WordPress.org

• Home Page
• WordPress Lessons
• Getting Started
• Working with WordPress
• Design and Layout
• Advanced Topics
• Troubleshooting
• Developer Docs
• About WordPress

Codex Resources

• Community portal
• Current events
• Recent changes
• Random page
• Help

WordPress Cookies

Contents 1 Users 2 Commenters 3 References

WordPress uses cookies, or tiny pieces of information stored on your computer, to verify who you are. There are cookies for logged in users and for commenters.

Users

Users are those people who have registered an account with the WordPress blog in question.

When you log into WordPress from http://example.com/wp-login.php, WordPress stores the following two cookies:

• Your user name
• A double-hashed copy of your password

Please note: This changed in WordPress 2.5. A single cookie is now set containing all the required data. This page will (hopefully) be updated in due course. I don't fully understand the new system, otherwise I'd update it now! chmac 09:33, 2 May 2008 (UTC)

The cookies are set to expire one year from the time they are set.

The actual cookies contain hashed data, so you don't have to worry about someone gleaning your username and password by reading the cookie data. A hash is the result of a specific mathematical formula applied to some input data (in this case your user name and password, respectively). It's quite hard to reverse a hash (bordering on practical infeasibility with today's computers). This means it is very difficult to take a hash and "unhash" it to find the original input data.

WordPress uses the two cookies to bypass the password entry portion of wp-login.php. If WordPress recognizes that you have valid, non-expired cookies, you go directly to the WordPress Administration interface. If you don't have the cookies, or they're expired, or in some other way invalid (like you edited them manually for some reason), WordPress will require you to log in again, in order to obtain new cookies.

The functions to set and remove cookies are currently defined in /wp-includes/pluggable-functions.php.

wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '') 

This function sets the cookie.

wp_clearcookie() 

This function will delete the cookie from the client browser. This happens when the user clicks on the Logout link in the Administration interface.

The following function also utilizes the cookies:

auth_redirect() 

Checks whether the cookie is present on the client browser. If it is not, the user is sent to the wp-login.php login screen. After logging in, the user is sent back to the page he or she attempted to access.

Commenters

When visitors comment on your blog, they too get cookies stored on their computer. This is purely a convenience, so that the visitor won't need to re-type all their information again when they want to leave another comment. Three cookies are set for commenters:

• comment_author
• comment_author_email
• comment_author_url

Again, all the data in the cookies is stored hashed. When the visitor returns to your blog, WordPress checks for the existence of their cookie, and then tries to compare their hashed data with the values stored in the WordPress database.

The commenter cookies are set to expire a little under one year from the time they're set.

References

• Wikipedia: Cookies
• Netscape cookie specification
• RFC2965
• PHP cookie documentation