Cookie Scanner
The Cookie Scanner is an admin-triggered scan that discovers cookies and tracking scripts on your site so you can categorize them. You start each scan yourself; CookieRay then crawls a bounded set of pages on your own domain and reports what it finds.
How the scan works
CookieRay uses the WordPress HTTP API (wp_remote_get) to fetch public URLs on the same site domain. The sources it pulls from include:
- Your homepage
- Published posts
- WooCommerce pages
- Sitemap entries
Cookie names found during the scan are merged into your inventory for categorization. To help classify them, CookieRay uses its bundled tracking-cookie reference data, which is local to the plugin — no external calls are made for this reference data.
Script discovery
Beyond cookies, a deeper script-discovery pass analyzes the HTML from a bounded set of up to 50 URLs on the same domain. CookieRay chooses these URLs from:
- The XML sitemap, when one is available, or
- The home page plus recent posts and pages
This pass helps surface tracking scripts present on your pages.
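The selection and discovery steps described above, sketched as an added Python illustration (this is not CookieRay's code, which runs inside WordPress). The function names, the sample hosts, and the choice to flag scripts by comparing their host to the page's host are assumptions made for the example; only the same-domain rule and the 50-URL cap come from this page.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

MAX_URLS = 50  # the cap this page states for the script-discovery pass

def same_site_urls(sitemap_xml, site_url, limit=MAX_URLS):
    """Return up to `limit` unique http(s) <loc> URLs on site_url's host."""
    site_host = urlsplit(site_url).hostname
    picked = []
    for el in ET.fromstring(sitemap_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "loc":  # ignore the XML namespace
            continue
        url = (el.text or "").strip()
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname == site_host \
                and url not in picked:
            picked.append(url)
            if len(picked) == limit:
                break
    return picked

class _ScriptSrc(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def external_script_hosts(html, page_url):
    """Hosts serving <script src> that differ from the page's own host."""
    parser = _ScriptSrc()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    hosts = {urlsplit(urljoin(page_url, s)).hostname for s in parser.srcs}
    return sorted(h for h in hosts if h and h != page_host)

# Constructed sample input (not real scan data).
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>https://shop.example/</loc></url>
<url><loc>https://cdn.other.example/page</loc></url>
<url><loc>https://shop.example/cart</loc></url>
</urlset>"""
SAMPLE_HTML = """<script src="/wp-includes/js/jquery.js"></script>
<script src="//tags.tracker.example/t.js"></script>"""

if __name__ == "__main__":
    print(same_site_urls(SAMPLE_SITEMAP, "https://shop.example"))
    print(external_script_hosts(SAMPLE_HTML, "https://shop.example/cart"))
```

Inline scripts have no src attribute, so this sketch does not list them; it reports only externally hosted script files.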
No automatic scans
There are no recurring or scheduled automatic scans. Every scan is started by a user. Once you start it, background processing finishes the run.
Coverage and limitations
The scanner only sees what an unauthenticated crawler can reach on your own domain. Coverage depends on:
- Caches
- Auth-only flows (content behind login)
- What the unauthenticated crawler can actually reach
Because of these factors, a scan reflects the publicly reachable surface of your site rather than every possible page state.
Running a scan
- Open the Cookie Scanner in the admin.
- Start the scan.
- Let background processing complete the run.
- Review newly discovered cookies in your Cookie Inventory and categorize them.