What are Cookies?

February 8, 2026

Cookies are small pieces of data that a website asks the visitor's browser to keep and send back. Technically, each cookie is a name-value pair plus metadata: an optional expiry, the domain and path it belongs to, and security attributes. On every later HTTP request whose host, path and scheme match that metadata, the browser includes the cookie in the Cookie request header, which is how websites "remember" things between page loads. WordPress core uses cookies for login sessions, admin preferences and the comment form; tracking cookies on a WordPress site come from plugins and embedded third-party services, not from core.

How Cookies Work at a Technical Level

When your WordPress site sends a response to a browser, it can include one or more Set-Cookie headers. Each header defines a cookie with a name, a value, and optional attributes such as expiration time and scope. On every subsequent request to a matching host and path (and, for cookies marked Secure, only over HTTPS), the browser automatically includes those cookies in the Cookie request header. The server reads them and uses the stored data to identify the user, restore session state, or track behaviour.

This mechanism is what makes login sessions possible. Without cookies, the server would have no way to know that the person requesting the dashboard is the same person who just entered a password on the login page. Note that the scope rules are enforced by the browser, not the server, and anything a client sends can be forged: a login cookie is only as trustworthy as the server's ability to verify it, which is why WordPress signs its authentication cookies with secrets from wp-config.php instead of trusting the username stored in them.

First-Party Cookies vs. Third-Party Cookies

The distinction between first-party and third-party cookies is central to privacy regulations and matters for every WordPress site owner:

  • First-party cookies: Set by your own domain. These include WordPress login session cookies, GDPR consent preferences stored by your cookie banner plugin, WooCommerce cart contents, and any cookies your theme or custom code creates. First-party cookies are generally considered less privacy-invasive because they only operate within your own site.
  • Third-party cookies: Set by external domains through resources loaded on your page. When your WordPress site loads Google Analytics, the Facebook Pixel, a YouTube embed, or an advertising script, these services set their own cookies on their own domains. Third-party cookies can track visitors across multiple websites, which is why they are the primary target of privacy regulations. Safari blocks them by default and Firefox isolates them per site (Total Cookie Protection); Chrome, after several postponements, announced in 2024 that it would keep supporting them rather than remove them by default.

Session Cookies vs. Persistent Cookies

Cookies also differ in how long they last:

  • Session cookies: These cookies carry no Expires or Max-Age attribute. The browser keeps them in memory and discards them when it is closed (a browser configured to restore its previous session may keep them longer). wordpress_test_cookie is one, and so is the WordPress login cookie when "Remember Me" is not ticked.
  • Persistent cookies: These cookies have an Expires or Max-Age attribute and stay on the visitor's device until that time arrives (or the user clears them). With "Remember Me" ticked, wordpress_logged_in_* is persistent for 14 days. Without it, the cookie itself is a session cookie, but the expiration timestamp signed into its value makes it invalid after 48 hours even if the browser still holds it. Google Analytics cookies like _ga persist for 2 years by default.

WordPress Default Cookies Explained

A standard WordPress installation sets several cookies, all of which serve specific purposes:

  • wordpress_test_cookie: Set on the login page to check whether the browser accepts cookies at all. If this cookie is blocked, WordPress displays an error saying that cookies must be enabled to log in.
  • wordpress_logged_in_[hash]: The main authentication cookie for logged-in users. Its value is username|expiration|session token|HMAC. The HMAC is computed with the LOGGED_IN_KEY and LOGGED_IN_SALT secrets from wp-config.php, keyed additionally with a fragment of the user's stored password hash (so changing the password invalidates existing cookies), and the session token is checked against the sessions stored for that user, so a tampered value or a logged-out session is rejected. The [hash] suffix is an MD5 of the site URL. This cookie is sent with requests across the whole site and tells WordPress who the logged-in user is.
  • wordpress_[hash] (wordpress_sec_[hash] when WordPress detects HTTPS): A second authentication cookie, signed with the separate AUTH_KEY or SECURE_AUTH_KEY secrets and scoped to the /wp-admin/ and /wp-content/plugins/ paths. Because the browser only sends it to those paths, it never travels with ordinary front-end requests, which limits what an attacker gains from capturing front-end traffic.
  • wp-settings-[uid]: Stores user-specific admin interface preferences like the editor mode (visual vs. code), the number of items per page in admin lists, and panel states.
  • wp-settings-time-[uid]: Records when the wp-settings cookie was last updated.
  • comment_author_[hash], comment_author_email_[hash], comment_author_url_[hash]: Remember the name, email, and URL a visitor entered in a comment form, so they do not have to retype them on their next visit. Since WordPress 4.9.6 they are set only if the visitor ticks the "Save my name, email, and website in this browser" checkbox when submitting a comment, and they last just under a year by default.

These default WordPress cookies are all first-party cookies and are generally considered essential (necessary for the site to function). However, the comment cookies are sometimes classified as non-essential because commenting is optional.
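To make the structure of the login cookie concrete, here is the signing and validation scheme of wp_generate_auth_cookie() and wp_validate_auth_cookie() re-implemented in Python for the logged_in cookie. This is an added illustration written for this page, not WordPress's own code: the secrets, the user record and the in-memory SESSIONS set are constructed stand-ins (real WordPress stores hashed session tokens with their expiry in user meta, and the admin cookie uses the separate AUTH/SECURE_AUTH secrets).

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed stand-ins for the wp-config.php secrets, a wp_users row and the
# per-user session list (WordPress keeps the latter, hashed, in user meta).
LOGGED_IN_KEY, LOGGED_IN_SALT = "constructed-key", "constructed-salt"
USERS = {"alice": {"user_pass": "$P$BConstructedPhpassHashValue0000000"}}
SESSIONS: set[str] = set()
DAY = 86400


def wp_hash(data: str) -> str:
    """WordPress wp_hash(): HMAC-MD5 keyed with LOGGED_IN_KEY . LOGGED_IN_SALT."""
    key = (LOGGED_IN_KEY + LOGGED_IN_SALT).encode()
    return hmac.new(key, data.encode(), hashlib.md5).hexdigest()


def _mac(username: str, expiration: int, token: str) -> str:
    # pass_frag: four characters of the stored password hash, so a password
    # change alters the key and invalidates every cookie issued before it.
    pass_frag = USERS[username]["user_pass"][8:12]
    key = wp_hash(f"{username}|{pass_frag}|{expiration}|{token}")
    return hmac.new(key.encode(), f"{username}|{expiration}|{token}".encode(),
                    hashlib.sha256).hexdigest()


def generate_auth_cookie(username: str, remember: bool, now: int) -> str:
    """Build the wordpress_logged_in_* value: username|expiration|token|hmac."""
    expiration = now + (14 if remember else 2) * DAY     # 14 days with Remember Me, else 48 h
    token = secrets.token_hex(21)                        # random per-login session token
    SESSIONS.add(token)
    return f"{username}|{expiration}|{token}|{_mac(username, expiration, token)}"


def validate_auth_cookie(cookie: str, now: int) -> str | None:
    """Return the username if the cookie is genuine, unexpired and its session is live."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    username, expiration, token, mac = parts
    if not expiration.isdigit() or int(expiration) < now:
        return None                                      # expired or garbled expiry field
    if username not in USERS:
        return None
    if not hmac.compare_digest(_mac(username, int(expiration), token), mac):
        return None                                      # tampered value, wrong secrets or password changed
    if token not in SESSIONS:
        return None                                      # session destroyed (logout elsewhere)
    return username


def demo() -> dict[str, str | None]:
    now = 1_770_552_000                                  # 2026-02-08 12:00 UTC
    short = generate_auth_cookie("alice", remember=False, now=now)
    long_ = generate_auth_cookie("alice", remember=True, now=now)
    user, exp, token, mac = short.split("|")
    forged = f"{user}|{int(exp) + 30 * DAY}|{token}|{mac}"   # attacker extends the expiry by hand
    results = {
        "fresh": validate_auth_cookie(short, now),
        "forged_expiry": validate_auth_cookie(forged, now),
        "after_3_days_no_remember": validate_auth_cookie(short, now + 3 * DAY),
        "after_3_days_remember": validate_auth_cookie(long_, now + 3 * DAY),
        "after_15_days_remember": validate_auth_cookie(long_, now + 15 * DAY),
    }
    SESSIONS.discard(token)                              # simulate logging out the first session
    results["after_logout"] = validate_auth_cookie(short, now)
    USERS["alice"]["user_pass"] = "$P$BNewHashAfterPasswordChange000000"
    results["after_password_change"] = validate_auth_cookie(long_, now)
    return results
```

demo() walks through the cases the text describes: a fresh cookie validates, a cookie whose expiry field was edited fails the HMAC, the 48-hour cookie is dead after three days while the 14-day one still works, and both a logout and a password change invalidate cookies that are otherwise intact.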

GDPR, ePrivacy, and Cookie Consent Requirements

The European GDPR and the ePrivacy Directive set strict rules about cookies. For WordPress site owners targeting European visitors, these rules apply regardless of where your server is located:

  • Essential cookies: Cookies strictly necessary for the site to function (login sessions, security tokens, shopping cart state) do not require consent. You must still disclose them in your privacy policy.
  • Non-essential cookies: Analytics cookies, marketing cookies, personalization cookies, and third-party tracking cookies require informed, explicit consent before they are set. The visitor must actively opt in; pre-checked boxes or "by continuing to browse" banners are not valid consent.
  • Right to withdraw: Visitors must be able to withdraw their consent as easily as they gave it. Your cookie banner should include a way to change preferences at any time.
  • Information requirements: You must clearly explain what each cookie does, who sets it, and how long it lasts. This information is typically provided in a cookie policy or privacy policy page.

Cookie Consent Management for WordPress

WordPress does not include a cookie consent mechanism by default. You need a consent management plugin. Popular options include:

  • Complianz: A comprehensive GDPR/CCPA cookie consent plugin that automatically detects cookies on your site and generates cookie policies.
  • CookieYes: A widely used consent management platform with a WordPress plugin and cloud-based cookie scanning.
  • Real Cookie Banner: A WordPress-specific consent plugin with a strong focus on German/European privacy law.
  • Borlabs Cookie: A premium German-made plugin popular in the DACH region. It supports granular cookie categories and integrates with many third-party services.

A proper consent management setup blocks non-essential cookies and scripts until the visitor gives consent. This means Google Analytics, Facebook Pixel, and similar services should not load or set cookies until the visitor clicks "Accept" in the consent banner.

Cookie Security Flags: SameSite, Secure, and HttpOnly

Modern cookies can include security flags that control how they are transmitted and accessed:

  • Secure: The cookie is only sent over HTTPS connections, and modern browsers refuse to store a Secure cookie delivered in a plain-HTTP response. Without this flag, anyone on the network path, or anyone who can make the browser issue an http:// request to your host, can read the cookie.
  • HttpOnly: The cookie cannot be read by JavaScript via document.cookie, so a cross-site scripting (XSS) payload cannot exfiltrate the session cookie. It does not stop the payload from using the session: requests the injected script sends to your site still carry the cookie automatically.
  • SameSite: Controls whether the cookie is sent with cross-site requests. Strict means the cookie is never sent cross-site. Lax sends it on top-level navigations that use a safe method (following a link), but not on cross-site POST requests, iframes, images, or fetch/XHR calls, which is what makes Lax a useful defence against CSRF. None allows the cookie in all contexts, which is necessary for third-party cookies that must work across sites; it requires Secure, and browsers drop a SameSite=None cookie without it. If the attribute is missing, Chromium-based browsers treat the cookie as Lax.

WordPress sets HttpOnly on its authentication cookies by default, and sets Secure when it detects an HTTPS request via is_ssl(). Behind a reverse proxy or load balancer that terminates TLS, that detection fails unless wp-config.php maps the X-Forwarded-Proto header to $_SERVER['HTTPS'], and the cookies are then issued without Secure (and under the wordpress_ rather than wordpress_sec_ name). Core does not add a SameSite attribute, so the browser default applies. You can learn more about these flags in our article on HTTP security headers.

How Many Cookies Is Too Many

Every matching cookie is sent with every HTTP request to that domain. If your WordPress site sets 20 cookies totalling 4KB, those 4KB go out with every request for pages, images, stylesheets, scripts, and AJAX calls; on a page with 80 requests that is 320KB of extra upload over HTTP/1.1. HTTP/2 and HTTP/3 compress repeated headers, which shrinks the transfer cost considerably, but the server still has to receive and parse the cookies on every request.

Browsers enforce limits on cookies:

  • Per domain: RFC 6265 requires browsers to accept at least 50 cookies per domain (and 3,000 in total); Chrome allows 180 per domain. Beyond the limit, older cookies are evicted.
  • Per cookie: At least 4,096 bytes for the name, value and attributes together; larger cookies are silently rejected by the browser.

If your WordPress site sets many cookies (especially large ones from analytics and advertising scripts), it can noticeably slow down page loads. To avoid this, consider serving static assets from a cookie-free domain or subdomain, and minimize the number of third-party scripts you load.

What InspectWP Checks

InspectWP lists all cookies set by your WordPress site during the crawl, including their names, values, domains, paths, and security attributes (Secure, HttpOnly, SameSite). This helps you identify third-party cookies that may require GDPR consent, spot cookies from services you did not knowingly add, and verify that your authentication cookies have the proper security flags set. The cookie list in your InspectWP report is a useful starting point for building or updating your cookie policy.
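As an added example of the kind of check such a report supports (written for this page, not InspectWP's own code), the script below audits (response URL, Set-Cookie) pairs as a crawler would capture them: it classifies cookies as first- or third-party relative to the site host, flags WordPress authentication cookies that lack Secure or HttpOnly, notes the absent SameSite attribute, and reports cookies over the 4,096-byte limit. The OBSERVED list is constructed, and the severity labels and the non-SSL-name check (which assumes the site is served over HTTPS) are choices of this example.

```python
from urllib.parse import urlparse

MAX_COOKIE_BYTES = 4096   # RFC 6265: the smallest per-cookie size a browser must accept


def is_auth_cookie(name: str) -> bool:
    return name.startswith("wordpress_") and name != "wordpress_test_cookie"


def parse(header: str) -> tuple[str, dict[str, str]]:
    """Split a Set-Cookie value into (name, {attribute: value}); bare flags map to ''."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    return name, {k.strip().lower(): v.strip() for k, _, v in (a.partition("=") for a in attrs)}


def audit(site_url: str, observed: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """observed: (response URL, Set-Cookie value) pairs captured during a crawl.
    Returns (cookie name, severity, message) findings in crawl order."""
    site = urlparse(site_url)
    findings = []
    for url, header in observed:
        name, attrs = parse(header)
        domain = attrs.get("domain", urlparse(url).hostname).lstrip(".").lower()
        size = len(header.encode())
        if size > MAX_COOKIE_BYTES:
            findings.append((name, "high", f"{size} bytes; browsers may silently drop it"))
        if domain != site.hostname and not site.hostname.endswith("." + domain):
            findings.append((name, "info", f"third-party cookie ({domain}); needs consent review"))
            continue                          # the flag checks below are for your own cookies
        if not is_auth_cookie(name):
            continue
        if "secure" not in attrs:
            findings.append((name, "high", "auth cookie without Secure; sent on any http:// request"))
        if "httponly" not in attrs:
            findings.append((name, "high", "auth cookie without HttpOnly; readable by injected script"))
        if site.scheme == "https" and not name.startswith(("wordpress_sec_", "wordpress_logged_in_")):
            findings.append((name, "medium", "issued under the non-SSL name wordpress_*: "
                             "is_ssl() was false, check the proxy's X-Forwarded-Proto handling"))
        if "samesite" not in attrs:
            findings.append((name, "low", "no SameSite attribute; relying on the browser default (Lax)"))
    return findings


SITE = "https://blog.example.com"
OBSERVED = [   # constructed crawl capture; wordpress_h lacks Secure, as a proxy-fronted site would issue it
    (SITE + "/wp-login.php", "wordpress_test_cookie=WP%20Cookie%20check; path=/"),
    (SITE + "/wp-login.php", "wordpress_logged_in_h=alice|1771761600|tok|mac; path=/; secure; HttpOnly"),
    (SITE + "/wp-login.php", "wordpress_h=alice|1771761600|tok|mac; path=/wp-admin; HttpOnly"),
    (SITE + "/", "_ga=GA1.1.111.222; Max-Age=63072000; path=/; domain=example.com"),
    ("https://ads.example.net/pixel", "ads_id=42; path=/; SameSite=None; Secure"),
    (SITE + "/", "big_pref=" + "x" * 4100 + "; path=/"),
]


def demo() -> list[tuple[str, str, str]]:
    return audit(SITE, OBSERVED)
```

Run against the constructed capture, demo() flags the admin cookie twice (no Secure, and the wordpress_ rather than wordpress_sec_ name, both symptoms of WordPress not seeing HTTPS), the oversized preference cookie, the third-party pixel cookie for consent review, and the missing SameSite attribute on both authentication cookies.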
