WordPress Cookie Audit: How Themes and Plugins Fill Your Site with Trackers
The Hidden Cookie Problem in WordPress
Most WordPress site owners do not realise how many cookies their site sets. A fresh WordPress installation with a popular theme and a handful of common plugins can easily set 15 to 30 cookies across various domains, many of them before the visitor has any opportunity to consent. This is not the result of deliberate tracking — it is the cumulative effect of themes and plugins loading external resources that come with their own cookies.
Understanding where these cookies come from, what they do, and how to control them is essential for any WordPress site that needs to comply with GDPR, ePrivacy, or similar regulations. This guide walks through the audit process step by step.
Why WordPress Sites Accumulate So Many Cookies
WordPress's plugin architecture is both its greatest strength and its biggest privacy liability. Each plugin operates semi-independently, and most plugin developers focus on functionality rather than cookie compliance. Here are the primary sources of cookies on a typical WordPress site:
Themes and Google Fonts
Many WordPress themes load Google Fonts directly from fonts.googleapis.com. When a visitor's browser requests these fonts, Google can set cookies and collect the visitor's IP address, browser information, and the referring page. In 2022, a German court ruled that loading Google Fonts from Google's servers without consent violates GDPR, resulting in a fine of EUR 100 for each affected visitor. The solution is to host fonts locally, but most theme defaults still point to Google's servers.
Page Builders and Analytics
Elementor, the most popular WordPress page builder, loads external resources including fonts and can set usage tracking cookies. Some Elementor widgets embed third-party content (YouTube videos, Google Maps) that set their own cookies. Even the free version of Elementor may send anonymised usage data unless explicitly disabled in settings.
SEO Plugins
Yoast SEO and Rank Math themselves set few cookies, but they often integrate with Google Search Console and encourage adding Google Analytics tracking codes. The analytics scripts they help you implement are a major source of cookies. Yoast's premium version also communicates with Yoast's servers for SEO analysis, which can involve cookies.
Jetpack and WordPress.com Services
Jetpack is one of the most prolific cookie setters in the WordPress ecosystem. Depending on which modules are active, Jetpack can set cookies for:
- Site statistics (WordPress.com stats)
- Social sharing buttons (loading scripts from Facebook, Twitter, LinkedIn)
- Comment system (Gravatar cookies)
- Security features (Protect module cookies)
- CDN usage (WordPress.com CDN cookies)
A single Jetpack installation with default settings can be responsible for 8 to 12 cookies from various domains.
WooCommerce and E-commerce
WooCommerce sets several cookies that are considered strictly necessary for e-commerce functionality:
- woocommerce_cart_hash: Helps WooCommerce know when cart contents change.
- woocommerce_items_in_cart: Tracks whether there are items in the cart.
- wp_woocommerce_session_*: Contains a unique code for each customer's session.
While these are generally exempt from consent requirements as strictly necessary cookies, WooCommerce extensions for payment processing, abandoned cart recovery, and marketing automation add many more cookies that do require consent.
Contact Forms and reCAPTCHA
Contact form plugins like Contact Form 7, WPForms, and Gravity Forms often use Google reCAPTCHA for spam protection. reCAPTCHA v2 and v3 set multiple cookies including _GRECAPTCHA and load scripts from google.com that can set additional tracking cookies. This means that even a simple contact page can trigger advertising-related cookies.
Caching Plugins
Caching plugins like WP Super Cache, W3 Total Cache, and WP Rocket set their own cookies to manage cache behaviour. These are typically functional cookies (for example, to bypass cache for logged-in users), but they still need to be documented in your cookie policy.
How to Audit Cookies on Your WordPress Site
A thorough cookie audit involves scanning your site from the visitor's perspective. Here is the process:
Step 1: Use Browser Developer Tools
Open your site in Chrome, go to DevTools > Application > Cookies, and examine all cookies set for your domain and third-party domains. Do this in an incognito window to simulate a first-time visitor. Note every cookie's name, domain, expiration, and whether it is first-party or third-party.
Step 2: Use a Dedicated Cookie Scanner
Manual inspection catches cookies set on page load, but misses cookies set by interactions (clicking buttons, submitting forms, scrolling). Dedicated scanners like Cookiebot's free scanner, CookieYes scanner, or browser extensions like EditThisCookie provide more comprehensive results. Run scans on multiple pages, not just the homepage.
Step 3: Categorise Every Cookie
Group discovered cookies into standard categories:
- Strictly Necessary: Session cookies, authentication, security, cart functionality. These do not require consent.
- Functional: Language preferences, user interface customisation. Consent is technically required but these are low risk.
- Analytics: Google Analytics, WordPress.com stats, heatmap tools. Consent is required.
- Marketing/Advertising: Google Ads, Facebook Pixel, remarketing cookies. Consent is required and these are the highest priority to block.
Step 4: Map Cookies to Their Sources
For each cookie, identify which theme or plugin is responsible. This is where WordPress gets complicated — a single page might load scripts from 5 different plugins, each setting its own cookies. Temporarily deactivate plugins one by one to identify which plugin sets which cookies.
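Steps 3 and 4 carried out as a script over cookies noted in Step 1, added here as an example that is not from the original article: the site domain, the sample capture and the plugin attributions are assumptions, apart from the cookie names the article itself lists.

```javascript
// Added example, not code from the article or from any CMP vendor. It takes cookies
// noted in DevTools > Application > Cookies (the capture below is constructed data),
// assigns the four audit categories and a likely WordPress source, and flags cookies
// that need consent yet were already set on a fresh incognito load.
const SITE_DOMAIN = "example-shop.test"; // assumed first-party domain

// Name pattern -> [category, likely source]. First matching rule wins.
const RULES = [
  [/^(wordpress_logged_in_|wordpress_sec_|wp-settings)/, ["Strictly Necessary", "WordPress core login"]],
  [/^(woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session_)/, ["Strictly Necessary", "WooCommerce"]],
  [/^pll_language$/, ["Functional", "Polylang language preference"]],
  [/^(_ga|_gid|_gat)/, ["Analytics", "Google Analytics"]],
  [/^_fbp$/, ["Marketing/Advertising", "Facebook Pixel"]],
  [/^_GRECAPTCHA$/, ["Needs review", "Google reCAPTCHA loaded by a contact form plugin"]],
];

// Third-party means the cookie domain is neither the site nor one of its subdomains.
function isThirdParty(domain, site = SITE_DOMAIN) {
  const d = domain.replace(/^\./, "").toLowerCase();
  return d !== site && !d.endsWith("." + site);
}

function classify(cookie) {
  const hit = RULES.find(([pattern]) => pattern.test(cookie.name));
  const [category, source] = hit ? hit[1] : ["Needs review", "unknown: deactivate plugins one by one"];
  // Purpose, not party, decides consent: a first-party _ga still needs it.
  return { ...cookie, category, source, thirdParty: isThirdParty(cookie.domain),
           consentRequired: category !== "Strictly Necessary" };
}

// Returns every classified cookie plus the list to fix before launch:
// consent-requiring cookies that existed before any consent was given.
function auditCookies(cookies) {
  const classified = cookies.map(classify);
  const violations = classified.filter((c) => c.consentRequired && c.beforeConsent);
  return { classified, violations };
}

// Constructed capture from a first visit to the homepage and the contact page.
const SAMPLE = [
  { name: "wp_woocommerce_session_ab12", domain: "example-shop.test", page: "/", beforeConsent: true },
  { name: "woocommerce_items_in_cart", domain: "example-shop.test", page: "/", beforeConsent: true },
  { name: "_ga", domain: ".example-shop.test", page: "/", beforeConsent: true },
  { name: "_fbp", domain: ".example-shop.test", page: "/", beforeConsent: true },
  { name: "_GRECAPTCHA", domain: "www.google.com", page: "/contact", beforeConsent: true },
  { name: "pll_language", domain: "example-shop.test", page: "/", beforeConsent: true },
];
const report = auditCookies(SAMPLE);
console.table(report.violations.map(({ name, domain, category, thirdParty }) => ({ name, domain, category, thirdParty })));
```

Everything that lands in "Needs review" still has to be attributed by hand, which is where the plugin-by-plugin deactivation of Step 4 comes in.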
Common Cookie Sources and Their Solutions
Here is a quick reference for the most common WordPress cookie sources and how to address them:
- Google Fonts: Switch to locally hosted fonts. Plugins like OMGF or your theme's settings can automate this.
- Google Analytics: Must be blocked until consent is granted. This is handled by your CMP.
- YouTube embeds: Use youtube-nocookie.com domain instead of youtube.com. This prevents most tracking cookies.
- Google Maps: Load only after consent, or use a static map image as a placeholder.
- Facebook Pixel: Must be blocked until marketing consent is granted.
- reCAPTCHA: Consider alternatives like hCaptcha (more privacy-friendly) or honeypot techniques that require no external scripts.
Setting Up FlexyConsent WordPress Plugin for Complete Compliance
Once you have audited your cookies and understand what needs to be controlled, implementing FlexyConsent on WordPress is straightforward.
FlexyConsent's WordPress plugin integrates directly into your WordPress admin dashboard, providing a native configuration experience:
- Install from the Plugin Directory: Search for "FlexyConsent" in Plugins > Add New, install, and activate. No manual file uploads needed.
- Connect your site: Enter your FlexyConsent site ID in the plugin settings. The plugin automatically injects the consent script in the correct position — before any other third-party scripts.
- Configure cookie categories: Map your audited cookies to FlexyConsent's consent categories. The plugin provides a visual interface for this directly in your WordPress admin.
- Set up script blocking: FlexyConsent automatically manages Google tags through Consent Mode V2. For other scripts (Facebook Pixel, custom tracking), the plugin provides script-blocking rules that prevent execution until the appropriate consent category is granted.
- Test thoroughly: Use an incognito window to verify that non-essential cookies are blocked until consent is granted, and that all functionality works correctly after consent.
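The script-blocking step above, shown as a generic mechanism in an added example that is not FlexyConsent's plugin code or API: blocked tags sit in the page as non-executable text until their consent category is granted, and the same consent state is translated into a Consent Mode V2 update. The "consent-updated" event name is a hypothetical placeholder.

```javascript
// Added illustration of the blocking mechanism described above. It is a generic
// pattern, not FlexyConsent's plugin code or API. Blocked trackers are written as
// <script type="text/plain" data-consent-category="marketing" src="..."> so the
// browser ignores them; once the category is granted they are re-created as live
// tags. The Consent Mode V2 parameter names are Google's documented ones.
const CONSENT_MODE_KEYS = {
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// consent looks like { functional: true, analytics: true, marketing: false }.
// Anything not explicitly granted is reported as denied.
function consentModeUpdate(consent) {
  const update = {};
  for (const [category, keys] of Object.entries(CONSENT_MODE_KEYS)) {
    for (const key of keys) update[key] = consent[category] === true ? "granted" : "denied";
  }
  return update;
}

// Re-creates every blocked script whose category is granted and returns the
// sources it activated. `doc` is a parameter so the logic can run outside a browser.
function activateBlockedScripts(consent, doc) {
  const blocked = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'));
  const activated = [];
  for (const tag of blocked) {
    const category = tag.getAttribute("data-consent-category");
    if (consent[category] !== true) continue;       // still blocked: leave it inert
    const live = doc.createElement("script");
    if (tag.src) live.src = tag.src;                 // external tracker
    else live.textContent = tag.textContent;         // inline snippet
    live.setAttribute("data-consent-category", category);
    tag.parentNode.replaceChild(live, tag);          // the browser executes the new tag
    activated.push(live.src || "inline");
  }
  return activated;
}

// Browser wiring. The "consent-updated" event name is a hypothetical placeholder
// for whatever event your CMP fires; gtag('consent', 'update', ...) is Google's API.
if (typeof document !== "undefined") {
  window.addEventListener("consent-updated", (event) => {
    const consent = event.detail;
    if (typeof gtag === "function") gtag("consent", "update", consentModeUpdate(consent));
    activateBlockedScripts(consent, document);
  });
}
```

The incognito test in the last step is what confirms this worked: before the banner is answered, only the strictly necessary cookies from the audit should be present.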
As a Google-certified CMP with IAB TCF 2.3 support, FlexyConsent handles the most complex aspects of WordPress cookie compliance automatically. Consent Mode V2 signals are sent to Google services without any additional tag configuration, and geo-targeting ensures that visitors from different regions see the appropriate consent experience.
Key takeaway: WordPress's flexibility comes at a privacy cost — every theme and plugin can introduce cookies that require consent. A systematic audit followed by proper CMP implementation is the only reliable path to compliance. Do not assume your site only sets the cookies you know about; the reality is almost always more complex than expected.