You, as WordPress owner, you are
A controller is someone who determines the purpose (the why) and means (the how) of processing personal data. If you own a website that does anything with its visitor's personal data, you are the controller. You control your customers’ data and you are ultimately responsible for it.
GDPR Art. 4 (7): A controller is a natural or legal person, public authority, agency or other bodies which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
GDPR Art. 5: GDPR states that you (as the controller) are also responsible for demonstrating that you are actually following the rules of GDPR. Read a more user-friendly version of the full law here: http://www.privacy-regulation.eu/en/article-5-principles-relating-to-processing-of-personal-data-GDPR.htm
In the event of a data breach or another personal data related problem, being able to demonstrate GDPR compliance in your company should presumably lessen the wrath of your local data protection authority. However, we will see how exactly this plays out in each EU and not-EU member country.