In a Nutshell
Server-Side Blocking
Prevents tracking scripts from loading at the PHP level – not just hiding them after they’ve fired.
Google Consent Mode v2
Native support for GA4, Google Ads, and GTM with data redaction and URL passthrough.
Audit-Ready Logs
Server-side consent logging with CSV export for legal proof of compliance.
100% Self-Hosted
No SaaS, no external APIs, no monthly fees. One-time purchase, full ownership.
Who this is for: WordPress site owners, agencies, and developers who need genuine compliance – not just a cosmetic banner.
Running a WordPress site today means navigating a complex landscape of cookies, tracking scripts, and strict privacy laws like GDPR, CCPA, and LGPD. The TayIT GDPR & Consent Plugin is built for site owners, agencies, and developers who need more than just a cosmetic “cookie banner” – they need a robust, self-hosted compliance engine they can actually rely on.
The Problem: "Banner-Only" Compliance Is Broken
Too many WordPress cookie plugins are, in practice, just "banner plugins":
- They show a pop-up and store a consent choice, but don't actually enforce that choice on the server.
- They rely on JavaScript to scan cookies after the page has already loaded, which means some tracking happens before the banner is even visible.
- They give the illusion of compliance while leaving real technical gaps between "what we promise visitors" and "what actually happens on the server".
For example, a visitor clicks “Reject all” – but:
- PHP session cookies are still set before consent is given.
- WordPress.com stats or Jetpack tracking (
stats.wp.com,pixel.wp.com) continue to collect data from visitors and even admins. - WooCommerce Order Attribution (Sourcebuster) drops multiple cookies on every visitor by default, even when they try to reject analytics.
- Third-party scripts (analytics, pixels, GTM) are still fired in the page source, then "hidden" with CSS or JavaScript.
- Cookies from lead-gen forms or ad scripts leak into the user's browser anyway.
That's not compliance. That's a cosmetic exercise that exposes site owners to legal risk, not protection from it.
Key takeaway: If your “cookie consent” plugin only hides scripts after they’ve loaded, you don’t have consent – you have a legal liability.
Why Cosmetic Consent Fails Legally
1. Regulations Require Prior Consent (Not Just a Banner)
GDPR (Europe), CCPA (California), and LGPD (Brazil) all follow the same core principle: non-essential data processing must happen only after a user has given explicit, informed consent.
"Prior consent" means:
- No cookies are set until the user has seen a clear notice and has actively chosen to enable categories.
- No tracking scripts connect to third-party servers until consent is granted.
If your plugin only "hides" or "disables" scripts after they've already loaded, the data exchange has already happened. That's a violation of prior consent, not compliance.
2. "Implied Consent" Is No Longer a Safe Legal Strategy
In many jurisdictions, it's no longer enough to assume consent just because someone continued browsing your site. Regulators expect:
- Unchecked categories by default.
- Explicit, affirmative action (e.g., clicking "Accept" for each category).
- Proof that the user could have rejected everything and still used the site.
Most “banner-only” plugins fail this. They use cookie walls, pre-ticked checkboxes, or “disabling” scripts instead of true blocking – leaving site owners with weak legal defences.
3. Cookie Walls Are Not a Legal Loophole
Many plugins try to force consent by making site access depend on accepting cookies. But this is not compliant with GDPR and similar laws. You must allow users to browse the site (with only strictly necessary cookies) even if they reject all non-essential tracking.
A real compliance tool must:
- Allow users to reject all marketing/tracking cookies and still use the site.
- Only load non-essential scripts when consent is given.
4. Server-Side Cookies Are Often Missed
Most cookie scanners only run in the browser after page load. This means they miss:
- PHP session cookies created server-side.
- Cookies from WordPress core, WooCommerce, login systems, and other plugins.
- WooCommerce Order Attribution (Sourcebuster) cookies that are injected automatically to track marketing sources.
- Non-essential cookies that are sent to the browser before the consent banner even appears.
In a typical WooCommerce store, this means that detailed marketing attribution data is being collected via Sourcebuster cookies whether or not a visitor accepts analytics cookies. TayIT blocks those Sourcebuster scripts at the server level by default, so WooCommerce Order Attribution cannot set its cookies unless you explicitly choose to allow it in the plugin's advanced settings.
If your cookie policy falsely claims to list “all cookies” but misses server-side ones, that policy is factually incorrect – another compliance red flag.
The Real Solution: A Server-Side Compliance Engine
The TayIT GDPR & Consent Plugin is built from the ground up as a privacy gatekeeper that runs at the server level, not just in the browser. Rather than relying on JavaScript hooks and front-end tricks, TayIT moves the compliance logic to PHP, where it can actually enforce user choices before any data is sent.
How TayIT Works: True Prior Blocking
On page load, TayIT's engine:
- Intercepts tracking scripts that set non-essential cookies (Google Analytics, Facebook Pixel, Woo Order Attribution, etc.) at the PHP level – before they’re sent to the browser. In Strict Mode it can block all external scripts unless you whitelist them.
- Prevents scripts from rendering in the page source until the user consents or you explicitly allow them.
- Replaces media embeds (YouTube, Google Maps, etc.) with placeholders that only load when the user clicks to accept.
That’s not “hiding” scripts. That’s actually preventing them from running at all until consent is given – which is what GDPR and LGPD expect.
Client-Side vs. Server-Side Blocking
| Feature | Client-Side (Typical Free Plugin) | Server-Side (TayIT) |
|---|---|---|
| Scripts blocked before loading | No | Yes |
| PHP session cookies detected | No | Yes |
| WooCommerce Sourcebuster blocked | No | Yes (default) |
| Consent logged server-side | Usually not | Yes |
| Audit-ready CSV export | Rarely | Yes |
Server-Side Cookie Detection: No More Hidden Cookies
Unlike browser-only scanners, TayIT uses a server-side cookie scanner to detect:
- PHP session cookies and other server-set cookies.
- Cookies from WordPress core, plugins, and themes.
- Third-party cookies that are injected before the page is fully built.
Because it runs at the server level, TayIT can build a more accurate, complete cookie list than any purely client-side tool. This makes it possible to accurately describe your cookie usage in your policy, not just guess and hope.
Google Consent Mode v2, Not IAB TCF
For most business sites, the practical requirement is not the publisher-focused IAB TCF framework, but Google's modern Consent Mode v2.
TayIT supports Consent Mode v2 natively, so you can:
- Ensure GA4, Google Ads, and GTM adjust their behaviour correctly when consent is denied.
- Strip personal data from ad clicks when marketing cookies are denied (data redaction).
- Pass ad click information via URL parameters instead of cookies when consent is denied (URL passthrough).
- Push clear consent events into the GTM data layer to trigger or block tags.
This lets you respect user privacy while still maintaining valuable analytics and conversion insights, without the complexity and external dependencies of TCF.
Protecting More Than Just Visitors: Admin Shield
Privacy concerns don't stop at the front-end. Many WordPress plugins quietly install trackers in the admin dashboard that send data about your site, plugins, and usage to third-party servers (e.g., stats.wp.com, pixel.wp.com).
TayIT includes a unique feature: Admin Shield. It:
- Identifies and blocks specific backend trackers in the WordPress admin area, currently focusing on
stats.wp.comandpixel.wp.comwhen they are injected without Jetpack. - Replaces the tracking script with a comment like
<!-- TayIT GDPR: Blocked Admin Tracker (stats.wp.com) -->so you can verify it's working. - Respects an explicit Jetpack installation by leaving its admin tracking intact on the assumption that you chose to enable those features.
Other consent plugins only protect visitors. TayIT protects your entire site, including your own workspace as an admin.
Real Proof of Compliance, Not Just a Cookie
Getting consent is only half the battle. GDPR, CCPA, and LGPD all require you to be able to prove that consent was obtained, recorded, and can be exported for audit.
Secure, Auditable Consent Logs
TayIT logs every consent event server-side:
- Each consent choice: accept, reject, category update.
- Timestamp, IP address, and user agent.
- Full consent state (which categories were granted or denied).
You can:
- View recent logs directly in the WordPress dashboard.
- Click "View Details" to see the full JSON data for each event.
- Export the full log history as a CSV for legal or internal audit purposes.
This is audit-level evidence, not just a browser cookie that can be deleted.
Handling Data Subject Requests (DSR) in WordPress
Privacy laws give users the right to access, export, and delete their personal data. TayIT makes this manageable with a built-in DSR system:
- Add a simple shortcode
[tayit_gdpr_request_form]to create a DSR request page. - Visitors can submit data access or deletion requests and verify their email (double opt-in).
- Requests are then viewable in the admin panel, so you can process them within your normal workflow.
This turns a complex legal obligation into a simple, integrated process, not something you have to handle through email or external tools.
Accessibility, Flexibility, and Ownership
Compliance should never come at the cost of usability or control.
Accessibility (WCAG 2.1 AA)
The TayIT consent banner and preference center are designed to be:
- Fully keyboard-navigable, with proper focus management.
- Screen-reader friendly, with correct ARIA labels and landmarks.
- Compliant with WCAG 2.1 AA, so you're not creating an accessibility barrier while chasing privacy compliance.
Full Customisation
The plugin is built to match your brand and site design:
- Choose layout: top, bottom, or floating box.
- Customise colours, fonts, and button styles.
- Adjust cookie expiry (default 365 days for accepted, 1 day for rejected).
- Publish a live preview so you can see changes before going live.
Self-Hosted, No SaaS, No External Dependencies
TayIT is 100% self-hosted:
- No external consent server or CMP API.
- No data is sent to third-party systems.
- License is permanently bound to your domain for security and simplicity.
- No monthly subscriptions or pageview limits.
You keep ownership, control, and all data on your own server.
Pricing and Licensing
TayIT uses a simple one-time pricing model. There are no monthly fees, no traffic-based limits, and no external SaaS bills.
Frequently Asked Questions
Why are free cookie banners not GDPR compliant?
Free cookie banners typically only hide tracking scripts using CSS or JavaScript after they've already loaded. They don't actually block cookies at the server level, meaning tracking happens before consent is given. True GDPR compliance requires prior consent with server-side blocking, which free plugins rarely provide.
What is server-side cookie blocking and why does it matter?
Server-side cookie blocking intercepts tracking scripts at the PHP level before they're sent to the browser. This ensures cookies are never set until explicit consent is given, unlike client-side blocking which only hides scripts after they've already loaded. This is the only method that truly satisfies GDPR's "prior consent" requirement.
What is Google Consent Mode v2?
Google Consent Mode v2 is a framework that allows Google Analytics, Google Ads, and Google Tag Manager to adjust their behavior based on user consent choices. It enables data redaction when marketing cookies are denied and URL passthrough for ad attribution without cookies. TayIT supports Consent Mode v2 natively.
Does TayIT handle Data Subject Requests (DSR)?
Yes, TayIT includes a built-in DSR portal. Visitors can submit data access or deletion requests using a simple shortcode, verify via double opt-in email, and requests appear in the WordPress admin panel for processing. This helps you comply with GDPR Article 17 (Right to Erasure) and Article 15 (Right of Access).
Is TayIT a SaaS or subscription-based service?
No. TayIT is 100% self-hosted WordPress plugin with no external consent servers, no SaaS dependencies, and no monthly fees. You make a one-time purchase for a license that includes 1 year of updates and support. The plugin continues to work even if you don't renew.
What is the Admin Shield feature?
Admin Shield is a unique TayIT feature that blocks backend trackers like stats.wp.com and pixel.wp.com in the WordPress admin area when they're injected without Jetpack. Other consent plugins only protect visitors; TayIT protects your entire site including your own workspace as an admin.
Important Legal Note
TayIT is a technical tool that gives you the controls regulators expect:
- Blocking non-essential cookies and scripts before consent.
- Server-level scanning and accurate cookie lists.
- Secure consent logging and audit trails.
- DSR and admin privacy features.
However:
- No plugin can guarantee legal compliance on its own.
- GDPR, CCPA, and LGPD also require accurate privacy policies, cookie policies, contracts with data processors, and internal procedures.
- TayIT is designed to be a strong technical foundation, but it should be used as part of a wider compliance programme and, where appropriate, with professional legal advice.
Ready to Build a WordPress Site That's Truly Compliant?
Tired of "banner-only" plugins that give you a pretty notice while hiding the real risks?
- Blocks key tracking scripts at the server level - cookies are never set without consent
- Scans for server-side and plugin cookies that other tools miss
- Google Consent Mode v2 support without the complexity of IAB TCF
- Admin Shield and DSR portal protect your dashboard and handle user requests
- Real, exportable audit logs - proof of compliance, not just theory