Cookies are small text files that are used to store information on a user’s browser. Cookies are stored for multiple purposes, such as providing security, maintaining user sessions, and tracking user behavior on the website for site analytics and targeted marketing.
When a website uses certain third-party services, for example, for advertising purposes, those services also set cookies on the website. These cookies are usually set by scripts that the third parties provide to enable their services on the website.
WordPress also sets cookies. WordPress does not use sessions by default; instead, it uses cookies to achieve the same behavior. Let’s take a look at what the WordPress cookies are and what they are used for.
There are two types of cookies set by WordPress.
1 — Session cookies — These are ‘strictly necessary’ cookies, as WordPress will not be able to function without them.
2 — Comment cookies — These are not ‘strictly necessary’ cookies and are set when users leave a comment on a post.
Session cookies set by WordPress
To check which cookies WordPress itself sets, deactivate all the plugins on the website, because other plugins may also set cookies on a WordPress website. Alternatively, you can check with a fresh installation of WordPress. Below are the cookies that were observed on a WordPress website with no plugins installed. These are the cookies that were seen in the admin area of the website.
- wordpress_[hash]
- wordpress_logged_in_[hash]
- wordpress_test_cookie
- wp-settings-{time}-[UID]
On the front-end of the website when logged in as administrator
When the front-end of the website was checked with no plugins activated and while logged in, the following cookies were found.
- wordpress_logged_in_[hash]
- wordpress_test_cookie
- wp-settings-{time}-[UID]
WordPress uses the cookie wordpress_[hash] to store the authentication details on login. The authentication details include the username and a double hashed copy of the password. This usage of the cookie is limited to the admin console area, the backend dashboard of the website. The cookie cannot be seen on the front-end of the website, even when logged in.
The cookie wordpress_logged_in_[hash] is used to indicate when you are logged in, and who you are. This cookie is maintained on the front-end of the website as well when logged in.
Here [hash] represents the value that is obtained by applying a specific mathematical formula to the username and password. This is to ensure that the input values are safe and no one can access these data using the cookies.
The cookie wp-settings-{time}-[UID] is used to customize the view of your admin interface and the front-end of the website. The value represented by [UID] is the individual user ID of the user as given to them in the users database table.
WordPress also sets a cookie named wordpress_test_cookie to check whether cookies are enabled on the browser, so that it can provide an appropriate user experience.
On the front-end of the website without logging in
When the front end of the website was checked, the cookie found to be installed on the browser was wordpress_test_cookie, the cookie used to check whether cookies are enabled to provide the proper user experience.
WordPress Comment Cookies
WordPress also sets cookies for the commenters of the website. WordPress sets cookies on a user’s device when they leave a comment on a website that is built on WordPress. The cookies are used to remember the user so that the values are automatically filled in the corresponding fields and the user doesn’t have to enter their details every time they want to leave a comment. The cookies set for commenters are listed below.
- comment_author_[hash]
- comment_author_email_[hash]
- comment_author_url_[hash]
The cookie comment_author_[hash] is set to remember the value entered into the comment form’s name field, the cookie comment_author_email_[hash] is set to remember the value entered into the comment form’s email field, and comment_author_url_[hash] is set to remember the value entered into the comment form’s URL field.
The cookies set for the commenters are persistent cookies and are set for almost a year.
To identify the cookies used on a website, you can refer to this article. You can also enter the URL of the website to scan and list all the cookies being used in the URL using this free tool.
Cookies set by WordPress Plugins
When using a WordPress website, there are cookies that are set by different plugins used on the website. For example, the plugin GDPR Cookie Consent sets a cookie named viewed_cookie_policy that is used to check whether or not the user has given their consent to the usage of cookies.
Other plugins on the website can also set cookies. This can be checked by activating the plugins one by one and checking which cookies are set when that particular plugin is activated.
It is also best to check the inner pages of the website to check for the cookies being installed on the website. This is because even though the plugin is activated, the cookie will only be set on pages that have the functionality of the plugin. For example, a plugin that helps you add a social media sharing functionality to the blog posts will only set the cookie on each of the blog posts.
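The plugin-by-plugin check described above can be scripted by sorting the cookies a page sets into the groups this article lists and flagging the rest for tracing. The following is an added example, not code from WordPress or any plugin; it assumes [hash] is a hexadecimal string and [UID] is a numeric user ID, and the sample headers and the name example_share_widget are constructed.

```javascript
// Added example: name patterns taken from the cookie lists in this article.
// Assumptions: [hash] is a hexadecimal string and [UID] is a numeric user ID.
const RULES = [
  { category: "wordpress-session", pattern: /^wordpress_logged_in_[0-9a-f]+$/i },
  { category: "wordpress-session", pattern: /^wordpress_[0-9a-f]+$/i },
  { category: "wordpress-session", pattern: /^wordpress_test_cookie$/ },
  { category: "wordpress-session", pattern: /^wp-settings-(time-)?\d+$/ },
  { category: "wordpress-comment", pattern: /^comment_author_(email_|url_)?[0-9a-f]+$/i },
  { category: "plugin", pattern: /^viewed_cookie_policy$/ }, // GDPR Cookie Consent
];

// Parse one Set-Cookie header line into the cookie name and whether it is
// persistent (carries Expires or Max-Age) rather than browser-session only.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.replace(/^set-cookie:\s*/i, "").split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const attrNames = attrs.map((a) => a.split("=")[0].trim().toLowerCase());
  const persistent = attrNames.includes("expires") || attrNames.includes("max-age");
  return { name, persistent };
}

// Return the first matching category, or "other" for anything not listed above.
function classify(name) {
  const rule = RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "other";
}

function auditCookies(headers) {
  return headers.map((h) => {
    const cookie = parseSetCookie(h);
    return { ...cookie, category: classify(cookie.name) };
  });
}

// Cookies not explained by the lists above: trace these to a plugin or third party.
function unexpected(headers) {
  return auditCookies(headers).filter((c) => c.category === "other").map((c) => c.name);
}

// Constructed sample input; values are placeholders.
const SAMPLE_HEADERS = [
  "Set-Cookie: wordpress_test_cookie=value; path=/",
  "Set-Cookie: wordpress_logged_in_0123abcd=value; path=/; HttpOnly",
  "Set-Cookie: wp-settings-time-1=1700000000; Max-Age=31536000; path=/",
  "Set-Cookie: comment_author_email_0123abcd=value; Expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/",
  "Set-Cookie: viewed_cookie_policy=yes; Max-Age=31536000; path=/",
  "Set-Cookie: example_share_widget=1; path=/",
];
console.table(auditCookies(SAMPLE_HEADERS));
console.log("Needs tracing:", unexpected(SAMPLE_HEADERS));
```

Run it against the headers captured on each inner page after activating one plugin at a time; any name reported as needing tracing belongs to the plugin just activated or to a third-party script.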
If you are looking for compliance with the GDPR and ePrivacy Directive, you must also check for the cookies set by third-party services that you may be using on your WordPress website, apart from the cookies that are set by WordPress and WordPress plugins.
Originally published on Cookie Law Info.