A Comprehensive Guide to Set, Get, and Delete Cookies in WordPress


Cookies play a crucial role in WordPress web development, enabling WordPress sites to store and retrieve information on a user’s browser. In WordPress, most developers use cookies to enhance user experience, track user preferences, and manage sessions. This comprehensive guide will delve into the intricacies of setting, getting, and deleting cookies in a WordPress environment.

1. Understanding Cookies in WordPress Website

Before delving into the practical aspects, it’s essential to understand what browser cookies are and how they function within the context of WordPress.

 What Are Cookies?

Cookies are small pieces of data stored on the user’s browser by websites they visit. They serve various purposes, such as remembering user preferences, tracking user behavior, and maintaining session information.

Cookies serve various practical purposes for website owners, such as

  • managing user login details
  • temporarily storing session information
  • retaining shopping cart items during an eCommerce visit
  • and tracking user activity to deliver a personalized experience

While cookies are invaluable tools for enhancing website functionality, it’s important to note that recent trends in email marketing, growth hacking, and online marketing have introduced practices that leverage cookies as beacons. These cookies can not only store user activity but also share it across different websites, contributing to both the utility and potential invasiveness of these web tracking mechanisms.

Types of Cookies

  1. Session Cookies: Temporary cookies that expire when the user closes the browser.
  2. Persistent Cookies: Cookies with a set expiration date, persisting until that date or until manually deleted.
  3. First-party Cookies: Set by the website domain the user is visiting.
  4. Third-party Cookies: Set by domains other than the one the user is visiting.


2. Setting Cookies in WordPress

Setting cookies in WordPress involves using PHP functions to define cookie parameters and values. Below is a step-by-step guide on how to set cookies in a WordPress environment.

A. Use the setcookie() Function

The setcookie() function is used to set a cookie in WordPress. Its syntax is as follows:

setcookie(name, value, expire, path, domain, secure, httponly);

  1. name: The name of the cookie.
  2. value: The value of the cookie.
  3. expire: Expiration time of the cookie.
  4. path: The path for which the cookie is valid.
  5. domain: The domain for which the cookie is valid.
  6. secure: Indicates if the cookie should only be sent over secure connections.
  7. httponly: If set to true, the cookie will be accessible only through HTTP.

B. Example of Setting a Cookie in WordPress

function set_custom_cookie()
$cookie_name = "user_preference";
$cookie_value = "dark_mode";
$expiry = time() + (86400 * 30); // Cookie expires in 30 days
$path = "/";
setcookie($cookie_name, $cookie_value, $expiry, $path);
add_action('init', 'set_custom_cookie');

3. Getting Cookies in WordPress

Retrieving cookies in WordPress involves using PHP to access and use the stored cookie values. Here’s how you can do it:

A. Use the $_COOKIE Superglobal

The $_COOKIE superglobal is an associative array containing all cookies sent by the client’s browser.

$cookie_value = $_COOKIE['user_preference'];

B. Check if a Cookie Exists

It’s essential to check if a cookie exists before attempting to retrieve its value to avoid errors.

if (isset($_COOKIE['user_preference']))
$cookie_value = $_COOKIE['user_preference']; // Use the cookie value as needed
{ // Handle the case where the cookie is not set }

4. Deleting Cookies in WordPress

Deleting cookies in WordPress is crucial for maintaining user privacy and managing stored data. The setcookie() function is also used for this purpose.

A. Expire the Cookie

To delete a cookie, you can set its expiration time to a past date, making it immediately invalid.

function delete_custom_cookie()
$cookie_name = "user_preference";
$expiry = time() - 3600; // Set expiration time to the past (1 hour ago)
$path = "/";
setcookie($cookie_name, "", $expiry, $path);
add_action('init', 'delete_custom_cookie');

B. Ensure Cookie Deletion

It’s good practice to verify that the cookie has been deleted by checking if the cookie value is empty or non-existent.

if (empty($_COOKIE['user_preference']))
// Cookie has been successfully deleted
else {
// Handle the case where the cookie deletion was unsuccessful }

5. Best Practices for Working with Cookies in WordPress

  • Always Sanitize and Validate Data

Sanitizing and validating cookie data is crucial for preventing security vulnerabilities. Here’s an example of how you can sanitize and validate cookie values using PHP:

function sanitize_and_validate_cookie($value)
{ // Sanitize the cookie value to remove potentially harmful characters
$sanitized_value = filter_var($value, FILTER_SANITIZE_STRING);
// Validate the sanitized value based on specific criteria
if (strlen($sanitized_value) > 0 && strlen($sanitized_value) <= 50)
{ // The value meets the criteria, and it's safe to use return $sanitized_value;
{ // Handle the case where the value doesn't meet the criteria // You might log an error, set a default value, or take appropriate action
return "default_value";
// Example of using the sanitize_and_validate_cookie
function $raw_cookie_value = $_COOKIE['user_preference']; // Assuming 'user_preference' is the cookie name
$validated_cookie_value = sanitize_and_validate_cookie($raw_cookie_value); // Now you can use $validated_cookie_value safely in your application

In this example:

  1. The filter_var function with the FILTER_SANITIZE_STRING filter is used to remove any potentially harmful characters from the cookie value.
  2. The sanitized value is then validated based on specific criteria. In this case, the criteria include checking that the length of the sanitized value is greater than 0 and less than or equal to 50 characters.
  3. If the value meets the criteria, it is considered safe and can be used in your application. If not, you can take appropriate action, such as logging an error, setting a default value, or notifying the user.

Remember to adjust the validation criteria based on the specific requirements and context of your application. The goal is to ensure that the cookie data is both sanitized and conforms to expected standards, minimizing the risk of security vulnerabilities.

  • Provide Clear Cookie Policies

Inform users about the use of cookies on your website through a privacy policy and obtain their consent if necessary. Another easiest way would be adding a Cookie Popup with Cookie Notice (Easiest). This can be done through installing a Plugin Cookie Notice & Compliance for GDPR / CCPA.

  • Keep Sensitive Information Secure

Storing sensitive information in cookies poses a security risk, as cookies are stored on the user’s device and can potentially be accessed or tampered with. If it’s necessary to store sensitive information, it’s recommended to use encryption methods to enhance security. Below is an example using PHP to encrypt and decrypt sensitive information before storing it in a cookie:

<?php // Encryption key - ensure it is kept secret
$encryption_key = 'your_secret_key';
// Function to encrypt sensitive data
function encrypt_data($data, $key)
$cipher = 'AES-256-CBC';
$iv_length = openssl_cipher_iv_length($cipher);
$iv = openssl_random_pseudo_bytes($iv_length);
$encrypted_data = openssl_encrypt($data, $cipher, $key, 0, $iv);
// Combine the IV and encrypted data for storage
$encrypted_data_with_iv = base64_encode($iv . $encrypted_data);
return $encrypted_data_with_iv;

// Function to decrypt sensitive data
function decrypt_data($data, $key)
$cipher = 'AES-256-CBC';
// Split the IV and encrypted data
$data = base64_decode($data);
$iv_length = openssl_cipher_iv_length($cipher);
$iv = substr($data, 0, $iv_length);
$encrypted_data = substr($data, $iv_length);
// Decrypt the data
$decrypted_data = openssl_decrypt($encrypted_data, $cipher, $key, 0, $iv);
return $decrypted_data;

// Example of storing sensitive information in a cookie
$sensitive_data = 'ThisIsSensitiveInformation';
$encrypted_data = encrypt_data($sensitive_data, $encryption_key);
// Set the cookie with the encrypted data
setcookie('encrypted_sensitive_data', $encrypted_data, time() + 3600, '/');

// Example of retrieving and decrypting sensitive information from the cookie
if (isset($_COOKIE['encrypted_sensitive_data']))
$encrypted_cookie_data = $_COOKIE['encrypted_sensitive_data'];
$decrypted_data = decrypt_data($encrypted_cookie_data, $encryption_key);
// Use the decrypted data as needed
echo "Decrypted Sensitive Data: " . $decrypted_data;
{ echo "Cookie not set or expired";

In this example:

  1. The encrypt_data function uses the OpenSSL library to encrypt sensitive data with AES-256-CBC encryption.
  2. The decrypt_data function decrypts the data using the same encryption key.
  3. Before storing or using the sensitive information, it is encrypted, and when retrieved, it is decrypted for use.

Remember to keep the encryption key secure and change it regularly. Additionally, adapt the encryption methods based on your specific security requirements and considerations.

  • Regularly Review and Update Cookie Policies

Stay informed about privacy regulations and update your cookie policies accordingly to comply with legal standards.


Cookies are integral to enhancing user experience and functionality in WordPress. This guide has provided a detailed exploration of setting, getting, and deleting cookies in a WordPress environment. By understanding the principles and following best practices, developers can harness the power of cookies responsibly while prioritizing user privacy and security.

Recent Posts