WP Rocket is a premium WordPress caching and performance plugin published by the French company WP Media. It bundles page caching, browser caching, lazy loading, database optimisation and an optional RocketCDN add on. WP Rocket does not track visitors and is widely used by European WordPress agencies and ecommerce sites.
WP Rocket is a premium WordPress performance plugin published by WP Media SAS, headquartered in Lyon, France. It provides page caching, browser caching, GZIP compression, lazy loading, database cleanup, CSS and JavaScript minification, image preloading and an optional RocketCDN add on powered by StackPath. WP Rocket is widely deployed by European WordPress agencies, ecommerce sites and publishers.
WP Rocket does not set any analytics or marketing cookies. It does manage cache variants: if your consent management platform sets a cookie when the visitor accepts optional categories, WP Rocket can serve a separate cached page version for visitors who have accepted and for those who have refused. To vary the cache, the plugin recognises cookie names such as cookielawinfo-checkbox-*, CookieConsent, cookieyes-consent or the visitor's logged-in cookie.
WP Rocket is purely a server side cache layer. It does not process personal data of website visitors beyond rotating IP addresses that may appear in server logs. WP Media SAS, as the publisher, processes only the licence email address, support requests and update telemetry. The plugin is fully compatible with the GDPR and falls outside the strict scope of the ePrivacy Directive for visitor cookies.
WP Rocket itself does not require visitor consent because it sets no tracking cookies. It can, however, interfere with consent management platforms if the cache is not properly varied. Configure WP Rocket to add your CMP cookie (CookieConsent, cookieyes-consent, OptanonConsent, etc.) to the list of cookies that vary the cached page, so accepted and refused versions of pages stay separate.
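The failure mode described above, as an added example that is not WP Rocket's code or part of the original page: a toy page cache keyed on URL plus selected cookie values, showing how a page rendered for an opted-in visitor is served to a refusing one unless the CMP cookie is part of the cache key. The class and function names, the `/analytics.js` path and the `accepted`/`refused` cookie values are constructed for illustration.

```python
"""Toy model of a page cache keyed on URL plus selected cookie values.
Not WP Rocket code: names, cookie values and render logic are constructed."""

CMP_COOKIE = "CookieConsent"  # cookie name from the page; values are simplified


def render_origin(url, cookies):
    """Stand-in for WordPress: emit the analytics tag only after opt-in."""
    body = f"<html><!-- {url} -->"
    if cookies.get(CMP_COOKIE) == "accepted":
        body += '<script src="/analytics.js"></script>'
    return body + "</html>"


class PageCache:
    def __init__(self, vary_cookies=()):
        self.vary_cookies = tuple(vary_cookies)
        self.store = {}

    def key(self, url, cookies):
        # One cache variant per distinct combination of vary-cookie values.
        # A missing cookie (None) is its own variant, distinct from any value.
        return (url,) + tuple(cookies.get(n) for n in self.vary_cookies)

    def fetch(self, url, cookies):
        k = self.key(url, cookies)
        if k not in self.store:  # cache miss: render once and keep the result
            self.store[k] = render_origin(url, cookies)
        return self.store[k]


def leaks_consent_state(cache, url="/pricing"):
    """Warm the cache as an opted-in visitor, then request as a refusing one.
    Returns True if the refusing visitor is served the analytics tag."""
    cache.fetch(url, {CMP_COOKIE: "accepted"})
    served = cache.fetch(url, {CMP_COOKIE: "refused"})
    return "analytics.js" in served


def audit(vary_cookies):
    cache = PageCache(vary_cookies)
    return {"leak": leaks_consent_state(cache), "variants": len(cache.store)}


if __name__ == "__main__":
    print("no variation:      ", audit([]))
    print("vary on CMP cookie:", audit([CMP_COOKIE]))
```
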
WP Rocket licence checks contact wp-rocket.me, hosted in France. No visitor data is transferred. If you enable RocketCDN (the optional add on powered by StackPath), static asset requests are routed through StackPath global edges, including the United States. In that scenario StackPath becomes a processor: sign the StackPath DPA and document the transfer in your record of processing activities.
Keep WP Rocket up to date, configure the Mandatory Cookies setting to include your CMP cookie name, exclude unauthenticated checkout and account pages from cache, host the WordPress site itself in the EEA, and audit RocketCDN if enabled. WP Rocket does not require its own banner entry: only declare it as a technical caching plugin in your privacy notice.
Websites using WP Rocket must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for WP Rocket. The plugin only sets functional cookies that segment cached pages and does not collect visitor identifiers. A short risk assessment is still useful when activating RocketCDN to document the transfer of asset requests to StackPath edges.
Sample consent text
Our website uses WP Rocket to deliver pages faster through caching, lazy loading and asset minification. WP Rocket only sets strictly necessary functional cookies to differentiate logged in users and visitors who have already accepted optional cookies. No analytics or marketing data is collected by WP Rocket itself.
Third-party domains contacted
wp-rocket.me, rocketcdn.me, api.wp-rocket.me, imagify.io, cloudflare.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| wordpress_logged_in_* | first_party | session | Read by WP Rocket to detect authenticated WordPress users and bypass cache for them. The cookie itself is set by WordPress core, not by WP Rocket, and serves the strictly necessary purpose of session continuity. |
| wp_rocket_mobile_detect | first_party | session | Functional cookie used by WP Rocket to detect mobile devices and serve the mobile cache variant when separate mobile caching is enabled. |
| comment_author_* | first_party | 347 days | Read by WP Rocket to recognise recent commenters and serve them an uncached page. The cookie is written by WordPress when a visitor leaves a comment; WP Rocket only inspects it to decide which cache variant to deliver. |
| wp_rocket_geo_redirect | first_party | 1 day | Optional functional cookie used by the WP Rocket Geolocation add-on (when enabled) to remember the visitor's country and avoid repeated geo redirects. |
| wp_rocket_optin | first_party | 1 year | Optional administrator-side cookie that may be created when an administrator opts in to certain WP Rocket settings inside the WordPress dashboard. It is not set on the public visitor side and carries no tracking purpose. |
No. WP Rocket does not set analytics, advertising or profiling cookies. It only uses functional cache variation logic that respects existing cookies (your CMP cookie, the WordPress logged in cookie) to serve the right cached page version to each visitor.
No. WP Rocket does not require consent because it does not drop any cookie on visitor browsers. You still need consent for the analytics, advertising and embedded scripts that may be added to your WordPress site through other plugins or themes.
WP Rocket processing relies on legitimate interest under Article 6(1)(f) GDPR for the publisher (performance optimisation and bandwidth reduction). The licence email address and support requests handled by WP Media SAS rely on contract under Article 6(1)(b) GDPR.
WP Rocket itself transfers no visitor data. Licence checks contact wp-rocket.me in France. If you enable RocketCDN (StackPath powered), asset requests are routed through global StackPath edges including the United States. In that scenario sign the StackPath DPA and document the transfer.
No. WP Rocket does not process personal data of visitors beyond rotating IPs in server logs. A short risk assessment is useful when activating RocketCDN to document the additional processor and the transfer to US edges.
Keep WP Rocket and WordPress core up to date, configure the Mandatory Cookies setting to include your consent management platform cookie name (CookieConsent, cookieyes-consent, OptanonConsent), exclude checkout and account pages from cache, host the WordPress site in the EEA and audit RocketCDN if enabled.
Alternatives include LiteSpeed Cache (free, lightweight), W3 Total Cache (free), WP Super Cache (free, by Automattic), Cache Enabler (free, by KeyCDN), Swift Performance and Hummingbird. None of these set tracking cookies either; the main difference is in performance, configuration and pricing.
You usually do not need a dedicated entry for WP Rocket because it sets no tracking cookies. Mention it as a technical caching plugin in the section that describes hosting and performance, and if RocketCDN is enabled add a paragraph about the StackPath CDN and the related transfer outside the EEA.
WP Rocket sets no cookies of its own on the visitor's device. It does read existing WordPress cookies such as wordpress_logged_in_*, wp_postpass_*, comment_author_*, and the WooCommerce cart and session cookies, because these are the standard signals that tell a caching engine "do not serve a generic cached page to this visitor". Reading those cookies is necessary for the cache to behave correctly and does not create a separate storage event under Article 5(3) ePrivacy. Some configurations of Cloudflare APO can cause Cloudflare to set a __cfduid or cf_clearance cookie on top; that is Cloudflare's own cookie, not WP Rocket's.
No, the plugin itself does not require consent. It is a server-side optimisation that processes no personal data of visitors and stores nothing on their device. The processing it performs falls outside the scope of Article 5(3) ePrivacy because nothing is written to the terminal equipment, and outside any consent-based legal basis under GDPR because there is no personal data of visitors being processed by the plugin. Consent may become relevant for specific add-ons, for example if Cloudflare APO sets non-essential cookies, in which case those cookies, not the plugin, trigger the consent obligation.
For the small amount of processing that does happen, Article 6(1)(f) GDPR, legitimate interest, is the relevant basis. The interest is delivering a fast, stable and resource efficient website to the user, which the EDPB has consistently recognised as a legitimate interest, and the processing is proportionate because it does not single out individuals or build profiles. Article 6(1)(b), performance of a contract, applies in parallel to licence administration between the controller and WP Media. No consent based or vital interest based grounds are needed for the plugin itself.
The plugin itself does not. WP Rocket runs on your own server and communicates with WP Media's infrastructure in France for licence checks and updates, exchanging your domain and licence key rather than visitor data. Optional integrations change the answer: RocketCDN distributes static assets via a global edge network and can therefore touch non-EU regions, Cloudflare APO uses Cloudflare's worldwide network, and Imagify processes images on its own EU servers. If you enable RocketCDN or Cloudflare APO, document the transfer with Standard Contractual Clauses and update your privacy notice accordingly.
A full DPIA under Article 35 GDPR is not required for WP Rocket alone; the plugin does not engage in any of the high-risk categories such as systematic monitoring, large-scale processing of special categories, or evaluation of individuals. A short entry in the record of processing activities under Article 30 is sufficient. A DPIA can become advisable if you stack WP Rocket with global CDN add-ons, enable verbose performance logging that captures IP addresses, or combine it with analytics platforms that introduce profiling, because then the overall processing operation, not the plugin itself, may cross the threshold.
Install the plugin, accept the licence terms with WP Media, and review the settings tab by tab. Keep cache exclusions for logged-in users and recent commenters enabled; this is the default and avoids serving personalised content from cache. If you do not need a global CDN, leave RocketCDN off; this keeps everything inside your own server. If you do enable RocketCDN, Cloudflare APO or Imagify, sign the relevant DPAs and add the providers to your record of processing. Avoid enabling verbose debug logging in production unless you have a clear retention policy, and apply the same patch discipline you apply to WordPress core.
The closest commercial alternative is FlyingPress, a French-built premium caching plugin with a similar privacy profile. LiteSpeed Cache is free, very fast, and developed by LiteSpeed Technologies in the United States; although it runs entirely on your server, it benefits from a LiteSpeed web server or compatible edge. W3 Total Cache is a long-standing free option maintained by BoldGrid in the United States, feature-rich but more complex to tune. WP Super Cache is the free option from Automattic, simple and conservative. For server-side caching outside the plugin layer entirely, NGINX FastCGI cache or Varnish remain strong choices for high-traffic sites.
Mentioning WP Rocket is optional because it sets no cookies and processes no visitor data. If you want full transparency, add a short paragraph under technical and organisational measures, for example: "We use WP Rocket, a caching plugin developed by WP Media SAS in France, to deliver pages faster. The plugin runs on our server, sets no cookies of its own, and does not transmit visitor data to third parties." If RocketCDN, Cloudflare APO or Imagify is also active, list those providers separately as processors with their locations and the transfer mechanism in place.