plugins. An accessibility plugin from 2018. A "CCPA compliance" plugin that hasn't been updated since 2022.
Plugin Usage Detector by Volade runs before this entire stack — find what's actually loaded, what conflicts with Complianz or Termly, what's safe to remove on staging.
Why this matters for US compliance
Every active plugin is a potential attack surface (PCI DSS), a potential data processor (CCPA), and a potential PHI access point (HIPAA). Removing unused plugins reduces your compliance scope directly.
Guide: WordPress plugin audit 2026.
10. WP Activity Log — prove who did what (HIPAA, CCPA, PCI DSS)
Role: user activity log — plugin installs, option changes, post edits, logins, content changes, file modifications.
When a HIPAA compliance officer asks "who accessed patient record #442 on March 12?" or a CCPA auditor asks "who updated the privacy policy on April 1?", Complianz logs consent — but wp-admin changes need a separate trail.
WP Activity Log (free core) records who touched settings, roles, critical pages, and files. The free version covers the essentials: login/logout, post/page changes, plugin activations, user role changes.
Compliance mapping
| Compliance need | WP Activity Log feature |
|---|---|
| HIPAA audit control | All PHI-related post access logged |
| PCI DSS Req. 10 (audit trails) | Track all admin changes |
| CCPA data inventory | Log who exported or modified user data |
| ADA remediation evidence | Track accessibility fixes |
What to monitor
- Changes to privacy policy and cookie policy pages
- New admin users and role escalations
- Plugin activate/deactivate events (especially CMP and security)
- File changes in wp-content (premium)
HIPAA-specific setup
For healthcare sites, enable logging on all post types that contain PHI. Export logs weekly to a secure off-site location. The premium version ($99/yr) adds email notifications, report generation, and integrations with logging services.
11. Redirection — don't break SEO when legal pages move
Role: 301 redirects, 404 monitoring, regex rules, import/export, pass-through query strings.
Compliance projects often restructure URLs: /privacy → /legal/privacy-policy, /ccpa-opt-out → /privacy-policy#ccpa, or restructuring a WooCommerce store for PCI compliance. Without redirects, you lose SEO equity and break links in old contracts, emails, and marketing materials.
Redirection is the lightweight closer on this list. Install when migration starts — not six months after Google Search Console shows 400 errors on important URLs.
Compliance relevance
- CCPA: new opt-out page URL, redirect old links
- HIPAA: new patient portal URL, redirect bookmarks
- ADA: restructured navigation, redirect old pages
- PCI: restructured checkout, redirect old cart URLs
Feature matrix — how the 11 plugins cover US compliance regimes
| Plugin | CCPA/CPRA | HIPAA | PCI DSS | ADA/WCAG | Audit trail | Free tier |
|---|---|---|---|---|---|---|
| Complianz | ✅ Consent + opt-out | ❌ | ❌ | ❌ | Partial (consent log) | Yes |
| Termly | ✅ Policies + DSAR | ❌ | ❌ | ❌ | ❌ | Basic |
| WP Accessibility | ❌ | ❌ | ❌ | ✅ Foundation | ❌ | Yes |
| UserWay | ❌ | ❌ | ❌ | ✅ Widget + scan | ❌ | Basic |
| Google Fonts Control | ✅ IP protection | ✅ IP protection | ❌ | ❌ | ✅ JSON export | Yes |
| AI Act Transparency | ❌ | ❌ | ❌ | ❌ | ✅ Audit log | Yes |
| WooCommerce Stripe | ❌ | ❌ | ✅ SAQ A | ❌ | Partial (transaction log) | Yes |
| Wordfence | ✅ Security | ✅ Security | ✅ Reqs. 6, 7, 10 | ❌ | Partial (traffic log) | Yes |
| Plugin Usage Detector | ✅ Reduce scope | ✅ Reduce scope | ✅ Reduce scope | ❌ | ✅ JSON export | Yes |
| WP Activity Log | ✅ Change log | ✅ Audit control | ✅ Req. 10 | ❌ | ✅ Core logging | Yes |
| Redirection | ✅ URL mgmt | ✅ URL mgmt | ❌ | ❌ | ❌ | Yes |
Pricing USD — 2026 comparison
| Plugin | Free tier | Premium | Paid plan value |
|---|---|---|---|
| Complianz | Full CCPA/GDPR banner + scan | €69/yr (~$75) | Policy generator, consent stats |
| Termly | Basic policy + scan | $14/mo ($168/yr) | DSAR portal, multi-state |
| WP Accessibility | Full | — | — |
| UserWay | Basic widget + scan | $19/mo ($228/yr) | Remove branding, PDF reports |
| Google Fonts Control | Full (no account) | — | — |
| AI Act Transparency | Full (no account) | — | — |
| WooCommerce Stripe | Full (transaction fee) | — | — |
| Wordfence | Core firewall + scan | $119/yr | Real-time rules, premium support |
| Plugin Usage Detector | Full (no account) | — | — |
| WP Activity Log | Core logging | $99/yr | File changes, reports, integrations |
| Redirection | Full | — | — |
Total cost for full compliance stack (free tiers): $0 — all 11 plugins have production-viable free versions.
Total cost for strategic premium upgrades: ~$515/yr ($75 Complianz + $228 UserWay + $119 Wordfence + $99 WP Activity Log). Most sites need premium for 2-3 plugins max.
Top picks for US use cases
Best for CCPA/Privacy compliance
Complianz (consent) + Termly (policies + DSAR) + Google Fonts Control (IP data flow)
Don't run both for consent — use Complianz for the technical CMP, Termly for policy generation and data subject request portal. GFC closes the Google Fonts IP leakage that contradicts your privacy policy.
Best for HIPAA/Healthcare
WP Activity Log + Wordfence (premium) + Plugin Usage Detector (reduce PHI surface)
HIPAA requires audit trails, access controls, and security. WP Activity Log covers audit. Wordfence covers security and 2FA. PUD helps remove unnecessary PHI-touching plugins from the stack.
Best for PCI DSS/WooCommerce
WooCommerce Stripe + Wordfence + WP Activity Log
Stripe offloads card data (SAQ A). Wordfence provides firewall and vulnerability scanning (PCI Req. 6). WP Activity Log tracks admin changes (PCI Req. 10). This trio covers the three most burdensome PCI DSS requirements.
Best for ADA/WCAG accessibility
WP Accessibility (foundation) + UserWay (widget + scan)
Use both — WP Accessibility fixes theme markup, UserWay provides the user-facing toolbar and continuous scanning. Together they demonstrate good faith effort and reduce lawsuit risk.
Best for agencies managing multiple US client sites
Plugin Usage Detector + WP Activity Log + Redirection
PUD audits each client site before compliance work. WP Activity Log monitors agency admin changes across client sites. Redirection protects SEO during legal page restructuring.
Phased install order — aligned with the checklist
Don't install all eleven plugins in one hour on production. Follow the downloadable checklist phases:
Phase 1 (D-14) — Mapping and security
→ Plugin Usage Detector audit
→ List applicable obligations (CCPA, HIPAA, PCI, ADA)
→ Wordfence — security baseline
→ Download timeline CSV
Phase 2 — Privacy and consent
→ Complianz OR Termly (one only)
→ Google Fonts Control
→ WP Activity Log
Phase 3 — PCI DSS payments (WooCommerce only)
→ WooCommerce Stripe (if direct card processing)
→ Verify SAQ A eligibility
→ Disable any form builders capturing card data
Phase 4 — Accessibility
→ WP Accessibility — foundation fixes
→ UserWay — widget + scan
→ Test with keyboard + screen reader
Phase 5 — AI content transparency
→ AI Act Transparency + editorial policy
→ Bulk-label existing AI content
→ Export audit JSON for compliance file
Phase 6 — Sign-off
→ Redirection rules for moved legal URLs
→ PHP Compatibility Checker if host upgrade pending
→ Front + back tests on 3 critical flows
→ Generate compliance reports for counsel
Why PUD first? You cannot layer compliance on a conflicting stack.
Why Wordfence before CMP? Security baseline before expanding plugin surface — compromised sites invalidate all compliance work above.
Why Redirection last? URL changes should be final before you lock 301 rules.
Audit → security → privacy → payments → accessibility → AI labels → redirects → PHP scan → sign-off. One phase per sprint, backup between each.
5 compliance mistakes we see every week on US sites
1. Two cookie/consent banners active
Visitor confusion, double consent logs, analytics firing incorrectly. CCPA opt-out renders twice. Fix: one CMP, deactivate the other completely.
2. Credit cards processed on the same server as the database
Direct card entry via a form builder = PCI DSS SAQ D territory. 300+ questions vs 20 for SAQ A. Fix: switch to Stripe Elements or Stripe Checkout immediately.
3. Accessibility widget used as the only solution
A toolbar button does not fix missing alt text, poor color contrast, or keyboard traps. Fix: WP Accessibility for theme fixes + UserWay for user controls. Widget alone is insufficient.
4. Google Fonts still loading externally
Privacy policy says "we don't share personal information," but every page visit sends the visitor's IP to Google via fonts.googleapis.com. Fix: self-host with Google Fonts Control by Volade.
5. No audit trail for who changed what
HIPAA and PCI DSS require audit trails. CCPA data requests need proof of process. If you don't have WP Activity Log or similar, you cannot answer "who changed the privacy policy last month." Fix: install activity log plugin today.
When to go beyond this stack
| Situation | Path |
|---|---|
| Full security baseline missing | Add TOP 11 free WordPress plugins |
| Enterprise HIPAA compliance | Dedicated HIPAA compliance software + BAAs with all vendors |
| PCI DSS SAQ D | Full QSA involvement, network ASV scans, written security policies |
| 6+ Volade compliance sites | V+ Volade for XML exports, multisite rollup, WP-CLI bulk |
| Custom legal requirements | Counsel review + dedicated compliance management software |
Compliance plugins sit on top of a healthy WordPress floor: backup, security, SEO, cache. Don't skip the foundation.
Create a free Volade account
Unlock this article's member resources and the full Volade pack.
No credit card · Public checklists stay free.
Article resources
- Compliance checklist — 6 phases, printable, sign-off block
- Timeline CSV — deadlines vs WordPress actions
- ADA accessibility guide — WCAG 2.2 for WordPress
- PCI DSS WooCommerce guide — SAQ A vs SAQ A-EP vs SAQ D
- CCPA compliance guide — California + state privacy laws
- Plugin audit guide — inherited site playbook
- PHP migration guide — 7-phase host upgrade
FAQ — US compliance questions we actually get
Does CCPA apply to my WordPress site if I'm not in California?
Yes, if you have visitors from California and meet the threshold criteria (gross revenue >$25M, handles data of 50K+ consumers, or earns >50% revenue from selling personal information). The same pattern applies to Virginia, Colorado, Connecticut, and other state laws. If you're unsure, consult counsel — but installing a CMP is a low-risk first step.
Complianz or Termly — which is better for US compliance?
It depends on your primary need. Complianz is stronger for technical cookie blocking and Google Consent Mode. Termly provides better legal policy templates and DSAR portals. Many agencies use Complianz for consent + Termly for policies — just ensure they don't both manage consent banners. Never run both CMP features active.
Does HIPAA apply to my health blog?
If you collect, store, or transmit Protected Health Information (PHI) — any individually identifiable health data — HIPAA likely applies. A general health blog with comments and analytics may not meet the threshold. A site with patient portals, telehealth appointments, medical forms, or paid health consultations almost certainly does. The key question: would a data breach expose someone's health information combined with their identity?
Is PCI DSS compliance required for a small WooCommerce store?
Yes — PCI DSS applies to any business that stores, processes, or transmits credit card data, regardless of size. However, using Stripe (or Square, PayPal) reduces your compliance scope dramatically. If card data never touches your server, you complete SAQ A (~20 questions). If cards are entered on your server, you face SAQ D (~300+ questions). The plugin choice determines your compliance burden.
Do I really need an accessibility overlay/widget?
An overlay alone is not sufficient for ADA compliance — courts have dismissed "widget-only" defenses. However, user-facing accessibility tools combined with theme-level fixes (WP Accessibility) and content practices (alt text, heading structure) form a strong compliance approach. The pairing of foundation fixes + widget is a pragmatic stack for most WordPress sites.
What's the cheapest way to start US compliance on WordPress?
Start with free tiers: Complianz (CCPA consent) + WP Accessibility (ADA foundation) + Wordfence (security) + WooCommerce Stripe (PCI DSS if you sell). Total cost: $0. Add UserWay ($19/mo) if ADA risk is high. Add WP Activity Log ($99/yr) if HIPAA or audit trail requirements apply. Most small US businesses can achieve reasonable compliance for under $200/yr.
Are Volade compliance plugins free for US sites?
Yes. Base tiers work without a Volade account — install from volade.com/en/cms/wordpress/extensions/. Account adds history and ecosystem features; V+ unlocks premium exports and multisite management. Google Fonts Control, AI Act Transparency, Plugin Usage Detector, and PHP Compatibility Checker are all free without account.
How often should I review my compliance plugin stack?
Quarterly for most sites. Additional triggers: server migration, WooCommerce version upgrade, new state privacy law effective dates, HIPAA audit notification, PCI DSS SAQ renewal, or any data breach. The compliance landscape isn't static — neither should your plugin stack be.
Published July 2026 — next review October 2026 (CCPA enforcement updates, PCI DSS 4.0 SAQ revisions, cited plugin updates).
Discover Google Fonts Control
Self-host Google Fonts locally — theme + style scan, woff2 download, URL rewrite, 4 GDPR/perf presets and free JSON export without account.
Your feedback matters
Comment on “TOP 11 WordPress compliance plugins in 2026 — CCPA, HIPAA, PCI DSS, ADA/WCAG (tested stack)” or rate this article to help the community.
people shared this article
