Skip to content

fabiodalez-dev/FAZ-Cookie-Manager

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

169 Commits
.githooks
.githooks
 
 
.github/workflows
.github/workflows
 
 
admin
admin
 
 
assets/screenshots
assets/screenshots
 
 
frontend
frontend
 
 
includes
includes
 
 
integrations
integrations
 
 
languages
languages
 
 
public
public
 
 
tests/e2e
tests/e2e
 
 
.env.e2e.example
.env.e2e.example
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
class-autoloader.php
class-autoloader.php
 
 
composer.json
composer.json
 
 
composer.lock
composer.lock
 
 
cookie-banner-compliance-checklist.md
cookie-banner-compliance-checklist.md
 
 
eslint.config.mjs
eslint.config.mjs
 
 
faz-cookie-manager.php
faz-cookie-manager.php
 
 
index.php
index.php
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 
readme.txt
readme.txt
 
 
revisit.svg
revisit.svg
 
 
social-preview.png
social-preview.png
 
 
uninstall.php
uninstall.php
 
 
wpml-config.xml
wpml-config.xml
 
 

Repository files navigation

FAZ Cookie Manager

The only cookie consent plugin you need. 100% free, zero cloud dependencies, no subscriptions.

Tired of cookie consent plugins that lock essential features behind paywalls, require cloud accounts, or send your visitors' data to third-party servers?

FAZ Cookie Manager is a WordPress plugin that gives you everything you need to make your site compliant with international privacy regulations -- completely free, with no strings attached.

No account to create. No cloud service to connect. No "premium" plan to unlock basic features like consent logging or geo-targeting. Everything runs on your own server, and you own all your data.

Why FAZ Cookie Manager?

Most cookie consent plugins follow the same pattern: a free version with crippled features, and a paid tier starting at $10-50/month that unlocks what you actually need. FAZ Cookie Manager breaks that model:

Feature Others (free) Others (paid) FAZ Cookie Manager
Cookie banner Limited Full Full
Cookie scanner No Yes Yes
Consent logging + CSV export No Yes Yes
Google Consent Mode v2 No Yes Yes
IAB TCF v2.3 + GVL No Yes Yes
Geo-targeting No Yes Yes
Multi-language (180+) No Yes Yes
Cloud dependency No Yes No
Price Free $10-50/mo Free forever

A note on IAB TCF v2.3: The plugin includes a fully functional IAB TCF v2.3 CMP implementation -- TC String encoding, GVL integration, vendor consent UI, and all required __tcfapi() commands work correctly. However, for the TC String to be recognized by the ad-tech supply chain, the CMP must be registered with IAB Europe (which requires an annual fee). CMP registration is on the roadmap. If you'd like to help make it happen, consider supporting the project:

Buy Me A Coffee

Screenshots

Cookie Consent Banner

GDPR-compliant banner with Customize, Reject All, and Accept All buttons. Appears on first visit, fully responsive and keyboard accessible.

Cookie consent banner

Dashboard

Analytics overview with pageviews chart, consent distribution (accept/reject rates), and quick links to all plugin sections.

Dashboard

Cookie Banner Editor

Customize layout (box, bar, popup), position, theme (light/dark), and regulation type (GDPR/CCPA/both) with a live preview. Includes tabs for Content, Colours, Buttons, Preference Center, and Advanced settings.

Cookie Banner editor

Cookies Management

View all detected cookies organized by category (Necessary, Functional, Analytics, Performance, Advertisement). Edit, delete, or add cookies manually. Integrated with the Open Cookie Database (2,242 definitions) for automatic categorization.

Cookies management

Cookie Scanner

Built-in browser-based scanner with multiple scan depths: Quick (10 pages), Standard (100), Deep (1,000), or Full scan. Runs locally -- no external service, no API limits.

Cookie scanner

Consent Logs

Complete audit trail of every visitor's consent decision. Shows consent ID, status, categories chosen, anonymized IP, and page URL. Search, filter, and export to CSV for GDPR accountability.

Consent Logs

Google Consent Mode v2

Configure all 7 consent signal types with default and granted states. Includes Google Additional Consent Mode (GACM) for ad technology provider IDs.

Google Consent Mode

Languages

Select from 180+ available languages. The banner text adapts automatically to the visitor's browser language.

Languages

Settings

Global controls: enable/disable banner, exclude pages, consent log retention, scanner limits, Microsoft UET/Clarity consent APIs, and IAB TCF v2.3 toggle with CMP ID and Purpose One Treatment options.

Settings

Compliance

Standard Status Details
GDPR (EU) Compliant Opt-in model, granular consent, right to withdraw
ePrivacy Directive Compliant No cookies before consent, script blocking
CCPA / CPRA (California) Supported "Do Not Sell" opt-out, GPC signal detection
Garante Privacy LG 2021 (Italy) Compliant Equal-weight buttons, no scroll-as-consent, 6-month max expiry
EDPB Guidelines Compliant Scroll != consent, no pre-checked categories, equal button prominence
IAB TCF v2.3 Compliant Full __tcfapi() CMP, GVL integration, real vendor consent, DisclosedVendors segment
Google Consent Mode v2 Compliant Default-denied signals, consent update on interaction
LGPD (Brazil) Supported Consent-based model
POPIA (South Africa) Supported Opt-in consent
WCAG 2.1 AA Partial Keyboard navigation, focus indicators, ARIA labels
WP Consent API Compliant Registered via wp_consent_api_registered_ filter

Legal Disclaimer: Compliance status depends on correct plugin configuration for your specific use case and does not constitute a legal guarantee. This table is for informational purposes only and is not legal advice. Consult a qualified legal professional for your jurisdiction.

Automated Compliance Tests

175 Playwright tests verify compliance at runtime:

  • TF01-TF18: Full functional test suite covering banner display, cookie blocking, consent flow, mobile, accessibility, revocation, logging, GCM signals, and cookie declarations
  • P05: No ambiguous button labels (dark pattern check)
  • G07: Non-technical toggles OFF by default
  • I08: Technical cookies non-disableable
  • T01-T03: IAB TCF __tcfapi CMP stub, TC String format, cross-frame messaging
  • GCM01-GCM05: Google Consent Mode default-denied, granted on accept, revocation
  • CD01-CD03: Cookie declarations, descriptions, categories
  • VIS01-VIS09: Visual integrity checks across banner types and preference centers
  • IAB01-IAB39: IAB Settings page, GVL admin page, vendor selection, TC String validation

Test suite includes 175 automated compliance checks.

Installation

  1. Download the latest release from GitHub Releases
  2. Upload the faz-cookie-manager folder to /wp-content/plugins/
  3. Activate in WordPress admin > Plugins
  4. Go to FAZ Cookie in the admin sidebar
  5. Click Scan Site on the Cookies page to detect cookies
  6. Customize banner design, text, and regulation type

Requirements

  • WordPress 5.0+
  • PHP 7.4+
  • MySQL/MariaDB
  • No external services required (except optional: GitHub for cookie database updates, ip-api.com for geolocation fallback)

Features (detailed)

Cookie Banner

  • Three banner types: Classic (bar), Popup (modal), Box (widget)
  • Configurable position: Top, bottom, or any corner
  • Three legislation modes: GDPR (opt-in), CCPA (opt-out), Info-only
  • Preference center: Granular per-category toggles with cookie audit tables
  • Full color customization: Background, text, button colors via color pickers
  • Theme presets: Light and dark themes
  • Brand logo: Upload custom logo via WordPress Media Library
  • Live preview: Real-time banner preview in admin as you edit
  • Responsive: Adapts to mobile viewports, tested on 375px width
  • RTL support: Arabic, Hebrew, Persian, Urdu, and other RTL languages
  • Consent expiry: Capped at 180 days per Garante Privacy requirements
  • Revisit widget: Floating button to reopen preferences after consent
  • Video placeholder: Blocks YouTube/Vimeo embeds until consent
  • Page exclusions: Skip banner on specific pages (supports wildcards)
  • Subdomain sharing: Share consent across subdomains
  • Reload on accept: Optional page reload after consent

Buttons

  • Accept All -- grants consent to all categories
  • Reject All -- denies all non-necessary categories (equal visual weight as Accept)
  • Customize / Settings -- opens preference center for granular control
  • Read More -- links to privacy policy (configurable: button or link, nofollow, new tab)
  • Do Not Sell -- CCPA opt-out button (only in CCPA mode)

Cookie Management

  • Cookie list: Full CRUD for cookies -- name, domain, duration, description, category, URL pattern
  • Cookie categories: Necessary, Functional, Analytics, Performance, Advertisement, Uncategorized
  • Per-category prior consent: Each category has a configurable prior_consent flag. Set to OFF for first-party analytics cookies that meet the Garante Privacy exemption (first-party only, aggregated data, anonymized IP, no cross-referencing)
  • Audit table: Per-category cookie listing embedded in the preference center
  • Multilingual descriptions: Cookie description and duration stored per-language

Cookie Scanner

A fully local browser-based cookie crawler -- no external scanning service.

  • Discovers pages via sitemap.xml parsing + homepage link extraction
  • Scans pages in iframes to detect all cookies
  • Configurable scan depth: Quick (10), Standard (100), Deep (1000), Full
  • Deduplicates -- never overwrites existing cookie entries
  • Scan history with results

Open Cookie Database

Integrates the Open Cookie Database (Apache-2.0) for automatic cookie identification.

  • 2,200+ cookie definitions from major platforms (Google, Facebook, Microsoft, Stripe, etc.)
  • Auto-download on first activation
  • Manual update via admin UI button
  • Exact + wildcard matching: e.g., _gat_ prefix matches _gat_UA-12345
  • Auto-categorize: One-click bulk categorization

Google Consent Mode v2

Full GCM v2 integration with all required consent signals:

  • ad_storage, analytics_storage, functionality_storage, personalization_storage, security_storage
  • ad_user_data, ad_personalization (v2 additions)
  • Default: all denied -- updates to granted on consent
  • Wait for update -- configurable delay (ms) for slow-loading CMPs
  • URL passthrough -- pass ad click info even when consent denied
  • Ads data redaction -- redact ad data when consent denied

Google Additional Consent Mode (GACM)

  • Enable/disable toggle
  • Configure ATP (Authorized Technology Provider) IDs
  • Generates Additional Consent string format: 1~id.id.id...

IAB TCF v2.3 CMP with Global Vendor List

Full __tcfapi() implementation compliant with the IAB Transparency & Consent Framework v2.3:

  • Commands: ping, getTCData, addEventListener, removeEventListener, getVendorList
  • Global Vendor List (GVL): Server-side download and caching of the IAB GVL v3 (1,100+ vendors). Weekly auto-update via WP-Cron, manual update from admin UI
  • GVL Admin Page: Browse, search, and filter all IAB-registered vendors. Select which vendors your site uses. Paginated table with purpose/feature details
  • Real Vendor Consent: TC Strings encode actual vendor consent and legitimate interest bits based on user choices and vendor purpose declarations
  • Special Feature Opt-ins: TCF v2.3 Special Features (precise geolocation, device scanning) mapped from user category consent
  • DisclosedVendors Segment: Mandatory segment listing all vendors the CMP discloses to users
  • Vendor Legitimate Interest: Honors user's Right to Object -- LI bits are only set when the user hasn't objected to the corresponding purposes
  • Vendor Consent UI: Per-vendor toggles in the preference center, with vendor name, purposes, privacy policy link, and cookie retention info
  • TC String: Full base64url encoding with core segment + DisclosedVendors segment, euconsent-v2 cookie
  • Cross-frame messaging: __tcfapiLocator iframe + postMessage bridge
  • Command queue: Processes pre-load __tcfapi.a queue
  • CMP Stub: Inline stub responds to ping before main script loads (cmpStatus: 'stub')
  • Dynamic config: ConsentLanguage, publisherCC, gdprApplies, CMP ID, Purpose One Treatment -- all configured from server-side settings
  • GVL file storage: Cached at wp-content/uploads/faz-cookie-manager/gvl/vendor-list.json for frontend access

CMP ID and IAB Registration

FAZ Cookie Manager works in two modes:

Mode CMP ID What works What doesn't
Self-hosted (default) 0 Banner, cookie blocking, Google Consent Mode v2, consent logging, all admin features Ad-tech vendors ignore the TC String (unrecognized CMP)
IAB-registered Your ID Everything above plus full TCF vendor chain -- SSPs, DSPs, and ad exchanges read and honor the TC String Requires IAB CMP registration (annual fee)

When do you need a registered CMP ID?

  • If you run programmatic advertising (header bidding, ad exchanges) and need the buy-side to respect granular vendor consent via the TC String
  • If your DPA or legal counsel requires a registered CMP for TCF compliance

When is self-hosted (CMP ID = 0) sufficient?

  • You only need GDPR/ePrivacy-compliant cookie consent (banner + script blocking)
  • You use Google Consent Mode v2 (GCM uses its own consent signal channel, independent of TCF)
  • You don't participate in the IAB programmatic advertising supply chain

To set your CMP ID: Settings > IAB TCF v2.3 > CMP ID

Microsoft Consent Integration

  • UET Consent Mode: Sets ad_storage/analytics_storage defaults to denied, updates on consent
  • Clarity Consent API: Calls window.clarity('consent') when analytics accepted

Consent Logging

Stores proof of consent in a local database table for GDPR accountability:

  • Consent ID: Unique per-visitor identifier
  • Status: accepted, rejected, or partial
  • Categories: JSON map of which categories were accepted/rejected
  • IP hash: SHA256 hash (privacy-preserving, no raw IPs stored)
  • Pagination and search in admin UI
  • CSV export with date-stamped filename
  • Retention period: Configurable (default: 12 months)

Pageview Analytics

Built-in analytics dashboard -- no Google Analytics needed for basic metrics:

  • Events tracked: pageview, banner_view, banner_accept, banner_reject, banner_settings
  • Dashboard charts: Daily pageview trend, accept/reject rates

Geolocation

Detects visitor country for geo-targeted banner display:

  • Detection chain: Cloudflare > Apache mod_geoip > PHP GeoIP extension > ip-api.com
  • Geo-targeting modes: ALL (everyone), EU (EU/EEA + UK), US only, Custom country list
  • Proxy-aware: Reads CF-Connecting-IP, X-Forwarded-For, X-Real-IP headers
  • Cached: 1-hour WordPress transient per IP

Multilingual Support

  • 10 bundled languages: English, German, French, Italian, Spanish, Polish, Portuguese (PT + BR), Hungarian, Finnish
  • 180+ selectable languages in the admin configuration
  • Browser language detection: Parses Accept-Language header with quality factor sorting
  • Plugin integration: Polylang and WPML auto-detected
  • Per-language banner content: Separate title, description, button text per language
  • RTL auto-detection: Arabic, Hebrew, Persian, Kurdish, Urdu

Shortcodes

Shortcode Description
[faz_cookie_table] Responsive cookie table grouped by category for policy pages
[cookie_audit] Backward-compatible alias

Attributes: columns, category, heading

REST API

All endpoints under faz/v1. Admin endpoints require authentication (WordPress nonce).

Settings

Method Endpoint Description
GET /settings Get all plugin settings
POST /settings Update settings (merge)
POST /settings/reinstall Recreate missing DB tables
POST /settings/apply_filter Apply WP Internal filter changes
POST /settings/geolite2/update Download/update GeoLite2 database
GET /settings/geolite2/status GeoLite2 database status

Google Consent Mode

Method Endpoint Description
GET /gcm Get GCM settings
POST /gcm Update GCM settings

Cookies

Method Endpoint Description
GET /cookies List cookies (filter by category)
POST /cookies Create a cookie
GET/PUT/DELETE /cookies/{id} Read/update/delete a cookie
POST /cookies/bulk-update Bulk update cookies
POST /cookies/bulk-delete Bulk delete cookies
POST /cookies/scrape Lookup names against Open Cookie Database
GET /cookies/definitions Get cookie definitions status
POST /cookies/definitions/update Download/refresh definitions from GitHub

Scanner

Method Endpoint Description
GET /scans Scan history
POST /scans Start a new scan
GET /scans/{id} Scan details
GET /scans/info Scanner configuration
POST /scans/discover Discover site pages
POST /scans/import Import scan results

Consent Logs

Method Endpoint Description
GET /consent_logs List logs (paginated, searchable)
GET /consent_logs/statistics Aggregate statistics
GET /consent_logs/export CSV export
GET /consent_logs/{consent_id} Single consent record

Pageviews

Method Endpoint Description
POST /pageviews Record event (public)
GET /pageviews/chart Pageview chart data
GET /pageviews/banner-stats Banner interaction stats
GET /pageviews/daily Daily pageview breakdown

Banners

Method Endpoint Description
GET /banners List banners
POST /banners Create a banner
GET/PUT/DELETE /banners/{id} Read/update/delete a banner
POST /banners/bulk Bulk operations
GET /banners/preview Banner preview HTML
GET /banners/presets Theme presets
GET /banners/configs Banner configuration

Global Vendor List (GVL)

Method Endpoint Description
GET /gvl GVL status (version, vendor count, purposes)
GET /gvl/vendors List vendors (paginated, searchable, filterable)
GET /gvl/vendors/{id} Single vendor details
POST /gvl/update Download/refresh GVL from IAB
GET /gvl/selected Get selected vendor IDs
POST /gvl/selected Save selected vendor IDs

Languages

Method Endpoint Description
GET/POST /languages Get/update language configuration

Database

Five custom tables (created on activation):

Table Purpose
wp_faz_banners Banner configuration and per-language content
wp_faz_cookies Cookie definitions (name, category, description, domain, pattern)
wp_faz_cookie_categories Cookie categories (necessary, functional, analytics, etc.)
wp_faz_consent_logs Visitor consent records with IP hash
wp_faz_pageviews Pageview and banner interaction events

Frontend Events

JavaScript events fired on the document for third-party integration:

Event When Detail
fazcookie_consent_update User accepts/rejects/saves { accepted: ['slug', ...], rejected: ['slug', ...] }
fazcookie_banner_loaded Banner is displayed --

Consent Cookie Format

Cookie name: fazcookie-consent

Value format: consentid:{base64},consent:yes,action:yes,necessary:yes,functional:no,analytics:no,marketing:no,performance:no

WordPress Hooks

Filters

Filter Description
faz_cookie_domain Override the consent cookie domain
faz_allowed_html Customize allowed HTML tags in banner
faz_current_language Override detected language
faz_language_map Add language code normalization mappings
faz_registered_admin_menus Register additional admin menu items

Actions

Action Description
faz_after_activate After plugin activation/upgrade
faz_after_update_settings After settings are saved
faz_after_update_cookie After cookies are bulk-updated
faz_reinstall_tables Trigger table recreation
faz_clear_cache Trigger cache flush

Changelog

1.5.2

  • Security & mixed-content fixes — auto-repair cached banner template on HTTPS, sanitise inline CSS values, harden URL parsing
  • Migration safety — guard $wpdb->update()/$wpdb->delete() return values in category rename
  • Plugin lifecycle E2E tests — upgrade and fresh-install paths with full category verification

1.5.1

  • Link color fix — link colour picker now applies to all visible links including Cookie Policy/Read More link
  • Brand logo 404 — moved cookie.png to frontend/images/ and added DB migration to fix stored URLs

1.5.0

  • Link text colour picker — new colour control in Banner Colours tab for customising link colours
  • E2E test suite for banner settings — 21 Playwright tests covering all banner tabs
  • TinyMCE re-render fix — limited to the activated tab's editor only

1.4.0

  • Comprehensive script blocking — 5-layer system: WP hook filters, HTML content filters, output buffer, client-side interceptors (createElement, XHR, fetch, sendBeacon), and cookie shredding
  • Known Providers database — 147+ services with 500+ URL/script patterns for automatic categorization
  • Video embed placeholders — YouTube/Vimeo iframes replaced with consent-required placeholder showing video thumbnail
  • Social embed blocking — Facebook, Instagram, Twitter/X embeds blocked until consent
  • Iframe placeholders — Visual placeholder with consent button for blocked third-party iframes
  • Custom blocking rules — Admin UI for user-defined script/iframe blocking patterns per category
  • Network interception — XHR, fetch, sendBeacon requests to blocked providers silently dropped
  • Cookie shredding — Automatic cleanup of cookies from revoked categories
  • Revocation reload — Forces page reload when a previously accepted category is revoked
  • Security — URL scheme validation, SRI/CSP-safe script cloning, word-boundary-safe regex

1.3.0

  • Incremental cookie scans — only re-scans pages modified since the last run
  • Page discovery from DB — discovers URLs from wp_posts and taxonomy archives
  • Scan progress UI — real-time progress bar with page count, cookie count, and ETA
  • advertisement category renamed to marketing across the entire plugin
  • Boundary-aware provider hostname matching, CSS transient cache key includes version
  • Security: inline-safe URL handling, hardened admin URLs, HTML injection prevention

1.2.1

  • CSV export produces valid CSV (no JSON encoding)
  • Consent log correctly records "rejected" status on Reject All
  • Security: prototype pollution guard, DOM XSS prevention, CSV export hardening
  • Composer/Packagist support

1.2.0

  • Proxy header trust filter and dual-guardrail consent throttle
  • Necessary category toggle uses active blue color with right-aligned label
  • Playwright E2E test suite (11 tests)

1.1.0

  • IAB TCF v2.3 with Global Vendor List — full GVL v3 integration, vendor consent UI, TC String encoding
  • GVL Admin Page — browse, search, filter 1,100+ IAB-registered vendors
  • CMP Stub — inline __tcfapi stub responds to ping before main script loads
  • Security Hardening — cookie overflow protection, iframe URL validation, atomic GVL file writes
  • Dead Code Cleanup — removed ~4.3 MB of unused modules, legacy routes, and cloud stubs
  • 175 automated compliance tests

1.0.5

  • Unified text domain and plugin slug to faz-cookie-manager
  • WordPress.com Marketplace compliance

1.0.4

  • Full uninstall/reinstall support with clean data removal

1.0.3

  • Browser-based cookie scanner with iframe detection
  • Local consent log storage with CSV export

1.0.2

  • Unlocked all premium features, removed cloud dependencies

1.0.1

  • Complete de-branding (renamed all prefixes, namespaces, CSS classes)

1.0.0

  • Initial release — fork of CookieYes v3.4.0
  • GDPR, CCPA, ePrivacy compliance, Google Consent Mode v2, IAB TCF v2.2

Translations

FAZ Cookie Manager is fully translatable. All admin and frontend strings use WordPress i18n functions (__(), _e(), esc_html__()) with the faz-cookie-manager text domain.

How to translate:

  1. Use the included .pot file at languages/faz-cookie-manager.pot as a template
  2. Create a .po file for your language (e.g., faz-cookie-manager-it_IT.po) using Poedit or any gettext editor
  3. Compile it to .mo and place both files in the languages/ folder
  4. WordPress will automatically load the translation matching your site language

The banner content (title, description, button labels) is configured separately in the admin UI under Banner → Content and supports per-language customisation via the Languages module.

Author

Fabio D'Alessandro -- fabiodalez.it

Support the Project

If FAZ Cookie Manager is useful to you, consider buying me a coffee. Your support helps fund IAB CMP registration and continued development.

Buy Me A Coffee

License

GPL-3.0-or-later. See LICENSE for full text.

Cookie definitions powered by Open Cookie Database (Apache-2.0).

About

Free, open-source WordPress cookie consent plugin (GPL-3.0). Cloud-free fork with browser-based cookie scanner, GDPR/ePrivacy compliance, GCM v2, IAB TCF v2.3.

Topics

open-source php wordpress wordpress-plugin privacy self-hosted cookie-consent gdpr gpl3 cookie-banner eprivacy gpl-3 ccpa iab-tcf cookie-compliance google-consent-mode

Resources

Readme

License

GPL-3.0 license
Activity

Stars

55 stars

Watchers

2 watching

Forks

8 forks
Report repository

Releases 13

v1.5.2 — Security hardening and mixed-content fixes Latest
Mar 12, 2026
+ 12 releases

Packages

 
 
 

Contributors

Languages