It is debatable that StopForumSpam requires consent under GDPR. I'd argue not because it's providing username and e-mail, without any associated data. But you could argue that StopForumSpam could do origin tracing to know an e-mail is using a certain website. Then, anything that was external embedded in a webpage could also do similar tracking on IP, and that's really unavoidable.
So I think it's worth documenting this and our interpretation.

Google Analytics does offer explicit GDPR compliance, because it does do more sophisticated probing. Facebook connect too. But no explicit personal data is being sent to them.

Consents should also be added to the eCommerce system, under a different set of options. We need to have consents for Shippo, Taxcloud, PayPal, etc - as we really do pass along personal data to these services.

Also our use of ipstack (formally freegeoip.net) may need considering.