WP Cookie Consent: A Complete Setup Guide
Learn how to set up WP cookie consent on your WordPress site. Covers plugins, GDPR compliance, cookie banners, and best practices for consent management.
WP cookie consent is a critical compliance requirement for any WordPress site that uses analytics, advertising, or social media cookies. If your site has visitors from the EU, UK, Brazil, or other jurisdictions with cookie consent laws, you need a mechanism that collects consent before placing non-essential cookies.
This guide walks you through setting up cookie consent on WordPress, choosing the right plugin, configuring consent categories, and meeting legal requirements. This article is educational content, not legal advice. Consult a qualified attorney for guidance specific to your situation.
Why Your WordPress Site Needs Cookie Consent
Most WordPress sites use cookies far beyond what site owners realise. A typical WordPress installation with a handful of plugins might set 15 to 30 cookies across analytics, marketing, and functionality categories. Each non-essential cookie requires consent under the GDPR (Regulation 2016/679) and the ePrivacy Directive (Directive 2002/58/EC).
The legal requirements are straightforward:
- Prior consent is required before setting non-essential cookies (Article 5(3) of the ePrivacy Directive)
- Consent must be freely given, specific, informed, and unambiguous (Article 4(11) of the GDPR)
- Users must be able to withdraw consent as easily as they gave it (Article 7(3) of the GDPR)
- You must document consent to demonstrate compliance (Article 7(1) of the GDPR)
Penalties for non-compliance are significant. GDPR fines can reach EUR 20 million or 4% of global annual turnover. National data protection authorities have issued fines specifically for cookie consent violations, including the French CNIL's EUR 150 million fine against Google in 2022 for making cookie rejection harder than acceptance.
Beyond the EU, cookie consent laws exist in the UK (PECR), Brazil (LGPD), South Africa (POPIA), and several US states. A proper WP cookie consent setup protects you across these jurisdictions.
How WordPress Cookies Work
Before configuring consent, you need to understand what cookies your WordPress site actually sets.
WordPress Core Cookies
WordPress itself sets a limited number of cookies:
- wordpress_logged_in_[hash]: Authenticates logged-in users
- wordpress_sec_[hash]: Authentication cookie for secure admin areas
- wp-settings-[UID]: Stores user interface customisation preferences
- comment_author, comment_author_email, comment_author_url: Remembers commenter details (set only when someone leaves a comment)
These are generally classified as strictly necessary or functionality cookies. They do not require consent because they are essential for the site to operate as expected.
Plugin and Theme Cookies
The real compliance challenge comes from plugins and themes. Common sources of non-essential cookies include:
- Google Analytics (analytics cookies: _ga, _gid, _gat)
- Google Ads and Tag Manager (marketing cookies: _gcl_au, IDE, NID)
- Facebook Pixel (marketing cookies: _fbp, fr)
- YouTube embeds (marketing cookies: VISITOR_INFO1_LIVE, YSC)
- WooCommerce (functionality cookies for cart and sessions)
- Social sharing plugins (various third-party cookies)
- Caching plugins (functionality cookies)
A thorough cookie audit is the first step toward compliance. You can run a manual audit using browser developer tools, or use a scanning tool to identify all cookies and scripts loading on your pages.
Choosing a WP Cookie Consent Plugin
Several WordPress plugins handle cookie consent. Here is a comparison of the most established options.
WP Cookie Consent (by flavor)
The plugin that shares the "WP Cookie Consent" name directly. It offers a free tier with basic banner functionality and a premium version with automatic cookie scanning, granular consent categories, and consent logging. It supports Google Consent Mode v2 out of the box.
CookieYes
One of the most widely installed cookie consent plugins for WordPress, with over one million active installations. CookieYes provides automatic cookie scanning, a customisable banner, consent logging, and support for multiple regulations. The free plan covers basic needs, while the premium plan adds geo-targeting and advanced analytics.
Complianz
A comprehensive privacy suite that goes beyond cookie consent to include a cookie policy generator, privacy policy integration, and region-specific consent configurations. Complianz detects cookies automatically and integrates with popular page builders. It also handles US state privacy laws.
Real Cookie Banner
A privacy-focused option built in Germany. Real Cookie Banner takes a conservative approach by blocking all non-essential content and scripts by default until consent is given. It includes a content blocker that replaces embeds with placeholder notices, visual customisation tools, and TCF 2.2 support.
Key Features to Evaluate
When selecting a WP cookie consent plugin, prioritise these capabilities:
- Automatic cookie scanning to detect cookies without manual configuration
- Script blocking that prevents non-essential cookies before consent
- Granular consent categories (necessary, analytics, marketing, functionality)
- Consent logging with timestamped records for compliance documentation
- Google Consent Mode v2 integration for maintaining analytics functionality
- Geo-targeting to show consent banners only where legally required
- Customisable design that matches your site's branding
- Regular updates reflecting changes in regulations and browser behaviour
Setting Up WP Cookie Consent Step by Step
This section walks through a general setup process that applies to most WP cookie consent plugins. Specific menu names and settings vary by plugin.
Step 1: Install and Activate the Plugin
- Navigate to Plugins > Add New in your WordPress admin
- Search for your chosen cookie consent plugin
- Click Install Now, then Activate
- Open the plugin's settings page (usually under Settings or a dedicated menu item)
Step 2: Run a Cookie Scan
Most modern WP cookie consent plugins include an automatic scanner. Run it to identify all cookies your site sets. The scanner typically:
- Visits your site's pages programmatically
- Records all cookies set during the visit
- Categorises cookies based on a known database
- Flags unknown cookies for manual review
Review the scan results carefully. Unidentified cookies need manual categorisation. Assign each cookie to one of the standard categories: strictly necessary, functionality, analytics, or marketing.
Step 3: Configure Consent Categories
Set up the consent categories your banner will present to visitors:
- Strictly necessary: Always active, no consent required. Includes session cookies, security tokens, and load balancers.
- Functionality: Enhances user experience but is not essential. Includes language preferences, video player settings, and chat widgets.
- Analytics: Measures site usage. Includes Google Analytics, Matomo, and heatmap tools.
- Marketing: Tracks users for advertising. Includes Facebook Pixel, Google Ads, retargeting pixels, and ad network cookies.
Write clear, plain-language descriptions for each category. Avoid legal jargon. Visitors should understand what each category does and why you use it.
Step 4: Design the Cookie Banner
Configure the visual appearance of your consent banner:
- Match colours and typography to your site's design
- Position the banner at the bottom of the page or as a centred modal
- Include an Accept All button, a Reject All button, and a Manage Preferences link
- Keep the text concise but informative
- Link to your cookie policy
The reject option must be equally prominent as the accept option. Hiding the reject button behind a secondary menu or using dark patterns (such as a bright green "Accept" next to a grey "Manage") has been specifically called out by data protection authorities as non-compliant.
Step 5: Link Your Cookie Policy
Your cookie banner should link to a detailed cookie policy that lists every cookie your site uses, its purpose, duration, and category. This policy can be a standalone page or a section within your privacy policy.
A complete cookie policy includes:
- What cookies are and how your site uses them
- A table of all cookies with name, provider, purpose, type, and expiry
- How users can control cookies through browser settings
- How users can withdraw consent
- Contact details for privacy enquiries
Step 6: Enable Script Blocking
This is the most technically important step. Your WP cookie consent plugin must prevent non-essential scripts from executing until the user grants consent. There are two common approaches:
- Script wrapping: The plugin modifies script tags to change their type attribute (for example, from
text/javascripttotext/plain) until consent is recorded - Tag manager integration: The plugin sends consent signals to Google Tag Manager or another tag manager, which controls script firing based on consent state
Test thoroughly after enabling script blocking. Verify that analytics, marketing pixels, and embedded content only load after consent is given. Use your browser's developer tools to check the Network tab before and after granting consent.
Step 7: Test and Verify
After configuration, test your WP cookie consent setup:
Cookie Policy Generator
Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.
Generate Now- Clear all cookies and visit your site in a private browser window
- Check that no non-essential cookies are set before interacting with the banner
- Click "Reject All" and verify no analytics or marketing cookies appear
- Clear cookies again, revisit, and click "Accept All," then verify expected cookies load
- Test the "Manage Preferences" flow: accept some categories, reject others
- Verify that consent choices persist across pages and return visits
- Check the consent log in the plugin's admin panel
Google Consent Mode v2 and WordPress
Google Consent Mode v2 became required in March 2024 for sites using Google services in the EEA and UK. It communicates user consent status to Google tags, allowing them to adjust behaviour based on whether consent was granted or denied.
The two required signals are:
- ad_storage: Controls cookies for advertising purposes
- analytics_storage: Controls cookies for analytics purposes
When a user denies consent, Google Consent Mode tells Google tags to operate without cookies. Google Analytics still collects aggregated, cookieless data through modelling, preserving some measurement capability while respecting the user's choice.
Most modern WP cookie consent plugins include built-in Google Consent Mode v2 support. During setup:
- Enable Google Consent Mode in the plugin settings
- Map your consent categories to the appropriate Google signals
- Set default consent states (typically "denied" for EU/UK visitors)
- Verify the implementation using Google Tag Assistant
Common WP Cookie Consent Mistakes
Avoid these frequent errors when implementing cookie consent on WordPress:
Consent Banner Without Script Blocking
Displaying a cookie banner without actually blocking cookies before consent is the most common mistake. The banner alone provides no legal protection if cookies are already set when the page loads. Always verify that non-essential scripts are blocked until consent is received.
Missing Reject Option
Every cookie consent banner must offer a way to reject non-essential cookies that is as easy as accepting them. A banner with only "Accept" and "Manage Preferences" does not meet this standard. Include a visible "Reject All" button.
Cookie Wall (Take It or Leave It)
Blocking access to your site unless the visitor accepts all cookies violates GDPR consent requirements in most cases. The European Data Protection Board has stated that cookie walls generally do not provide freely given consent. Allow access to your content regardless of consent choice.
Ignoring Plugin and Theme Updates
Cookie consent plugins require regular updates as regulations change and new browser privacy features are introduced. An outdated plugin may fail to block newly added scripts or may not support current standards like Google Consent Mode v2. Keep your consent plugin updated and re-scan your site after installing or updating any plugin.
Not Logging Consent
GDPR Article 7(1) requires you to demonstrate that the user consented. Without consent logs that record the timestamp, consent choices, and user identifier, you cannot prove compliance if questioned by a supervisory authority.
WP Cookie Consent and Your Privacy Policy
Cookie consent does not exist in isolation. Your WordPress site also needs a comprehensive privacy policy that covers all personal data processing, including cookie-based tracking. The cookie consent banner and cookie policy handle the specific requirements of the ePrivacy Directive, while your privacy policy addresses the broader GDPR obligations.
Ensure consistency between your documents. If your cookie policy lists Google Analytics as an analytics cookie requiring consent, your privacy policy should mention Google Analytics as a data processor and explain the legal basis for processing.
For WordPress sites, TermsBox provides a cookie policy generator that creates a policy covering standard WordPress cookies, plugin cookies, and third-party services. Pair it with a compliance scanner to identify what your site actually loads, so your policy matches reality.
Advanced WP Cookie Consent Configuration
Once the basics are in place, consider these additional configurations for a more robust setup.
Geo-Targeting
Not all jurisdictions require cookie consent. If a significant portion of your traffic comes from regions without cookie consent laws, geo-targeting allows you to show the consent banner only to visitors from regulated jurisdictions. This reduces friction for visitors who are not covered by consent requirements while maintaining compliance where it matters.
Premium versions of most WP cookie consent plugins support geo-targeting based on the visitor's IP address. Configure it to show the full consent banner to EU, UK, and Brazilian visitors while showing a simplified notice or no banner to visitors from other regions.
Consent Renewal
Consent does not last forever. Best practice is to re-request consent periodically, typically every 6 to 12 months. Configure your plugin to expire consent records and show the banner again after a set period. This ensures your consent records remain current and reflect any changes to your cookie usage.
Integration With Caching
WordPress caching plugins can interfere with cookie consent by serving cached pages that bypass the consent mechanism. If you use a caching plugin:
- Exclude cookie consent plugin scripts from caching and minification
- Configure your caching plugin to serve different cached versions based on consent cookies
- Test that the consent banner appears correctly on cached pages
- Verify that script blocking works after a page is served from cache
Accessibility
Your cookie consent banner must be accessible to users with disabilities. Ensure the banner:
- Can be navigated and operated using only a keyboard
- Has sufficient colour contrast (WCAG 2.1 AA minimum, 4.5:1 for text)
- Uses proper ARIA labels and roles
- Is announced to screen readers
- Does not trap keyboard focus
Frequently Asked Questions
Do I need a cookie consent banner on my WordPress site?
Yes, if your WordPress site uses non-essential cookies such as analytics, advertising, or social media cookies and you have visitors from the EU, UK, or other jurisdictions with cookie consent laws. The GDPR and ePrivacy Directive require prior consent before placing non-essential cookies.
What is the best WP cookie consent plugin?
The best plugin depends on your needs. WP Cookie Consent (by flavor), CookieYes, Complianz, and Real Cookie Banner are popular options. Look for features like automatic cookie scanning, granular consent categories, consent logging, and Google Consent Mode v2 support.
Does WordPress set cookies by default?
WordPress core sets a small number of cookies for logged-in users and commenters, but does not set tracking cookies by default. However, most WordPress sites use plugins and themes that load third-party scripts such as Google Analytics, Facebook Pixel, or embedded videos, all of which set cookies.
How do I block cookies before consent in WordPress?
Most WP cookie consent plugins offer script blocking that prevents non-essential cookies from loading until the user grants consent. This typically works by wrapping script tags or using a tag manager integration. Some plugins also support automatic script detection and blocking.