WordPress Runs Nearly Half the Web - and That Makes It a Regulatory Target

WordPress powers roughly 43% of all websites on the internet, making it the dominant content management system by a wide margin. That scale draws attention from data protection authorities across Europe, the UK, California, Brazil, and beyond.

If your site runs on WordPress, it almost certainly sets cookies. Some are strictly necessary for the platform to function. Others - analytics trackers, advertising pixels, social embeds - require visitor consent under regulations like the GDPR, the ePrivacy Directive, and the CCPA. Ignoring that obligation carries real financial risk. In September 2025, France's CNIL fined SHEIN 150 million euros partly because cookies were installed before users gave permission and the reject option did not function properly.

The question is not whether your WordPress site needs a cookie banner. It does.

Which Cookies Does a Default WordPress Installation Set?

A fresh WordPress installation sets a handful of cookies tied to authentication and user preferences. These are classed as strictly necessary and do not require consent under Article 5(3) of the ePrivacy Directive.

The moment you add a plugin, a theme with embedded fonts, or a third-party tracking script, the picture changes. Most WordPress sites end up with dozens of cookies from multiple sources. Knowing which cookies belong to which category is the first step toward compliance.

| Cookie | Set By | Purpose | Category |
|---|---|---|---|
| wordpress_logged_in_[hash] | WordPress core | Identifies logged-in users across the admin and front end | Strictly necessary |
| wordpress_[hash] | WordPress core | Stores authentication details for the admin area | Strictly necessary |
| wp-settings-{time}-[UID] | WordPress core | Persists dashboard display preferences per user | Strictly necessary |
| comment_author_[hash] | WordPress core | Remembers commenter name and email for repeat visitors | Functional |
| _ga / _ga_[ID] | Google Analytics | Distinguishes unique visitors, measures sessions | Analytics |
| _fbp | Meta Pixel | Tracks visitors for Facebook advertising | Marketing |
| wc_cart_hash_[hash] | WooCommerce | Stores cart contents for the shopping session | Strictly necessary |
| tk_ai | Jetpack / WooCommerce | Anonymous traffic tracking within the admin dashboard | Analytics |

WooCommerce adds its own set of session and cart cookies. If your store uses payment gateways, abandoned cart recovery, or upsell plugins, expect additional payment-related cookies that may need consent depending on their function.

What the Law Actually Requires

Two legal frameworks matter most for cookie consent on WordPress sites. The GDPR sets the overarching data protection rules across the EU and EEA, while Article 5(3) of the ePrivacy Directive specifically governs the storing of information on a visitor's device. Together, they demand prior, informed, granular consent before any non-essential cookie fires.

That means your WordPress site must block analytics, marketing, and functional cookies until a visitor actively opts in. Pre-ticked boxes do not count. A banner that only says "this site uses cookies" without giving a genuine choice fails the test. The EDPB guidelines on consent make this explicit.

For visitors from California, the CCPA requires a clear opt-out mechanism for the sale or sharing of personal information, which includes data collected through tracking cookies. Since January 2026, updated CCPA regulations also prohibit dark patterns - if rejecting cookies takes more steps than accepting them, that is now a violation.

UK GDPR and PECR

Sites targeting UK visitors fall under the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). The ICO applies the same consent standard: non-essential cookies need opt-in consent, and the reject option must be equally accessible.

Brazil, Canada, and South Africa

The LGPD in Brazil, PIPEDA in Canada, and POPIA in South Africa each impose their own consent or notice requirements for cookie use. A WordPress site with international traffic cannot rely on a single jurisdiction's rules.

Why a Basic Cookie Notice Is Not Enough

Many WordPress themes ship with a simple dismissible banner that reads something like "This website uses cookies to improve your experience." That notice, on its own, does not satisfy any major privacy regulation. It provides no mechanism for granular choice, does not block scripts before consent, and creates no auditable record of what visitors agreed to.

A compliant cookie banner must do several things at once: identify the cookies and their purposes, offer category-level controls (strictly necessary, functional, analytics, marketing), provide an equally prominent reject option on the first layer, and block non-essential scripts until consent is recorded.

Script blocking is the part most WordPress installations get wrong. Installing Google Analytics through a theme settings panel or a header/footer plugin typically means the tracking script loads immediately on every page view, regardless of consent status. That fires _ga and _gid cookies before the visitor has seen the banner, which is exactly the violation that led to large enforcement actions in 2025.

Google Consent Mode and WordPress

Since mid-2025, Google Consent Mode v2 has been mandatory for EEA and UK traffic. If your WordPress site uses Google Analytics 4, Google Ads, or Google Tag Manager, you need a consent management platform that sends the correct consent signals to Google's tags.

Without those signals, Google cannot model conversions or build remarketing audiences from European visitors. Your advertising data becomes incomplete and your campaign optimisation suffers. A properly integrated CMP sends ad_storage, analytics_storage, and other consent parameters to Google tags automatically based on the visitor's choice.
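Script blocking (the failure described under "Why a Basic Cookie Notice Is Not Enough") and Consent Mode signalling together, as an added example in plain JavaScript rather than code from the Kukie.io plugin. It assumes Google's tags are embedded with a non-executing `type="text/plain"` plus a hypothetical `data-consent-category` attribute, and that the CMP fires a placeholder `cookie-consent` event carrying the granted categories.

```javascript
// Added example (not Kukie.io plugin code): gate non-essential tags behind consent
// and send Google Consent Mode v2 signals. Assumes each tag is embedded as
// <script type="text/plain" data-consent-category="analytics">...</script>
// (a hypothetical attribute convention) so the browser never executes it early.
const CONSENT_MODE_KEYS = {
  analytics:  ['analytics_storage'],
  marketing:  ['ad_storage', 'ad_user_data', 'ad_personalization'],
  functional: ['functionality_storage', 'personalization_storage'],
};

// Consent Mode v2 parameters for the categories a visitor granted. Everything
// non-essential is 'denied' unless granted; security_storage is always 'granted'.
// consentModeParams([]) is the default state sent before the banner is answered.
function consentModeParams(granted) {
  const params = { security_storage: 'granted' };
  for (const [category, keys] of Object.entries(CONSENT_MODE_KEYS)) {
    for (const key of keys) params[key] = granted.includes(category) ? 'granted' : 'denied';
  }
  return params;
}

// Re-create each blocked <script> as a live one once its category is granted,
// so _ga / _fbp cookies cannot be set before the visitor opts in.
function activateBlockedScripts(doc, granted) {
  let activated = 0;
  doc.querySelectorAll('script[type="text/plain"][data-consent-category]').forEach((el) => {
    if (!granted.includes(el.dataset.consentCategory)) return;
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  });
  return activated;
}

// Browser-only wiring: the default signal must go out before any Google tag loads;
// 'cookie-consent' is a placeholder for whatever event the CMP fires on a choice.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  window.gtag = window.gtag || function () { window.dataLayer.push(arguments); };
  window.gtag('consent', 'default', { ...consentModeParams([]), wait_for_update: 500 });
  document.addEventListener('cookie-consent', (e) => {
    window.gtag('consent', 'update', consentModeParams(e.detail.granted));
    activateBlockedScripts(document, e.detail.granted);
  });
}
```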

How to Add a Compliant Cookie Banner to WordPress

The Kukie.io WordPress plugin handles script blocking, consent collection, and Google Consent Mode integration from a single installation. The setup process takes a few minutes.

Step 1: Scan Your Site

Run a cookie scan to identify every cookie your WordPress site currently sets. The scanner detects first-party and third-party cookies, categorises them, and flags any that fire before consent. This audit is the foundation of an accurate cookie banner.

Step 2: Install the WordPress Plugin

The Kukie WordPress plugin can be installed directly from the WordPress admin panel. Once activated, it adds the consent banner script to every page and blocks non-essential cookies until the visitor makes a choice. Detailed installation steps are covered in the WordPress installation guide.

Step 3: Configure Categories and Geo-Detection

Set up geo-detection rules so European visitors see an opt-in banner while Californian visitors see the appropriate opt-out mechanism. Assign each cookie to its correct category and customise the banner design to match your theme.

Step 4: Test and Verify

Check that non-essential cookies are genuinely blocked before consent. Open Chrome DevTools, clear your cookies, and reload the page. Only strictly necessary cookies should appear before you interact with the banner. The article on auditing cookies with Chrome DevTools on the Kukie.io blog walks through this process.
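An added check for Step 4, not code from the Kukie.io plugin or blog: it classifies the cookies present before the banner is answered using the categories from the table above and lists any that are not strictly necessary. The sample cookie string is constructed; pasted into the DevTools console it reads document.cookie instead.

```javascript
// Added example (not Kukie.io code): audit cookies present on first load, before
// consent, against the categories listed in the table above. Clear cookies,
// reload, then run this in the DevTools console; in Node it uses the
// constructed sample string below.
const COOKIE_CATEGORIES = [
  // [pattern on cookie name, set by, category]; order matters, first match wins
  [/^wordpress_logged_in_/, 'WordPress core',        'strictly necessary'],
  [/^wordpress_/,           'WordPress core',        'strictly necessary'],
  [/^wp-settings-/,         'WordPress core',        'strictly necessary'],
  [/^comment_author_/,      'WordPress core',        'functional'],
  [/^wc_cart_hash_/,        'WooCommerce',           'strictly necessary'],
  [/^_ga(_|$)/,             'Google Analytics',      'analytics'],
  [/^_gid$/,                'Google Analytics',      'analytics'],
  [/^tk_ai$/,               'Jetpack / WooCommerce', 'analytics'],
  [/^_fbp$/,                'Meta Pixel',            'marketing'],
];

// Parse a document.cookie string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean);
}

function classify(name) {
  const hit = COOKIE_CATEGORIES.find(([re]) => re.test(name));
  return hit ? { name, setBy: hit[1], category: hit[2] }
             : { name, setBy: 'unknown', category: 'unclassified' };
}

// Anything not strictly necessary must not exist before consent. Unclassified
// cookies are reported too: they need a manual check, not a pass.
function preConsentViolations(cookieString) {
  return cookieNames(cookieString).map(classify)
    .filter((c) => c.category !== 'strictly necessary');
}

// Constructed sample of what a misconfigured site shows on first load.
const SAMPLE_PRE_CONSENT_COOKIES =
  'wordpress_test_cookie=WP%20Cookie%20check; _ga=GA1.1.123.456; _ga_ABC123=GS1.1; ' +
  '_fbp=fb.1.1; wc_cart_hash_9f=abc; wp-settings-time-1=170000';

if (typeof document !== 'undefined') {
  console.table(preConsentViolations(document.cookie));
} else {
  console.table(preConsentViolations(SAMPLE_PRE_CONSENT_COOKIES));
}
```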

Common WordPress Cookie Mistakes

Certain patterns appear repeatedly across WordPress sites that have received regulatory attention or failed compliance audits.

Loading _ga via the theme's built-in analytics field bypasses any consent logic. Google Analytics should only load after the visitor grants analytics consent. The same applies to Meta Pixel, Hotjar, and any marketing tag added through a header injection plugin.

Using a cookie-wall that blocks page content until the visitor clicks "Accept" is prohibited under EDPB guidance. Visitors must be able to browse the site regardless of their consent choice.

Forgetting WooCommerce analytics cookies is another blind spot. While cart and session cookies are strictly necessary, WooCommerce's Jetpack integration and usage tracking set additional cookies that fall under the analytics category.

WordPress Consent API Compatibility

WordPress introduced the WP Consent API to standardise how plugins communicate consent status. When a CMP supports this API, other plugins on the site can check whether the visitor has consented to a given cookie category before setting their own cookies.

This matters for sites running multiple plugins that each set their own tracking cookies. Without a shared consent layer, each plugin operates independently and may fire cookies regardless of the visitor's preferences.

Frequently Asked Questions

Does a WordPress blog without analytics need a cookie banner?

A plain WordPress installation sets only strictly necessary cookies for login and comments. If you use no analytics, no advertising pixels, and no third-party embeds, you may not need a consent banner. However, most themes and plugins add additional cookies, so running a scan is the safest approach.

Are WooCommerce cart cookies exempt from consent?

WooCommerce cookies that manage the shopping cart and checkout session are classed as strictly necessary under Article 5(3) of the ePrivacy Directive and do not require consent. Analytics and tracking cookies added by WooCommerce extensions do require consent.

Can I use a free cookie consent plugin for GDPR compliance?

Free plugins often display a notice without actually blocking scripts before consent. A compliant solution must prevent non-essential cookies from firing until the visitor opts in, support granular category controls, and maintain a consent log. Check whether the plugin offers genuine script blocking before relying on it.

How does Google Consent Mode work with WordPress?

Google Consent Mode sends consent state signals to Google tags. When a visitor declines analytics cookies, the tags fire in a restricted mode without setting cookies, allowing Google to model conversions. A CMP integrated with Consent Mode handles this automatically on each page load.

What happens if my WordPress site sets cookies before consent?

Setting non-essential cookies before a visitor gives consent violates Article 5(3) of the ePrivacy Directive and can trigger enforcement action. Fines vary by jurisdiction but can reach 20 million euros or 4% of annual global turnover under the GDPR.

Do I need different cookie banners for GDPR and CCPA?

The GDPR requires opt-in consent while the CCPA requires an opt-out mechanism. A CMP with geo-detection can show the appropriate banner type based on the visitor's location, ensuring compliance with both frameworks from a single installation.

Take Control of Your Cookie Compliance

If you are not sure which cookies your WordPress site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
