Avoid storing the IP address? [GDPR]

Steps

Hi there,

While inspecting a database export, I noticed that an IP address is stored for every post.

I can see that the GDPR Data Management extension removes the IP address from a post when a user requests deletion and the anonymization action runs. For full GDPR compliance, however, I’d prefer not to store IP addresses with posts in the first place.

Is there an extension or configuration option to disable storing the IP address for posts? If not, is there a recommended approach to limit retention (e.g., automatically deleting the IP after 7 days)?

Keeping IP addresses indefinitely is difficult to justify under GDPR principles like data minimization and storage limitation. A short, documented retention period (e.g., “stored for 7 days to prevent abuse, then deleted”) would be much easier to justify than permanent storage.

Kind regards,
Steps

KBExit

Steps I researched GDPR real quick and see that storing IP Addresses is not a violation at all and is justified for security of your website. All you have to do is disclose the IP Addresses being stored in your Privacy Policy.
You're already GDPR compliant "fully."

Steps

Hi @KBExit, thanks.

I agree that storing IP addresses isn’t automatically a GDPR violation and can be justified for security/abuse prevention, and I already disclose it in my privacy policy. But “just disclose it” isn’t the full story: GDPR also requires data minimization (Art. 5(1)(c)) and storage limitation (Art. 5(1)(e)).

Keeping an IP permanently on every post is much harder to defend under those principles than a short retention window.

What I’m looking for is a practical solution: is there an extension/config to change this behavior, or does anyone have a script/cron job that clears posts.ip_address after, say, 7 days?

After that timeframe the abuse-prevention argument gets noticeably weaker, so a documented retention period would be much easier to justify.

NodeBB provides an option to disable this behavior entirely.

Steps

This is how it is currently declared in my policy.
I would prefer to remove it entirely.
The shorter the privacy policy, the better.

IP Addresses Stored with Posts (Flarum Core)

The forum software (Flarum) stores the IP address from which a post was submitted in the database. This IP address is stored per post.

Purpose: Ensuring security and stability of the forum, particularly for defense against and analysis of attacks, and abuse and fraud prevention.

Legal basis: Art. 6 para. 1 lit. f GDPR (legitimate interest in protection against unauthorized access and attacks and investigation of abuse).

Retention period: The IP address stored with a post can be retained as long as the post exists. If you anonymize your account using the forum’s GDPR tools, IP addresses associated with your user data are removed where supported by the GDPR extension.

Bavarian

Steps This can also be done purely in MySQL via cron:

30 3 * * * mysql -u user -pPASS dbname \
-e "UPDATE posts SET ip_address=NULL WHERE created_at < (NOW() - INTERVAL 7 DAY)"

If you prefer hashing instead of clearing (sometimes useful for abuse analysis), you can do it with php:

Recommended anonymization strategy (best practice)

IPv4

Example:
192.168.123.45 → 192.168.123.0

IPv6

~~Example:~~
2001:0db8:85a3:0000:0000:8a2e:0370:7334

anonymize to /64, keep first 4 blocks

This is explicitly accepted under GDPR as anonymization (not pseudonymization).

<?php
declare(strict_types=1);

/**
 * Flarum: Anonymize post IP addresses older than X days
 * IPv4 -> last octet zeroed
 * IPv6 -> anonymized to /64
 * Run via cron (CLI only)
 */

// ======================
// CONFIG
// ======================
$dbHost = 'localhost';
$dbName = 'your_database';
$dbUser = 'your_db_user';
$dbPass = 'your_db_password';

$days = 7;
$logFile = __DIR__ . '/flarum_ip_anonymizer.log';

// ======================
date_default_timezone_set('UTC');

try {
    $pdo = new PDO(
        "mysql:host={$dbHost};dbname={$dbName};charset=utf8mb4",
        $dbUser,
        $dbPass,
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );

    /**
     * IPv4 anonymization
     */
    $ipv4 = $pdo->prepare("
        UPDATE posts
        SET ip_address = CONCAT(
            SUBSTRING_INDEX(ip_address, '.', 3),
            '.0'
        )
        WHERE ip_address IS NOT NULL
          AND ip_address REGEXP '^[0-9]{1,3}(\\.[0-9]{1,3}){3}$'
          AND created_at < (NOW() - INTERVAL :days DAY)
    ");
    $ipv4->bindValue(':days', $days, PDO::PARAM_INT);
    $ipv4->execute();
    $ipv4Count = $ipv4->rowCount();

    /**
     * IPv6 anonymization (/64)
     */
    $ipv6 = $pdo->prepare("
        UPDATE posts
        SET ip_address = CONCAT(
            SUBSTRING_INDEX(ip_address, ':', 4),
            '::'
        )
        WHERE ip_address IS NOT NULL
          AND ip_address LIKE '%:%'
          AND created_at < (NOW() - INTERVAL :days DAY)
    ");
    $ipv6->bindValue(':days', $days, PDO::PARAM_INT);
    $ipv6->execute();
    $ipv6Count = $ipv6->rowCount();

    file_put_contents(
        $logFile,
        sprintf(
            "[%s] IPv4 anonymized: %d | IPv6 anonymized: %d\n",
            date('Y-m-d H:i:s'),
            $ipv4Count,
            $ipv6Count
        ),
        FILE_APPEND
    );

} catch (Throwable $e) {
    file_put_contents(
        $logFile,
        sprintf("[%s] ERROR: %s\n", date('Y-m-d H:i:s'), $e->getMessage()),
        FILE_APPEND
    );
    exit(1);
}

exit(0);

Cronjob:

15 3 * * * /usr/bin/php /var/www/scripts/flarum_anonymize_post_ips.php >/dev/null 2>&1

And this script is safe, cron-friendly, and does exactly one thing:

removes stored IPs after X days:

<?php
declare(strict_types=1);

/**
 * Flarum: Remove post IP addresses older than X days
 * Sets posts.ip_address to NULL
 * Run via cron (CLI only)
 */

// ======================
// CONFIG
// ======================
$dbHost = 'localhost';
$dbName = 'your_database';
$dbUser = 'your_db_user';
$dbPass = 'your_db_password';

$days = 7; // retention period
$logFile = __DIR__ . '/flarum_remove_ips.log';

// ======================
date_default_timezone_set('UTC');

try {
    $pdo = new PDO(
        "mysql:host={$dbHost};dbname={$dbName};charset=utf8mb4",
        $dbUser,
        $dbPass,
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );

    $stmt = $pdo->prepare("
        UPDATE posts
        SET ip_address = NULL
        WHERE ip_address IS NOT NULL
          AND created_at < (NOW() - INTERVAL :days DAY)
    ");

    $stmt->bindValue(':days', $days, PDO::PARAM_INT);
    $stmt->execute();

    $affected = $stmt->rowCount();

    file_put_contents(
        $logFile,
        sprintf(
            "[%s] Removed IPs from %d posts\n",
            date('Y-m-d H:i:s'),
            $affected
        ),
        FILE_APPEND
    );

} catch (Throwable $e) {
    file_put_contents(
        $logFile,
        sprintf("[%s] ERROR: %s\n", date('Y-m-d H:i:s'), $e->getMessage()),
        FILE_APPEND
    );
    exit(1);
}

exit(0);

I have tested this on my Forum, and it works perfectly, you just have to set up Cronjob by yourself:

0 3 * * * /usr/bin/php /var/www/scripts/flarum_remove_post_ips.php >/dev/null 2>&1

Greetings

Steps

@Bavarian Thank you a lot! 😀

IanM

Steps you raise a very good point here. Off the top of my head, IP addresses are stored in two places, on the post, and also with the access/session tokens. If fof/drafts is also enabled it is also stored alongside the draft (in the case of scheduled drafts).

I'd propose that we add a retention policy within flarum/gdpr for these IPs, so that individual forum admins can make a desicion on how long this data is retained for. This would be suitable for the post and draft IP storage for sure, but for the security side, I think that needs a different approach, or at least a serperate/longer retention peroid.

Let's use this discussion to work out some ideas on how to move forward with this - I'm happy to implement a solution once we have a solid way forward...

Steps

IanM That sounds good to me. 🙂

Yes,flarum/gdpr could simply use the scheduler to execute the command or script that @Bavarian posted here every minute.

If you allow setting retention days to 0, it would delete data immediately. That would make things a lot easier.

I cannot really comment on the security side, but having two different retention periods for different purposes does not sound like overkill to me.

For now, I will move forward with a cronjob, but strengthening GDPR support would definitely make Flarum better.

In fact, I tried other boards like Discourse first, but when I looked into how those systems store data and tried to put that into a privacy policy, I felt uncomfortable. I chose Flarum mainly because I can configure it in a way that will not get me sued immediately after launch. 😉