Skip to Content

Cookie Consent

Cookie Consent is a fully customizable, GDPR and CCPA compliant cookie consent banner for WordPress. It gives your visitors complete control over which cookies and tracking scripts run on your site, organizes cookies into clear categories, prevents non-essential scripts from loading without approval, and maintains a tamper-evident consent log so you can prove compliance during audits.

The plugin is lightweight, dependency-free on the frontend, ships with a vanilla JavaScript runtime, and integrates with the Polyglot plugin so that banner copy is automatically translated for every language on your site.

Cookie consent dialog preview
Cookie consent dialog preview

Highlights

  • Category-based consent. Cookies are grouped into three categories out of the box: Necessary (always active), Analytical (Google Analytics, Matomo, Hotjar, Mixpanel) and Marketing (Facebook Pixel, LinkedIn Insight, Google Ads).
  • Automatic script blocking. Add URL patterns for scripts that should be blocked until consent is granted. Each pattern is mapped to a category and is unblocked automatically the moment the visitor opts in.
  • Five banner positions. Choose between Bottom Left, Bottom Right, Bottom Center, Top, and a centered Modal.
  • Live appearance editor. Configure primary, background and text colors with a native swatch + hex picker, plus an optional floating settings button. A live preview shows changes before you save.
  • Consent log and statistics. Every consent decision is stored in a dedicated table. A built-in dashboard surfaces total consents, per-category acceptance rates and a paginated daily breakdown.
  • Multilingual editor. Pick the language to edit from a dropdown in the General and Categories tabs and translate every visible string per locale. With the optional Polyglot plugin installed, an AI Translate button auto-fills any target language from the source.
  • Built-in licensing & updates. Enter your license key on the General tab to enable one-click automatic updates from the Slotix update server — no manual ZIP uploads required.
  • Configurable cookie lifetime. The consent cookie can be set to expire anywhere from 1 to 730 days.
  • Developer friendly. PHP and JavaScript APIs plus a ccm:consent-updated DOM event let you integrate with custom themes, plugins and third-party tag managers.

Requirements

ComponentMinimum version
WordPress5.8 (tested up to 7.0)
PHP7.4
MySQL5.7
MariaDB10.3

The plugin works on any modern theme. No additional libraries, build steps or external services are required for the frontend banner to run. Polyglot is optional; install it only if you need multilingual translations of the banner copy.

Installation

  1. Download the latest cookie-consent.zip from the Slotix plugin portal or your purchase receipt.
  2. In WordPress, navigate to Plugins → Add New → Upload Plugin.
  3. Select the ZIP file and click Install Now.
  4. Click Activate Plugin once installation completes.
  5. Open Settings → Cookie Consent to begin configuration. On a fresh install the banner is enabled with sensible defaults, but you should review every tab before going live.

Alternatively, you can upload the unzipped cookie-consent folder to /wp-content/plugins/ over SFTP and activate the plugin from Plugins → Installed Plugins.

Configuration

The settings screen is split into five tabs: General, Appearance, Categories, Script Blocking and Statistics. Work through them in order the first time you set up the plugin.

General

General settings tab
General settings tab

The General tab is split into four cards, top to bottom: License, the Editing language picker, Banner Texts, and Global Settings.

License. Paste the license key you received in your purchase confirmation email — for example PILOT-XXXX-XXXX-XXXX-XXXX. Click Verify & Save; the plugin contacts the Slotix update server, validates the key against your domain, and enables one-click automatic updates from the WordPress Plugins screen. Without a key the plugin keeps working, but you will need to upload new ZIPs manually for every release.

Editing language. A dropdown listing the languages that are currently enabled on the site (English, Italian, Spanish, French and German by default). Every text field below is stored per language — switching the picker swaps the visible values without losing the others. If the optional Polyglot plugin is installed and active, a Translate with AI button appears next to the picker; click it to auto-fill the current target language from the default-language source.

Banner Texts. Wording shown to visitors. Each field is localised per the active editing language.

  • Banner Title — headline shown at the top of the banner; defaults to “We value your privacy”.
  • Banner Description — explanatory paragraph. Mention which cookies you set and link to the full privacy policy. The literal phrase “Privacy Policy” inside the description is auto-converted into a link to the configured Privacy Policy URL.
  • Accept All Button — defaults to “Accept all”. Opts the visitor in to every category.
  • Decline All Button — defaults to “Decline all”. Required by GDPR to be as prominent as Accept All.
  • Cookie Settings Button — defaults to “Cookie settings”. Opens the granular consent modal from the banner.
  • Accept Selected Button — defaults to “Accept selected”. Shown inside the modal; saves whatever the visitor toggled and closes the dialog.

Global Settings. Apply across all languages.

  • Privacy Policy URL — where the inline “Privacy Policy” link in the banner description points to. Accepts a relative path (/privacy-policy) or a full URL. Leave blank to hide the link.
  • Cookie Expiry — how long the consent decision is remembered, in days. Acceptable values: 1 to 730. The GDPR recommendation is 365 days; longer values reduce re-prompts but may be flagged by strict auditors.

Appearance

Appearance settings tab
Appearance settings tab

The Appearance tab is organised into three sections: Layout, Colors and Preview.

Layout.

  • Banner Position — choose Bottom Left, Bottom Right, Bottom Center, Top Bar, or Center Modal. The Center Modal renders a centered dialog with a backdrop that blocks interaction with the page until a decision is made; use it only when strict compliance is required, as it is more intrusive.
  • Floating Button — a checkbox. When enabled, a small icon stays anchored in the corner of the page so visitors can reopen the consent settings at any time. Required in some jurisdictions (notably Italy and France).

Colors. Each row pairs a native color swatch with a hex input — clicking the swatch opens your operating system’s color picker, and the hex value is kept in sync with the swatch in both directions.

  • Primary Color — used for buttons and toggles in the modal. Pick a color that meets WCAG AA contrast against white text.
  • Background Color — the banner and modal background. Defaults to white.
  • Text Color — body text. Defaults to a dark gray.

Preview. A live miniature of the banner sits below the color rows and updates in real time as you change titles, descriptions, button labels and colors elsewhere in the admin — so you can verify the result before saving.

Categories

Categories settings tab
Categories settings tab

Three categories ship with the plugin. You can rename them and edit their descriptions per language. The Necessary category is always active and is shown to visitors with an “Always on” badge instead of a toggle — it cannot be disabled, nor switched off by the visitor.

  • Necessary. Cookies required for the site to function — session, authentication, security tokens, language preference. Always active.
  • Analytical. Statistical cookies that measure how visitors interact with the site. Examples: _ga, _gid, _hjSession, mp_*.
  • Marketing. Cookies used to track visitors across sites for advertising. Examples: _fbp, fr, IDE, li_sugr.

For each non-necessary category you can edit:

  • Name — displayed as the category title in the settings modal. Localised per editing language.
  • Description — shown beneath the title. Explain in plain language which scripts the category controls. Localised per editing language.
  • Enabled by default — when checked, the toggle starts in the ON position when a first-time visitor opens the modal (they can still flip it off before clicking Accept Selected). When unchecked, the toggle starts OFF.

The Categories tab respects the Editing language picker at the top, so you can author Italian descriptions for the Italian banner and English descriptions for the English banner independently. The structural settings (which categories exist, whether they are required, their default state) are global and shared across languages.

Script Blocking

Script blocking settings tab
Script blocking settings tab

This is where compliance happens. Without script blocking the banner is decorative — visitors can decline cookies but third-party scripts will still load.

The tab is split into an Add New Script Pattern form at the top and two tables below, one for the Analytical category and one for Marketing.

The Add form takes three fields:

  • Name — a human-readable label that appears in the admin tables (e.g. “Google Analytics”). Not visible to visitors.
  • URL Pattern — a case-insensitive substring matched against each script’s src attribute and inline body. Examples: google-analytics.com, googletagmanager.com, connect.facebook.net, hotjar.com, linkedin.com/insight.
  • Category — Analytical or Marketing. The script is loaded only after the visitor opts in to that category.

Each row in the Analytical / Marketing tables shows the Name, Pattern, a per-row Status toggle (enable/disable without deleting), and a Delete action. The plugin ships with a starter set of patterns for the most common analytics and ad platforms; review and extend it based on your actual tag manager configuration.

Patterns are matched on every page load. Blocked scripts have their type attribute rewritten to text/plain so the browser does not execute them. When consent is granted, the runtime locates the blocked tags, restores their type to text/javascript and re-injects them so they execute immediately without a page reload.

Statistics

Statistics dashboard
Statistics dashboard

The Statistics tab is read-only and is organised into three KPI tiles at the top and a paginated Daily Breakdown table below.

KPI tiles.

  • Total Consents — every Accept All, Decline All or Accept Selected counts as one record.
  • Analytical Accepted — total visitors who opted in to Analytical, with the acceptance percentage relative to Total Consents.
  • Marketing Accepted — same for Marketing.

Daily Breakdown. A table with one row per calendar day that recorded at least one consent decision, showing Date, Total, Analytical and Marketing acceptance counts. The list is sorted newest-first and is paginated 15 rows per page; use the navigation buttons (« ») or type a page number directly into the input to jump. The top-right corner shows the total day count.

Use these numbers to estimate how much of your analytics traffic you are losing to consent declines and to demonstrate to auditors that consent collection is functioning.

Usage

Once configured, the banner appears automatically on the first visit and after the consent cookie expires. No shortcodes or template tags are required.

Reopening the settings modal

If the floating button is disabled, you can add a link anywhere on your site that lets visitors reopen the settings. Use a regular anchor with a class:

<a href="#" class="ccm-open-settings">Cookie preferences</a>

Any element with the class ccm-open-settings will open the consent modal on click. This is useful for footer links and account pages.

PHP API

Server-side code can branch on consent before emitting markup or enqueuing scripts:

if ( function_exists( 'cookie_consent' ) && cookie_consent()->public->has_consent( 'analytical' ) ) {
    wp_enqueue_script( 'my-analytics', 'https://example.com/analytics.js', array(), null, true );
}

Categories accepted by has_consent() are the slugs from the Categories tab: necessary, analytical, marketing, plus any custom slugs you added.

JavaScript API

The frontend exposes a CookieConsent global with a small, stable API:

// Check whether the visitor has opted in to a specific category.
CookieConsent.hasConsent('marketing'); // → true | false
 
// Read the full consent object.
CookieConsent.getConsent();
// → { necessary: true, analytical: true, marketing: false, ts: 1716000000 }
 
// Programmatically open the settings modal.
CookieConsent.openSettings();
 
// Wipe the stored decision so the banner reappears.
CookieConsent.resetConsent();

The runtime dispatches a DOM event whenever consent is granted, updated or revoked. Listen for it to drive your own integrations — for example, to push a custom dataLayer event into Google Tag Manager:

document.addEventListener('ccm:consent-updated', function (event) {
    const consent = event.detail;
    window.dataLayer = window.dataLayer || [];
    window.dataLayer.push({
        event: 'cookie_consent_update',
        analytical: consent.analytical,
        marketing: consent.marketing,
    });
});

The event payload mirrors the object returned by CookieConsent.getConsent().

Filter hook

PHP developers can modify the settings object passed to the frontend runtime with the ccm_js_settings filter. This is useful for overriding text on a per-language or per-page basis without touching the database:

add_filter( 'ccm_js_settings', function ( $settings ) {
    if ( is_page( 'corporate' ) ) {
        $settings['title'] = __( 'Corporate cookie policy', 'my-theme' );
    }
    return $settings;
} );

Database tables

On activation the plugin creates two tables in the WordPress database:

  • {wp_prefix}ccm_consents — one row per consent decision, with timestamp, hashed IP, user agent and the per-category boolean choices.
  • {wp_prefix}ccm_blocked_scripts — the script blocking patterns configured in the admin.

Both tables are removed by the bundled uninstall.php when the plugin is deleted through the WordPress UI.

Screenshots

The screens below illustrate a complete configuration cycle.

Cookie consent dialog as visitors see it
Cookie consent dialog as visitors see it
General tab with banner copy and cookie expiry
General tab with banner copy and cookie expiry
Appearance tab with live preview
Appearance tab with live preview
Categories tab with the three default groups
Categories tab with the three default groups
Script blocking tab with URL patterns mapped to categories
Script blocking tab with URL patterns mapped to categories
Statistics dashboard with acceptance rates
Statistics dashboard with acceptance rates

FAQ

Is the plugin GDPR compliant out of the box?

The plugin provides all the technical primitives required for GDPR compliance: prior consent, granular categories, an equally prominent reject button, easy withdrawal of consent, and a tamper-evident log. Compliance is a property of how you configure the plugin: you must still register every third-party script in the Script Blocking tab, write an accurate privacy policy, and link to it from the banner.

Does it cover CCPA and other privacy laws?

The same mechanism — granular categories, script blocking and a re-openable settings dialog — satisfies the CCPA “Do Not Sell” requirement, the UK GDPR, Brazil’s LGPD and most other modern privacy laws. For region-specific button text you can use the ccm_js_settings filter together with a geolocation plugin, or rely on Polyglot for language-based variation.

Will it slow down my site?

No. The frontend runtime is a single vanilla JavaScript file (around 12 KB minified, no jQuery, no external dependencies) loaded with defer. The banner is rendered in a single DOM pass and there is no remote call during page load.

Does it work with caching plugins?

Yes. The banner reads its consent state from a first-party cookie and renders entirely client-side, so it is compatible with full page caches (WP Rocket, LiteSpeed Cache, W3 Total Cache, Cloudflare APO). Make sure the consent cookie is not stripped by your caching layer.

How does it integrate with Google Tag Manager?

There are two supported patterns. The simplest is to add googletagmanager.com to the Script Blocking tab and assign it to the Analytical or Marketing category — GTM itself will not load until consent is granted. The more flexible pattern is to let GTM load unconditionally and gate individual tags inside GTM using the ccm:consent-updated event as a trigger.

Can I translate the banner?

Yes. The plugin is fully internationalized; the text domain is cookie-consent and .pot files live in the languages folder. If you have the Polyglot plugin installed, banner strings are picked up automatically and translated for every active language. You can also override text per page via the ccm_js_settings filter.

For the number of days you configure under General → Cookie expiry. The default is 365 days. When the cookie expires the banner reappears and the visitor must consent again.

Does the plugin store personal data?

The consent log stores a SHA-256 hash of the visitor’s IP address (never the raw IP), the user agent string, a timestamp, and the per-category choices. No names, email addresses or full IP addresses are kept. The log is intended to satisfy the GDPR requirement to demonstrate that consent was given.

The log is stored in a standard WordPress table ({wp_prefix}ccm_consents) and can be exported with any database tool — phpMyAdmin, Adminer, wp db export, or a SQL client. A native CSV export from the Statistics tab is planned for a future release.

Troubleshooting

The banner does not appear

The banner is shown automatically only when there is no ccm_consent cookie in the visitor’s browser. If you have already accepted or declined on a previous visit, the decision is remembered for the configured Cookie Expiry — typically 365 days — and the banner stays hidden. To test from scratch, open browser DevTools, delete the ccm_consent cookie under Application → Cookies, and reload. As a non-destructive alternative, click the floating settings button (if enabled) and use Decline all to surface the banner on the next page load, or call CookieConsent.resetConsent() from the browser console.

Scripts still load after rejecting

Verify that every tracking script is listed under Script Blocking and that the URL pattern actually matches. Inline scripts injected by theme or page builders are blocked too, but only when their content contains the configured pattern. Use the browser DevTools Network tab to identify the exact host of any request that slipped through, then add it to the Script Blocking table.

Floating button overlaps other widgets

Disable Show floating button under Appearance and instead add a <a class="ccm-open-settings">Cookie preferences</a> link to your footer. This gives you full control over placement.

Statistics show zero consents

Counters increment only when a visitor clicks a banner button. Page views without a banner interaction are not logged. If you see zero after launch, check that the banner is being rendered and that you are not browsing as a logged-in administrator on a page where the banner has been dismissed previously.

Polyglot must be installed and activated, and the target language must be enabled in Polyglot → Settings. The banner strings are translated on first request after a language is enabled; visit a page in that language once as an administrator to trigger translation.

Settings reset after update

All admin configuration (banner texts, categories, appearance, translations) lives in the single ccm_settings WordPress option. Script blocking patterns live in the {wp_prefix}ccm_blocked_scripts table. Neither is touched during plugin updates. If you see resets, check whether a security or staging-sync plugin is overwriting options — this is rarely the cookie consent plugin itself.

Last updated on