If you have a WordPress website, you should be aware that WordPress uses cookies like every website on the internet. Cookies are small text files that contain information about your site visitors and their activities on your website.
Without cookies, much of the browsing experience and personalization that websites offer wouldn’t exist. Yet, in a world where privacy regulations reign supreme, cookies can quickly turn from sweet to sour, with hefty fines looming over non-compliance.
In this article, we delve into WordPress cookies, how they are used, their potential risks, and the measures you need to take to ensure compliance. Whether you’re a seasoned webmaster or a curious newcomer, this article has got you covered.
Key Takeaways:
- WordPress uses cookies for its functionality, such as authentication and comments.
- WordPress creates three user cookies and commenter cookies on a website.
- Learn how to get, set, and delete cookies on WordPress websites.
- GDPR Cookie Consent plugin can help you obtain consent for using cookies on your WordPress website.
Cookies are small text files stored on a user’s browser when they visit a website. These files contain information about the visitors and their activities on the website. Cookies serve a number of purposes, including enhancing user experience, enabling personalized content and advertisements, and tracking user behavior.
WordPress uses cookies for its functionality, such as authentication and comments. For example, WordPress cookies are used to find your login status (whether or not you are logged in). Without these cookies, users can’t log in or post comments on a WordPress website.
These cookies are stored in a hashed format to ensure security, safeguarding them against unauthorized access by external parties.
In the absence of cookies, or if they have expired or become invalid due to manual editing for any reason, WordPress will prompt users to log in again to acquire new cookies.
What Cookies Does WordPress Use?
The core WordPress software uses two types of cookies.
- User cookies – Track users’ sessions on a website.
- Commenter cookies – Remembers details of commenters on a website.
User cookies
User cookies are used for authenticating users who have registered an account on a WordPress website.
Here are the three user cookies set by WordPress:
- wordpress_[hash]: Upon logging in, WordPress uses the wordpress_[hash] cookie to store your authentication information. This particular cookie is limited to the Administration screen, specifically to the /wp-admin/ page.
- wordpress_logged_in_[hash]: When a visitor logs in, WordPress sets the wordpress_logged_in_[hash] cookie. This cookie indicates your logged-in status and identifies you for most interactions within the interface.
- wp-settings-{time}-[UID]: WordPress sets several wp-settings-{time}-[UID] cookies. The numerical value at the end represents your unique user ID from the users’ database table. These cookies are used to personalize the admin interface and influence the appearance of the main site interface.
If your website does not have active logged-in visitors, then the user cookies are hardly used.
Commenter cookies
Commenter cookies refer to the cookies that are stored on a visitor’s browser when they submit a comment on your website. These cookies are used to store information about the commenter so that they don’t have to enter the information each time they post a comment on your website.
Below are the different types of commenter cookies set by WordPress:
- comment_author_{HASH} – Stores the author name of the commenter
- comment_author_email_{HASH} – Stores the email address of the commenter
- comment_author_url_{HASH} – Stores the website URLs of the commenter
The commenter cookies are set to expire within a year.
These are the two types of cookies used by the core WordPress software. However, additional third-party cookies may be added to your WordPress website depending on your installed and activated plugins and themes. Third-party services such as Google Analytics and Hotjar can also add cookies.
These cookies may be necessary to retain toggle settings, preserve search history, facilitate analytics tracking, enable advertising features, or support eCommerce functionality.
The key point to remember is that while WordPress itself uses only two types of “core” cookies, it doesn’t imply that your website is limited to using only two cookies. You need to identify all the cookies set by your website and then provide a cookie policy with the details of the cookies used.
WordPress plugins and extensions often use cookies for various purposes, such as tracking user behavior, enabling analytics, and adding eCommerce features.
For example, if you are using a product recommendation plugin on your WooCommerce store, it might use cookies to track user preferences and deliver tailored product suggestions. Similarly, many third-party plugins rely on cookies to collect customer data for better functionality.
However, this doesn’t mean you can’t use third-party plugins. Just make sure to disclose the use of cookies to your customers and do not load the third-party cookies until the user gives consent.
Once you have their consent to load the cookies to their browser, the plugin can operate as intended, and you have no risk of non-compliance with cookie laws.
WordPress cookies store information in an encrypted or ‘hashed’ format, making it nearly impossible for anyone to decrypt and extract the original information.
However, it is important to note that third-party cookies on your website, which are set by the plugins you use, may not be stored in an encrypted format. If these third-party cookies contain the personal information of your visitors, there is a potential risk of someone gaining access to and extracting personal information from these cookies.
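As an added example (not code from this article or from any plugin), the standalone PHP script below sorts Set-Cookie headers into the core cookie names listed above versus everything else, and flags missing Secure/HttpOnly attributes and plaintext e-mail addresses in values. The header lines and the `reco_prefs` and `newsletter_email` cookies are constructed samples; the 32-hex-character `[hash]` length and the `wpc_*` names are assumptions of this example.

```php
<?php
// Added example: audit Set-Cookie headers. Runs with the PHP CLI, no WordPress needed.

// Core cookie names from the article. Assumption: [hash] is 32 hex characters.
const WPC_CORE = array(
    'user cookie (admin auth)' => '/^wordpress_[0-9a-f]{32}$/',
    'user cookie (logged in)'  => '/^wordpress_logged_in_[0-9a-f]{32}$/',
    'user cookie (settings)'   => '/^wp-settings-(time-)?\d+$/',
    'commenter cookie'         => '/^comment_author_(email_|url_)?[0-9a-f]{32}$/',
);

// Split one Set-Cookie header into name, value and lower-cased attributes.
function wpc_parse_set_cookie( string $header ): array {
    $parts = array_map( 'trim', explode( ';', $header ) );
    list( $name, $value ) = array_pad( explode( '=', array_shift( $parts ), 2 ), 2, '' );
    $attrs = array();
    foreach ( $parts as $part ) {
        list( $key, $val ) = array_pad( explode( '=', $part, 2 ), 2, true );
        $attrs[ strtolower( $key ) ] = $val;
    }
    return array( 'name' => $name, 'value' => urldecode( $value ), 'attrs' => $attrs );
}

// Classify a cookie and list the findings a site owner should review.
function wpc_audit_cookie( string $header ): array {
    $c        = wpc_parse_set_cookie( $header );
    $category = 'plugin or third-party: disclose and gate on consent';
    foreach ( WPC_CORE as $label => $pattern ) {
        if ( preg_match( $pattern, $c['name'] ) ) { $category = 'core ' . $label; break; }
    }
    $flags = array();
    if ( ! isset( $c['attrs']['secure'] ) )   { $flags[] = 'no Secure'; }
    if ( ! isset( $c['attrs']['httponly'] ) ) { $flags[] = 'no HttpOnly'; }
    if ( preg_match( '/\S+@\S+\.\S+/', $c['value'] ) ) { $flags[] = 'plaintext e-mail'; }
    return array( $c['name'], $category, implode( ', ', $flags ) ?: 'ok' );
}

// Constructed sample headers, not captured from a real site.
$samples = array(
    'wordpress_logged_in_0123456789abcdef0123456789abcdef=constructed; path=/; secure; HttpOnly',
    'comment_author_email_0123456789abcdef0123456789abcdef=alice%40example.com; path=/',
    'reco_prefs=cat%3Dshoes; path=/',                       // hypothetical plugin cookie
    'newsletter_email=bob%40example.com; path=/; secure',   // hypothetical plugin cookie
);
foreach ( $samples as $header ) {
    vprintf( "%-55s | %-52s | %s\n", wpc_audit_cookie( $header ) );
}
```

Anything reported as plugin or third-party belongs in the cookie policy, and any cookie flagged with a plaintext e-mail carries personal data readable by whoever obtains it.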
In WordPress, cookies are typically used to store temporary information or user-specific data. They are sent as part of the HTTP headers between the server and the user’s browser.
Each cookie has a name-value pair and may include additional attributes such as expiration time, path, and domain. These attributes determine the lifespan and accessibility of the cookie. WordPress provides developers with various functions and methods to manage cookies effectively.
As a website owner, you can set, get or delete cookies on your website.
How to Set Cookies in WordPress?
To set a cookie in WordPress, you must pass specific values using the setcookie() function. Let’s assume we want to store the visitor’s username as a cookie. Here’s an example code snippet that can be added to the functions.php file in your active theme’s directory:
In the above code, we define the username, set the expiration time, and use the setcookie() function to create the cookie. The COOKIEPATH and COOKIE_DOMAIN variables are set automatically by WordPress based on your site’s configuration.
As you can see, the ‘user_username’ cookie has been added to our website.
How to Get Cookies in WordPress?
When we refer to “getting cookies” in WordPress, it means retrieving the values stored in cookies that have been set on the user’s browser. WordPress uses the $_COOKIE superglobal array to access these cookies and retrieve their values.
The $_COOKIE array contains key-value pairs where the keys represent the names of the cookies, and the corresponding values are the data stored within those cookies. By accessing the $_COOKIE array, you can retrieve and use the values stored in cookies to personalize user experiences, remember user preferences, or perform other necessary tasks.
Here’s an example code snippet to get the cookie we set earlier:
In the above code, we check if the cookie named user_username exists using the isset() function. We retrieve its value and display a personalized welcome message if it exists. Otherwise, we display a message indicating that the cookie was not found.
How to Delete Cookies in WordPress?
Sometimes, you may want to remove a cookie from your WordPress site. To delete a cookie, you need to unset its value from the $_COOKIE array and set its expiration time to a past timestamp. Here’s an example code snippet:
In the above code, we use the unset() function to remove the cookie’s value from the $_COOKIE array. Then, we set the expiration time to a past timestamp (15 minutes ago) to make the cookie immediately expire.
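The set, get and delete steps from the three sections above, combined into one added example for functions.php (not the article's own listing). It keeps the article's `user_username` cookie, `COOKIEPATH`, `COOKIE_DOMAIN` and the 15-minute past expiry; the `wpc_*` names, the hooks and the Secure/HttpOnly/SameSite settings are this example's assumptions, and the array form of `setcookie()` requires PHP 7.3 or later.

```php
<?php
// Added example for a theme's functions.php; all wpc_* names are hypothetical.
const WPC_COOKIE = 'user_username'; // cookie name used in the article

// Set: runs on 'init', before any output, because cookies travel in HTTP headers.
function wpc_set_username_cookie() {
    if ( ! is_user_logged_in() || isset( $_COOKIE[ WPC_COOKIE ] ) ) {
        return;
    }
    $user = wp_get_current_user();
    setcookie( WPC_COOKIE, $user->user_login, array(
        'expires'  => time() + DAY_IN_SECONDS,
        'path'     => COOKIEPATH,
        'domain'   => (string) COOKIE_DOMAIN, // WordPress may define this as false
        'secure'   => is_ssl(),               // HTTPS-only when the site uses HTTPS
        'httponly' => true,                   // not readable from JavaScript
        'samesite' => 'Lax',
    ) );
}
add_action( 'init', 'wpc_set_username_cookie' );

// Get: the value comes from the browser, so treat it as untrusted input.
// Sanitize it on the way in and never use it for authorization decisions.
function wpc_get_username_cookie() {
    if ( ! isset( $_COOKIE[ WPC_COOKIE ] ) ) {
        return '';
    }
    return sanitize_user( wp_unslash( $_COOKIE[ WPC_COOKIE ] ), true );
}

// Escape on output so a tampered cookie cannot inject markup.
function wpc_welcome_message() {
    $name = wpc_get_username_cookie();
    return '' === $name ? 'Cookie not found.' : 'Welcome back, ' . esc_html( $name ) . '!';
}

// Delete: drop the value for this request and expire it in the browser.
// Path and domain must match the values used when the cookie was set.
function wpc_delete_username_cookie() {
    unset( $_COOKIE[ WPC_COOKIE ] );
    setcookie( WPC_COOKIE, '', array(
        'expires' => time() - 15 * MINUTE_IN_SECONDS,
        'path'    => COOKIEPATH,
        'domain'  => (string) COOKIE_DOMAIN,
    ) );
}
add_action( 'wp_logout', 'wpc_delete_username_cookie' );
```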
How to Obtain Cookie Consent on WordPress?
Since cookies carry information about site visitors, many data protection laws regulate the use of cookies on websites. To use cookies, you need prior consent from your site visitors, or else you will be penalized.
Now, let’s see how to obtain consent from site visitors for using cookies to collect information from them.
To obtain cookie consent in WordPress, you need a consent management platform for your website. We recommend our GDPR Cookie Consent plugin as it is a native WordPress CMP that will work within the WordPress ecosystem. With this plugin, you can comply with major privacy laws like GDPR, CCPA, LGPD, etc., for cookie usage on your website.
Follow the steps below to obtain cookie consent in WordPress:
- Step 1: Install and activate the GDPR Cookie Consent plugin.
- Step 2: Go to GDPR Cookie Consent >> Settings >> General.
- Step 3: Enable the cookie bar option.
- Step 4: Select the type of cookie law.
- Step 5: Click on Update Settings to save the settings.
And that’s it, the cookie banner will be active on your WordPress website. You can customize the cookie banner, its content, buttons, and themes from the tabs next to the General tab.
Here is a preview of the cookie banner on a WordPress website.
Refer to our examples of GDPR cookie consent banners.
GDPR Cookie Consent – Best Plugin for WordPress Cookie Compliance
Our GDPR Cookie Consent Plugin is the best WordPress cookie consent plugin to obtain cookie consent and manage cookies in WordPress. This WordPress cookies plugin is a certified Consent Management Platform (CMP) by Google for WordPress websites.
With this plugin, you can create a cookie banner on your WordPress website and obtain consent from your site visitors to load cookies on their browsers. The plugin will help you comply with global data privacy laws such as GDPR and CCPA for using cookies to collect information from your site visitors.
If you are unaware of the cookies on your website, the plugin provides a cookie scanner tool that scans your website for cookies and blocks all third-party cookies until the user grants consent to them. You can allow your visitors to provide granular consent to cookies, meaning they can allow specific cookies without having to consent to all cookies on your website.
You can create a well-defined cookie policy on your website using the free cookie policy generator tool within this plugin. Additionally, if you want to show the cookie banner based on user location, you can do that as well.
Simply put, this WordPress cookie consent plugin is a complete cookie compliance suite for WordPress websites.
Key features:
- Deploy a cookie banner
- Scan website for cookies
- Block third-party cookies automatically
- IAB TCF integration
- Supports Google Consent Mode v2
- Show cookie banner based on Geo-IP
- Cookie policy generator
- Granular control for website cookies
Frequently Asked Questions – WordPress Cookies
Yes, WordPress uses cookies to enhance user experience and provide various functionalities, such as authentication and comments. For example, cookies help WordPress identify whether a user is logged in. Without WordPress cookies, users cannot log in, and site visitors cannot post comments on your WordPress website.
Cookies used on a WordPress website are stored in the users’ web browsers as local files. Each cookie is assigned a unique ID that helps identify sessions or remember user preferences on your website.
No, the core WordPress cookies, such as user cookies and commenter cookies, do not require prior consent from users. They come under the category of strictly necessary cookies as they are important for the website to function properly. However, non-essential cookies, such as those used for analytics, advertising, or tracking user behavior, typically require user consent.
Yes, you can disable WordPress cookies by modifying your website configuration or by using any plugins. However, disabling cookies completely may impact certain functionalities and user experiences on your website. It is important to carefully consider the consequences and inform your users about the absence of cookies. Additionally, updating your privacy policy to reflect the disabled cookies is recommended.
Yes, there are legal requirements and regulations regarding WordPress cookies. The General Data Protection Regulation (GDPR) and the ePrivacy Directive are two notable regulations that govern the use of cookies on websites, including those built on the WordPress platform. These regulations emphasize the need for informed user consent before using non-essential cookies that collect personal data.
Yes. Your WordPress website needs a cookie policy to comply with privacy laws like GDPR and CCPA. Using a cookie policy, you can disclose the use of cookies, provide detailed information on the cookies used, and let users know how they can control the cookies and exercise their rights regarding data collected through cookies.
Conclusion
Understanding WordPress cookies is crucial for website owners to ensure compliance with privacy laws and provide a seamless user experience. WordPress uses cookies for authentication, tracking sessions, and remembering user preferences.
The core WordPress software utilizes session cookies and commenter cookies, while plugins may add additional third-party cookies. WordPress stores cookies in a hashed format, ensuring security and protecting user information.
However, it’s important to be aware of legal requirements and regulations, such as the GDPR and ePrivacy Directive, which govern the use of cookies and emphasize the need for user consent, particularly for non-essential cookies.
By understanding and effectively managing WordPress cookies, website owners can enhance user experiences while maintaining compliance with privacy regulations.