WordPress Cookie Banner: Setup Guide for Compliance
Learn how to add a WordPress cookie banner that meets GDPR and ePrivacy requirements. Covers free and paid options, setup steps, and common mistakes.
A WordPress cookie banner is the consent mechanism that asks visitors whether they agree to non-essential cookies before your site sets them. If your WordPress site uses analytics, advertising pixels, or social media embeds, you almost certainly need one to comply with privacy regulations like the GDPR and the ePrivacy Directive.
This article explains how cookie banners work on WordPress, walks through setup options, and highlights the mistakes that lead to non-compliance. It is educational content, not legal advice. Consult a qualified attorney for guidance specific to your situation.
Why Your WordPress Site Needs a Cookie Banner
Most WordPress sites set cookies beyond the strictly necessary ones that keep the site functioning. Common sources include:
- Google Analytics (analytics cookies such as
_ga,_gid) - Facebook Pixel and other advertising trackers
- YouTube and Vimeo embedded videos (third-party cookies)
- WooCommerce and e-commerce plugins (marketing and tracking cookies)
- Comment plugins, social sharing buttons, and chat widgets
Under the ePrivacy Directive (Directive 2002/58/EC), which applies across the EU, and the UK's Privacy and Electronic Communications Regulations 2003 (PECR), you must obtain informed, freely given consent before placing non-essential cookies on a visitor's device. The GDPR reinforces this by requiring that consent be specific, granular, and as easy to withdraw as it is to give.
Failure to comply carries real consequences. Under GDPR Article 83, fines can reach 20 million EUR or 4% of annual worldwide turnover. National data protection authorities have been actively enforcing cookie consent rules. France's CNIL fined Google 150 million EUR and Facebook 60 million EUR in 2022 specifically for cookie consent violations.
A cookie banner is not optional decoration. It is a legal requirement for the vast majority of WordPress sites serving European or UK visitors.
How a WordPress Cookie Banner Works
A compliant cookie banner does more than display a notification. It must actively manage which scripts and cookies load based on the visitor's choice. The process works like this:
- Page loads with non-essential scripts blocked. Before the visitor makes a choice, analytics, advertising, and other non-essential scripts must not execute or set cookies.
- Banner appears. The visitor sees a clear description of cookie categories (necessary, analytics, marketing, preferences) with the option to accept all, reject all, or choose specific categories.
- Visitor makes a choice. Their consent preferences are recorded, typically in a first-party cookie.
- Scripts load based on consent. Only the categories the visitor accepted are activated. Rejected categories remain blocked.
- Subsequent visits. The consent cookie is read on return visits, and scripts load according to the stored preferences without showing the banner again (unless consent has expired or needs renewal).
The critical technical requirement is prior blocking: non-essential cookies must not be set before consent is given. Many WordPress cookie banner implementations fail this test by showing a notice while cookies are already being set in the background.
WordPress Cookie Banner Options: Plugins vs External CMP
WordPress site owners generally have two paths for implementing a cookie banner: a WordPress plugin or an external consent management platform (CMP).
WordPress cookie banner plugins
Plugin-based solutions install directly into your WordPress admin. Popular options include:
- CookieYes (free tier available). Provides a customisable banner, auto-scanning, and script blocking. The free version supports basic compliance.
- Complianz (free and premium). Offers a configuration wizard, conditional script loading, and cookie policy generation. The premium version adds geo-based consent rules.
- GDPR Cookie Consent by WebToffee (free tier available). Provides category-based consent and script blocking with a straightforward interface.
- Cookie Notice by Flavor (free cookie banner for WordPress). Lightweight option with basic banner functionality and consent logging.
Plugins are convenient because they integrate directly with WordPress. However, they add PHP and JavaScript overhead to every page load, and their script-blocking mechanisms vary in reliability.
External consent management platforms
An external CMP runs independently of WordPress. You add a JavaScript snippet to your site (typically in the <head> tag), and the CMP handles the banner display, consent collection, and script management from its own infrastructure.
Advantages of external CMPs over plugins:
- Performance. Scripts are served from optimised CDNs rather than your WordPress server.
- Reliability. Script blocking happens at the network level rather than depending on WordPress hook timing.
- Multi-site consistency. If you operate sites on different platforms, one CMP covers all of them.
- IAB TCF compliance. Many external CMPs are registered with the IAB Transparency and Consent Framework, which is required by major ad networks.
TermsBox provides a consent management platform that works with any website, including WordPress. It scans your site to identify cookies automatically, generates a compliant cookie banner, and blocks scripts until visitors consent. You can pair it with a cookie policy generator to create a matching policy document.
Setting Up a Free Cookie Banner on WordPress
If you are looking for a free cookie banner for WordPress, here is a step-by-step process using a plugin-based approach:
Step 1: Audit your cookies
Before installing anything, identify what cookies your site sets. Open your site in an incognito browser window, open developer tools (F12), navigate to the Application tab, and check the Cookies section. Note every cookie, its source, and its purpose. Categorise each as:
- Strictly necessary (session management, security, load balancing)
- Analytics (Google Analytics, Matomo, Plausible)
- Marketing (Facebook Pixel, Google Ads, retargeting)
- Preferences (language, theme, display settings)
Step 2: Install and configure a plugin
From your WordPress admin dashboard:
- Navigate to Plugins, then Add New
- Search for your chosen cookie consent plugin
- Install and activate it
- Open the plugin settings and configure:
- Banner text that clearly explains what cookies you use and why
- Cookie categories matching your audit results
- An "Accept All" button and an equally prominent "Reject All" button
- A link to your cookie policy page
- Consent expiry period (12 months is common, though some regulators recommend shorter periods)
Step 3: Configure script blocking
This is the most important and most frequently botched step. You need to ensure non-essential scripts do not fire until the visitor consents. Depending on your plugin, this may involve:
- Adding script tags to the plugin's blocking list
- Changing the
typeattribute on script tags fromtext/javascripttotext/plain(the plugin swaps it back after consent) - Using the plugin's built-in integrations for popular services like Google Analytics
Step 4: Test thoroughly
After configuration, verify that your banner actually works:
- Clear all cookies and visit your site in an incognito window
- Open developer tools and check that no analytics or marketing cookies exist before you interact with the banner
- Click "Reject All" and verify that non-essential cookies are still absent
- Clear cookies again, revisit, and click "Accept All." Verify that the expected cookies now appear.
- Check that your consent preference persists on subsequent page loads
If cookies appear before you interact with the banner, your script blocking is not working. This is the single most common compliance failure with WordPress cookie banners.
Common WordPress Cookie Banner Mistakes
Even with a plugin installed, many WordPress sites fail to achieve actual compliance. Watch for these issues:
Not blocking scripts before consent
Displaying a banner while Google Analytics and Facebook Pixel are already running is not consent. It is a notification. Regulators do not accept this. Your implementation must prevent non-essential scripts from executing until the visitor affirmatively consents.
Using dark patterns
The following practices violate GDPR consent requirements and have been specifically called out by data protection authorities:
- Making "Accept All" a large coloured button while "Reject All" is a small text link
- Pre-selecting non-essential cookie categories
- Requiring multiple clicks to reject cookies but only one click to accept
- Using a "cookie wall" that blocks site access unless the visitor consents
Article 7 of the GDPR and the European Data Protection Board's Guidelines 05/2020 on consent require that refusing cookies be as easy as accepting them.
Cookie Policy Generator
Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.
Generate NowIgnoring consent for embedded content
YouTube videos, Google Maps embeds, and social media widgets all set third-party cookies. If your cookie banner only blocks your own scripts but leaves embedded iframes untouched, you are still setting non-essential cookies without consent. A compliant implementation must also handle embedded content, either by blocking iframes until consent or by replacing them with placeholder content.
Not having a cookie policy
A cookie banner without a supporting cookie policy is incomplete. Your cookie policy should list every cookie your site uses, its purpose, its duration, and whether it is first-party or third-party. Use a cookie policy generator to create a comprehensive policy, then link it directly from your banner.
Failing to record consent
Under Article 7(1) of the GDPR, you must be able to demonstrate that consent was given. Your cookie banner solution should log consent records, including when consent was given, what was consented to, and a mechanism to verify the consent was freely given. Many free WordPress cookie banner plugins lack proper consent logging, which creates an evidence gap if a regulator asks for proof.
WordPress Cookie Banner and Performance
A common concern with cookie banners on WordPress is their impact on page speed and Core Web Vitals. Here is what to consider:
- Largest Contentful Paint (LCP). A cookie banner that loads synchronously in the
<head>can delay rendering. Look for implementations that load asynchronously. - Cumulative Layout Shift (CLS). Banners that appear after the page has rendered can push content down, causing layout shift. Position your banner as a fixed overlay (top or bottom of viewport) to avoid affecting page layout.
- First Input Delay (FID) / Interaction to Next Paint (INP). Heavy JavaScript from consent management can delay interactivity. Minimise the JavaScript payload of your banner solution.
Plugin-based solutions tend to add more overhead than external CMPs because they load PHP on the server side and JavaScript on the client side. If your WordPress site is already resource-constrained, an external CMP delivered via a single lightweight script tag may be a better choice for performance.
Testing your site with Google PageSpeed Insights before and after adding a cookie banner will give you a clear picture of the performance impact.
Cookie Banner Requirements by Jurisdiction
While the GDPR and ePrivacy Directive are the most commonly cited regulations, cookie consent requirements vary by jurisdiction. Here is a summary for the regions most relevant to WordPress site owners:
European Union
The ePrivacy Directive requires prior consent for non-essential cookies. GDPR sets the standard for what constitutes valid consent: informed, specific, freely given, and unambiguous. Each EU member state has implemented these requirements through national law, and enforcement intensity varies. France (CNIL) and Italy (Garante) have been particularly active in cookie consent enforcement.
United Kingdom
PECR requires consent for non-essential cookies, aligned with the DPA 2018 and UK GDPR. The ICO has published detailed guidance on cookies and similar technologies and has issued enforcement actions for non-compliant cookie practices.
California (CCPA/CPRA)
California law does not require prior consent for cookies in the same way as EU law. However, the CPRA requires a "Do Not Sell or Share My Personal Information" link and opt-out mechanisms for certain tracking technologies. If your WordPress site uses advertising cookies that "sell" or "share" personal information as defined by the CPRA, you need opt-out functionality. Fines under the CCPA can reach $2,500 per unintentional violation and $7,500 per intentional violation.
Brazil (LGPD)
Brazil's General Data Protection Law requires consent for cookies that process personal data, similar to GDPR. Enforcement has been increasing since the ANPD became operational.
If your WordPress site serves a global audience, configure your cookie banner to apply the strictest applicable standard to all visitors, or use geo-targeting to show jurisdiction-appropriate consent mechanisms.
How to Write Effective Cookie Banner Text
The text on your cookie banner matters for both compliance and user experience. Here are guidelines:
- Be specific. "We use cookies" is not sufficient. Explain what categories of cookies you use and why. For example: "We use analytics cookies to understand how visitors use our site and marketing cookies to show relevant advertisements."
- Name the categories. Give visitors a clear understanding of what they are consenting to. Common categories are Necessary, Analytics, Marketing, and Preferences.
- Explain the consequence of each choice. Let visitors know what happens if they reject a category. For example: "If you reject analytics cookies, we will not collect data about your browsing behaviour."
- Link to your full cookie policy. The banner provides a summary. The policy provides the detail. Always include a link.
- Use plain language. Avoid legal jargon. Write for your actual audience, which for most WordPress sites is general consumers, not lawyers.
A well-written banner increases the consent rate because visitors understand what they are agreeing to. A vague or misleading banner increases the legal risk because consent given without understanding is not valid consent.
Frequently Asked Questions
Do I legally need a cookie banner on my WordPress site?
Yes, if your site uses non-essential cookies and serves visitors in the EU, UK, or other jurisdictions with cookie consent laws. The ePrivacy Directive (Directive 2002/58/EC) and GDPR require you to obtain informed consent before setting analytics, advertising, or social media cookies. Sites that only use strictly necessary cookies (such as session cookies for login) do not need a consent banner.
What is the best free cookie banner for WordPress?
Several free WordPress cookie banner plugins offer basic compliance, including CookieYes, Complianz, and GDPR Cookie Consent. The best choice depends on your needs: look for one that actually blocks scripts before consent, integrates with your cookie policy, and allows granular category-based consent rather than a simple accept/reject toggle.
Does a cookie banner slow down my WordPress site?
It depends on the implementation. Plugin-based banners add JavaScript and CSS to every page load, which can affect Core Web Vitals scores. Lightweight implementations that load asynchronously and avoid render-blocking scripts have minimal impact. Third-party consent management platforms that load from external CDNs add a DNS lookup but often deliver optimised, cached scripts.
Can I just add a cookie notice without blocking cookies?
No, not if you want to comply with EU or UK law. A notice-only approach (informing users without actually blocking cookies until consent is given) does not meet the requirements of the ePrivacy Directive or GDPR. Regulators have made clear that valid consent must be obtained before non-essential cookies are set, and several data protection authorities have issued fines for cookie walls and pre-ticked consent boxes.