WordPress GDPR compliance: Standard WordPress cookies.

Understand the default WordPress cookies, and find out how to make sure your site meets all the GDPR cookie requirements.

The General Data Protection Regulation (GDPR) is the EU’s data protection law. It aims to protect the personal data and privacy of EU citizens, and affects any organisation (wherever it is based) that processes the data of EU residents.

If you manage a website, chances are you’ve heard a lot about GDPR. Since it came into effect in 2018, it has added a set of requirements that any website operating in the EU must comply with. 

These include:

  • Obtain explicit consent from users – before collecting any personal data, including via analytics or cookies.
  • Explain how you are processing data – via a detailed privacy policy that lays out how data is collected, stored and protected.
  • Let users manage their data – by providing systems to respond to users who want to access, correct or delete the data you have collected about them.

Failing to follow GDPR rules can mean a hefty fine, so it’s important to get it right.

In future articles, we’ll look at implementing cookie consent on your WordPress site, and the correct way to collect, store and process user data when using online forms.

For now, we’ll discuss how to find out what cookies are being set by your WordPress site, and how to document those in a privacy policy in order to comply with GDPR.

GDPR and cookies

“Cookies are small text files that websites place on your device as you are browsing. They are processed and stored by your web browser. In and of themselves, cookies are harmless and serve crucial functions for websites. Cookies can also generally be easily viewed and deleted.”

– GDPR.eu

In general, cookies are both harmless and often necessary. However, cookies can store personally identifying information, and they are often the tool advertisers use to track users across multiple sites in order to target them with ads. As such, there are a number of GDPR rules on cookies.

Website owners are required to:

  1. Explain in detail what each cookie tracks and why, in plain language, before getting consent
  2. Obtain user consent before setting any cookies other than strictly necessary cookies – those required for the site to function properly
  3. Document and store consent received from users
  4. Allow users to access the website even if they refuse some or all cookies
  5. Allow users to withdraw consent as easily as they were able to give it

Points 2-5 concern implementing cookie consent controls on your site. Everyone’s seen the increasingly complex cookie consent popups that appear on every site these days. That’s a bit beyond the scope of this article (although if you’d like us to do it for you, get in touch), so the rest of this article will focus on Point 1.

How to document cookies for GDPR Compliance

The process for documenting cookies under GDPR has two main steps:

  1. Finding out what cookies your site uses
  2. Explaining them in your privacy policy

WordPress itself sets some cookies as standard, which are outlined below. You’ll also need to check to see if cookies are being set by any plugins you are using, or if you are setting some yourself through custom development work.

Standard WordPress Cookies

These are the standard cookies set by WordPress. They are set when logging into the CMS admin system, and are thus not visible to public users. They also count as strictly necessary cookies under GDPR, which are allowed. As such, they don’t necessarily need to be included in your privacy policy, although you may wish to do so for completeness.

When documenting cookies, you can include them in a table, like below, including the name of each cookie, and the description of what it does and why.

| Cookie name | Description |
| --- | --- |
| wp-settings-time-UID and wp-settings-UID | Used to customise the view of the admin interface and possibly the main site interface when you are logged in. |
| wordpress_logged_in_{HASH} | To indicate when you’re logged in, and who you are. |
| wordpress_sec_{HASH} | Helps keep you logged in to the admin system. |
| wordpress_test_cookie | A test cookie to check if the browser is able to set cookies. |

In addition, these cookies are set when a user comments on any post:

| Cookie name | Description |
| --- | --- |
| comment_author_{HASH}, comment_author_email_{HASH}, comment_author_url_{HASH} | Details set by the user when posting a comment. These are saved to avoid the user having to enter them again when posting future comments. |

Finding other cookies

The quickest way to find out what cookies your site is using is to use a cookie checker service, such as https://www.cookieyes.com/cookie-checker. Put in your URL and it’ll spit out a report with a list of the cookies you are setting on your site – you can grab the information from there and paste it straight into your privacy policy.

If you don’t want to do that, you can use the Inspector in your browser to check what cookies have been set by a particular site. The process differs slightly from browser to browser. If you’re interested, https://www.cookielawinfo.com/does-my-website-use-cookies/ has instructions for all the major browsers.
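Once you have the list of cookies, the next job is separating the standard WordPress cookies from everything else that still needs documenting. The script below is an added example, not part of the original article: it matches cookie names from `Set-Cookie` header values against the standard WordPress names listed above. The sample headers are constructed, `_ga` and `my_plugin_pref` are illustrative names, and the function names and the assumption that UID is numeric and {HASH} is hexadecimal are ours.

```python
import re

# Name patterns for the standard WordPress cookies in the article's table,
# with the article's descriptions. UID is assumed numeric, {HASH} hexadecimal.
STANDARD_COOKIES = [
    (re.compile(r"wp-settings-(time-)?\d+"),
     "Used to customise the view of the admin interface and possibly the "
     "main site interface when you are logged in."),
    (re.compile(r"wordpress_logged_in_[0-9a-f]+"),
     "To indicate when you're logged in, and who you are."),
    (re.compile(r"wordpress_sec_[0-9a-f]+"),
     "Helps keep you logged in to the admin system."),
    (re.compile(r"wordpress_test_cookie"),
     "A test cookie to check if the browser is able to set cookies."),
    (re.compile(r"comment_author_(email_|url_)?[0-9a-f]+"),
     "Details set by the user when posting a comment."),
]

def cookie_name(set_cookie_value):
    """Return the cookie name from one Set-Cookie header value."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()

def classify(set_cookie_values):
    """Split cookie names into documented (name -> description) and unknown."""
    documented, unknown = {}, []
    for value in set_cookie_values:
        name = cookie_name(value)
        for pattern, description in STANDARD_COOKIES:
            if pattern.fullmatch(name):
                documented[name] = description
                break
        else:
            if name not in unknown:
                unknown.append(name)
    return documented, unknown

# Constructed sample headers (not captured from a real site).
SAMPLE_HEADERS = [
    "wordpress_test_cookie=WP%20Cookie%20check; path=/; secure",
    "wordpress_logged_in_0123456789abcdef0123456789abcdef=editor%7C1700000000; path=/; HttpOnly",
    "wp-settings-time-2=1700000000; path=/",
    "comment_author_email_0123456789abcdef0123456789abcdef=a%40example.com; path=/",
    "_ga=GA1.2.111.222; path=/; Max-Age=63072000",
    "my_plugin_pref=dark; path=/",
]

if __name__ == "__main__":
    documented, unknown = classify(SAMPLE_HEADERS)
    for name, description in documented.items():
        print(f"{name} | {description}")
    for name in unknown:
        print(f"{name} | NOT DOCUMENTED: add to the privacy policy")
```

Anything reported as not documented comes from a plugin, a third-party script or custom code, and needs its own entry in the privacy policy.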

Looking for help with anything related to cookies and WordPress?

You should get in touch.
