How to Add Cookie Consent to WordPress (Step-by-Step)
WordPress sites represent over 40% of the web — and many of them have cookie banners that look compliant but aren't. Before diving into plugins, it helps to understand the cookie banner requirements under GDPR so you know what you're actually building toward.
Best free WordPress cookie consent plugins (2026)
Best for: Most WordPress sites
Best for: Larger or enterprise sites
Best for: WooCommerce sites
Best for: Sites needing multi-law support
Step-by-step setup guide
Install and activate a cookie consent plugin
Go to WordPress Admin → Plugins → Add New. Search for your chosen plugin (e.g. "CookieYes"). Click Install Now, then Activate.
Run the plugin's cookie scan
Most plugins include an automatic cookie scanner. Run it to detect all cookies your site sets — including those from themes, plugins, and embedded content like YouTube or Google Maps. This creates your cookie list.
Categorise your cookies
Assign each detected cookie to a category: Necessary (no consent needed), Analytics, Marketing, Preferences. Necessary cookies can be set without consent — all others need opt-in under GDPR.
Configure the banner appearance
Set up Accept and Reject buttons with equal visual prominence. Make sure "Reject" or "Decline" is as easy to click as "Accept" — a tiny grey link doesn't count. Enable "Reject All" as a single-click option.
Enable script blocking
Enable the plugin's script blocking feature. This prevents Google Analytics, Facebook Pixel, and other tracking scripts from loading until the user gives consent. This is the most critical technical step — without it your banner is cosmetic only.
Link to your Cookie Policy / Privacy Policy
The banner must include a link to your full Cookie Policy or Privacy Policy. Create a /privacy-policy page if you don't have one — use our free Privacy Policy Generator.
Test and verify
Open your site in an incognito window. Confirm: (a) the banner appears before any non-essential cookies are set, (b) clicking Reject prevents analytics from loading, (c) clicking Accept loads analytics. Run a fixGDPR scan to verify.
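The incognito check above can be complemented by a static audit of the first response a visitor receives before making any choice. The following is an added example, not code from any plugin named on this page: it flags tracking scripts that would still execute and cookies outside your Necessary category. The function names, the `data-category` attribute and the sample markup are assumptions made for illustration.

```javascript
// Script hosts for Google Analytics / Tag Manager and Facebook Pixel; extend
// this list with whatever your plugin's cookie scan reported.
const TRACKER_HOSTS = ["google-analytics.com", "googletagmanager.com", "connect.facebook.net"];
// Types a browser executes; any other type (e.g. text/plain) stays inert.
const EXECUTABLE_TYPES = new Set(["", "text/javascript", "application/javascript", "module"]);

function attr(tag, name) {
  // Reads a quoted attribute value from a single opening tag.
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1].trim() : null;
}

function isTrackerHost(src) {
  let host;
  try { host = new URL(src, "https://site.invalid").hostname; } catch { return false; }
  return TRACKER_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

// html: markup served to a visitor who has not yet made a consent choice.
// setCookies: Set-Cookie header values from that same response.
// necessary: cookie names you categorised as Necessary.
function auditPreConsent(html, setCookies, necessary) {
  const findings = [];
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = attr(tag, "src");
    const type = (attr(tag, "type") || "").toLowerCase();
    if (src && isTrackerHost(src) && EXECUTABLE_TYPES.has(type)) {
      findings.push({ kind: "script", detail: src });
    }
  }
  for (const header of setCookies) {
    const name = header.split("=")[0].trim();
    if (!necessary.includes(name)) findings.push({ kind: "cookie", detail: name });
  }
  return findings;
}

// Constructed sample: one live analytics tag, one Pixel tag parked as text/plain.
// data-category is a hypothetical attribute; G-EXAMPLE is a placeholder ID.
const SAMPLE_HTML = `
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" data-category="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>`;
const SAMPLE_COOKIES = ["wordpress_test_cookie=WP%20Cookie%20check; path=/", "_ga=GA1.1.1.1; path=/"];

console.log(auditPreConsent(SAMPLE_HTML, SAMPLE_COOKIES, ["wordpress_test_cookie"]));
```

An empty result is what a correctly blocked first load looks like; scripts injected later by other JavaScript are not visible to this static check, so the browser test still applies.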
Common mistakes to avoid
Many of these mistakes fall into the category of dark patterns — manipulative UI choices that regulators are actively fining. Avoid them.
Pre-ticking "Accept Analytics" box
Consent must be freely given and opt-in. Pre-ticked boxes are explicitly banned by GDPR.
Hiding Reject behind multiple clicks
GDPR requires withdrawal of consent to be as easy as giving it. A buried "Manage Preferences" path fails this test.
Loading Google Analytics before consent
The most common technical failure. Install a script blocker — don't just show the banner and load tracking anyway.
Treating "closing" the banner as consent
Consent must be an affirmative action. Clicking X to close is not a valid consent signal.
Same banner for all countries
Different rules apply in different jurisdictions. The strictest (GDPR) should be your default for EU visitors.
Don't have time to set up a full CMP?
Use our free Cookie Banner Generator to get working HTML, CSS, and JavaScript you can paste directly into your WordPress theme or add via a code snippet plugin.
Open Cookie Banner Generator →
Test your WordPress cookie banner — free
Run a GDPR scan on your site to verify your banner, SSL, privacy policy, and more. Takes 30 seconds.
Run a free GDPR scan