Cookies are small text files that are used to store information on a user’s browser. Cookies are stored for multiple purposes, such as providing security, maintaining user sessions, and tracking user behavior on the website for site analytics and targeted marketing.

When a website uses certain third-party services, for example, for advertising purposes, they also set cookies on the website. These cookies are usually set by scripts provided by these third parties for enabling their services on the website.

Common types of cookies are:

First-party cookies – These are placed on the user’s device directly by the website.

Third-party cookies – These are placed by a third party, and they are commonly used for advertising and analytics.

Session cookies – This type of cookie expires once the user’s session on a website expires.

Persistent cookies – This type of cookie remains in the user’s system unless the user deletes it, or the site does. They usually have expiration dates coded in.

Strictly necessary cookies – They are often mandatory for a website to function smoothly. This type of cookie is essential for users to use certain features of a website, such as remembering past activity on the site or holding items in the shopping cart.

35% of the web uses WordPress, and that share is only increasing day by day. It is a simple web page system that allows anyone to create their own website. And just like any web management system, WordPress also sets cookies. It does not use sessions by default; instead, it uses cookies to achieve the same behavior.

This article takes a look at WordPress cookies and why they are used.

There are two types of cookies set by WordPress.

  1. User cookies – These are ‘strictly necessary’ cookies, as WordPress will not be able to function without them. They are also session cookies, as they expire once the user logs out or exits the page.
  2. Comment cookies – These are not ‘strictly necessary’ cookies and are set when users leave a comment on a post. These can also be classified as persistent cookies.

WordPress Users Cookie

To check the cookies set by WordPress, deactivate all the plugins on the website. This is because other plugins may also install cookies on a WordPress website. Or you can check with a fresh installation of WordPress.

Without plugins installed, WordPress sets the following cookies:

  • wordpress_[hash]
  • wordpress_logged_in_[hash]
  • wordpress_test_cookie
  • wp-settings-{time}-[UID]

These are the cookies that activate in the admin area of the website.

WordPress uses the cookie wordpress_[hash] to store the authentication details on login. The authentication details include the username and a double-hashed copy of the password. However, the usage of this cookie is limited to the admin console area, the backend dashboard of the website.

The cookie wordpress_logged_in_[hash] is used to indicate when you are logged in, and who you are. This cookie is maintained on the front-end of the website as well when logged in.

Here, [hash] represents the value obtained by applying a specific mathematical formula to the username and password. This is to ensure that the input values are safe and that no one can access this data using the cookies, as it is difficult to ‘unhash’ hashed data.

The cookie wp-settings-{time}-[UID] is used to customize the view of your admin interface and the front-end of the website. The value represented by [UID] is the individual user ID of the user as given to them in the users’ database table.

WordPress also sets a cookie named wordpress_test_cookie to check if the cookies are enabled on the browser to provide appropriate user experience to the users. This cookie is used on the front-end, even if you are not logged in.

Apart from these, WordPress also uses:

wp-saving-post: it lets the admins restore data for a post that is currently being edited if a saved version exists.

wporg_logged_in, wporg_sec: these check if the current visitor is a logged-in WordPress user. The expiration period of these cookies is 14 days if the user has consented to let the site remember the login credentials. Otherwise, they act as session cookies.

WordPress Commenters Cookie

WordPress also sets cookies on the devices of those who comment on the website. These cookies are used to remember the users so that the values are automatically filled in the corresponding fields. The user doesn’t have to enter their details every time they want to leave a comment. Below listed are the cookies set for commenters.

  • comment_author_[hash]
  • comment_author_email_[hash]
  • comment_author_url_[hash]

The cookie comment_author_[hash] remembers the value entered into the comment form’s name field.

The cookie comment_author_email_[hash] remembers the value entered into the comment form’s email field.

The cookie comment_author_url_[hash] remembers the value entered into the comment form’s URL field.

The cookies set for the commenters are persistent in nature and remain in the system for 347 days. These are only activated if the visitors check the checkbox to save these details.

To identify the cookies used on a website, you can refer to this article. You can also enter the URL of the site to scan and list all the cookies being used in the URL using this free cookie checker tool.

Cookies set by WordPress Plugins and tools

If plugins are activated on a WordPress website, they also set cookies on the user’s device. For example, the plugin GDPR Cookie Consent sets a cookie named viewed_cookie_policy that is used to check whether or not the user has given their consent to the usage of cookies. It is done by loading the scripts you want to block until you obtain user consent. The plugin also records the cookies the site uses and displays a list via a shortcode that you can add on your privacy and cookie policy.

Another cookie that this plugin uses is cookielawinfo-checkbox-necessary/cookielawinfo-checkbox-non-necessary. It records the default button state of the corresponding category. It works in coordination with the primary cookie, that is, viewed_cookie_policy.

There can be other plugins on the website that can set cookies on the device. You can check this by activating the plugins one by one and checking what cookies are being installed when that particular plugin is activated.

It is also best to check the inner pages of the website to check for the cookies being installed on the website. This is because even though the plugin is activated, the cookie will only be set on pages that have the functionality of the plugin. For example, a plugin that helps you add a social media sharing functionality to the blog posts will only set the cookie on each of the blog posts.
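The plugin-by-plugin check described above can be scripted. The following Python sketch is an added example, not code from the original article, WordPress or any plugin: it sorts Set-Cookie header values into the cookie groups listed in this article, marks each cookie as session or persistent, and reports which cookies appear only after a plugin is activated. It assumes [hash] is a hex string; the sample headers are constructed, and example_share_widget is a hypothetical plugin cookie.

```python
import re

# Name patterns taken from the cookie lists in the article. [hash] is assumed
# to be hex; wp-settings covers wp-settings-<UID> and wp-settings-time-<UID>.
GROUPS = [
    ("wordpress-user", re.compile(
        r"^(wordpress_logged_in_[0-9a-f]+|wordpress_[0-9a-f]+|"
        r"wordpress_test_cookie|wp-settings-(time-)?\d+|wp-saving-post)$")),
    ("wordpress-commenter", re.compile(r"^comment_author(_email|_url)?_[0-9a-f]+$")),
    ("gdpr-cookie-consent", re.compile(r"^(viewed_cookie_policy|cookielawinfo-checkbox-.+)$")),
]

def parse_set_cookie(header):
    """Return (name, 'session' | 'persistent') for one Set-Cookie value."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0]
    keys = {a.split("=", 1)[0].lower() for a in attrs}
    return name, "persistent" if keys & {"expires", "max-age"} else "session"

def classify(name):
    for group, pattern in GROUPS:
        if pattern.match(name):
            return group
    return "other"  # set by another plugin or a third-party service

def inventory(headers):
    """Map cookie name -> (group, lifetime)."""
    return {n: (classify(n), life) for n, life in map(parse_set_cookie, headers)}

def new_cookies(baseline, with_plugin):
    """Cookie names seen only after a plugin was activated."""
    return sorted(set(inventory(with_plugin)) - set(inventory(baseline)))

# Constructed sample headers; H is a placeholder, not a real site hash.
H = "0123456789abcdef0123456789abcdef"
BASELINE = [
    "wordpress_test_cookie=placeholder; path=/",
    f"wordpress_logged_in_{H}=placeholder; path=/; HttpOnly",
    f"comment_author_email_{H}=reader%40example.com; "
    "expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/",
]
WITH_PLUGIN = BASELINE + [
    "viewed_cookie_policy=yes; Max-Age=31536000; path=/",
    "example_share_widget=1; path=/",  # hypothetical plugin cookie
]

if __name__ == "__main__":
    print(inventory(WITH_PLUGIN))
    print("new after activation:", new_cookies(BASELINE, WITH_PLUGIN))
```

Cookies that fall into the "other" group are the ones to trace back to a specific plugin or third-party script before listing them in a cookie policy.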

If you are looking for compliance with the GDPR and ePrivacy Directive, you must also check for the cookies set by third-party services that you may be using on your WordPress website, apart from the cookies that are placed by WordPress and WordPress plugins.

Once you know what cookies are set by your WordPress website, the next step is to be cookie compliant per GDPR and other privacy law requirements. There are many tools that will help you to get WordPress cookie consent and manage cookie scripts. CookieYes is a popular consent management platform for cookie compliance with GDPR, CCPA, ePrivacy Directive, LGPD, RGPD, DSGVO and CNIL. Try it today for free!