In light of data protection laws like GDPR and the ePrivacy Regulations (PECR) you may be concerned about whether your WordPress website is placing cookies on your visitors devices – and whether you should be concerned about this. In this article we’ve collaborated with wordpress web development experts to explore exactly what you can expect from a default WordPress installation and will provide you with some pointers on how to deal with this issue in a compliant way.
The short answer:
Out of the box with no additional functionality – no cookies are used unless you are an admin user working on the site. But as soon as you add Comments, e-Commerce or any analytics tools things will change.
What cookies are used on WordPress?
As mentioned briefly, the answer is “it depends”. Let’s look at some different situations and explore whether cookies will be used and what kind of cookies we can expect.
Clean installation – no plugins
On a totally clean install of WordPress, without additional plugins installed or code snippets containing tracking scripts – no cookies will be used. This means that a default wordpress install can be compliant with “cookie laws” out of the box, since data is not accessed or stored on a user’s device. Be aware that this will change quickly once you start adding tracking or analytics services, install an ecommerce solution like WooCommerce or encourage user contributions via comments or sign-ups, so we’ll look at those situations next.
After accessing the wp-login page and admin panel
After you have accessed the wp-login page and have logged in as a user you will now have cookies on your device from your WordPress website. These are used on WordPress to manage “logged-in users”. This allows you as an administrator to open your WordPress website and edit it and to stay “logged-in” as you move throughout the website and also when you return the website after some time away – this means you don’t have to log back in every time you access the site.
The cookies used are:
- WordPress_[hash]: This cookie is used to store authentication details upon login and is present in the admin area only.
- wordpress_logged_in_[hash]: This cookie enables WordPress to recognise you as a logged-in user and use this information to customise the information presented to you and to present the site according to your preferences.
- wp-settings-{time}-[UID]: This cookie customises your view of the admin and main site interface. It contains the individual user ID from the user database.
With Comments Enabled
If you have comments enabled on your posts or content, then cookies will be added to the user’s device when a comment is left. This is to allow them to revisit and be remembered as the comment poster – so that they can reply.
The cookies used for commenting are:
comment_author_{HASH}: This remembers the commenter’s name
comment_author_email_{HASH}: This remembers the commenter’s email address if provided.
comment_author_url_{HASH}: This remembers the commenter’s website if provided.
Remember you can turn off cookies on new posts by navigating to Settings > Discussions. You can also control the ability to leave comments on a post by post basis.
With WooCommerce Installed
With WooCommerce installed additional cookies will be used on your WordPress site in order to make the WooCommerce functionality work, for example in order to make the “shopping cart” work.
The cookies used are:
woocommerce_cart_hash: Helps your website determine when shopping cart contents/data changes.
woocommerce_items_in_cart: Helps your website determine when shopping cart contents/data changes.
wp_woocommerce_session_: Contains a unique code for each customer so that your website can remember the shopping cart data for the current visit.
woocommerce_recently_viewed: Logs what products a user has viewed recently in order to make the Recently Viewed Products section work.
Analytics and advertising is a more complicated story
What about if you have added Google Analytics or have set up some advertising on your website? In this case things will be very different, most analytics and advertising integrations rely on cookies. Be aware that while an analytics company or advertising partner may make the integration with your site seem “easy” – just a few clicks away, they do not take responsibility for ensuring that cookies are implemented on your WordPress website in a legally compliant way. A manual review is advised.
Summary
In summary, your WordPress website probably uses Cookies in some form. Remember that the use of cookies needs to comply with data protection laws around the world. In the EU and UK specifically this would be PECR (based on the ePrivacy Regulations). The general rule of thumb with PECR is that any cookies which are non-essential to the user should only be placed on a device or read from a device after consent is given. If you are managing a WordPress website we’d strongly recommend that you learn more about these rules and the implications they may have on your website.