TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. WordPress Cookie Banner: Setup Guide for Compliance
Cookie Policy

WordPress Cookie Banner: Setup Guide for Compliance

Learn how to add a WordPress cookie banner that meets GDPR and ePrivacy requirements. Covers free and paid options, setup steps, and common mistakes.

TermsBox Team|April 4, 202613 min read

A WordPress cookie banner is the consent mechanism that asks visitors whether they agree to non-essential cookies before your site sets them. If your WordPress site uses analytics, advertising pixels, or social media embeds, you almost certainly need one to comply with privacy regulations like the GDPR and the ePrivacy Directive.

This article explains how cookie banners work on WordPress, walks through setup options, and highlights the mistakes that lead to non-compliance. It is educational content, not legal advice. Consult a qualified attorney for guidance specific to your situation.

Why Your WordPress Site Needs a Cookie Banner

Most WordPress sites set cookies beyond the strictly necessary ones that keep the site functioning. Common sources include:

  • Google Analytics (analytics cookies such as _ga, _gid)
  • Facebook Pixel and other advertising trackers
  • YouTube and Vimeo embedded videos (third-party cookies)
  • WooCommerce and e-commerce plugins (marketing and tracking cookies)
  • Comment plugins, social sharing buttons, and chat widgets

Under the ePrivacy Directive (Directive 2002/58/EC), which applies across the EU, and the UK's Privacy and Electronic Communications Regulations 2003 (PECR), you must obtain informed, freely given consent before placing non-essential cookies on a visitor's device. The GDPR reinforces this by requiring that consent be specific, granular, and as easy to withdraw as it is to give.

Failure to comply carries real consequences. Under GDPR Article 83, fines can reach 20 million EUR or 4% of annual worldwide turnover. National data protection authorities have been actively enforcing cookie consent rules. France's CNIL fined Google 150 million EUR and Facebook 60 million EUR in 2022 specifically for cookie consent violations.

A cookie banner is not optional decoration. It is a legal requirement for the vast majority of WordPress sites serving European or UK visitors.

How a WordPress Cookie Banner Works

A compliant cookie banner does more than display a notification. It must actively manage which scripts and cookies load based on the visitor's choice. The process works like this:

  1. Page loads with non-essential scripts blocked. Before the visitor makes a choice, analytics, advertising, and other non-essential scripts must not execute or set cookies.
  2. Banner appears. The visitor sees a clear description of cookie categories (necessary, analytics, marketing, preferences) with the option to accept all, reject all, or choose specific categories.
  3. Visitor makes a choice. Their consent preferences are recorded, typically in a first-party cookie.
  4. Scripts load based on consent. Only the categories the visitor accepted are activated. Rejected categories remain blocked.
  5. Subsequent visits. The consent cookie is read on return visits, and scripts load according to the stored preferences without showing the banner again (unless consent has expired or needs renewal).

The critical technical requirement is prior blocking: non-essential cookies must not be set before consent is given. Many WordPress cookie banner implementations fail this test by showing a notice while cookies are already being set in the background.

WordPress Cookie Banner Options: Plugins vs External CMP

WordPress site owners generally have two paths for implementing a cookie banner: a WordPress plugin or an external consent management platform (CMP).

WordPress cookie banner plugins

Plugin-based solutions install directly into your WordPress admin. Popular options include:

  • CookieYes (free tier available). Provides a customisable banner, auto-scanning, and script blocking. The free version supports basic compliance.
  • Complianz (free and premium). Offers a configuration wizard, conditional script loading, and cookie policy generation. The premium version adds geo-based consent rules.
  • GDPR Cookie Consent by WebToffee (free tier available). Provides category-based consent and script blocking with a straightforward interface.
  • Cookie Notice by Flavor (free cookie banner for WordPress). Lightweight option with basic banner functionality and consent logging.

Plugins are convenient because they integrate directly with WordPress. However, they add PHP and JavaScript overhead to every page load, and their script-blocking mechanisms vary in reliability.

External consent management platforms

An external CMP runs independently of WordPress. You add a JavaScript snippet to your site (typically in the <head> tag), and the CMP handles the banner display, consent collection, and script management from its own infrastructure.

Advantages of external CMPs over plugins:

  • Performance. Scripts are served from optimised CDNs rather than your WordPress server.
  • Reliability. Script blocking happens at the network level rather than depending on WordPress hook timing.
  • Multi-site consistency. If you operate sites on different platforms, one CMP covers all of them.
  • IAB TCF compliance. Many external CMPs are registered with the IAB Transparency and Consent Framework, which is required by major ad networks.

TermsBox provides a consent management platform that works with any website, including WordPress. It scans your site to identify cookies automatically, generates a compliant cookie banner, and blocks scripts until visitors consent. You can pair it with a cookie policy generator to create a matching policy document.

Setting Up a Free Cookie Banner on WordPress

If you are looking for a free cookie banner for WordPress, here is a step-by-step process using a plugin-based approach:

Step 1: Audit your cookies

Before installing anything, identify what cookies your site sets. Open your site in an incognito browser window, open developer tools (F12), navigate to the Application tab, and check the Cookies section. Note every cookie, its source, and its purpose. Categorise each as:

  • Strictly necessary (session management, security, load balancing)
  • Analytics (Google Analytics, Matomo, Plausible)
  • Marketing (Facebook Pixel, Google Ads, retargeting)
  • Preferences (language, theme, display settings)

Step 2: Install and configure a plugin

From your WordPress admin dashboard:

  1. Navigate to Plugins, then Add New
  2. Search for your chosen cookie consent plugin
  3. Install and activate it
  4. Open the plugin settings and configure:
    • Banner text that clearly explains what cookies you use and why
    • Cookie categories matching your audit results
    • An "Accept All" button and an equally prominent "Reject All" button
    • A link to your cookie policy page
    • Consent expiry period (12 months is common, though some regulators recommend shorter periods)

Step 3: Configure script blocking

This is the most important and most frequently botched step. You need to ensure non-essential scripts do not fire until the visitor consents. Depending on your plugin, this may involve:

  • Adding script tags to the plugin's blocking list
  • Changing the type attribute on script tags from text/javascript to text/plain (the plugin swaps it back after consent)
  • Using the plugin's built-in integrations for popular services like Google Analytics

Step 4: Test thoroughly

After configuration, verify that your banner actually works:

  1. Clear all cookies and visit your site in an incognito window
  2. Open developer tools and check that no analytics or marketing cookies exist before you interact with the banner
  3. Click "Reject All" and verify that non-essential cookies are still absent
  4. Clear cookies again, revisit, and click "Accept All." Verify that the expected cookies now appear.
  5. Check that your consent preference persists on subsequent page loads

If cookies appear before you interact with the banner, your script blocking is not working. This is the single most common compliance failure with WordPress cookie banners.

Common WordPress Cookie Banner Mistakes

Even with a plugin installed, many WordPress sites fail to achieve actual compliance. Watch for these issues:

Not blocking scripts before consent

Displaying a banner while Google Analytics and Facebook Pixel are already running is not consent. It is a notification. Regulators do not accept this. Your implementation must prevent non-essential scripts from executing until the visitor affirmatively consents.

Using dark patterns

The following practices violate GDPR consent requirements and have been specifically called out by data protection authorities:

  • Making "Accept All" a large coloured button while "Reject All" is a small text link
  • Pre-selecting non-essential cookie categories
  • Requiring multiple clicks to reject cookies but only one click to accept
  • Using a "cookie wall" that blocks site access unless the visitor consents

Article 7 of the GDPR and the European Data Protection Board's Guidelines 05/2020 on consent require that refusing cookies be as easy as accepting them.

Cookie Policy Generator

Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.

Generate Now

Ignoring consent for embedded content

YouTube videos, Google Maps embeds, and social media widgets all set third-party cookies. If your cookie banner only blocks your own scripts but leaves embedded iframes untouched, you are still setting non-essential cookies without consent. A compliant implementation must also handle embedded content, either by blocking iframes until consent or by replacing them with placeholder content.

Not having a cookie policy

A cookie banner without a supporting cookie policy is incomplete. Your cookie policy should list every cookie your site uses, its purpose, its duration, and whether it is first-party or third-party. Use a cookie policy generator to create a comprehensive policy, then link it directly from your banner.

Failing to record consent

Under Article 7(1) of the GDPR, you must be able to demonstrate that consent was given. Your cookie banner solution should log consent records, including when consent was given, what was consented to, and a mechanism to verify the consent was freely given. Many free WordPress cookie banner plugins lack proper consent logging, which creates an evidence gap if a regulator asks for proof.

WordPress Cookie Banner and Performance

A common concern with cookie banners on WordPress is their impact on page speed and Core Web Vitals. Here is what to consider:

  • Largest Contentful Paint (LCP). A cookie banner that loads synchronously in the <head> can delay rendering. Look for implementations that load asynchronously.
  • Cumulative Layout Shift (CLS). Banners that appear after the page has rendered can push content down, causing layout shift. Position your banner as a fixed overlay (top or bottom of viewport) to avoid affecting page layout.
  • First Input Delay (FID) / Interaction to Next Paint (INP). Heavy JavaScript from consent management can delay interactivity. Minimise the JavaScript payload of your banner solution.

Plugin-based solutions tend to add more overhead than external CMPs because they load PHP on the server side and JavaScript on the client side. If your WordPress site is already resource-constrained, an external CMP delivered via a single lightweight script tag may be a better choice for performance.

Testing your site with Google PageSpeed Insights before and after adding a cookie banner will give you a clear picture of the performance impact.

Cookie Banner Requirements by Jurisdiction

While the GDPR and ePrivacy Directive are the most commonly cited regulations, cookie consent requirements vary by jurisdiction. Here is a summary for the regions most relevant to WordPress site owners:

European Union

The ePrivacy Directive requires prior consent for non-essential cookies. GDPR sets the standard for what constitutes valid consent: informed, specific, freely given, and unambiguous. Each EU member state has implemented these requirements through national law, and enforcement intensity varies. France (CNIL) and Italy (Garante) have been particularly active in cookie consent enforcement.

United Kingdom

PECR requires consent for non-essential cookies, aligned with the DPA 2018 and UK GDPR. The ICO has published detailed guidance on cookies and similar technologies and has issued enforcement actions for non-compliant cookie practices.

California (CCPA/CPRA)

California law does not require prior consent for cookies in the same way as EU law. However, the CPRA requires a "Do Not Sell or Share My Personal Information" link and opt-out mechanisms for certain tracking technologies. If your WordPress site uses advertising cookies that "sell" or "share" personal information as defined by the CPRA, you need opt-out functionality. Fines under the CCPA can reach $2,500 per unintentional violation and $7,500 per intentional violation.

Brazil (LGPD)

Brazil's General Data Protection Law requires consent for cookies that process personal data, similar to GDPR. Enforcement has been increasing since the ANPD became operational.

If your WordPress site serves a global audience, configure your cookie banner to apply the strictest applicable standard to all visitors, or use geo-targeting to show jurisdiction-appropriate consent mechanisms.

How to Write Effective Cookie Banner Text

The text on your cookie banner matters for both compliance and user experience. Here are guidelines:

  • Be specific. "We use cookies" is not sufficient. Explain what categories of cookies you use and why. For example: "We use analytics cookies to understand how visitors use our site and marketing cookies to show relevant advertisements."
  • Name the categories. Give visitors a clear understanding of what they are consenting to. Common categories are Necessary, Analytics, Marketing, and Preferences.
  • Explain the consequence of each choice. Let visitors know what happens if they reject a category. For example: "If you reject analytics cookies, we will not collect data about your browsing behaviour."
  • Link to your full cookie policy. The banner provides a summary. The policy provides the detail. Always include a link.
  • Use plain language. Avoid legal jargon. Write for your actual audience, which for most WordPress sites is general consumers, not lawyers.

A well-written banner increases the consent rate because visitors understand what they are agreeing to. A vague or misleading banner increases the legal risk because consent given without understanding is not valid consent.

Frequently Asked Questions

Do I legally need a cookie banner on my WordPress site?

Yes, if your site uses non-essential cookies and serves visitors in the EU, UK, or other jurisdictions with cookie consent laws. The ePrivacy Directive (Directive 2002/58/EC) and GDPR require you to obtain informed consent before setting analytics, advertising, or social media cookies. Sites that only use strictly necessary cookies (such as session cookies for login) do not need a consent banner.

What is the best free cookie banner for WordPress?

Several free WordPress cookie banner plugins offer basic compliance, including CookieYes, Complianz, and GDPR Cookie Consent. The best choice depends on your needs: look for one that actually blocks scripts before consent, integrates with your cookie policy, and allows granular category-based consent rather than a simple accept/reject toggle.

Does a cookie banner slow down my WordPress site?

It depends on the implementation. Plugin-based banners add JavaScript and CSS to every page load, which can affect Core Web Vitals scores. Lightweight implementations that load asynchronously and avoid render-blocking scripts have minimal impact. Third-party consent management platforms that load from external CDNs add a DNS lookup but often deliver optimised, cached scripts.

Can I just add a cookie notice without blocking cookies?

No, not if you want to comply with EU or UK law. A notice-only approach (informing users without actually blocking cookies until consent is given) does not meet the requirements of the ePrivacy Directive or GDPR. Regulators have made clear that valid consent must be obtained before non-essential cookies are set, and several data protection authorities have issued fines for cookie walls and pre-ticked consent boxes.

Related Tools

Cookie Policy Generator

Create a cookie policy for GDPR compliance

Related Articles

Cookie Policy

CMP Cookie Guide: What It Is and Why You Need One

Learn what a CMP cookie is, how consent management platforms work, and how to implement cookie CMP compliance for GDPR and ePrivacy.

April 4, 202610 min read
Cookie Policy

Cookie Consent Banner: Complete Implementation Guide (2026)

Learn how to implement a cookie consent banner that meets GDPR, ePrivacy, and CCPA requirements. Covers design, script blocking, and compliance.

April 4, 202612 min read
Cookie Policy

Cookie Policy Banner: Setup Guide for Website Compliance

Learn how to set up a cookie policy banner that meets GDPR and ePrivacy requirements. Covers consent flows, design, and legal obligations.

April 4, 202610 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • Why Your WordPress Site Needs a Cookie Banner
  • How a WordPress Cookie Banner Works
  • WordPress Cookie Banner Options: Plugins vs External CMP
  • WordPress cookie banner plugins
  • External consent management platforms
  • Setting Up a Free Cookie Banner on WordPress
  • Step 1: Audit your cookies
  • Step 2: Install and configure a plugin
  • Step 3: Configure script blocking
  • Step 4: Test thoroughly
  • Common WordPress Cookie Banner Mistakes
  • Not blocking scripts before consent
  • Using dark patterns
  • Ignoring consent for embedded content
  • Not having a cookie policy
  • Failing to record consent
  • WordPress Cookie Banner and Performance
  • Cookie Banner Requirements by Jurisdiction
  • European Union
  • United Kingdom
  • California (CCPA/CPRA)
  • Brazil (LGPD)
  • How to Write Effective Cookie Banner Text
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.