Why WordPress Sites Need a Dedicated Cookie Consent Plugin
WordPress does not include any built-in mechanism for managing cookie consent. Out of the box, a fresh WordPress installation sets session cookies like wordpress_logged_in_* and wp-settings-*, which are classified as strictly necessary. The problem starts the moment you install a theme or plugin that loads Google Analytics, Meta Pixel, or advertising scripts - these set non-essential cookies such as _ga, _fbp, and _gcl_au without asking your visitors for permission.
Under the ePrivacy Directive (Article 5(3)) and the GDPR (Articles 6 and 7), storing or accessing information on a visitor's device requires prior informed consent - unless that cookie is strictly necessary for a service the user explicitly requested. A cookie banner that merely informs visitors without actually blocking scripts is not compliant.
Enforcement actions continue to rise. In 2025, the CNIL fined SHEIN EUR 150 million for installing cookies before users gave permission and for providing reject options that did not function properly. The ICO launched a systematic review of the top 1,000 UK websites in January 2025, issuing 134 warnings from the first 200 sites reviewed alone. WordPress site owners are not exempt from these rules simply because a plugin handles their tracking setup.
The WP Consent API: A Standard Worth Understanding
The WP Consent API is a feature plugin maintained under the WordPress GitHub organisation. It provides a standardised interface that allows consent management plugins and other WordPress plugins to communicate about a visitor's consent status.
The API defines five consent categories: functional, statistics-anonymous, statistics, preferences, and marketing. A simple function call - wp_has_consent('marketing') - returns true or false depending on whether the visitor has accepted that category. Plugins that support this API, including Jetpack and WooCommerce, can check consent status before setting cookies. This means your CMP plugin and your analytics plugin speak the same consent language, reducing the risk of cookies firing without permission.
When evaluating any WordPress cookie consent solution, check whether it integrates with the WP Consent API. A plugin that supports it will work well with a growing ecosystem of privacy-aware WordPress plugins.
What to Look for in a WordPress Cookie Consent Plugin
Not every plugin labelled "GDPR compliant" actually delivers compliance. Here is what matters.
Prior Consent and Script Blocking
The most important feature is the ability to block non-essential scripts before a visitor opts in. Some plugins only display a notice without preventing cookies from loading - this fails the basic requirement under both the ePrivacy Directive and the GDPR. Look for plugins that intercept script output, change type="text/javascript" to type="text/plain", or use similar mechanisms to prevent execution until consent is granted.
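The type-rewriting mechanism described above, as an added example (not code from any particular plugin). The rule list, the `data-category` attribute and the `G-XXXX` style of measurement ID used when trying it out are assumptions for illustration; it only matches external scripts by their src.

```javascript
// Hypothetical rule list: URL fragment of a tracker script -> consent category it needs.
const BLOCK_RULES = [
  { match: 'googletagmanager.com/gtag/js', category: 'statistics' },
  { match: 'google-analytics.com', category: 'statistics' },
  { match: 'connect.facebook.net', category: 'marketing' },
];

// Rewrite the opening tag of every external script whose category is not in
// `granted` (a Set of category names) so the browser treats it as inert text.
function blockScripts(html, granted) {
  return html.replace(/<script\b([^>]*)>/gi, (tag, attrs) => {
    const src = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) return tag; // inline scripts are not matched by these src-based rules
    const rule = BLOCK_RULES.find(r => src[1].includes(r.match));
    if (!rule || granted.has(rule.category)) return tag;
    // Remove any existing type attribute, then mark the script as text/plain.
    const rest = attrs.replace(/\stype\s*=\s*["'][^"']*["']/i, '');
    return `<script type="text/plain" data-category="${rule.category}"${rest}>`;
  });
}
```

Once consent is granted in the browser, changing the type back on the existing element does not execute it; the script has to be re-inserted as a new element.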
Granular Category Controls
Your banner must allow visitors to accept or reject cookies by category (strictly necessary, functional, analytics, marketing). A single "Accept All" button without granular options is a dark pattern that regulators actively target. The plugin should also make rejecting non-essential cookies as easy as accepting them - button parity is now a baseline expectation.
Google Consent Mode v2
Since March 2024, Google Consent Mode v2 has been required for websites using Google Ads or Google Analytics that serve EU visitors. Your cookie consent plugin must fire the correct consent signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) via the dataLayer. Without this, you lose access to conversion modelling and remarketing audiences in Google's advertising products.
Geo-Targeted Consent Rules
If your site receives traffic from multiple jurisdictions, you need different consent behaviour depending on the visitor's location. EU visitors require opt-in consent. Visitors in California fall under the CCPA opt-out model. Some plugins handle this with region-based rule sets - showing a full opt-in banner in the EU and a simpler opt-out notice in the US.
Comparing WordPress Cookie Consent Approaches
The table below summarises key differences across the main types of cookie consent solutions available for WordPress.
| Feature | CMP-Based Plugins | WordPress-Native Plugins | Script-Only (No Plugin) |
|---|---|---|---|
| Script blocking before consent | Yes (cloud-based scanning) | Yes (server-side blocking) | Requires manual implementation |
| Automatic cookie detection | Cloud scanner | Built-in or basic scanner | None |
| WP Consent API support | Varies | Common | No |
| Google Consent Mode v2 | Usually included | Usually included | Manual setup required |
| Consent log storage | Third-party cloud | Your own database | Custom implementation |
| Geo-targeting | Yes | Some plugins | Requires custom logic |
| Page view or domain limits | Often on free tiers | Rarely | None |
| Performance impact | External JS loaded | Local assets | Minimal |
CMP-based plugins connect to an external service that scans your site and manages consent through a cloud platform. WordPress-native plugins handle everything within your WordPress installation, storing consent records in your own database. Script-only approaches bypass the plugin architecture entirely but require significant developer effort to implement properly.
Key Evaluation Criteria for Your Shortlist
Rather than recommending specific plugins (the market shifts constantly), focus your evaluation on these criteria.
Does It Actually Block Cookies?
Install the plugin, reject all cookies, then open Chrome DevTools and check the Application tab. If you still see _ga, _fbp, or other non-essential cookies, the plugin is not doing its job. This is the single most important test. The cookie banner verification process should be part of every implementation.
Consent Record Keeping
Under GDPR Article 7(1), you must be able to demonstrate that consent was given. Your plugin should log the timestamp, categories accepted, IP address (or anonymised version), and the version of your cookie policy at the time of consent. If a data protection authority investigates, these records are your primary evidence.
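An added example of a consent record carrying the fields listed above (not taken from any plugin). The field names, the anonymisation policy (zeroing the last IPv4 octet, keeping the first 48 bits of IPv6) and the extra `rejected` list are assumptions; the category names are the five WP Consent API categories.

```javascript
const CATEGORIES = ['functional', 'statistics-anonymous', 'statistics', 'preferences', 'marketing'];

// Assumed policy: IPv4 keeps the first three octets, IPv6 keeps the first three groups.
function anonymiseIp(ip) {
  if (ip.includes(':')) {
    const [head, tail = ''] = ip.split('::');
    const h = head ? head.split(':') : [];
    const t = tail ? tail.split(':') : [];
    // Expand a "::" run of zero groups so the first three groups are always real ones.
    const full = ip.includes('::')
      ? [...h, ...Array(8 - h.length - t.length).fill('0'), ...t]
      : h;
    return full.slice(0, 3).join(':') + '::';
  }
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error('not an IP address: ' + ip);
  return octets.slice(0, 3).join('.') + '.0';
}

// Build one log entry; throws rather than storing an incomplete record.
function buildConsentRecord({ accepted, ip, policyVersion, now = new Date() }) {
  const unknown = accepted.filter(c => !CATEGORIES.includes(c));
  if (unknown.length) throw new Error('unknown category: ' + unknown.join(', '));
  if (!policyVersion) throw new Error('policyVersion is required');
  return {
    timestamp: now.toISOString(),                              // when the choice was made
    accepted: CATEGORIES.filter(c => accepted.includes(c)),    // categories accepted
    rejected: CATEGORIES.filter(c => !accepted.includes(c)),   // assumption: also log refusals
    ip: anonymiseIp(ip),                                       // anonymised address only
    policyVersion,                                             // cookie policy shown at the time
  };
}
```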
Compatibility with Your Theme and Plugins
Some cookie consent plugins conflict with caching plugins (WP Super Cache, W3 Total Cache, LiteSpeed Cache), page builders (Elementor, Divi), and security plugins. Test thoroughly in a staging environment before deploying to production. Check the plugin's support forum for known conflicts.
Performance and Core Web Vitals
Cookie banners can negatively affect Core Web Vitals, particularly Cumulative Layout Shift (CLS) if the banner pushes page content. Plugins that load external JavaScript from a cloud service add to your page weight. WordPress-native plugins serving local assets tend to have a lighter footprint.
WooCommerce and eCommerce Considerations
If you run WooCommerce, your cookie consent setup must account for additional scripts. WooCommerce sets its own session cookies (woocommerce_cart_hash, woocommerce_items_in_cart) that are generally classified as strictly necessary because they enable the shopping cart function.
The complexity increases when you add payment gateways like Stripe or PayPal, which set fraud detection cookies, and remarketing pixels for Google Ads or Meta. Each of these needs correct categorisation in your consent banner. A plugin that supports the WP Consent API simplifies this, as WooCommerce itself integrates with the API and can check consent before loading non-essential features.
Test your checkout flow after configuring the plugin. If rejecting analytics cookies breaks the cart or checkout, your cookie classification is wrong - cart and checkout cookies should always be marked as strictly necessary.
Integration with Google Tag Manager
Many WordPress sites use Google Tag Manager (GTM) to manage third-party scripts. Your cookie consent plugin should integrate with GTM's consent initialisation trigger, pushing consent states to the dataLayer so that GTM tags fire only when the appropriate consent category has been granted.
The recommended pattern is to load GTM with default consent states set to "denied", then update those states when the visitor interacts with the banner. This approach, combined with Consent Mode v2, ensures that Google tags respect the visitor's choices and that you retain access to modelled conversion data.
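The default-denied-then-update pattern, with the four Consent Mode v2 signals named earlier, as an added example (not code from Google or from any plugin). The mapping from banner categories to signals and the function names are assumptions; a local array stands in for window.dataLayer so the logic can run outside a browser.

```javascript
const dataLayer = []; // stands in for window.dataLayer
// Same shape as the standard gtag helper: it pushes the arguments object itself.
function gtag() { dataLayer.push(arguments); }

// Assumed mapping: which banner category controls each Consent Mode v2 signal.
const SIGNALS = {
  ad_storage: 'marketing',
  ad_user_data: 'marketing',
  ad_personalization: 'marketing',
  analytics_storage: 'statistics',
};

// Turn the list of granted banner categories into a Consent Mode state object.
function consentState(grantedCategories) {
  const state = {};
  for (const [signal, category] of Object.entries(SIGNALS)) {
    state[signal] = grantedCategories.includes(category) ? 'granted' : 'denied';
  }
  return state;
}

// Must run before the GTM container snippet: everything starts as "denied".
function setDefaults() { gtag('consent', 'default', consentState([])); }

// Called from the banner when the visitor saves a choice.
function onBannerChoice(granted) { gtag('consent', 'update', consentState(granted)); }

// Ordering check: the consent default has to be queued before GTM's own
// 'gtm.js' start event, otherwise tags can evaluate without a default state.
function defaultBeforeGtm(layer) {
  const d = layer.findIndex(e => e[0] === 'consent' && e[1] === 'default');
  const g = layer.findIndex(e => e.event === 'gtm.js');
  return d !== -1 && (g === -1 || d < g);
}
```

Running `defaultBeforeGtm(window.dataLayer)` in the browser console on a live page shows whether the plugin queues its defaults ahead of the container.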
Common Mistakes When Setting Up Cookie Consent on WordPress
Several pitfalls catch site owners repeatedly.
Relying on a cookie notice without script blocking is the most frequent error. Displaying a banner does not equal compliance if tracking scripts still fire before consent.
Failing to re-scan after plugin updates is another oversight. Every time you add a new plugin, update a theme, or add an embedded widget, your site may set new cookies. Running regular cookie audits catches these changes before a regulator does.
Ignoring mobile responsiveness causes problems too. If your cookie banner covers the entire mobile screen without a clear reject option, you risk both a poor user experience and regulatory scrutiny. CNIL and other DPAs have specifically flagged mobile banner designs that make refusal difficult.
Using a free plugin without understanding its limitations is risky. Some free solutions lack consent logging, geo-targeting, or automatic script blocking. Evaluate whether a free or paid solution meets your actual compliance obligations.
Frequently Asked Questions
Does WordPress set cookies by default without a consent plugin?
WordPress itself sets session cookies like wordpress_logged_in_* for logged-in users and wp-settings-* for preferences. These are strictly necessary and do not require consent. Non-essential cookies typically come from themes, plugins, or embedded third-party content such as YouTube videos or analytics scripts.
What is the WP Consent API and do I need it?
The WP Consent API is a standardised interface that allows WordPress plugins to check whether a visitor has consented to specific cookie categories. It is not required, but using a consent plugin that supports it improves compatibility with other privacy-aware plugins such as Jetpack and WooCommerce.
Can I use a free WordPress cookie consent plugin and still be GDPR compliant?
It is possible, but many free plugins lack script blocking, consent logging, or geo-targeting. Without these features, you may display a banner without actually preventing non-essential cookies from loading, which does not meet GDPR or ePrivacy requirements.
How do I test whether my cookie consent plugin actually blocks cookies?
Open Chrome DevTools, go to the Application tab, clear all cookies, reload the page, and reject all cookies in the banner. Then check whether non-essential cookies like _ga or _fbp still appear. If they do, your plugin is not blocking correctly.
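The reject-all test described here and under "Does It Actually Block Cookies?", as an added example that classifies a cookie string such as the value of document.cookie. The name patterns come from the cookies this article mentions; the category assigned to each one and the function name are assumptions.

```javascript
// Cookies the article treats as strictly necessary.
const NECESSARY = [
  /^wordpress_logged_in_/,
  /^wp-settings-/,
  /^woocommerce_cart_hash$/,
  /^woocommerce_items_in_cart$/,
];

// Cookies the article names as non-essential, with an assumed category each.
const NON_ESSENTIAL = [
  { pattern: /^_ga($|_)/, category: 'statistics' },
  { pattern: /^_fbp$/, category: 'marketing' },
  { pattern: /^_gcl_au$/, category: 'marketing' },
];

// Classify every cookie present after "reject all" was clicked.
// violations: should not exist; unknown: needs a manual look.
function auditAfterReject(cookieString) {
  const names = cookieString
    .split(';')
    .map(part => part.trim().split('=')[0])
    .filter(Boolean);
  const report = { violations: [], necessary: [], unknown: [] };
  for (const name of names) {
    const hit = NON_ESSENTIAL.find(r => r.pattern.test(name));
    if (hit) report.violations.push({ name, category: hit.category });
    else if (NECESSARY.some(p => p.test(name))) report.necessary.push(name);
    else report.unknown.push(name);
  }
  return report;
}
```

document.cookie does not list HttpOnly cookies, so the Application tab remains the complete view; the function only automates the comparison.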
Do WooCommerce cart cookies need consent?
No. Cookies that enable the shopping cart and checkout process, such as woocommerce_cart_hash and woocommerce_items_in_cart, are classified as strictly necessary because they deliver a service the user explicitly requested.
Is Google Consent Mode v2 required for WordPress sites?
If your WordPress site uses Google Ads or Google Analytics and serves visitors in the EU or EEA, Google requires Consent Mode v2 signals to be sent via a certified CMP. Without it, you lose access to conversion modelling and remarketing features.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.