WordPress Cookies: A Complete Guide

If you have a WordPress website, you should be aware that WordPress uses cookies like every website on the internet. Cookies are small text files that contain information about your site visitors and their activities on your website.

If it were not for cookies, the whole browsing experience and personalization wouldn’t be there for websites. Yet, in a world where privacy regulations reign supreme, cookies can quickly turn from sweet to sour, with hefty fines looming over non-compliance.

In this article, we delve into WordPress cookies, how they are used, their potential risks, and the measures you need to take to ensure compliance. Whether you’re a seasoned webmaster or a curious newcomer, this article has got you covered.

What Are WordPress Cookies?

Cookies are small text files stored on a user’s browser when they visit a website. These files contain information about the visitors and their activities on the website. Cookies serve a number of purposes, including enhancing user experience, enabling personalized content and advertisements, and tracking user behavior.

WordPress cookies are primarily used for logged-in users and commenters. Users could not log in or post comments on your website without these cookies. These cookies are stored in a hashed format to ensure security, safeguarding them against unauthorized access by external parties.

In the absence of cookies, or if they have expired or become invalid due to manual editing for any reason, WordPress will prompt users to log in again to acquire new cookies.

What Cookies Does WordPress Use?

The core WordPress software uses two types of cookies.

  • Users cookies – Tracks users’ sessions on a website
  • Commenter cookies – Remembers details of commenters on a website.

Users cookies

Users cookies are used for authenticating users who have registered an account on a WordPress website.

Here are the three users cookies set by WordPress:

  1. wordpress_[hash]: Upon logging in, WordPress uses the wordpress_[hash] cookie to store your authentication information. This particular cookie is limited to the Administration screen, specifically to the /wp-admin/ page.
  2. wordpress_logged_in_[hash]: When a visitor logs in, WordPress establishes the wordpress_logged_in_[hash] cookie. This cookie serves the purpose of indicating your logged-in status and identifying your user identity for most interactions within the interface.
  3. wp-settings-{time}-[UID]: WordPress sets several wp-settings-{time}-[UID] cookies. The numerical value at the end represents your unique user ID from the users’ database table. These cookies are used to personalize the admin interface and influence the appearance of the main site interface.

If your website does not have active logged-in visitors, then the users cookies are hardly used.

Commenter cookies

Commenter cookies refer to the cookies that are stored on a visitor’s browser when they submit a comment on your website. These cookies are used to store information about the commenter so that they don’t have to enter the information each time they post a comment on your website.

Below are the different types of commenter cookies set by WordPress:

  • comment_author_{HASH} – Stores the author name of the commenter
  • comment_author_email_{HASH} – Stores the email address of the commenter
  • comment_author_url_{HASH} – Stores the website URLs of the commenter

The commenter cookies are set to expire within a year.

These two are the cookies used by the core WordPress software. However, additional third-party cookies may be added to your WordPress website depending on your installed and activated plugins and themes. Also, there can be other third-party services that can add cookies, like Google Analytics, Hotjar, etc.

These cookies may be necessary to retain toggle settings, preserve search history, facilitate analytics tracking, enable advertising features, or support eCommerce functionality.

The key point to remember is that while WordPress itself uses only two types of “core” cookies, it doesn’t imply that your website is limited to using only two cookies. You need to identify all the cookies set by your website and then provide a cookie policy with the details of the cookies used.
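One way to start that inventory, as an added example that is not part of the original article: the script below takes Set-Cookie header lines captured from your own site's responses, sorts each cookie into the core categories listed above or "third-party or plugin", and reports which of the Secure, HttpOnly and SameSite attributes are absent. The mycheck_* names and the sample header lines are constructed for illustration.

```php
<?php
// Added example: mycheck_* names are hypothetical; the header lines are constructed samples.

// Name patterns for the core cookies listed in this article.
const MYCHECK_CORE_PATTERNS = array(
    'user'      => '/^(wordpress_logged_in_|wordpress_|wp-settings-)/',
    'commenter' => '/^comment_author_(email_|url_)?/',
);

// Parse one Set-Cookie header value into name, category and missing attributes.
function mycheck_audit_set_cookie( $header ) {
    $parts = array_map( 'trim', explode( ';', $header ) );
    list( $name ) = explode( '=', array_shift( $parts ), 2 );

    // Remaining parts are attributes: "path=/", "secure", "HttpOnly", ...
    $attrs = array();
    foreach ( $parts as $part ) {
        $kv = explode( '=', $part, 2 );
        $attrs[ strtolower( $kv[0] ) ] = isset( $kv[1] ) ? $kv[1] : true;
    }

    $category = 'third-party or plugin';
    foreach ( MYCHECK_CORE_PATTERNS as $label => $regex ) {
        if ( preg_match( $regex, $name ) ) {
            $category = 'core ' . $label;
            break;
        }
    }

    $missing = array();
    foreach ( array( 'secure', 'httponly', 'samesite' ) as $flag ) {
        if ( ! isset( $attrs[ $flag ] ) ) {
            $missing[] = $flag;
        }
    }
    return array( 'name' => $name, 'category' => $category, 'missing' => $missing );
}

$sample_headers = array(
    'wordpress_logged_in_0123abcd=placeholder; path=/; secure; HttpOnly',
    'comment_author_0123abcd=Jane; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/',
    'myplugin_prefs=dark; path=/; domain=.example.com',
);
foreach ( $sample_headers as $header ) {
    $r = mycheck_audit_set_cookie( $header );
    printf( "%-32s %-22s missing: %s\n", $r['name'], $r['category'], implode( ', ', $r['missing'] ) ?: 'none' );
}
```

Cookies written by JavaScript never appear in Set-Cookie headers, so the browser's cookie storage has to be reviewed as well.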

Are WordPress Cookies Secure?

WordPress stores the information in the cookies in an encrypted or ‘hashed’ format. It is nearly impossible for someone to decrypt these cookies and extract the original information from the cookies. The commenter cookies are also stored in a hashed format, so they are also protected from being accessed by third parties.

However, it is important to note that third-party cookies on your website, which are set by the plugins you use, may not be stored in an encrypted format. If these third-party cookies contain the personal information of your visitors, there is a potential risk of someone gaining access to and extracting personal information from these cookies.

How to Manage WordPress Cookies? – Set, Get and Delete WordPress Cookies

In WordPress, cookies are typically used to store temporary information or user-specific data. They are sent as part of the HTTP headers between the server and the user’s browser.

Each cookie has a name-value pair and may include additional attributes such as expiration time, path, and domain. These attributes determine the lifespan and accessibility of the cookie. WordPress provides developers with various functions and methods to manage cookies effectively.

As a website owner, you can set, get or delete cookies on your website.

How to Set Cookies in WordPress?

To set a cookie in WordPress, you must pass specific values using the setcookie() function. Let’s assume we want to store the visitor’s username as a cookie. Here’s an example code snippet that can be added to the functions.php file in your active theme’s directory:

<?php
add_action( 'init', 'setting_my_first_cookie' );

function setting_my_first_cookie() {
    $username        = 'JohnDoe'; // Replace with actual username
    $expiration_time = 30 * DAY_IN_SECONDS; // Cookie expiration time (30 days)
    setcookie( 'user_username', $username, time() + $expiration_time, COOKIEPATH, COOKIE_DOMAIN );
}
?>

In the above code, we define the username, set the expiration time, and use the setcookie() function to create the cookie. The COOKIEPATH and COOKIE_DOMAIN variables are set automatically by WordPress based on your site’s configuration.

As you can see, the ‘user_username’ cookie has been added to our website.

How to Get Cookies in WordPress?

When we refer to “getting cookies” in WordPress, it means retrieving the values stored in cookies that have been set on the user’s browser. WordPress uses the $_COOKIE superglobal array to access these cookies and retrieve their values.

The $_COOKIE array contains key-value pairs where the keys represent the names of the cookies, and the corresponding values are the data stored within those cookies. By accessing the $_COOKIE array, you can retrieve and use the values stored in cookies to personalize user experiences, remember user preferences, or perform other necessary tasks.

Here’s an example code snippet to get the cookie we set earlier:

<?php
if ( isset( $_COOKIE['user_username'] ) ) {
    // Cookie values come from the browser, so escape them before output.
    $username = esc_html( $_COOKIE['user_username'] );
    echo "Welcome back, $username!";
} else {
    echo "Cookie not found.";
}
?>

In the above code, we check if the cookie named user_username exists using the isset() function. We retrieve its value and display a personalized welcome message if it exists. Otherwise, we display a message indicating that the cookie was not found.

How to Delete Cookies in WordPress?

Sometimes, you may want to remove a cookie from your WordPress site. To delete a cookie, you need to unset its value from the $_COOKIE array and set its expiration time to a past timestamp. Here’s an example code snippet:

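<?php
unset( $_COOKIE['user_username'] );
// Use the same path and domain the cookie was set with, or the browser keeps it.
setcookie( 'user_username', '', time() - ( 15 * 60 ), COOKIEPATH, COOKIE_DOMAIN );
?>

In the above code, we use the unset() function to remove the cookie’s value from the $_COOKIE array. Then, we set the expiration time to a past timestamp (15 minutes ago) to make the cookie immediately expire. The path and domain match the ones passed when the cookie was set, because a browser only replaces a cookie whose name, path and domain all match.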
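The set, get and delete steps above combined into one hardened flow, as an added example that is not part of the original article: the cookie value carries an HMAC so that a value edited in the browser is detected and the cookie is discarded, and the cookie is sent with the HttpOnly, Secure and SameSite attributes. The myplugin_* function names and the 'JohnDoe' value are hypothetical; the array form of setcookie() assumes PHP 7.3 or later.

```php
<?php
// Added example: hypothetical helper names (myplugin_*), not WordPress core functions.

// Build "value|hmac" so the server can detect a cookie edited in the browser.
function myplugin_sign_cookie_value( $value ) {
    // wp_hash() computes an HMAC keyed with the site's secret keys and salts.
    return $value . '|' . wp_hash( $value );
}

// Return the original value, or null if the cookie is malformed or was altered.
function myplugin_verify_cookie_value( $raw ) {
    $pos = strrpos( $raw, '|' );
    if ( false === $pos ) {
        return null;
    }
    $value = substr( $raw, 0, $pos );
    $mac   = substr( $raw, $pos + 1 );
    // hash_equals() compares in constant time.
    return hash_equals( wp_hash( $value ), $mac ) ? $value : null;
}

function myplugin_cookie_options( $expires ) {
    return array(
        'expires'  => $expires,
        'path'     => COOKIEPATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => is_ssl(), // HTTPS only when the site is served over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // withheld from cross-site subrequests
    );
}

add_action( 'init', function () {
    $name = 'user_username';
    if ( isset( $_COOKIE[ $name ] ) ) {
        $value = myplugin_verify_cookie_value( wp_unslash( $_COOKIE[ $name ] ) );
        if ( null === $value ) {
            // Tampered or malformed: delete it with the same path and domain.
            unset( $_COOKIE[ $name ] );
            setcookie( $name, '', myplugin_cookie_options( time() - HOUR_IN_SECONDS ) );
        }
        return;
    }
    $signed = myplugin_sign_cookie_value( 'JohnDoe' ); // constructed sample value
    setcookie( $name, $signed, myplugin_cookie_options( time() + 30 * DAY_IN_SECONDS ) );
} );
```

The signature protects integrity only: the value is still readable by anyone with access to the browser, so personal data is better kept server-side and referenced by an identifier.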

Frequently Asked Questions – WordPress Cookies

Do WordPress Cookies need consent?

No, the core WordPress cookies, such as users cookies and commenter cookies, do not require prior consent from users. They come under the category of strictly necessary cookies as they are important for the website to function properly. However, non-essential cookies, such as those used for analytics, advertising, or tracking user behavior, typically require user consent.

Can I disable cookies on my WordPress website?

Yes, you can disable WordPress cookies by modifying your website configuration or by using any plugins. However, disabling cookies completely may impact certain functionalities and user experiences on your website. It is important to carefully consider the consequences and inform your users about the absence of cookies. Additionally, updating your privacy policy to reflect the disabled cookies is recommended.

Are there any legal requirements or regulations regarding WordPress cookies?

Yes, there are legal requirements and regulations regarding WordPress cookies. The General Data Protection Regulation (GDPR) and the ePrivacy Directive are two notable regulations that govern the use of cookies on websites, including those built on the WordPress platform. These regulations emphasize the need for informed user consent before using non-essential cookies that collect personal data. 

How are cookies stored in WordPress?

Cookies used on a WordPress website are stored in the users’ web browsers as local files. Each cookie is assigned a unique ID that helps identify sessions or remember user preferences on your website. 

How do I add a cookie banner in WordPress?

You can add a cookie banner to your WordPress website using any cookie consent plugin. The GDPR Cookie Consent plugin by WebToffee will help you easily set up cookie banners on your WordPress website. With this plugin, you can comply with major privacy laws like GDPR, CCPA, LGPD, etc., for cookie usage on your website. 

For more information, check out our detailed guide on creating a cookie consent banner in WordPress.


Understanding WordPress cookies is crucial for website owners to ensure compliance with privacy laws and provide a seamless user experience. WordPress uses cookies for authentication, tracking sessions, and remembering user preferences.

The core WordPress software utilizes session cookies and commenter cookies, while additional third-party cookies may be added by plugins. WordPress stores cookies in a hashed format, ensuring security and protecting user information.

However, it’s important to be aware of legal requirements and regulations, such as the GDPR and ePrivacy Directive, which govern the use of cookies and emphasize the need for user consent, particularly for non-essential cookies.

By understanding and effectively managing WordPress cookies, website owners can enhance user experiences while maintaining compliance with privacy regulations.

Article by

Content Writer @ WebToffee. Specialized in WordPress and eCommerce. When I am not writing, I enjoy my downtime with a good cup of coffee and a movie.
