In light of data protection laws like GDPR and the ePrivacy Regulations (PECR), you may be concerned about whether your WordPress website is placing cookies on your visitors’ devices—and what you need to do about it.
This guide explains exactly what cookies WordPress uses, when they’re set, and how to make your site compliant with UK and EU cookie laws. We’ll cover everything from a clean WordPress installation through to WooCommerce stores and analytics integrations.
The short answer: Out of the box with no additional functionality, WordPress doesn’t set cookies on visitors unless they log in or leave a comment. But as soon as you add analytics, advertising, e-commerce, or social sharing features, your compliance obligations change significantly.
What Does UK Law Say About Cookies?
Before diving into WordPress specifics, it’s worth understanding what the law requires.
In the UK, cookies are regulated by the Privacy and Electronic Communications Regulations 2003 (PECR), which sit alongside the UK GDPR. The key principle is straightforward:
You must get consent before setting non-essential cookies.
Essential cookies—those strictly necessary for your website to function—don’t require consent. Everything else does. This includes analytics cookies, advertising cookies, and social media tracking cookies.
The Information Commissioner’s Office (ICO) is clear that implied consent (such as “by continuing to browse, you accept cookies”) is not sufficient. Users must take a positive action to consent, and they must be able to refuse non-essential cookies without being disadvantaged.
What Cookies Does WordPress Use?
The cookies WordPress uses depend on what features and plugins you’ve enabled. Let’s look at each scenario.
Clean Installation (No Plugins)
On a totally clean WordPress installation without additional plugins or tracking scripts, no cookies are set for regular visitors. A visitor browsing your pages and posts won’t have any cookies placed on their device.
This means a basic WordPress site can be compliant with cookie laws out of the box—there’s nothing to consent to because no cookies are being used.
However, this changes the moment you:
- Enable comments
- Add analytics (Google Analytics, Matomo, etc.)
- Install an e-commerce plugin like WooCommerce
- Add social sharing buttons
- Embed YouTube videos or other third-party content
- Install advertising or remarketing pixels
Admin and Logged-In User Cookies
When you log in to WordPress as an administrator or registered user, several cookies are set:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| wordpress_[hash] | Stores authentication details for the admin area | Session | Essential |
| wordpress_logged_in_[hash] | Indicates you’re logged in and personalises your experience | Session | Essential |
| wp-settings-{time}-[UID] | Stores your admin interface preferences | 1 year | Essential |
| wp-settings-[UID] | Stores your admin interface preferences | 1 year | Essential |
These cookies are essential for the admin interface to function—you don’t need consent for them because they’re strictly necessary. However, they only apply to logged-in users, not regular visitors.
Comment Cookies
If you enable comments on your posts, WordPress sets cookies when someone leaves a comment:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| comment_author_{HASH} | Remembers the commenter’s name | 347 days | Non-essential |
| comment_author_email_{HASH} | Remembers the commenter’s email | 347 days | Non-essential |
| comment_author_url_{HASH} | Remembers the commenter’s website | 347 days | Non-essential |
Important: These are convenience cookies, not strictly necessary ones. They exist purely to save the commenter from re-entering their details next time. Under PECR, you should obtain consent before setting them.
WordPress does include a checkbox option: “Save my name, email, and website in this browser for the next time I comment.” This can serve as your consent mechanism—but only if the checkbox is unticked by default. If it’s pre-ticked, you’re not getting valid consent.
You can disable comment cookies entirely by navigating to Settings > Discussion in your WordPress admin and unticking the relevant option.
WooCommerce Cookies
If you run an online store with WooCommerce, additional cookies are essential for e-commerce functionality:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| woocommerce_cart_hash | Detects when cart contents change | Session | Essential |
| woocommerce_items_in_cart | Detects when cart contents change | Session | Essential |
| wp_woocommerce_session_ | Contains unique session code for cart data | 2 days | Essential |
| woocommerce_recently_viewed | Stores recently viewed products | Session | Non-essential |
Most WooCommerce cookies are essential—the shopping cart simply won’t work without them. These don’t require consent.
However, the “recently viewed products” cookie is a convenience feature, not strictly necessary. If you display a “Recently Viewed” section on your site, you should consider whether you need consent for this cookie.
Be aware: Many WooCommerce extensions add their own cookies. If you use upselling plugins, abandoned cart recovery, or product recommendation tools, audit what cookies they set.
Analytics and Advertising: Where It Gets Complicated
This is where most WordPress sites fall out of compliance.
Google Analytics
Google Analytics sets multiple cookies, and none of them are essential:
| Cookie Name | Purpose | Duration | Type |
|---|---|---|---|
| _ga | Distinguishes unique users | 2 years | Non-essential |
| _ga_[ID] | Maintains session state | 2 years | Non-essential |
| _gid | Distinguishes users | 24 hours | Non-essential |
| _gat | Throttles request rate | 1 minute | Non-essential |
You must obtain consent before Google Analytics cookies are set. This means your cookie consent plugin must block Google Analytics from loading until the user accepts analytics cookies.
Many site owners install Google Analytics without realising this. While Google makes the integration seem simple—just paste a code snippet—they don’t take responsibility for your legal compliance. That’s on you.
For guidance on using Google Analytics compliantly, see our article on GDPR and Google Analytics 4.
Facebook Pixel and Advertising Cookies
Advertising and remarketing pixels (Facebook/Meta Pixel, Google Ads, LinkedIn Insight Tag) set cookies that track users across websites. These require explicit consent before loading.
Embedded Content
Embedding YouTube videos, Google Maps, or social media posts often sets third-party cookies. Even if you’re not intentionally tracking visitors, the embedded content might be.
How to Make Your WordPress Site Cookie Compliant
Follow these steps to achieve cookie compliance:
Step 1: Audit Your Cookies
Before you can be compliant, you need to know what cookies your site sets. Visit your site in a private/incognito browser window and use your browser’s developer tools (F12 > Application > Cookies) to see what’s being set.
Alternatively, use a cookie scanning tool—several of the plugins below include this feature.
Step 2: Categorise Your Cookies
Organise cookies into categories:
- Strictly Necessary: Essential for the website to function (cart, login, security)
- Functional: Remember user preferences (language, region)
- Analytics: Track how visitors use your site
- Marketing: Track users for advertising purposes
Step 3: Install a Cookie Consent Plugin
You need a mechanism to:
- Inform visitors about your cookies
- Obtain consent before setting non-essential cookies
- Allow visitors to change their preferences
- Keep records of consent
Here’s a comparison of the leading WordPress cookie consent plugins:
| Plugin | Active Installs | Free Version | Key Features | Best For |
|---|---|---|---|---|
| CookieYes | 1+ million | Yes | Auto-scanning, Google Consent Mode v2, 40+ languages | Most sites |
| GDPR Cookie Compliance (Moove) | 300,000+ | Yes (full-featured) | Local data storage, GTM/GA integration, no external servers | Privacy-focused sites |
| Complianz | 800,000+ | Yes | Region-specific notices, auto cookie scanning, legal documents | Multi-region compliance |
| Cookie Notice | 1+ million | Yes | Simple setup, works with MonsterInsights | Basic needs |
| WPConsent | Newer | Yes | Automatic script blocking, auto-updates | Hands-off compliance |
Key considerations when choosing:
- Does it block non-essential cookies until consent is given? (Essential)
- Does it support Google Consent Mode v2? (Important for Google Analytics/Ads)
- Does it store consent records? (Recommended for demonstrating compliance)
- Is it accessible (WCAG/ADA compliant)? (Required)
Step 4: Configure Script Blocking
Simply showing a cookie banner isn’t enough. Your plugin must prevent non-essential cookies from loading until consent is given.
This means:
- Google Analytics shouldn’t load until the user accepts analytics cookies
- Facebook Pixel shouldn’t load until the user accepts marketing cookies
- YouTube embeds should show a placeholder until consent is given
Most modern cookie consent plugins handle this automatically, but verify it’s working by testing in an incognito window.
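The pre-consent check from Steps 1, 2 and 4 can be scripted. The following is an added example, not part of the original guide or of any plugin: it classifies cookie names using the tables earlier in this guide and reports anything non-essential or unrecognised. The function names and the sample cookie string are constructed for illustration.

```javascript
// Added example: rules transcribed from the cookie tables in this guide.
// First matching pattern wins; anything unmatched is "unknown".
const RULES = [
  [/^wordpress_/, "essential"],               // wordpress_[hash], wordpress_logged_in_[hash]
  [/^wp-settings-/, "essential"],
  [/^comment_author_/, "non-essential"],
  [/^woocommerce_(cart_hash|items_in_cart)$/, "essential"],
  [/^wp_woocommerce_session_/, "essential"],
  [/^woocommerce_recently_viewed$/, "non-essential"],
  [/^_(ga|gid|gat)(_|$)/, "non-essential"],   // _ga, _ga_[ID], _gid, _gat
];

// Extract cookie names from a "name=value; name2=value2" string.
// Values may themselves contain "=", so split on the first one only.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      return eq === -1 ? pair : pair.slice(0, eq);
    });
}

function classify(name) {
  const rule = RULES.find(([pattern]) => pattern.test(name));
  return rule ? rule[1] : "unknown";
}

// Audit cookies observed BEFORE the visitor has answered the banner.
// Anything not known to be essential is a finding to investigate.
function auditPreConsent(cookieString) {
  const findings = cookieNames(cookieString)
    .map((name) => ({ name, category: classify(name) }))
    .filter((c) => c.category !== "essential");
  return { pass: findings.length === 0, findings };
}

// Constructed sample: a fresh incognito visit to a shop with analytics.
const SAMPLE =
  "woocommerce_items_in_cart=1; wp_woocommerce_session_abc123=u%7C%7C1; " +
  "_ga=GA1.1.111.222; _ga_ABC123=GS1.1.1.1; some_plugin_cookie=x=y";

console.log(auditPreConsent(SAMPLE));
```

`document.cookie` omits HttpOnly cookies and cookies belonging to third-party embeds, so build the input from the names listed in the developer tools cookie panel for each origin.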
Step 5: Update Your Privacy Policy
Your privacy policy should explain:
- What cookies you use
- Why you use them
- How long they last
- How users can manage cookie preferences
Include a link to your cookie settings so users can change their preferences at any time.
Step 6: Train Your Team
If multiple people manage your WordPress site, ensure everyone understands that adding new plugins, tracking codes, or embedded content may affect cookie compliance. Any changes should trigger a cookie audit.
For guidance on training requirements, see our article on GDPR training requirements.
Cookie Compliance Checklist
Use this checklist to verify your WordPress site is compliant:
- Audited all cookies set by your site
- Categorised cookies (essential, functional, analytics, marketing)
- Installed a cookie consent plugin with script blocking
- Cookie banner appears before any non-essential cookies are set
- Users can accept or reject cookie categories
- Users can access cookie settings to change preferences later
- Comment cookie checkbox is unticked by default (if comments enabled)
- Privacy policy explains cookie usage
- Consent records are being stored (if using premium plugin)
- Tested in incognito mode to verify no cookies set before consent
Frequently Asked Questions
Do I need a cookie banner if I only use essential cookies?
If you genuinely only use strictly necessary cookies (no analytics, no advertising, no comment cookies), you don’t need a consent banner. However, you should still inform users about these cookies in your privacy policy. Most sites will have at least some non-essential cookies, so this scenario is rare.
Are WooCommerce cart cookies essential?
Yes, the core shopping cart cookies are essential—the cart won’t function without them. However, “recently viewed products” and similar features may not be essential and could require consent.
What happens if I don’t comply?
The ICO can issue fines up to £17.5 million or 4% of annual global turnover for serious GDPR/PECR breaches. In practice, most enforcement starts with warnings and orders to change practices, but fines are increasingly common. Beyond regulatory risk, poor cookie practices damage user trust.
Do I need separate consent for UK and EU users?
The requirements are very similar. Both UK PECR and EU ePrivacy Directive require consent for non-essential cookies. A single well-implemented consent mechanism typically covers both, though some plugins offer region-specific banners.
How often should I audit my cookies?
Audit your cookies whenever you add new plugins, change themes, or modify tracking configurations. Even without changes, an annual audit is good practice—plugins may update and change their cookie behaviour.
Summary
Your WordPress website almost certainly uses cookies in some form. While a clean installation doesn’t set cookies on visitors, adding comments, analytics, e-commerce, or virtually any third-party integration changes this.
UK law requires you to:
- Identify what cookies your site uses
- Obtain consent before setting non-essential cookies
- Allow users to refuse cookies without penalty
- Provide clear information about your cookie practices
The good news is that achieving compliance is straightforward with the right plugin and configuration. Choose a cookie consent plugin that blocks non-essential scripts until consent is given, configure it properly, and test that it’s working.
If your organisation handles personal data beyond just website cookies, explore our data protection training courses to ensure your team understands their responsibilities under UK GDPR.
