What are Cookies?

Cookies are small text files that websites place on a user's computer or mobile device to store information about their visit. They serve many important purposes like remembering login information, tracking shopping cart contents, personalizing content, and more.

With privacy laws like GDPR going into effect, many website owners are wondering if their WordPress site uses cookies and how they can properly disclose this. In this comprehensive guide, I'll cover everything you need to know about identifying cookies on a WordPress website and making sure you comply with regulations.

Cookies are tiny pieces of data that websites store on a visitor's browser while they are visiting the site. They are very commonly used across the internet for a variety of important functions.

Here are some of the main reasons sites use cookies:

  • Session Management: Cookies can track login sessions so users don't have to re-enter credentials on every page.

  • Personalization: Cookies allow sites to remember user preferences and customize content specifically for them.

  • Tracking: Cookies are used to track user behavior, clicks, page visits, and more. This data powers analytics and advertising.

  • Shopping Carts: Cookies help ecommerce sites remember products added to the shopping cart across pages.

  • Security: Cookies can enhance security by detecting fraudulent activity and verifying legitimate users.

  • Consent Tracking: Some cookies track whether a user has consented to the use of other cookies on the site.

Cookies set by the website you are visiting are called first-party cookies. Cookies set by other sites, such as those referring traffic or providing functionality on the page, are called third-party cookies.

WordPress Sites Have Many Cookies

Over 83% of WordPress sites use cookies in some form based on scans of the top 1 million sites. The average WordPress site has around 20 unique cookies.

Here are some examples of cookies frequently used on WordPress sites:

| Cookie | Used By | Purpose |
|---|---|---|
| wordpress_loggedin* | WordPress Core | Login session management |
| comment_* | WordPress Core | Remember commenter details |
| woocommerce_* | WooCommerce | Track cart and purchases |
| _ga, _gid | Google Analytics | Track unique visitors |
| fr, sb | Facebook | Identify users for ads and widgets |
| personalization_id | Twitter | Store widget preferences |

As you can see, cookies on WordPress come from both the core system and third-party services. Later I'll show you how to identify where each one originates.

Cookies allow sites to collect a lot of data about their visitors. To protect user privacy, laws like GDPR require sites to:

  • Disclose what cookies they use
  • Obtain consent before setting certain cookies
  • Allow users to revoke cookie consent

Without proper disclosure and consent, sites are not allowed to use cookies except those strictly necessary for site functionality.

This is why you may see cookie consent notices when visiting sites based in certain regions. They help sites comply with local privacy laws.

Exact Regulations Depend on Location

Different countries have specific regulations around cookie usage and privacy:

  • EU: GDPR and the ePrivacy Directive regulate cookies in the European Union. Fines for non-compliance can be up to 4% of global revenue.

  • UK: Based on the EU regulations but with some differences after Brexit. Focuses on user control and transparency.

  • US: No federal cookie law but states like California have passed consumer privacy acts. FTC enforces consumer protection around deception.

  • Canada: PIPEDA requires meaningful consent similar to GDPR. Quebec has additional cookie regulations.

  • Australia: Privacy Act interpreted to require opt-in consent for certain cookies.

So while requirements vary, the general principles of disclosure, consent, and user control apply in most regions with privacy laws.

WordPress itself uses some essential first-party cookies to deliver standard functionality:

  • Login Cookies: WordPress uses session cookies to keep users logged into the site.

  • Comment Cookies: Cookies store commenters' name, email, and URL so they don't have to re-enter them every time.

  • Multisite Cookies: On multisite installs, cookies help track which site the user is on.

  • Admin Cookies: Cookies help keep admin users logged into the backend and enhance security.

In addition, many WordPress plugins and themes use cookies to store:

  • User preferences like volume settings on videos
  • Content personalization settings
  • Shopping cart data
  • Form data like name, email, etc.

Caching plugins like WP Rocket use cookies to show users the cached version of pages. Analytics plugins like Google Analytics use cookies to identify unique visitors.

So while WordPress core uses a minimal set of first-party cookies, plugins and themes often add more.

Next I'll show you how to detect exactly which cookies your specific WordPress site is using.

Let's go over how you can easily audit the cookies used on your WordPress site using built-in browser developer tools.

Step 1 – Visit Your Site While Logged Out

First, make sure to log out of your WordPress site completely and clear your browser cookies and cache.

This allows you to view the cookies a normal visitor to your site would get. If you check while logged in as an admin, you may see additional cookies.

Here's how to fully clear cookies in popular browsers:

  • Chrome: Settings > Privacy > Clear browsing data
  • Firefox: Options > Privacy > Clear data
  • Safari: Preferences > Privacy > Manage cookies and data

Also disable any ad blockers you may have enabled. They can sometimes block cookies from loading.

Step 2 – Open Browser Developer Tools

All major browsers make it easy to view cookies set by any website you visit:

Google Chrome

  • Click the padlock icon > Cookies
  • Or right-click > Inspect > Application > Cookies

Mozilla Firefox

  • Right-click > Inspect Element > Storage > Cookies

Microsoft Edge

  • Press F12 > Application > Cookies

This will show you all cookies set by the current site along with their expiration date.

[Image: Browser developer tools]

Tip: You can also use extensions like EditThisCookie for easier cookie management.

Step 3 – Identify Cookie Sources

You will be able to see at a glance which cookies are set by your WordPress site directly and which are from third-party sources like plugins, social media, ads, and more.

Some common cookie sources you may see:

  • Your site's domain – First-party WordPress cookies
  • wp-settings-1,2 – WordPress login session cookie
  • comment_author – WordPress comment cookie
  • woocommerce_cart_hash – WooCommerce cookie
  • __utmz – Google Analytics cookie
  • fr – Facebook cookie
  • personalization_id – Twitter cookie

Make a note of all the different services setting cookies on your site. This will come in handy later.

Step 4 – Review Cookie Details

Click on any individual cookie to view additional details like the expiration date, contents, file size, and more.

This can help you determine exactly what kind of data is being stored in the browser.

For example, WordPress login cookies will show your user ID. Analytics cookies will contain a unique visitor ID. Advertising cookies will show identifiers linked to your browsing.

[Image: Cookie details]

Tip: Watch out for cookies with long expiration dates, unique identifiers, tracking data, or personal info, which carry higher privacy risks.

Step 5 – Cross-check With Plugins

Next, cross-check the third-party cookies against plugins and services active on your site.

For example, if you see a __utmz cookie you can confirm it comes from Google Analytics. If you see woocommerce_items_in_cart, it must be from WooCommerce.

This allows you to trace each cookie back to a specific purpose on your site. If you find any unrecognized cookies, more investigation may be needed.
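Steps 3 to 5 can also be scripted once you have the rows from the browser's Cookies panel. The following is an added example, not part of the original guide: it maps each cookie name to a source using the names listed above, separates first-party from third-party by domain, and flags unrecognized or long-lived cookies. The site host, the 365-day threshold, and the sample rows are assumptions made up for illustration.

```javascript
// Added example (not from the original guide). Cookie rows are constructed
// sample data shaped like the DevTools "Cookies" table: name, domain, expires.
const SITE_HOST = "shop.example.com"; // assumed site under audit
const MAX_DAYS = 365;                 // assumed threshold for "long-lived"

// Name patterns taken from the cookie names this guide lists.
const KNOWN_SOURCES = [
  [/^(wordpress_|wp-settings-|comment_)/, "WordPress Core"],
  [/^woocommerce_/, "WooCommerce"],
  [/^(_ga|_gid|__utmz)$/, "Google Analytics"],
  [/^(fr|sb)$/, "Facebook"],
  [/^personalization_id$/, "Twitter"],
];

// A cookie is first-party when its Domain covers the audited host.
function isFirstParty(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Classify one row and collect the findings that need a closer look.
function auditCookie(row, siteHost = SITE_HOST, now = Date.now()) {
  const hit = KNOWN_SOURCES.find(([re]) => re.test(row.name));
  const findings = [];
  if (!hit) findings.push("unrecognized: investigate");
  // expires === null means a session cookie (deleted when the browser closes).
  const days = row.expires === null ? 0 : (Date.parse(row.expires) - now) / 86400000;
  if (days > MAX_DAYS) findings.push("long-lived");
  return {
    name: row.name,
    source: hit ? hit[1] : "unknown",
    party: isFirstParty(row.domain, siteHost) ? "first" : "third",
    findings,
  };
}

// Constructed rows; "now" is pinned so the result is reproducible.
const NOW = Date.parse("2024-01-01T00:00:00Z");
const SAMPLE_ROWS = [
  { name: "woocommerce_cart_hash", domain: "shop.example.com", expires: null },
  { name: "_ga", domain: ".example.com", expires: "2026-01-01T00:00:00Z" },
  { name: "fr", domain: ".facebook.com", expires: "2024-03-31T00:00:00Z" },
  { name: "xyz_sync", domain: "cdn.tracker.example", expires: "2034-01-01T00:00:00Z" },
];

const auditAll = (rows = SAMPLE_ROWS) => rows.map((r) => auditCookie(r, SITE_HOST, NOW));
console.table(auditAll());
```

In the sample output `_ga` is first-party by domain even though its source is Google Analytics, which is why the name-based cross-check in Step 5 is needed in addition to looking at the domain column.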

If your WordPress site is using any unnecessary cookies, you can try to disable them to improve privacy.

Disable Plugin Cookies

Many plugins provide settings to disable cookie usage or make it GDPR compliant.

For example:

  • Google Analytics – Use the MonsterInsights plugin and enable the EU Compliance addon.

  • WooCommerce – Go to Settings > Advanced > Disable cookie usage completely.

  • Contact Form 7 – Install the Contact Form 7 Data Export/Import plugin and disable cookies.

Refer to documentation for any plugins setting cookies to see if they can be disabled.

Remove Unneeded Plugins

If you have inactive plugins still setting cookies, uninstall them from your site completely.

Plugins no longer needed should be fully removed for privacy and performance.

Limit Third-Party Cookies

Try to limit the use of social media widgets, external ads, embedded content, and other third parties.

They frequently set cookies, sometimes without control from the site owner.

More Privacy Plugins

Here are some other handy WordPress plugins to give you more granular control over cookies:

Clearly disclosing cookie usage is required for GDPR and other privacy law compliance. The easiest way is to add a dedicated Cookie Policy page.

Here's what should be included:

  • List of all first- and third-party cookies used
  • Purposes of each cookie
  • Types of data collected
  • How to control cookie settings
  • How to delete cookies

Make sure your privacy policy and any cookie notices link to this page. It will show regulators you have proper disclosure.

There are also WordPress plugins like WP Cookie Consent that can auto-generate a cookie disclosure statement for your site.

Hopefully this guide covered the basics of identifying and controlling cookie usage on WordPress sites.

Here are the key takeaways:

  • Use browser tools to audit cookies set on your site
  • Trace each one back to a specific plugin or third party
  • Disable non-essential cookies if possible
  • Add clear cookie disclosure and consent notices
  • Comply with regulations like GDPR and privacy laws

With a privacy-focused approach, you can ensure your WordPress site only uses cookies when absolutely necessary to deliver a great user experience.

Let me know if you have any other questions! I have over 15 years of experience dealing with WordPress cookies and privacy practices, so I'm always happy to help out.

Written by Jason Striegel

C/C++, Java, Python, and Linux developer for 18 years; A-Tech enthusiast who loves to share some useful tech hacks.