Recent CSP violation reports can be seen at https://csp-report.toolforge.org/search?ft=wdqs-wmil-tutorial
The theme of the WordPress install here is the most likely source of requests to Google and Gravatar servers. There seem to also be some requests to the legacy hosting environment at wikidata.wwwnlsrc4.supercp.com.
- The local cdnjs and fontcdn privacy protecting proxies can and should be used instead for the assets loaded from Google.
- Gravatar integration can be disabled using the WordPress admin interface.
- References to the prior hosting location should be fixed to point to the new tool instead.