TL;DR — WordPress powers over 40% of websites worldwide, which makes it the platform regulators and cookie audits encounter most often. By default, WordPress core sets only a handful of functional first-party cookies, but plugins and themes routinely add dozens of third-party scripts with no consent control. To be compliant, a WordPress site must block all non-essential (analytics, advertising, personalisation) scripts until the user consents, display a valid cookie banner with one-click refusal, and store proof of each consent decision.
Managing GDPR cookies on WordPress is not automatic. The platform itself is neutral, but the moment you install WooCommerce, Google Analytics, a Meta Pixel or a form plugin, cookies are set before the user has had any chance to consent. The ICO and other European authorities regularly sanction websites for non-compliance. This guide explains which cookies WordPress installs, how to control them and how to achieve lasting compliance.
Which cookies does WordPress install by default?
WordPress core installs very few first-party cookies. The main ones are wordpress_logged_in_[hash] (logged-in user session), wp-settings-[user-id] (admin interface preferences) and wordpress_test_cookie (a functional test cookie deleted after verification). These are strictly functional and do not require consent under GDPR or the ePrivacy Directive.
The plugins that create risk
The real risk comes from plugins and themes. WooCommerce itself adds cart and session cookies (functional, exempt), but the payment and remarketing plugins installed alongside it often set advertising cookies. Google Analytics sets _ga and _ga_XXXXXXXX (GA4), plus _gid on older Universal Analytics deployments; all of these require consent. Meta Pixel sets _fbp and, when the visitor arrived via an fbclid link, _fbc; explicit consent is required for both. Form plugins that load reCAPTCHA (scripts served from Google's domain), caching or optimisation plugins that inject third-party scripts, and Jetpack (depending on which modules are active) can also set analytical or advertising cookies.
How to audit cookies on a WordPress site
Before installing a CMP, you need to know exactly which cookies your site sets. Here is a three-step method.
Step 1 — Scan the site
Use a cookie scanner: the FlowConsent scanner (/en/scan), Chrome DevTools (Application > Cookies) or a dedicated extension. Scan in a private window with no stored consent so that you see the pre-consent state, and cover all main pages, WooCommerce product, cart and checkout pages, and pages with forms. Record each cookie: name, domain, duration, value and, where you can tell, the plugin that set it. Note that HttpOnly cookies are invisible to document.cookie and console one-liners, so always cross-check against the Application panel.
Step 2 — Classify the cookies
For each identified cookie, determine its nature (first-party or third-party), its category (functional/essential, analytical, advertising, personalisation), its retention period and its issuer. Functional cookies are exempt from consent. All others require prior agreement.
Step 3 — Update the cookie policy
The cookie policy must list all active cookies, their purpose, duration and issuer. It must be accessible from the banner and the footer. Repeat this operation after every plugin installation.
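The scan and classification steps above, and the "nothing fires before consent" check repeated later in this guide, can be done from the browser itself. The following snippet is an added example, not the FlowConsent scanner or any plugin's code: paste it into the DevTools console of a private-browsing window before clicking Accept. It lists every third-party host the page has already contacted (using the Performance API) and classifies the cookies visible to JavaScript. The tracker and cookie tables it carries are this example's own and deliberately short; the first-party test (page host minus "www.") is a simplification, so a CDN on its own domain will appear as third party for a human to review.

```javascript
// Added example (not FlowConsent's code): pre-consent audit from the DevTools console.
// Run it in a private window BEFORE clicking Accept on the banner.

// Cookie-name patterns that always require consent: [pattern, issuer, category].
// This table is the example's own and is not exhaustive.
const CONSENT_COOKIES = [
  [/^_ga(_[A-Z0-9]+)?$/, 'Google Analytics', 'analytics'],
  [/^_gid$/, 'Google Analytics (Universal)', 'analytics'],
  [/^_fb[pc]$/, 'Meta Pixel', 'advertising'],
  [/^_gcl_/, 'Google Ads', 'advertising'],
];

// Hosts whose presence in the request list means a tracker has already fired.
const TRACKER_HOSTS = [
  [/(^|\.)google-analytics\.com$/, 'Google Analytics hit'],
  [/(^|\.)googletagmanager\.com$/, 'gtag.js / GTM container'],
  [/(^|\.)connect\.facebook\.net$/, 'Meta Pixel script'],
  [/^www\.facebook\.com$/, 'Meta Pixel hit'],
  [/(^|\.)doubleclick\.net$/, 'Google Ads / DoubleClick'],
];

// First-party approximation: same host as the page (minus "www.") or a subdomain of it.
function isThirdParty(url, pageHost) {
  const host = new URL(url).hostname;
  const site = pageHost.replace(/^www\./, '');
  return host !== site && !host.endsWith('.' + site);
}

// Aggregate third-party requests per host, tagging known tracker hosts.
function thirdPartyHosts(urls, pageHost) {
  const byHost = new Map();
  for (const url of urls) {
    if (!/^https?:\/\//i.test(url)) continue; // skip data:, blob: and similar
    if (!isThirdParty(url, pageHost)) continue;
    const host = new URL(url).hostname;
    const entry = byHost.get(host) || { host, requests: 0, tracker: '' };
    entry.requests += 1;
    const known = TRACKER_HOSTS.find(([re]) => re.test(host));
    if (known) entry.tracker = known[1];
    byHost.set(host, entry);
  }
  return [...byHost.values()].sort((a, b) => b.requests - a.requests);
}

// Turn a document.cookie string into rows for the classification table.
// Caveat: document.cookie omits HttpOnly cookies; complete the list from
// DevTools > Application > Cookies.
function classifyCookies(cookieString) {
  const rows = [];
  for (const pair of cookieString.split(';')) {
    const name = pair.split('=')[0].trim();
    if (!name) continue;
    const known = CONSENT_COOKIES.find(([re]) => re.test(name));
    rows.push({
      name,
      issuer: known ? known[1] : 'unknown: classify manually',
      category: known ? known[2] : 'unknown',
      consentRequired: known ? true : null, // null = needs manual review
    });
  }
  return rows;
}

// Browser entry point: read resource timings and cookies, print both tables,
// and give a pass/fail verdict on known tracker hosts.
function auditPage() {
  const urls = performance.getEntriesByType('resource').map((e) => e.name);
  const hosts = thirdPartyHosts(urls, location.hostname);
  const cookies = classifyCookies(document.cookie);
  console.table(hosts);
  console.table(cookies);
  const fired = hosts.filter((h) => h.tracker);
  console.log(fired.length
    ? `FAIL: ${fired.length} known tracker host(s) contacted before consent`
    : 'OK: no known tracker host contacted before consent');
  return { hosts, cookies, fired };
}

// Only run automatically inside a browser.
if (typeof document !== 'undefined' && typeof location !== 'undefined') auditPage();
```

Any row in the first table with a tracker label, and any cookie flagged consentRequired, is a failure of the "before consent" rule and tells you which plugin to go looking for. Rows marked "unknown" are exactly the ones to classify by hand in Step 2.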
Which CMP to choose for WordPress?
A CMP (Consent Management Platform) displays the banner, collects consent, blocks scripts before agreement and stores proof. Four non-negotiable criteria: real script blocking before consent, refusal accessible in one click, timestamped proof of consent and integration with Google Consent Mode v2.
FlowConsent integrates natively on WordPress via a JavaScript snippet and supports Consent Mode v2 without additional configuration. Common alternatives (Axeptio, Cookiebot, CookieYes) also offer dedicated WordPress plugins. The decisive criterion is not price but functional compliance: are scripts actually blocked before the click?
How to configure script blocking on WordPress
Script blocking is the most critical step and the one most often done poorly. There are two main approaches.
Via Google Tag Manager
Load all your analytical and marketing scripts through GTM and none of them directly in the theme or via plugins. The CMP sends consent signals to GTM via the dataLayer (Consent Mode v2 'default' and 'update' commands), and GTM's consent settings fire or hold each tag accordingly. The 'default' state, with everything non-essential denied, must be pushed before the GTM container snippet loads; otherwise tags can fire during the gap. This is the most robust approach if you already use GTM: a single control point for all third-party scripts.
Via the CMP's native mechanism
Most modern WordPress CMPs rewrite the type attribute of <script> tags (e.g. type="text/plain") so the browser parses but does not execute them until consent is given; on consent, the CMP re-inserts them as real scripts, since changing the type attribute in place does not run a script that is already in the DOM. This method works, but only for scripts the CMP gets to rewrite before the browser sees them: tags injected by a plugin that runs after the CMP, or loaded by a tag manager, bypass it. Verify in DevTools (Network tab, private browsing) that no third-party calls occur before consent.
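Both approaches come down to the same two actions: push a denied Consent Mode v2 default before any Google snippet runs, then on the user's choice push an update and release only the scripts whose category was granted. The following is an added example of that plumbing, written for this guide and not taken from FlowConsent or any other CMP. It assumes parked scripts are written as <script type="text/plain" data-consent="analytics">; the data-consent attribute name and the four category names are this example's own convention, and the storage keys are the standard Consent Mode v2 ones. It covers the GTM approach (the consent commands) and the native approach (re-inserting parked scripts).

```javascript
// Added example (not a CMP's code): Consent Mode v2 signalling plus native
// <script type="text/plain" data-consent="..."> unblocking for a WordPress theme.
// Must run in <head> before the gtag.js / GTM snippet.

const BLOCKED_TYPE = 'text/plain';

// CMP category (this example's convention) -> Consent Mode v2 storage keys it governs.
const CATEGORY_TO_CONSENT = {
  functional: ['functionality_storage', 'security_storage'],
  analytics: ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  personalisation: ['personalization_storage'],
};

// State before any choice: only strictly necessary storage is granted.
function defaultConsent() {
  const state = {};
  for (const [category, keys] of Object.entries(CATEGORY_TO_CONSENT)) {
    for (const key of keys) state[key] = category === 'functional' ? 'granted' : 'denied';
  }
  return state;
}

// State after the user's choice. `granted` is an iterable of category names;
// functional is always on; unknown category names are ignored.
function consentUpdate(granted) {
  const state = defaultConsent();
  for (const category of granted) {
    for (const key of CATEGORY_TO_CONSENT[category] || []) state[key] = 'granted';
  }
  return state;
}

// gtag() exactly as Google's snippet defines it: push the arguments object onto
// dataLayer. Defining it here (if absent) lets the default be queued even when
// gtag.js or the GTM container is loaded further down the page.
function gtagCall(...args) {
  if (typeof window === 'undefined') return; // not in a browser (e.g. under test)
  window.dataLayer = window.dataLayer || [];
  window.gtag = window.gtag || function () { window.dataLayer.push(arguments); };
  window.gtag(...args);
}

// Pure selection step: which parked scripts may run for the granted categories.
// `scripts` is an array of {type, category, ...}; applyConsent() builds it from the DOM.
function scriptsToActivate(scripts, granted) {
  const allowed = new Set(granted);
  return scripts.filter((s) => s.type === BLOCKED_TYPE && allowed.has(s.category));
}

// Re-create a parked <script> so the browser executes it. Setting el.type on the
// existing element is not enough: a script runs only when inserted into the document.
function activateScript(el) {
  const fresh = document.createElement('script');
  for (const { name, value } of Array.from(el.attributes)) {
    if (name !== 'type' && name !== 'data-consent') fresh.setAttribute(name, value);
  }
  if (!el.hasAttribute('src')) fresh.text = el.text; // copy an inline script body
  el.parentNode.replaceChild(fresh, el);
}

// Run once per page load, before the banner has decided anything.
// wait_for_update gives a CMP that restores a stored choice 500 ms to push the update.
function installDefault() {
  gtagCall('consent', 'default', { ...defaultConsent(), wait_for_update: 500 });
}

// Run when the user accepts, refuses, or saves preferences. Returns the state pushed.
function applyConsent(granted) {
  const state = consentUpdate(granted);
  gtagCall('consent', 'update', state);
  if (typeof document !== 'undefined') {
    const parked = Array.from(
      document.querySelectorAll(`script[type="${BLOCKED_TYPE}"][data-consent]`),
    ).map((el) => ({ el, type: el.type, category: el.dataset.consent }));
    for (const s of scriptsToActivate(parked, granted)) activateScript(s.el);
  }
  return state;
}

installDefault();
// Banner wiring (assumed button handlers):
//   "Accept all" -> applyConsent(Object.keys(CATEGORY_TO_CONSENT));
//   "Refuse"     -> applyConsent(['functional']);
```

Two points worth noting. Refusal is a single call that grants nothing beyond functional, so a "Refuse" button is as cheap to wire as "Accept all", which is what one-click refusal requires. And this code only releases scripts; withdrawing consent later cannot un-run a script that has already executed, so the preferences panel must also delete the cookies those scripts set and reload the page.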
Common mistakes on WordPress sites
Mistake 1: scripts load before consent. Check in private browsing (no cookies, no stored consent) that GA, Meta Pixel and others do not appear in network requests before clicking Accept: look for calls to googletagmanager.com and google-analytics.com (GA4 hits go to /g/collect), connect.facebook.net and facebook.com/tr, and any other host you did not put there yourself.
Mistake 2: refusal requires multiple clicks. Refusal must be accessible in one click from the main banner, without an intermediate screen.
Mistake 3: the cookie policy is outdated. Re-scan the site after every plugin installation and update the list.
Mistake 4: GA also fires for logged-in admins. Exclude administrator roles from analytical tracking, for example by wrapping the tag output in a check such as is_user_logged_in() or current_user_can('manage_options') in the theme, or by using the equivalent option in your analytics plugin.
Mistake 5: no 'Manage cookies' link in the footer. Add an accessible link in the footer that triggers the preferences panel.
Mistake 6: no proof of consent stored. Enable consent logging in the CMP: date, time, policy version, choices, session identifier.
WordPress cookie compliance checklist
- Scan all active cookies on main pages, product pages and forms.
- Classify each cookie: functional, analytical, advertising, personalisation.
- Install and configure a valid CMP (banner + script blocking + logging).
- Verify that refusal is accessible in one click from the main banner.
- Check in DevTools (private browsing) that no third-party script loads before consent.
- Integrate the CMP with Google Consent Mode v2 if GA4 or Google Ads are used.
- Update the cookie policy with purposes and durations of all active cookies.
- Add a 'Manage cookies' link in the footer.
- Enable proof of consent storage (timestamped logs).
- Schedule a monthly re-scan, and re-scan after every plugin installation or update.
WordPress is flexible, but that flexibility creates risk when every plugin adds its own scripts without oversight. GDPR compliance rests on three pillars: regular auditing, blocking scripts before consent and storing proof. Scan your WordPress site at /en/scan to start by identifying exactly which cookies are active.