Most of the points in it boil down to one thing—if you visit my site, that fact remains between you and my site. No one else will know—not Google, not Facebook, not your ISP, not the airplane WiFi you’re using, not some ad network.
I went to some trouble to make these assurances. For example, I had to create a WordPress child theme that prevents the theme from loading the Google Fonts stylesheets it pulls in by default. Then—since I still wanted to use some of those fonts—I needed to check the licensing on them, download them, convert them to a form I could host locally, and incorporate them into a stylesheet on my own server.
I also needed to audit the source code for all the WordPress plugins I use to see what requests they make, if any, to other parties (and I’ll have to repeat this process if I ever add a new plugin). This was more challenging than I realized.
I needed to ensure I had no malware present and that my website remained free of malware. I began with WordPress’s hardening guide. I found a very thorough plugin for comparing file versions against known-good versions (WordFence, which I found recommended in the hardening guide). I also made additional checks of file permissions, excised unused plugins, made sure all server software was up to date, and incorporated additional protections into the web server configuration to limit my attack surface.
Finally, I had to browse my website for a while using the developer tools built into my browser, both to see if any requests went to a domain other than my own and to inspect what cookies, local storage, and session storage data were created. This turned up a plugin that brought in icons from a third-party site, which I had to replace.
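The third-party request check described above can be repeated from the browser console rather than by eyeballing the network panel. The function below is an added example, not code from the original post; the hostnames in its sample input (example.org, the plugin and font paths) are constructed for illustration, and it treats subdomains of the site’s own host as first-party.

```javascript
// Classify the resource URLs a page loaded into first-party and third-party requests.
// Added example, not code from the original post. In a browser console, run:
//   auditThirdPartyRequests(performance.getEntriesByType('resource').map(e => e.name), location.origin)
// Subdomains of the site's own host count as first-party; data:/blob: URLs make no network request.

function auditThirdPartyRequests(resourceUrls, siteOrigin) {
  const siteHost = new URL(siteOrigin).hostname;
  const firstParty = [];
  const thirdParty = {}; // hostname -> URLs requested from that host

  for (const raw of resourceUrls) {
    let url;
    try {
      url = new URL(raw, siteOrigin); // relative paths resolve against the site itself
    } catch {
      continue; // not a URL at all, so nothing was fetched
    }
    if (url.protocol === 'data:' || url.protocol === 'blob:') continue; // inline content, no network hit
    const host = url.hostname;
    if (host === siteHost || host.endsWith('.' + siteHost)) {
      firstParty.push(url.href);
    } else {
      if (!thirdParty[host]) thirdParty[host] = [];
      thirdParty[host].push(url.href);
    }
  }
  return { firstParty, thirdParty, thirdPartyHosts: Object.keys(thirdParty).sort() };
}

// Constructed sample of what performance.getEntriesByType('resource') might contain on a
// WordPress site whose theme still pulls Google Fonts from Google's servers.
const sampleResources = [
  'https://example.org/wp-content/themes/child-theme/style.css',
  '/wp-content/plugins/some-plugin/script.js',
  'https://static.example.org/uploads/photo.jpg',
  'https://fonts.googleapis.com/css?family=Open+Sans',
  'https://fonts.gstatic.com/s/opensans/example.woff2',
  'data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=',
];

const report = auditThirdPartyRequests(sampleResources, 'https://example.org');
console.log('Third-party hosts contacted:', report.thirdPartyHosts);
for (const [host, urls] of Object.entries(report.thirdParty)) {
  console.log(`  ${host}: ${urls.length} request(s)`);
}
```

Run it after scrolling through a few pages, since lazily loaded plugins may not fire requests until their content is on screen.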