Cookie consent on WordPress: the complete GDPR guide

13 March 2026 · FlowConsent

TL;DR

WordPress does not natively handle cookie consent. To make a WordPress site GDPR-compliant, you need to install a consent management solution (CMP) that displays a banner, blocks non-consented scripts and stores proof of consent. Several approaches exist: a dedicated WordPress plugin, an external SaaS solution like FlowConsent, or manual integration via a code snippet.

Why is WordPress alone not enough for cookie compliance?

WordPress is a content management system. It contains no native mechanism to inform visitors about cookies, collect their consent or block scripts before agreement. Yet most WordPress sites set cookies from the very first page load.

The sources of cookies on a WordPress site are numerous: the WordPress core itself (session cookies, authentication cookies), installed plugins (forms, analytics, cache, e-commerce, SEO), the active theme (Google Fonts, embedded scripts) and integrated third-party services (Google Analytics, Facebook Pixel, YouTube, chat widgets). Each of these can set first-party or third-party cookies.

Without a CMP, all these cookies fire on page load, before the visitor has given consent. This is the most common compliance failure on WordPress sites.

What are the GDPR requirements for a WordPress site?

The requirements are the same as for any website, regardless of the technology used.

Display a compliant consent banner when the visitor arrives, with an Accept and a Reject button of equal visibility. Block all non-essential scripts (analytics, advertising, social media) until the visitor clicks Accept. Provide an accessible and up-to-date cookie policy listing all trackers present on the site. Store proof of consent to present during an inspection. Allow the visitor to change or withdraw consent at any time.

Using WordPress does not modify or reduce these obligations. A WordPress site with WooCommerce, Google Analytics and a Facebook Pixel has exactly the same requirements as a custom-built site.

How to manage cookies on WordPress?

Three main approaches can make a WordPress site cookie-compliant.

Option 1: a WordPress cookie consent plugin

This is the most common approach. Plugins like Complianz, CookieYes, Cookie Notice or GDPR Cookie Compliance add a consent banner and script-blocking mechanism directly within WordPress.

The advantage is simplicity: a few clicks in the WordPress interface are enough. The limitation is that these plugins depend on the WordPress ecosystem: compatibility with themes, other plugins and core updates. Some free plugins offer a basic banner but do not actually block scripts before consent, making the site non-compliant despite appearances.

Option 2: an external SaaS CMP

An external CMP like FlowConsent, Cookiebot or Didomi integrates via a JavaScript snippet in the site header. It works independently of WordPress and handles consent, script blocking and proof of consent server-side.

The advantage is reliability: the CMP does not depend on WordPress plugins and works identically regardless of the theme or configuration. It also offers advanced features (automatic cookie scanning, Google Consent Mode v2, TCF 2.2, compliance reports) that most free plugins do not provide.

Option 3: manual integration

For developers, it is possible to build a custom consent mechanism using the CMP JavaScript API or by manually coding script blocking (type="text/plain" attribute on script tags, then conditional activation after consent).

This approach offers full control but requires ongoing maintenance and a solid understanding of how cookies and the GDPR work. It is rarely justified for a standard WordPress site.

How to block scripts before consent on WordPress?

Script blocking is the most critical technical point. A banner that displays but does not block cookies before consent is non-compliant.

The standard method is to modify the type attribute of script tags. Instead of type="text/javascript" (which triggers immediate execution), use type="text/plain" with a data-category attribute identifying the cookie category (analytics, marketing, etc.). The CMP reactivates scripts in the corresponding category only after consent.
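The activation step of this method, as an added sketch (not FlowConsent's code or any plugin's own): it re-creates each blocked script whose data-category the visitor accepted and leaves the rest inert. The function name, the "necessary" category and the sample URL are assumptions made for illustration.

```javascript
// Blocked markup this works on (constructed sample):
//   <script type="text/plain" data-category="analytics"
//           src="https://analytics.example/tag.js"></script>

// Categories that run without consent (assumed name for this sketch).
const ALWAYS_ALLOWED = new Set(["necessary"]);

// doc: the page's Document. consented: iterable of accepted category names.
// Returns what was activated, so the choice can be logged with the consent proof.
function activateConsentedScripts(doc, consented) {
  const allowed = new Set([...ALWAYS_ALLOWED, ...consented]);
  const activated = [];
  const blocked = doc.querySelectorAll('script[type="text/plain"][data-category]');
  for (const old of Array.from(blocked)) {
    const category = old.getAttribute("data-category");
    if (!allowed.has(category)) continue; // not consented: stays text/plain
    // Changing `type` in place does not make the browser run a script it has
    // already parsed, so a fresh element is built and swapped in.
    const fresh = doc.createElement("script");
    for (const { name, value } of Array.from(old.attributes)) {
      if (name !== "type") fresh.setAttribute(name, value); // no type = JavaScript
    }
    fresh.text = old.text; // inline body; empty for src-based scripts
    old.parentNode.replaceChild(fresh, old);
    activated.push({ category, src: old.getAttribute("src") || "(inline)" });
  }
  return activated;
}
```

In a browser it would be called from the banner's Accept handler, for example `activateConsentedScripts(document, ["analytics"])`.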

On WordPress, this modification can be done in three ways: via the consent plugin settings (most offer an automatic blocking mechanism), via a script management plugin like Header Footer Code Manager (to manually modify attributes), or via the child theme functions.php file (for custom integrations).

After setting up blocking, a cookie audit verifies that scripts are actually blocked before consent. This is an essential validation step.

Common cookies on a WordPress site

A standard WordPress site sets several categories of cookies that must be identified and documented.

Native WordPress cookies include wordpress_test_cookie (cookie functionality test), wordpress_logged_in_* (authentication session for logged-in users) and wp-settings-* (admin interface preferences). These cookies are strictly necessary and exempt from consent for authenticated users.

WooCommerce cookies (if installed) include woocommerce_cart_hash and woocommerce_items_in_cart (shopping cart). These are strictly necessary in the context of a purchase journey.

Third-party cookies are those requiring consent: _ga and _gid (Google Analytics), _fbp and _fbc (Facebook Pixel), YouTube cookies (if videos are embedded), social sharing plugin cookies, and chat or support solution cookies.

A scan of your site identifies all these cookies and allows you to classify them correctly in your CMP.
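A small pre-consent check built from the cookie names listed above, as an added example (not a FlowConsent tool): it takes the cookies seen in a private window before any click on the banner and reports which ones should not be there. The category labels, the "unclassified" bucket and the sample string are assumptions.

```javascript
// Names from the lists above; a trailing * means prefix match.
const KNOWN_COOKIES = [
  { pattern: "wordpress_test_cookie", category: "necessary" },
  { pattern: "wordpress_logged_in_*", category: "necessary" },
  { pattern: "wp-settings-*", category: "necessary" },
  { pattern: "woocommerce_cart_hash", category: "necessary" },
  { pattern: "woocommerce_items_in_cart", category: "necessary" },
  { pattern: "_ga", category: "analytics" },
  { pattern: "_gid", category: "analytics" },
  { pattern: "_fbp", category: "marketing" },
  { pattern: "_fbc", category: "marketing" },
];

// Map one cookie name to a category, or "unclassified" if it is not listed.
function classifyCookie(name) {
  for (const { pattern, category } of KNOWN_COOKIES) {
    const hit = pattern.endsWith("*")
      ? name.startsWith(pattern.slice(0, -1))
      : name === pattern;
    if (hit) return category;
  }
  return "unclassified";
}

// cookieString: "name=value; name2=value2" captured BEFORE consent.
// HttpOnly cookies do not appear in document.cookie, so build the string
// from the browser's storage panel when those matter.
function auditPreConsent(cookieString) {
  const report = { necessary: [], violations: [], unclassified: [] };
  for (const pair of cookieString.split(";")) {
    const name = pair.split("=")[0].trim();
    if (!name) continue;
    const category = classifyCookie(name);
    if (category === "necessary") report.necessary.push(name);
    else if (category === "unclassified") report.unclassified.push(name);
    else report.violations.push({ name, category });
  }
  // Unlisted cookies also fail the check: they must be classified in the CMP.
  report.clean = report.violations.length === 0 && report.unclassified.length === 0;
  return report;
}

// Constructed sample: a banner plugin installed without script blocking.
const SAMPLE_BEFORE_CONSENT =
  "wordpress_test_cookie=WP%20Cookie%20check; _ga=GA1.1.111.222; woocommerce_items_in_cart=1; _fbp=fb.1.1.1; chat_session=abc";
```

For the sample, `auditPreConsent(SAMPLE_BEFORE_CONSENT)` reports `_ga` and `_fbp` as violations and `chat_session` as unclassified.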

Common mistakes on WordPress sites

Installing a banner plugin without enabling script blocking. The banner displays, but analytics and advertising cookies still fire on load. This is the most widespread compliance failure on WordPress.

Using a free plugin that does not actually block cookies. Some free plugins merely display a notification without any technical blocking mechanism. The banner is purely cosmetic.

Not updating the configuration after adding a new plugin. Every WordPress plugin can set its own cookies. Adding a form plugin, chat tool or e-commerce module changes the site cookie inventory.

Forgetting cookies set by the theme. WordPress themes often load Google Fonts, external JavaScript libraries or built-in analytics scripts. These set third-party cookies that must be blocked before consent.

Not managing WordPress cache. Cache plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache) can serve a cached page version that already contains cookies from a previous session. The CMP must be configured to work correctly with caching.

WordPress and Google Consent Mode v2

If your WordPress site uses Google Analytics 4 or Google Ads, Consent Mode v2 is essential. This mechanism allows Google tags to adapt their behaviour based on the visitor's consent choice.

In basic mode, Google tags do not fire at all before consent. In advanced mode, tags send cookieless pings to feed Google machine learning, even without consent.

On WordPress, Consent Mode v2 can be configured via Google Tag Manager (GTM) or directly via the CMP. FlowConsent and most SaaS CMPs automatically transmit consent signals to Google tags. With a WordPress plugin, verify that the plugin natively supports Consent Mode v2.

Checklist: cookie compliance on WordPress

  1. Run a site scan to inventory all cookies (core, plugins, theme, third-party).
  2. Install a CMP (WordPress plugin or external SaaS solution).
  3. Configure blocking of non-essential scripts before consent.
  4. Verify that the Reject button is as visible as the Accept button.
  5. Enable Google Consent Mode v2 if Google Analytics or Google Ads is used.
  6. Write and publish a complete cookie policy.
  7. Test behaviour in private browsing: no non-essential cookies before clicking Accept.
  8. Configure the CMP to work with the WordPress cache plugin.
  9. Schedule quarterly audits and after each plugin addition.
  10. Document the configuration for presentation during inspections.

Conclusion

WordPress does not handle cookie consent natively, but compliance is achievable with the right tools. The key is choosing a solution that actually blocks scripts before consent, not just a cosmetic banner. A SaaS CMP like FlowConsent offers reliable integration, independent of plugins and themes, with automatic scanning and Consent Mode v2 included.

Start with a free scan of your WordPress site to identify all cookies present and assess your current compliance level.

Frequently asked questions

Does WordPress handle cookie consent natively?

No. WordPress contains no native mechanism to display a consent banner, block scripts before agreement or store proof of consent. You need to install a complementary solution: a cookie consent plugin or an external SaaS CMP.

What is the best cookie plugin for WordPress?

There is no single "best" universal plugin. The essential criterion is that the plugin actually blocks scripts before consent, not just displays a banner. Among recognised plugins: Complianz, CookieYes and GDPR Cookie Compliance. An external SaaS CMP like FlowConsent offers a more reliable alternative, independent of the WordPress ecosystem.

How do I block cookies before consent on WordPress?

The standard method is to change the type attribute of script tags from type="text/javascript" to type="text/plain", with a data-category attribute. The CMP or consent plugin then reactivates scripts only after visitor agreement. Some plugins offer automatic blocking of known scripts.

Do WooCommerce cookies require consent?

WooCommerce cookies related to the shopping cart (woocommerce_cart_hash, woocommerce_items_in_cart) are strictly necessary for the purchase journey and are exempt from consent. However, analytics or advertising cookies added via WooCommerce or its extensions require prior consent.

Does WordPress caching cause problems for cookie consent?

Yes. Cache plugins (WP Rocket, W3 Total Cache, LiteSpeed Cache) can serve a cached page that contains cookies from a previous session. The CMP must be configured to not be cached and to work correctly with the site caching system.

Does a WordPress site need Google Consent Mode v2?

If your WordPress site uses Google Analytics 4 or Google Ads, Consent Mode v2 is necessary to continue collecting conversion and audience data in the EEA. Consent Mode allows Google tags to adapt their behaviour based on the visitor's consent choice.