Cookies are small pieces of data, contained within text files, that are stored on your computer or other device when websites are loaded in a browser. They are widely used to ‘remember’ you and your preferences, either for a single visit (through a ’session cookie’) or for multiple repeat visits (using a ‘persistent cookie’). They ensure a consistent and efficient experience for visitors, and perform essential functions such as allowing users to register and remain logged in. Cookies may be set by the site that you are visiting (known as ‘first party cookies’), or by other websites who serve up content on that site (‘third party cookies’).
Below the different categories of cookies set by WordPress.org are outlined, with specific examples detailed in the tables that follow. This includes their name and purpose. Certain cookies are only set for logged in visitors, whereas others are set for any visitors, and these are marked below accordingly. Where a cookie only applies to specific subdomains, they are included under the relevant header.
Strictly Necessary: These are the cookies that are essential for WordPress.org to perform basic functions. These include those required to allow registered users to authenticate and perform account related functions.
Functionality: These cookies are used to store preferences set by users such as account name, language, and location.
Performance: Performance cookies collect information on how users interact with websites hosted on WordPress.org, including what pages are visited most, as well as other analytical data. These details are only used to improve how the website functions.
Tracking: These are set by trusted third party networks (e.g. Google Analytics) to track details such as the number of unique visitors, and pageviews to help improve the user experience.
Third Party/Embedded Content: WordPress.org makes use of different third party applications and services to enhance the experience of website visitors. These include social media platforms such as Facebook and Twitter (through the use of sharing buttons), or embedded content from Youtube and Vimeo. As a result, cookies may be set by these third parties, and used by them to track your online activity. We have no direct control over the information that is collected by these cookies.
| Cookie | Duration | Purpose | Logged in Users Only? |
| devicePixelRatio | Browser default (1 year) | Used to make the site responsive to the visitor’s screen size. | No |
| wordpress_test_cookie | Session | Tests that the browser accepts cookies. | No |
| __qca | 5 years | Quantcast | No |
| __utma | 2 years | Google Analytics - ‘Used to distinguish users and sessions. The cookie is created when the javascript library executes and no existing __utma cookies exists. The cookie is updated every time data is sent to Google Analytics.’ | No |
| __utmb | 30 minutes | Google Analytics - ‘Used to determine new sessions/visits. The cookie is created when the javascript library executes and no existing __utmb cookies exists. The cookie is updated every time data is sent to Google Analytics.’ | No |
| __utmc | Session | Google Analytics - ‘Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the __utmb cookie to determine whether the user was in a new session/visit.’ | No |
| __utmt | 10 minutes | Google Analytics - ‘Used to throttle request rate.’ | No |
| __utmz | 6 months | Google Analytics - ‘Stores the traffic source or campaign that explains how the user reached your site. The cookie is created when the javascript library executes and is updated every time data is sent to Google Analytics.’ | No |
| wp-settings-{user_id} | 1 year | Used to persist a user’s wp-admin configuration. | Yes |
| wporg_logged_in wporg_sec | 14 days if you select "Remember Me" when logging in. Otherwise, Session. | Used to check whether the current visitor is a logged in WordPress.org user. | Yes |
| Cookie | Duration | Purpose | Logged in Users Only? |
| welcome-{blog_id} | Permanent | Used to record if you’ve chosen to hidden the "Welcome" message at the top of the corresponding blog. | No |
| showComments | 10 years | Used to determine if you prefer comments to be shown or hidden when reading the site. | No |
| Cookie | Duration | Purpose | Logged in Users Only? |
| trac_form_token | Session | Used to check whether the current visitor is a logged in WordPress.org user. | Yes |
| Cookie | Duration | Purpose | Logged in Users Only? |
|
codexToken |
6 months |
Used to check whether the current visitor is a logged in WordPress.org user. Only set if you select "Keep me logged in" when loggin in. |
Yes |
| codexUserId codexUserName | 6 months | Used to check whether the current visitor is a logged in WordPress.org user. | Yes |
| codex_session | Session | Used to check whether the current visitor is a logged in WordPress.org user. | Yes |
Visitors may wish to restrict the use of cookies, or completely prevent them from being set. Most browsers provide for ways to control cookie behaviour such as the length of time they are stored – either through built-in functionality or by utilizing third party plugins.
To find out more on how to manage and delete cookies, visit aboutcookies.org. For more details on advertising cookies, and how to manage them, visit youronlinechoices.eu (EU based), or aboutads.info (US based).
Some specific opt out programs are available here:
Quantcast - https://www.quantcast.com/opt-out/
Google Analytics - https://tools.google.com/dlpage/gaoptout
It’s important to note that restricting or disabling the use of cookies can limit the functionality of sites, or prevent them from working correctly at all.
Self-hosted WordPress.org sites also use cookies, in core there is a authentication cookie. But also WordPress plugins and themes can set/use cookies, how can we help WordPress users to identify these?
In the GDPR plugin by Trew Knowledge and @fclaussen WordPress administrators can manually register the cookies used on their site to display a Privacy Policy with all the used cookies.
There was also a suggestion by @remcotolsma for a WordPres Cookies API so WordPress plugin and theme developers can register the cookies they set/use. This should work in combination with a user interface like the one in the Trew Knowledge GDPR plugin.
wp_register_cookies( 'wordpress', array(
'label' => __( 'WordPress' ),
'cookies' => array(
'wordpress_*' => array(
'label' => __( 'WordPress Authentication Cookie' ),
'description' => __( 'This cookie is used for WordPress user authentication.' ),
'category' => 'required',
'expiration' => 2 * DAY_IN_SECONDS,
),
) );
wp_register_cookies( 'woocommerce', array(
'label' => __( 'WooCommerce', 'woocommerce' ),
'url' => __( 'https://github.com/woocommerce/woocommerce/blob/3.3.3/includes/class-wc-cart-session.php#L203-L218', 'woocommerce' ),
'cookies' => array(
'woocommerce_cart_hash' => array(
'label' => __( 'WooCommerce Cart Hash', 'woocommerce' ),
'description' => __( 'This cookie is used to verify the visitors shopping cart.', 'woocommerce' ),
'category' => 'required',
'expiration' => HOUR_IN_SECONDS,
),
'woocommerce_items_in_cart' => array(
'label' => __( 'WooCommerce Number Items in Cart', 'woocommerce' ),
'description' => __( 'This cookie is used to keep track of the number of items in the visitors shopping cart.', 'woocommerce' ),
'category' => 'required',
'expiration' => HOUR_IN_SECONDS,
),
'wp_woocommerce_session_*' => array(
'label' => __( 'WooCommerce Session ID', 'woocommerce' ),
'description' => __( 'This cookie is used to keep track of visitors session.', 'woocommerce' ),
'category' => 'required',
'expiration' => 48 * HOUR_IN_SECONDS,
),
),
) );
wp_register_cookies( 'google-analytics-for-wordpress', array(
'label' => __( 'MonsterInsights - Google Analytics', 'google-analytics-for-wordpress' ),
'url' => __( 'https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage', )
'cookies' => array(
'_ga' => array(
'label' => __( '_ga', 'google-analytics-for-wordpress' ),
'description' => __( 'Used to distinguish users.', 'google-analytics-for-wordpress' ),
'category' => 'analytics',
'expiration' => 2 * YEAR_IN_SECONDS,
),
'_gid' => array(
'label' => __( '_gid', 'google-analytics-for-wordpress' ),
'description' => __( 'Used to distinguish users.', 'google-analytics-for-wordpress' ),
'category' => 'analytics',
'expiration' => 24 * HOUR_IN_SECONDS,
),
'_gat' => array(
'label' => __( '_gat', 'google-analytics-for-wordpress' ),
'description' => __( 'Used to throttle request rate.', 'google-analytics-for-wordpress' ),
'category' => 'analytics',
'expiration' => array(
'from' => 30,
'to' => YEAR_IN_SECONDS,
),
),
'_gac_*' => array(
'label' => __( '_gac_<property-id>', 'google-analytics-for-wordpress' ),
'description' => __( 'Contains campaign related information for the user.', 'google-analytics-for-wordpress' ),
'category' => 'analytics',
'expiration' => 90 * DAY_IN_SECONDS,
),
),
) );