WordPress Cookie Consent: Setup Guide for Compliance
Learn how to add WordPress cookie consent to your site. Covers GDPR and ePrivacy requirements, plugin options, and step-by-step setup.
WordPress cookie consent is a legal requirement for any WordPress site that uses analytics, advertising, or social media cookies and serves visitors in the EU, UK, or similar jurisdictions. Getting cookie consent right means more than adding a banner to your site. It requires blocking non-essential cookies until a visitor actively opts in, providing granular choices by cookie category, and keeping records of that consent.
This guide walks through the legal requirements, how WordPress handles cookies, and the practical steps to implement compliant cookie consent on your site. This is educational content and not legal advice. Consult a qualified attorney for guidance specific to your situation.
Why WordPress Sites Need Cookie Consent
The legal obligation for cookie consent comes from two overlapping European laws: the ePrivacy Directive (Directive 2002/58/EC, amended by Directive 2009/136/EC) and the General Data Protection Regulation (GDPR).
Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a user's device, with a narrow exception for strictly necessary cookies. The GDPR, through Articles 4(11) and 7, defines what valid consent means: it must be freely given, specific, informed, and unambiguous.
For WordPress site owners, these laws apply when:
- Your site serves visitors located in the EU or UK
- You use plugins or services that set non-essential cookies (Google Analytics, Facebook Pixel, WooCommerce tracking, etc.)
- You embed third-party content that places cookies (YouTube videos, social sharing buttons, Google Maps)
Penalties for non-compliance are significant. GDPR fines can reach up to 20 million EUR or 4% of annual global turnover, whichever is higher. The French authority CNIL fined Google 150 million EUR and Facebook 60 million EUR in 2022 specifically for cookie consent failures. Smaller businesses face proportionate fines, but enforcement against sites of all sizes is increasing.
Beyond the EU, other jurisdictions have enacted similar requirements. Brazil's LGPD, South Africa's POPIA, and Canada's PIPEDA all include consent requirements for tracking technologies.
What Cookies WordPress Actually Sets
Before configuring cookie consent for WordPress, you need to understand what cookies your site places. WordPress core and the broader plugin ecosystem generate cookies at several levels.
WordPress core cookies
A default WordPress installation sets a limited number of cookies:
- wordpress_logged_in_[hash]: Identifies logged-in users after authentication
- wordpress_sec_[hash]: Authenticates logged-in users over secure connections
- wordpress_test_cookie: Tests whether the browser accepts cookies (set on the login page)
- wp-settings-[UID] and wp-settings-time-[UID]: Store dashboard preferences for logged-in users
- comment_author_[hash], comment_author_email_[hash], comment_author_url_[hash]: Remember commenter details (set when a visitor leaves a comment)
Most WordPress core cookies qualify as strictly necessary for logged-in users and do not require consent. Comment cookies are an exception, as storing commenter information for future visits is a convenience, not a necessity. WordPress 4.9.6 added a consent checkbox for comment cookies in response to the GDPR.
Plugin and theme cookies
The cookies that create compliance obligations almost always come from plugins and themes:
- Google Analytics / Google Tag Manager: Sets _ga, _gid, _gat, and related cookies for tracking visitor behavior
- WooCommerce: Sets cart, session, and recently viewed product cookies. Some are strictly necessary (cart), while others (recently viewed) are not
- Facebook Pixel: Sets _fbp and fr cookies for advertising and retargeting
- Contact Form 7, Gravity Forms: May set session cookies
- Jetpack: Sets multiple cookies for stats, comments, and social sharing
- Caching plugins: May set cookies to manage cache behavior for logged-in vs. anonymous users
- Embedded content: YouTube, Vimeo, Google Maps, and social media embeds all place third-party cookies
Running a scan of your site is the only reliable way to identify every cookie in use. Plugins add and change cookie behavior with updates, and third-party scripts can introduce cookies without any visible change to your site.
How WordPress Cookie Consent Works
A proper WordPress cookie consent implementation does three things: it blocks non-essential cookies before consent, it presents granular choices to the visitor, and it records the visitor's decision.
The blocking mechanism
The most critical technical requirement is that non-essential cookies must not load before the visitor opts in. This means analytics scripts, advertising pixels, and social embeds cannot execute until consent is given. There are two common approaches:
- Script modification: The consent tool changes the
typeattribute of script tags fromtext/javascripttotext/plain(or a custom type), preventing execution. When consent is given, the type is switched back and the scripts load. - Tag manager integration: The consent tool communicates with Google Tag Manager or a similar tag manager, which controls when tags fire based on consent state. Google Consent Mode v2 is a common implementation of this approach.
A cookie banner that simply displays a notice without blocking scripts is not compliant. The GDPR requires prior consent, meaning the cookies cannot exist on the device before the visitor agrees.
Consent categories
Valid cookie consent must be granular. Visitors need the ability to accept or reject cookies by category, not just a blanket accept/reject choice. Standard categories include:
- Strictly necessary: Always active, no consent required
- Analytics / Performance: Traffic measurement, heatmaps, session recording
- Marketing / Advertising: Retargeting, conversion tracking, ad personalization
- Functional / Preferences: Language settings, UI customization beyond the basics
- Social media: Share buttons, embedded feeds, social login
Each category should include a plain-language explanation of its purpose and, ideally, a list of the specific cookies and their durations.
Consent storage and proof
You must be able to demonstrate that consent was obtained. This means storing a record of when the visitor consented, what categories they accepted, and what version of your cookie policy was in effect at the time. Most consent management platforms handle this automatically by storing consent records server-side or via a first-party consent cookie.
Setting Up Cookie Consent on WordPress: Step by Step
There are two broad approaches to adding cookie consent for WordPress: installing a dedicated WordPress plugin, or using an external consent management platform (CMP) that loads via a script tag.
Option 1: WordPress cookie consent plugin
WordPress plugins handle consent within the WordPress admin interface. To set one up:
- Audit your cookies first. Identify every cookie your site sets by running a scan. You cannot configure consent categories accurately without knowing what cookies exist.
- Install and activate the plugin from the WordPress plugin directory or by uploading it manually.
- Configure cookie categories. Map each cookie to the correct consent category (analytics, marketing, functional, etc.). The plugin should let you define custom categories if needed.
- Set up script blocking. Configure the plugin to block scripts that set non-essential cookies. This usually involves adding script handles or patterns that the plugin should intercept.
- Customize the banner. Set the text, colors, and layout to match your site. Ensure the banner includes a link to your cookie policy.
- Configure the preferences panel. Visitors must be able to change their consent choices at any time. The plugin should provide a settings link or button that reopens the consent panel.
- Test thoroughly. Verify that no non-essential cookies load before consent is given. Open your browser's developer tools, clear all cookies, visit the site, and check the cookies and network tabs before interacting with the banner. Only strictly necessary cookies should be present.
Option 2: External CMP via script tag
External consent management platforms operate independently of WordPress. They load via a JavaScript snippet added to your site's <head> section:
- Sign up for the CMP and configure your consent settings in the platform's dashboard.
- Add the script to your WordPress site's
<head>. You can do this through your theme'sfunctions.phpfile usingwp_head, through a header/footer scripts plugin, or by editing the theme'sheader.phptemplate directly. - Configure cookie blocking in the CMP's dashboard. Most external CMPs automatically detect and block known third-party scripts.
- Set up Google Consent Mode v2 if you use Google Analytics or Google Ads. This ensures Google's scripts respect the visitor's consent state.
- Add a cookie preferences link to your footer menu so visitors can update their choices.
External CMPs have the advantage of working across any platform, not just WordPress. If you run multiple sites on different platforms, a single CMP can provide consistent consent management across all of them. TermsBox offers a cookie consent banner that works this way, loading as a lightweight script that handles consent collection, cookie blocking, and consent records without requiring a WordPress plugin.
WordPress Cookie Consent and Google Consent Mode v2
Google Consent Mode v2 is relevant to nearly every WordPress site because most sites use at least one Google product: Analytics, Ads, or Tag Manager. Since March 2024, Google requires Consent Mode v2 for any site that collects data from EEA visitors and wants to use Google's advertising features.
Consent Mode v2 introduces two new parameters beyond the original version:
- ad_user_data: Controls whether user data can be sent to Google for advertising purposes
- ad_personalization: Controls whether personalized advertising is allowed
These join the existing analytics_storage and ad_storage parameters.
Your WordPress cookie consent solution must communicate with Google Consent Mode so that Google's scripts respect the visitor's choices. When a visitor declines marketing cookies, the consent tool should set ad_storage, ad_user_data, and ad_personalization to "denied." When analytics cookies are declined, analytics_storage should be set to "denied."
Cookie Policy Generator
Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.
Generate NowTo verify the integration is working:
- Open Chrome DevTools on your site
- Go to the Console tab
- Type
dataLayerand press Enter - Look for
consentevents showingdefault(before interaction) andupdate(after interaction) entries - Confirm that denied categories show "denied" and accepted categories show "granted"
Writing a Cookie Policy for Your WordPress Site
WordPress cookie consent requires a cookie policy that visitors can access from the consent banner. This policy must explain what cookies your site uses, their purposes, durations, and whether they are first-party or third-party.
A complete cookie policy should include:
- What cookies are: A brief, non-technical explanation
- Categories of cookies used: Listed with descriptions of each category's purpose
- Specific cookies: A table listing cookie name, provider, purpose, type (first/third-party), and expiration
- How to manage cookies: Instructions for changing consent preferences and browser-level cookie controls
- Third parties: Identification of third parties that set cookies through your site, with links to their privacy policies
- Updates: How and when the policy will be updated
- Contact information: How visitors can reach you with questions
You can create a cookie policy using a cookie policy generator and then add it as a page in WordPress. Link to this page from your consent banner and your site footer.
WordPress includes a built-in Privacy Policy page template (added in WordPress 4.9.6), but it does not generate a cookie policy. You need a separate, dedicated cookie policy page.
Common WordPress Cookie Consent Mistakes
Even well-intentioned WordPress site owners make mistakes that undermine their cookie consent implementation. These are the most frequent issues regulators look for.
Pre-checked consent boxes
Having analytics or marketing cookie categories pre-selected as "on" when the banner loads is not valid consent. The Court of Justice of the European Union ruled in the Planet49 case (C-673/17) that pre-ticked checkboxes do not constitute active consent. All non-essential categories must default to off.
Cookie walls
Blocking access to your site unless the visitor accepts all cookies violates GDPR consent requirements. The European Data Protection Board stated in Guidelines 05/2020 that cookie walls do not provide freely given consent because the visitor has no genuine choice.
No reject option
The CNIL and other authorities have enforced the requirement that rejecting cookies must be as easy as accepting them. A banner with a prominent "Accept All" button and a buried "Manage Preferences" link does not meet this standard. Provide an equally visible "Reject All" option.
Loading scripts before consent
The most common technical mistake is loading Google Analytics, Facebook Pixel, or other tracking scripts before the consent banner loads or before the visitor makes a choice. This often happens when scripts are added directly to the theme rather than through the consent management system.
Ignoring consent for embedded content
YouTube embeds, Google Maps, and social media widgets all place cookies. These must be blocked until the visitor consents to the relevant category. A common approach is to show a placeholder with a message like "Click to load this content. Loading it will set cookies from [provider]."
Not providing a way to withdraw consent
Article 7(3) of the GDPR states that withdrawing consent must be as easy as giving it. Your site must provide a persistent, accessible way for visitors to reopen the consent panel and change their choices. A common approach is a small floating icon or a link in the site footer.
Testing Your WordPress Cookie Consent Setup
After implementing cookie consent on your WordPress site, thorough testing is essential. Here is a systematic approach to verify compliance.
Browser-based testing
- Clear all cookies and site data in your browser for your domain
- Visit your site and verify the consent banner appears immediately
- Open DevTools (F12) and check the Application > Cookies tab
- Before interacting with the banner, confirm only strictly necessary cookies are present. No _ga, _gid, _fbp, or other tracking cookies should exist
- Click "Reject All" and verify that no tracking cookies appear after dismissal
- Clear cookies again, revisit, and click "Accept All." Confirm that analytics and marketing cookies now appear
- Test category-level consent: Accept only analytics but not marketing, and verify the correct cookies load
- Find the preferences link and change your choices. Verify that cookies are removed when a category is revoked
- Test on mobile: Repeat the key steps on a mobile device or using responsive mode. The banner must be usable on small screens
Automated scanning
Manual testing catches obvious issues but can miss cookies set by asynchronous scripts or on specific pages. Use an automated scanner to crawl your entire site and identify every cookie set on every page.
TermsBox provides a compliance scanner that crawls your WordPress site, identifies all cookies and tracking technologies, and maps them to known vendors. This gives you a complete picture of what your site sets, which is essential for both configuring your consent categories accurately and maintaining compliance as your plugins change over time.
Ongoing monitoring
Cookie consent is not a one-time setup. Every plugin update, theme change, or new embed can introduce new cookies. Schedule regular audits, at minimum quarterly, to verify your consent implementation still covers all cookies on your site.
Frequently Asked Questions
Is a cookie consent banner required on a WordPress site?
Yes, if your WordPress site uses non-essential cookies and serves visitors in the EU, UK, or other jurisdictions with cookie consent laws. Article 5(3) of the ePrivacy Directive requires prior consent before placing analytics, advertising, or social media cookies on a visitor's device. Even if your business is based outside the EU, the GDPR applies when you process data of individuals in the EU.
Does WordPress set cookies by default?
A fresh WordPress installation sets a small number of cookies for session management and logged-in user preferences. These are generally classified as strictly necessary. However, most WordPress sites add plugins and themes that introduce analytics cookies, advertising trackers, embedded content from third parties, and comment system cookies, all of which require consent under EU law.
What is the best way to add cookie consent to WordPress?
The most reliable approach is a consent management platform that blocks non-essential cookies until the visitor opts in. This can be a WordPress plugin or a script-based solution that loads before other scripts. The key requirement is that it actually prevents cookies from firing before consent, not just displaying a notice. Look for solutions that support granular category-based consent and keep records of consent for audit purposes.
Can I just add a cookie notice without blocking cookies on WordPress?
No. Under the GDPR and ePrivacy Directive, a notice alone does not constitute valid consent. Consent must be prior, meaning non-essential cookies cannot load before the visitor actively agrees. Simply informing visitors that cookies exist, without giving them a genuine choice before those cookies are placed, violates Article 5(3) of the ePrivacy Directive. Enforcement authorities have fined organizations for this exact practice.