Your Liferay portal database holds registered user accounts, Message Boards post history, Document Library metadata, web content records, and in enterprise deployments sensitive role-based access data. Whoever handles your migration has access to every record in it.
What Is Actually Inside a Liferay Database
Liferay stores its data across a complex relational schema in MySQL, PostgreSQL, Oracle, or SQL Server depending on deployment. The User_ table contains every registered portal user: email address, hashed password, screen name, last login timestamp, and the portal-specific company assignment. The UserGroup and UserGroupRole tables map users to their access rights across the portal. If Liferay‘s expando attributes system has been used to capture custom user profile fields, that data is in the ExpandoValue table. The MBThread and MBMessage tables contain the full text of every Message Boards post, including any personal information users included in their posts. The DLFileEntry and associated tables track every document in the Document Library including who uploaded it and when. For financial institutions and government agencies running Liferay, these tables may contain data protected under GDPR, HIPAA, or sector-specific regulation.
All of that is in the database that any migration provider will back up and work from. The question of who holds that backup, on what infrastructure, under what security controls, and with what deletion policy is not optional to consider.
Your Liferay database during a migration with no documented data handling policy.
What Has Gone Wrong in Real Data Migrations
A contractor turned off the firewall for ten minutes while migrating data to ElasticSearch. This exposed the database to attackers who breached over 5 billion data records.
Keepnet Labs breach, documented by Caylent security research
Ten minutes. No malicious intent. One operational shortcut during a migration window. For a Liferay portal at a bank or a government agency with thousands of registered users, the exposure window during an insecure migration is the period from when the database backup leaves your server to when it is formally deleted from the provider’s system. For most freelancers, that moment never arrives because there is no deletion policy in place.
Data is particularly vulnerable during transit and temporary storage phases. Without proper encryption and access controls, you are essentially broadcasting sensitive information. Customer data intercepted during a cloud migration, personally identifiable information exposed due to misconfigured permissions. These are not hypothetical scenarios.
Monte Carlo Data, September 2025
For Liferay specifically, the credential exposure surface is broad. Your Liferay admin credentials give access to the portal administration, all content, all user accounts, and all installed portlets. Database credentials expose the full schema including enterprise-specific custom tables. Server access (SSH or RDP) exposes the file system including the Document Library storage path. A migration provider holding all three simultaneously has complete access to your entire environment.
The Freelancer and Cheap Service Problem
The freelancer who migrated your Liferay portal: the database backup is in their downloads, no DPA, no deletion date.
Liferay migrations are technically demanding in ways that most freelancers do not anticipate. The JournalArticle schema, the expando attribute system, the FreeMarker theme architecture, and the portlet-instance model are all specific to Liferay and require someone who has done it before. Competent technical work is hard enough to find. Technical competence combined with a formal data protection process is extremely rare.
- No Data Processing Agreement. GDPR Article 28 requires a signed DPA before any third party processes personal data on your behalf. A Liferay portal almost certainly contains personal data from EU residents. Without a DPA, your organization is in violation regardless of what the provider does or does not do with the data.
- No credential security policy. Your Liferay admin credentials, database connection string, and server access details are typically shared by email and retained indefinitely. No encrypted vault. No deletion timeline. No audit trail.
- No data retention policy. After the job, the database backup stays on the provider’s machine or server. For how long? There is no answer. No secure deletion. No notification when it eventually disappears.
- No breach notification obligation. If the provider’s system is compromised while holding your data, they have no contractual obligation to notify you. Your users’ data could be circulating without your knowledge.
- No professional liability. If the migration fails, loses Message Boards history, breaks the Document Library, or triggers a GDPR investigation, a marketplace freelancer has no insurance and no legal exposure. Your organization absorbs the full cost.
- Liferay-specific technical failures. Most providers who advertise Liferay migrations underestimate the JournalArticle field structure, the expando system, and the portlet-to-plugin mapping complexity. The result is a migration that looks complete on the surface but is missing large amounts of structured content with no record of what went wrong.
Why Automated Migration Tools Do Not Work Here
Unlike WordPress-to-WordPress migrations or basic blog platform conversions, there are no widely-used automated migration tools for Liferay to WordPress. Migration services that handle Liferay typically require manual database extraction and custom scripting because the Liferay schema is Java-framework-specific and has no standard export format that maps cleanly to the WordPress post structure.
The few tools that do exist work by routing your data through third-party servers. Your personal data, including user records, form submission history, and Message Boards content, passes through infrastructure you have not audited and have no contractual data protection relationship with. If your Liferay portal has EU users and you use such a service without a signed DPA, you are processing personal data outside a lawful data sharing framework. GDPR fines start at 2% of annual global turnover or 10 million euros, whichever is higher.
How gConverter Does It
How gConverter starts every Liferay migration: legal documentation before any credentials are shared.
gConverter is a registered US company with full EU GDPR compliance for all European and international clients. We act as a Data Processor under GDPR Article 4(8) with a documented six-step security process applied to every migration including Liferay.
Step 1: DPA before credentials
Before you share any credentials, you receive a Data Processing Agreement for review and signature. For GC-ExtraSecurity clients, a Non-Disclosure Agreement is also executed. No data access is granted until both documents are countersigned. The DPA defines what we process, the lawful basis, retention limits, and our liability in the event of a breach.
Step 2: Encrypted credential vault
Your Liferay admin credentials, database connection details, and server access are transmitted via an encrypted channel, never by email. They are stored immediately in an AES-256 encrypted vault accessible only to the single assigned engineer and deleted within 24 hours of job completion with written confirmation sent to you.
Step 3: Isolated staging environment
Your database is exported and transferred over TLS 1.3. For GC-ExtraSecurity clients, processing happens on a dedicated Hetzner EU server in Frankfurt, keeping all data inside the EEA throughout the migration. For standard clients, processing is on the assigned engineer’s encrypted machine (Apple FileVault AES-256). Your data is never on shared hosting and never alongside other clients’ data.
Steps 4 to 6: Logged migration, verified delivery, 30-day deletion
Every database query and file operation is logged. The migration is completed on staging and presented to you for review before going live. After approval and launch, credentials are revoked and deleted immediately. All customer data is permanently deleted within 30 days using secure overwrite deletion. Breach notification within 72 hours if required by GDPR Article 33.
Read the complete GDPR and Data Protection documentation →
Questions to Ask Any Liferay Migration Provider
- Will you sign a Data Processing Agreement before accessing any data? No DPA means no GDPR compliance and direct legal exposure for your organization.
- How do you handle Liferay-specific data: JournalArticle fields, expando attributes, MBThread data, Document Library files? If they cannot answer specifically, they have not done it before.
- How are credentials transmitted and stored? Acceptable: encrypted channel and AES-256 vault. Not acceptable: email, Slack, or any plain-text method.
- Where is my data processed and stored during migration? Specific server location, encryption method, and single-engineer access policy.
- When and how is my data deleted after completion? A timeline and a deletion method – secure overwrite, not just closing a window.
- Do you carry professional liability insurance? Without it, no financial recourse if a breach or data loss occurs during the migration.
- What is your breach notification procedure? Without a documented procedure, they have no obligation to tell you if your data is compromised.
Technical Quality Matters Too
Security is the foundation. But a migration that is secure but technically incomplete is still a failed migration. A complete Liferay to WordPress migration by gConverter covers all pages and portal content, JournalArticle web content records mapped to WordPress posts with ACF Pro fields, Document Library files imported to the WordPress Media Library, Message Boards content migrated to wpForo 360° AI, user accounts with role mapping and expando attribute data preserved, FreeMarker theme rebuilt as a custom WordPress theme, navigation menus reconstructed, 301 redirects for every URL that changes, and SEO metadata transferred to Yoast SEO.
For the full picture of why organizations are moving off Liferay and what the technical migration covers: Why Enterprises Are Moving From Liferay to WordPress →
To discuss your specific site: Liferay to WordPress migration at gConverter →
What Our Clients Say
Went FAR above and beyond to help us work through this project. We are thrilled with the final result and they were professional, great to work with, and responsive every step of the way. Would highly recommend.
Anna P., Wilmington NC – Customer Lobby, January 2026
Extremely professional and efficient, we had very good contact, the work was done in due time.
Timoti F., Berlin DC – Customer Lobby, February 2024
Liferay portal data, Message Boards history, and Document Library, all verified in WordPress.
The Bottom Line
A Liferay database contains the personal data of every registered portal user, every message board participant, and every person who submitted a form or uploaded a document through the platform. For enterprise organizations and government agencies, this data requires the highest level of governance during any transfer. Most migration providers do not come close to meeting that standard.
gConverter is US-registered and EU GDPR-compliant, with signed legal agreements before access, AES-256 encryption at rest, TLS 1.3 in transit, EU server options, and 30-day data deletion with written confirmation. Before the job starts, you have a signed DPA. While it runs, your data is encrypted, isolated, and logged. When it ends, your data and credentials are gone from our systems.