WordPress without cookies! Data protection in the WordPress blog

At the end of May 2018, the GDPR caused many bloggers to panic. This data protection guideline is about the protection of personal data and cookies are one of the criticisms.

In today’s article I will explain how you can free your WordPress blog from cookies, when it makes sense and why not all cookies are bad.

In the second part of this little series of articles next week, I’ll be looking at some helpful free WordPress plugins.

The dealer may pay a commission for advertising links on this page. These promotional links are marked with an asterisk

to recognize. The price doesn’t change for you. More info.

WordPress Blog Without Cookies – Why?


The data protection requirements of the GDPR (and current rulings) are intended to give website visitors more information and control over what personal data is collected and processed from them.

One aspect that has become very important on the web is cookies. These are small text files that are stored in the browser and in themselves do nothing bad. But they allow a visitor to be recognized. In an online shop, for example, this is a nice thing, because the next time you visit the shop, for example, the shopping cart is still filled with the products that you put in it last time.

But cookies are mainly used for tracking. For example, to recognize returning visitors when collecting statistics or to be able to display suitable advertisements across several websites. Data protectionists take a very critical view of this and would prefer that this only happens with the explicit consent of the user. The visitors of the blog would first have to agree and only then should cookies be set.

Even if the GDPR is actually not that strict and usually only requires an opt-out option, there have been many judgments that make a cookie opt-in (i.e. active consent before cookies are set) mandatory.

Technically, this is definitely possible with plugins, for example, but the question is whether it makes sense in a blog. It can be assumed that data protection will become even stricter in the future. In this respect, it is worth considering whether cookies should still be used at all. That would definitely set you up for the future.

1st party vs 3rd party cookies

A distinction must be made with cookies in any case. A distinction is made between 1st party vs. 3rd party cookies.

1st party cookies are those set by the website itself. For example, those that are set by WordPress itself. The cookie contains the same domain that is also in the browser address line. And only your own website can read these cookies again.

3rd party cookies are set by another domain. The cookie does not contain the domain that the user is currently on. This is often the case with tracking or advertising providers, for example. Such cookies can then be read by the domains specified in them. For example, if Facebook sets a 3rd party cookie in a blog, the user will be recognized on Facebook.

While 1st party cookies are all a bit more relaxed and many are allowed if they are necessary to operate the website or the operator has a legitimate interest, the situation is different with 3rd party cookies. These are very critical in terms of data protection law and some browsers are already blocking them by default.

Therefore, an opt-in is now necessary for the 3rd party cookies, which makes visiting many blogs and websites quite annoying.

What cookies does your WordPress blog set?

In order to rid your own blog of cookies, you first have to know which ones are set in the first place. There are different ways.

The website cookiebot.com, for example, offers a free analysis option. You will then be emailed a PDF report listing the cookies found.

Another option is browser add-ons. There are various of them for Firefox, Chrome and Co. These show which cookies are set on the website you are currently visiting. For example EditThisCookie for Chrome.

Of course you can also simply look at the settings of your own browser. In Firefox, for example, you can find the cookies under “Settings > Data protection & security > Manage data…”. Here you simply delete all cookies, then click through your own blog and then check which cookies are newly displayed here.

In my experience, the best method is different. I use Chrome’s built-in developer tools to do this. Here you can see exactly which cookies are set when you visit your own site. To do this, open the menu on the far right (with the 3 dots), then go to “more tools” and then to “developer tools”.

Here you click on the “Application” tab, where you will find a sub-item “Cookies”.  If you then reload the website, the cookies that have been set are displayed here.  In this way you can analyze very precisely which cookies are set on your own website.

Blog without cookies! Data protection in the WordPress blog part 1

Different cookies and how to get rid of them

In the following I will go into a few cookies that are typically found on a blog.
WordPress cookies

WordPress itself sets cookies. On the one hand, these are session cookies, which are only temporary and expire when you leave the blog. On the one hand, such cookies are necessary for the blog and on the other hand, as far as I know, they are not a problem in terms of data protection.

But WordPress also sets other cookies. For example a comment cookie. This is where the data you entered in the comment field is saved so that you don’t have to enter it next time. However, with the last WordPress update, a checkbox was added here. The user can decide whether he wants this cookie or not.

remove_action( 'set_comment_cookies', 'wp_set_comment_cookies' );

But you can also disable this completely with a PHP code:

Otherwise, WordPress does not cause any major problems when it comes to cookies. And the signs of the times were recognized late, but at least, so that work on WordPress will certainly continue in the future in terms of data protection.
Google Analytics cookies

Many bloggers use Google Analytics to measure the number of visitors to their own WordPress website. However, Google Analytics sets cookies and tracks users.

That is why it has been necessary in recent years to anonymize the IP address and to offer an opt-out in the data protection declaration. I have already shown here in the blog how to use Google Analytics in accordance with data protection regulations.

Nevertheless, Google Analytics is in the focus of privacy advocates (like all tracking services) and current judgments suggest that it can only be used via opt-in in the future.

That’s why I tried one or the other statistical alternative, which can do significantly less than Google Analytics, but is completely sufficient for many bloggers and also complies with data protection.

The following comparison shows that the alternatives, such as Statify, also measure access very well and are comparable to Google Analytics.

Blog without cookies! Data protection in the WordPress blog part 1
Google AdSense cookies

Many bloggers use Google AdSense as a source of income and it is often worth it. Especially since it is a very low-maintenance source of income.

Unfortunately, Google AdSense sets many 3rd party cookies, which makes it very problematic for privacy advocates. Even Google is introducing a system that is supposed to obtain prior consent.

But since you can’t disable all AdSense cookies, I personally refrained from AdSense and used other sources of income instead. Especially affiliate marketing.

For this I made my own AdSense copy.
Affiliate marketing cookies

In general (and as an AdSense replacement) I use affiliate marketing very often on my blogs. But you have to be careful here, too, because sometimes a lot of cookies are set. However, this only happens if you use advertising material provided by the partner programs that use JavaScript or iframes.

That’s why I changed all of my affiliate integrations so that I only use normal text affiliate links. With affiliate banners, I only use those that I can save locally on my server.

In this way, affiliate programs no longer set cookies on my blogs, which is very good in terms of data protection. The affiliate marketing still works, since the affiliate links are clear and the affiliate program learns that the user came from my website.

If you use the Amazon affiliate program, you should take a look at the AAWP plugin. This enables the integration of product boxes, product images, bestseller lists and much more in a data protection-compliant manner.
YouTube cookies

YouTube is becoming increasingly important. You can and should also embed videos in your own blog to improve the user experience, and Google likes that too. Of course, YouTube also sets cookies if you use the normal embed code or simply paste the URL into the article (and WordPress uses this converted automatically).

add_filter( 'embed_oembed_html', 'youtube_nocookie_loesung', 10, 4);
function youtube_nocookie_loesung( $original, $url, $attr, $post_ID ) {
	$html = str_replace("youtube.com","youtube-nocookie.com",$original);
	$html = str_replace("feature=oembed","feature=oembed&showinfo=0",$html);
	return $html;

I solved this by adding the following code to my theme’s functions.php.

As a result, all YouTube videos that you simply embedded via the URL are called up via the domain youtube-nocookie.com and YouTube then no longer sets any cookies. Alternatively, you can also use the Code Snippets plugin to integrate the code.

Anyone who has previously embedded YouTube videos using the embed code provided by YouTube without the additional data protection option must change all of these codes manually. The code doesn’t help there.

Of course, other services or plugins can also set cookies. You have to analyze this carefully for your own blog and then decide whether to deactivate the cookie or (if this is not possible) remove the service from the blog or delete the plugin.

WordPress: Create your own blog in five minutes Previous post WordPress: Create your own blog in five minutes
Next post Create a blog – WordPress vs. website builder