Every time someone logs into your WordPress site, leaves a comment, or adjusts their language preference, WordPress quietly sets a cookie in their browser. Most site owners know cookies exist — but understanding exactly what WordPress sets, why it sets them, and how to manage them properly is what separates compliant sites from ones sitting on a GDPR fine.
This guide covers everything you need to know about WordPress cookies — what they are, which ones WordPress sets by default, how plugins add more, how to check what’s running on your site, and how to stay compliant with privacy laws like GDPR and CCPA.
Key Takeaways:
- WordPress uses cookies for essential functions like user authentication, session management, and comments.
- Core WordPress cookies are strictly necessary and don’t require user consent. Third-party and tracking cookies do.
- Most WordPress sites need a cookie consent solution because plugins and integrations add non-essential cookies automatically.
- The GDPR Cookie Consent plugin by WebToffee is a Google-certified CMP that handles cookie compliance for WordPress websites.
Cookies are small text files stored in a user’s browser when they visit a website. They hold information about the visitor and their activity — things like whether they’re logged in, what language they prefer, or what they’ve added to a shopping cart.
WordPress uses cookies to enable core functionality. Without them, users couldn’t stay logged in, and commenters would have to re-enter their details every single time.
- First-party cookies are set directly by your WordPress site. These include login cookies, session cookies, and commenter cookies. They’re generally secure and considered strictly necessary.
- Third-party cookies are set by external services — plugins, analytics tools, advertising platforms, social media integrations. These cookies often track user behavior across sites and almost always require explicit consent under privacy laws like GDPR.
The distinction matters because first-party core cookies typically don’t need a consent banner. Third-party cookies do. And most WordPress sites are running more third-party cookies than their owners realize.
What Cookies Does WordPress Use?
The core WordPress software sets four types of cookies by default.
User Cookies
User cookies handle authentication — they’re what keep you logged in to your WordPress site.
- wordpress_[hash] — Set when you log in. Stores your authentication details and is limited to the admin area (/wp-admin/). Only 4 characters of your hashed password are stored, making it impossible to reverse-engineer your credentials from the cookie.
- wordpress_logged_in_[hash] — Indicates your logged-in status across the site interface. This is what tells WordPress who you are for most interactions outside the admin screen.
- wp-settings-{time}-[UID] — Personalizes your admin and site interface. The number at the end is your unique user ID from the WordPress users database table.
If no users are actively logged in, these cookies are rarely set. The lifetime of authentication cookies can be adjusted using the auth_cookie_expiration hook for developers who need custom session lengths.
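An added example (not code from the original post) of the auth_cookie_expiration hook mentioned above: it shortens the login cookie lifetime for administrator accounts while leaving the WordPress defaults (2 days, or 14 days with "Remember Me") for other roles. The function name wt_example_auth_cookie_expiration is an assumption.

```php
<?php
// Added example, not part of the original post: use the auth_cookie_expiration
// filter to give privileged accounts a shorter session. The filter receives the
// lifetime in seconds (not a timestamp), the user ID, and the "Remember Me" flag.
add_filter( 'auth_cookie_expiration', 'wt_example_auth_cookie_expiration', 10, 3 );

function wt_example_auth_cookie_expiration( $length, $user_id, $remember ) {
    // $length arrives as 2 * DAY_IN_SECONDS, or 14 * DAY_IN_SECONDS when $remember is true.
    $user = get_userdata( $user_id );

    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        // Administrators: ignore "Remember Me" and expire the cookie after 4 hours,
        // so a leaked or forgotten admin login cookie is useful for less time.
        return 4 * HOUR_IN_SECONDS;
    }

    // Other roles keep the default when they ticked "Remember Me";
    // otherwise cap the session at one day.
    return $remember ? $length : min( $length, DAY_IN_SECONDS );
}
```

The change only affects cookies issued after the filter is in place; existing sessions keep the expiry they were created with.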
Commenter Cookies
When a visitor leaves a comment on your site, WordPress sets three cookies so they don’t have to re-enter their details next time:
- comment_author_{HASH} — Stores the commenter’s name
- comment_author_email_{HASH} — Stores the commenter’s email address
- comment_author_url_{HASH} — Stores the commenter’s website URL
Commenter cookies expire after approximately one year.
GDPR tip: WordPress has a built-in opt-in checkbox for comment cookies. To enable it, go to Settings > Discussion and check Show comments cookies opt-in checkbox, allowing comment author cookies to be set. This gives commenters control over whether these cookies are stored — a simple but important compliance step.
WordPress Test Cookie
The wordpress_test_cookie is a temporary cookie WordPress sets to check whether a visitor’s browser supports cookies at all. It doesn’t store any personal data and is deleted automatically when the browser session ends.
If users see the error message “Cookies are blocked or not supported by your browser,” it’s usually this test cookie being blocked. Clearing cookies and the server cache (if you use a caching plugin) typically resolves it.
Language Cookie
The wp_lang cookie is a session cookie that stores a user’s selected language preference during login. It ensures the WordPress interface is displayed in their chosen language without them having to re-select it each time. It expires automatically when the user logs out or closes their browser.
Core WordPress cookies are just the beginning. Every plugin or theme you activate can introduce additional cookies — and many do.
Analytics plugins use cookies to track how visitors interact with your site. eCommerce plugins like WooCommerce set cookies to manage shopping carts and sessions. Advertising tools, social media embeds, live chat widgets, and heatmap tools all set their own cookies the moment they load.
The important thing to understand: you’re responsible for all cookies running on your site, not just the ones WordPress sets natively. If a plugin sets a tracking cookie, your site is legally required to disclose it, obtain consent where required, and block it from loading until that consent is given.
This is why most WordPress site owners need a consent management platform — not because of WordPress itself, but because of everything running on top of it.
Core WordPress cookies store data in a hashed format. The hash is the result of a mathematical formula applied to the original data, making it practically impossible to reverse and extract the original information. For user cookies, only 4 characters of the hashed password are stored — meaning even if someone intercepted the cookie, they couldn’t retrieve your credentials.
Commenter cookies use the same hashing approach, so commenter data is also secure at the WordPress level.
However, cookies set by third-party plugins and integrations may not follow the same standards. If those cookies contain personal data and aren’t properly secured, they become a vulnerability. This is why due diligence on every plugin you install matters — not just for performance, but for security and compliance.
How to Check What Cookies Are Running on Your WordPress Site
Before you can manage cookies, you need to know which ones are actually running. Here are two ways to find out.
Method 1: Check Manually via Browser Developer Tools
Google Chrome:
- Visit your WordPress website
- Click the padlock icon in the address bar
- Select Cookies and site data
- Click Manage cookies and site data to see all cookies set by your site and any third parties
Mozilla Firefox:
- Visit your WordPress website
- Click the padlock icon in the address bar
- Select Connection secure > More information
- Go to the Security tab and click View Cookies
Safari:
- Visit your WordPress website
- Right-click the page and select Inspect Element
- Go to the Storage tab in the developer console
- Expand the Cookies dropdown to see all cookies and their attributes
Microsoft Edge:
- Visit your WordPress website
- Click the padlock icon in the address bar
- Select Cookies
- Browse cookies by domain to see what’s being set
The limitation of manual checking is that it only shows you what’s currently loaded. It won’t tell you the purpose of each cookie, who set it, or how long it lasts. For a complete picture, a cookie scanner is more reliable.
Method 2: Use a Cookie Scanner
A cookie scanner automatically crawls your website and generates a full report of every cookie in use — including name, purpose, provider, duration, and category. This is faster, more complete, and easier to keep up to date as your plugin list changes. The GDPR Cookie Consent plugin by WebToffee includes a built-in cookie scanner that identifies all third-party cookies on your site and automatically blocks them until the user grants consent.
How to Manage WordPress Cookies for Compliance
Managing cookies for compliance comes down to three steps:
- Identify all cookies running on your site (first-party and third-party)
- Obtain consent for non-essential cookies before they load
- Disclose cookie details in a cookie policy on your site
Step 1: Obtain Cookie Consent in WordPress
To obtain cookie consent, you need a Consent Management Platform (CMP) installed on your site. Here’s how to set one up using the GDPR Cookie Consent plugin by WebToffee — a Google-certified CMP for WordPress.
- Install and activate the GDPR Cookie Consent plugin
- Go to Cookie Consent settings from your WordPress sidebar menu
- Under the Cookie Banner settings page, choose GDPR as the Consent Law
- Select the Enable cookie banner checkbox
- Set geo-targeting for EU Countries & UK to ensure the banner displays only to visitors from those regions
- Enable IAB TCF and configure the related settings if you display third-party ads. Skip this if you don’t run ads.
- Expand the Show advanced settings dropdown and enable the Reload page upon user consent checkbox
- Optionally, choose pages where the banner should be hidden and set how long consent remains valid
- Click Update Settings to apply the changes

Your cookie banner is now active. You can customize the banner’s content, button labels, colors, and layout from the Content & Colors tab.

Step 2: Add a Cookie Policy to Your WordPress Site
A cookie policy is a legal document that discloses what cookies your site uses, why they’re used, who sets them, how long they last, and how users can manage or delete them. It’s required under GDPR, CCPA, and most other major privacy laws.
You can write one from scratch or use a cookie policy generator. The GDPR Cookie Consent plugin includes a built-in cookie policy template that auto-updates as your site’s cookie list changes — so you’re not manually editing a policy page every time you add a new plugin. Create a dedicated Cookie Policy page on your site and link to it from your cookie banner and privacy policy.
Cookie Compliance Laws: What WordPress Site Owners Need to Know
1. General Data Protection Regulation (GDPR) — Europe
GDPR applies to any website that processes data from users in the European Economic Area. It’s one of the strictest privacy laws globally, and it has direct implications for how you use cookies.
Key requirements:
- Inform users about what cookies are used and for what purpose
- Obtain explicit consent before setting non-essential cookies (tracking, analytics, marketing)
- Allow users to accept or reject specific cookie categories
- Provide an easy way to withdraw consent at any time
- Strictly necessary cookies don’t require consent
2. ePrivacy Directive (EU Cookie Law) — Europe
The ePrivacy Directive works alongside GDPR and specifically regulates cookie use. It requires websites to obtain consent before storing or retrieving information on a user’s device, with an exception for essential cookies.
Key requirements:
- Display a clear, visible cookie notice
- No pre-ticked consent boxes — users must actively give consent
- Users must be able to manage their cookie preferences
3. California Privacy Rights Act (CPRA) — United States
The CPRA strengthens the previous CCPA and imposes stricter data protection rules for businesses collecting data from California residents. Unlike GDPR, it doesn’t require prior consent for cookies — but it mandates transparency and opt-out options.
Key requirements:
- Clearly disclose what cookies are used, their purpose, and who data is shared with
- Provide a “Do Not Sell or Share My Personal Information” option
- Honor Global Privacy Control (GPC) signals automatically
4. Digital Markets Act (DMA) — Europe
The DMA primarily targets large tech platforms, but it directly affects any WordPress site using Google Ads, Google Analytics, Facebook Pixel, or similar services. These platforms now require websites to use a Consent Management Platform to pass valid consent signals.
Key requirements:
- Obtain valid consent before using tracking cookies for advertising
- Integrate a CMP that supports Google Consent Mode v2
- Disable tracking features for users who don’t consent
If you’re building custom functionality, WordPress lets you set, retrieve, and delete cookies programmatically via PHP.
How to Set a Cookie in WordPress
Add the following to the functions.php file in your active theme:
```php
function set_custom_cookie() {
    $username = 'john_doe';
    // Set the cookie only once. setcookie() must run before any output is sent,
    // which the init hook guarantees.
    if ( ! isset( $_COOKIE['user_username'] ) ) {
        setcookie( 'user_username', $username, time() + 86400, COOKIEPATH, COOKIE_DOMAIN );
    }
}
add_action( 'init', 'set_custom_cookie' );
```

This creates a cookie named user_username that expires after 24 hours (86400 seconds). The COOKIEPATH and COOKIE_DOMAIN constants are set automatically by WordPress based on your site configuration.

As you can see, the ‘user_username’ cookie has been added to our website.
How to Get a Cookie in WordPress
To retrieve a cookie value, access it through the $_COOKIE superglobal array:
```php
function get_custom_cookie() {
    if ( isset( $_COOKIE['user_username'] ) ) {
        // wp_unslash() removes the slashes WordPress adds to superglobals;
        // sanitize_text_field() strips tags and control characters.
        $username = sanitize_text_field( wp_unslash( $_COOKIE['user_username'] ) );
        // Escape on output as well: a cookie value is client-controlled input.
        echo 'Welcome back, ' . esc_html( $username );
    } else {
        echo 'Cookie not found.';
    }
}
```

Always sanitize cookie values before using them, and escape them when you output them: the browser controls the value, so an unchecked cookie is the same kind of injection risk as an unchecked form field.
How to Delete a Cookie in WordPress
To delete a cookie, unset it from the $_COOKIE array and set its expiration to a past timestamp:
```php
function delete_custom_cookie() {
    if ( isset( $_COOKIE['user_username'] ) ) {
        // Remove it for the rest of this request...
        unset( $_COOKIE['user_username'] );
        // ...and tell the browser to discard it. Path and domain must match
        // the values used when the cookie was set, or the browser ignores this.
        setcookie( 'user_username', '', time() - 900, COOKIEPATH, COOKIE_DOMAIN );
    }
}
```

Setting the expiration to time() - 900 (15 minutes in the past) forces the cookie to expire immediately.
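The same set, get and delete flow as an added example (not code from the original post), using the options-array form of setcookie() so the cookie also carries the Secure, HttpOnly and SameSite attributes that the five-argument call cannot express. It assumes PHP 7.3 or later and uses hypothetical wt_example_ function names.

```php
<?php
// Added example, not part of the original post. Shared attributes for the
// custom cookie: reused for both setting and deleting, because a deletion only
// takes effect when path and domain match the original cookie.
function wt_example_cookie_options( $expires ) {
    return array(
        'expires'  => $expires,
        'path'     => COOKIEPATH,    // derived by WordPress from the site URL
        'domain'   => COOKIE_DOMAIN, // '' unless defined in wp-config.php
        'secure'   => is_ssl(),      // HTTPS-only transport when the site runs on HTTPS
        'httponly' => true,          // not readable from JavaScript, limiting XSS impact
        'samesite' => 'Lax',         // not sent on cross-site POST requests (CSRF mitigation)
    );
}

function wt_example_set_cookie() {
    if ( isset( $_COOKIE['user_username'] ) ) {
        return;
    }
    // Prefer an opaque identifier that maps to server-side state over raw
    // personal data; the literal value here mirrors the original example.
    $value = 'john_doe';
    setcookie( 'user_username', $value, wt_example_cookie_options( time() + DAY_IN_SECONDS ) );
}
add_action( 'init', 'wt_example_set_cookie' );

function wt_example_get_cookie() {
    if ( ! isset( $_COOKIE['user_username'] ) ) {
        return null;
    }
    // Sanitize on input; escape with esc_html() wherever the value is printed.
    return sanitize_text_field( wp_unslash( $_COOKIE['user_username'] ) );
}

function wt_example_delete_cookie() {
    if ( ! isset( $_COOKIE['user_username'] ) ) {
        return;
    }
    unset( $_COOKIE['user_username'] );
    // Same path/domain/attributes as the original cookie, expiry in the past.
    setcookie( 'user_username', '', wt_example_cookie_options( time() - 900 ) );
}
```

Like the original functions, all three must run before any output is sent, so hook them to init or another early action.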
Want to ensure your website complies with Google’s consent requirements? Use WebToffee’s Google Consent Checker to instantly analyze your site’s compliance.
GDPR Cookie Consent: Best Plugin for WordPress Cookie Compliance

Our GDPR Cookie Consent Plugin is the best WordPress cookie consent plugin to obtain cookie consent and manage cookies in WordPress. This WordPress cookies plugin is a certified Consent Management Platform (CMP) by Google for WordPress websites.
With this plugin, you can create a cookie banner on your WordPress website and obtain consent from your site visitors to load cookies on their browsers. The plugin will help you comply with global data privacy laws such as GDPR and CCPA for using cookies to collect information from your site visitors.
If you are unaware of the cookies on your website, the plugin provides a cookie scanner tool that scans your website for cookies and blocks all third-party cookies until the user grants consent to them. You can also allow your visitors to give granular consent, meaning they can allow specific cookie categories without consenting to every cookie on your website.
You can create a well-defined cookie policy on your website using the built-in cookie policy template. Additionally, if you want to show the cookie banner based on user location, you can do that as well.
Simply put, this WordPress cookie consent plugin is a complete GDPR cookie compliance suite for WordPress websites.
Key features of the WebToffee CMP plugin
- Deploy a cookie banner
- Scan website for cookies
- Block third-party cookies automatically
- IAB TCF integration
- Supports Google Consent Mode v2, UET and Microsoft Clarity v2
- Show cookie banner based on Geo-IP
- Cookie policy generator
- Granular control for website cookies
Also Read: 15 Best GDPR Cookie Consent Banner Examples
Frequently Asked Questions – WordPress Cookies
Yes. WordPress uses cookies for user authentication, session management, comments, browser compatibility testing, and language preferences. These are considered strictly necessary and don’t require user consent under GDPR.
Core WordPress cookies — user cookies and commenter cookies — don’t require consent as they’re strictly necessary for the site to function. However, non-essential cookies added by plugins, analytics tools, or advertising integrations do require explicit consent under GDPR and similar laws.
WordPress cookies are stored in the user’s browser as local files. Core cookies store data in a hashed format for security. Third-party cookies added by plugins may or may not follow the same security standards.
You can disable or limit cookies through configuration or plugins, but disabling core cookies will break essential functionality like user logins. It’s better to manage and disclose cookies properly rather than attempt to disable them.
Yes, if your site receives visitors from the EU, UK, California, or other regions with active privacy laws. A cookie policy must disclose what cookies are in use, their purpose, who sets them, and how users can manage them.
Chrome: Settings > Privacy and security > Cookies and other site data > See all site data and permissions > search for the site > delete.
Firefox: Settings > Privacy & Security > Cookies and Site Data > Manage Data > search for the site > Remove All Shown > Save Changes.
Safari: Preferences > Privacy > Manage Website Data > search for the site > Remove > Done.
WordPress cookies are straightforward at their core — a small set of essential files that keep your site functional. The complexity comes from everything layered on top: plugins, integrations, analytics tools, and advertising platforms that add third-party cookies most site owners don’t even know are running.
The path to compliance is the same for every WordPress site: know what cookies you’re running, get consent for the non-essential ones, and disclose everything in a clear cookie policy. The GDPR Cookie Consent plugin by WebToffee handles all three from a single dashboard.
Have questions about WordPress cookies or compliance? Drop them in the comments below.