Automattic

Automattic

Automated WordPress.com hosting platform and parent company of brands including WooCommerce, Jetpack, and Tumblr. The Jetpack script (widely used on self-hosted WordPress sites) adds site statistics, related posts, and security features. Also loads sharing buttons and embeds that may set tracking cookies.

Back to Vendor Library

Overview

Automattic is the company behind WordPress.com, WooCommerce, Jetpack, Tumblr, Akismet, and Day One. Its most significant presence on third-party websites is through Jetpack, a plugin installed on tens of millions of self-hosted WordPress sites that bundles analytics, security, performance, and content features into a single package.

What This Script Does

Jetpack's behavior varies by which modules are enabled. Each module has distinct tracking, data collection, and cookie behavior.

Jetpack Site Stats Module

  • A 1x1 tracking pixel loaded from pixel.wp.com fires on every page view.
  • The pixel passes: blog ID, page URL, referrer, and a visitor hash derived from IP and user agent.
  • Data is processed on WordPress.com servers and displayed in the Jetpack stats dashboard.
  • Sets tk_or cookie — Tracks whether the visitor is a referral from WordPress.com. Persists for 1 year.
  • Sets tk_ai cookie — Anonymized visitor identifier used for unique visitor counting. Persists for 6 months.

Jetpack Related Posts

  • Script: jetpack.js loaded from c0.wp.com CDN.
  • Makes an API call to public-api.wordpress.com/rest/v1/sites/{id}/posts/{id}/related/ to fetch related post recommendations.
  • No additional cookies set beyond site stats.

Social Sharing and Embeds

  • When social sharing buttons are enabled, Jetpack loads social platform scripts (Twitter/X, Facebook, LinkedIn) which set their own third-party cookies.
  • WordPress embeds (oEmbed) load content from external WordPress.com posts, which may set third-party cookies.

Jetpack Security Module (Protect)

  • Monitors failed login attempts and blocks suspicious IP ranges.
  • API calls to api.akismet.com for spam detection on comments.
  • No client-side cookies set by the security module.

Akismet (Comment Spam)

  • Akismet collects comment content and submits it to rest.akismet.com for spam classification.
  • Comment content, IP, email, and user agent are sent with each classification request.

WooCommerce Scripts

  • woocommerce.js manages cart state, checkout flows, and product page interactions.
  • Sets woocommerce_cart_hash, woocommerce_items_in_cart — Session cookies for cart state. Expire on browser close or session end.
  • Sets wp_woocommerce_session_* — Session data cookie. Expires in 2 days.

Domains Contacted

  • pixel.wp.com — Stats tracking pixel
  • c0.wp.com, s0.wp.com, s1.wp.com, s2.wp.com — WordPress.com CDNs
  • public-api.wordpress.com — Related posts API
  • api.akismet.com, rest.akismet.com — Spam filtering
  • jetpack.wordpress.com — Jetpack activation and licensing

Consent & Compliance

Consent category: Analytics / Functional (split by module)

  • GDPR/ePrivacy: The Jetpack Stats pixel and visitor tracking cookies (tk_or, tk_ai) require consent under ePrivacy as they track user behavior. Social sharing buttons that load third-party scripts (Facebook, Twitter) require consent for those platforms' cookies. Security and spam filtering modules can operate under legitimate interest. WooCommerce session cookies are strictly necessary for e-commerce functionality.
  • CCPA/CPRA: Visitor tracking via stats pixel and visitor ID cookies constitutes collection of personal information. Social embed tracking represents data sharing with social platforms.
  • Automattic Privacy Policy: Automattic is a US company headquartered in San Francisco. It participates in the EU-US Data Privacy Framework and offers SCCs. Automattic's GDPR commitments are documented in their privacy policy and DPA.

Should You Block This Without Consent?

Conditional. Jetpack's security modules (Protect, Akismet) can load without consent as they serve legitimate security interests. The stats module and social sharing scripts should be blocked until analytics consent is granted. WooCommerce session cookies are strictly necessary for e-commerce and exempt from consent. Configure Jetpack to disable the stats module server-side until consent is obtained.

Visit website

Consent Categories

Analytics
Functional

Also Known As

JetpackWordPress.comWooCommerceAkismetAutomatticJetpack statsWordPress tracking

Industries

Computers Electronics and TechnologyProgramming and Developer Software

Tracked Domains (3)

wp.comAnalytics
gravatar.comEssential
wordpress.comEssential

Frequently Asked Questions

Do I need consent to use Automattic on my website?

Conditional. Jetpack's security and spam modules run under legitimate interest. The stats module and social sharing scripts require analytics consent. WooCommerce session cookies are strictly necessary for e-commerce. Each Jetpack module should be evaluated independently based on its consent category.

What cookies does Automattic set?

Jetpack Stats sets tk_or (referral tracking, 1 year) and tk_ai (anonymized visitor ID, 6 months) via a pixel.wp.com pixel. WooCommerce sets woocommerce_cart_hash, woocommerce_items_in_cart (session), and wp_woocommerce_session_* (2 days). Social sharing buttons load Facebook and Twitter scripts that set their own third-party cookies.

How does ConsentStack handle Automattic?

ConsentStack detects Automattic through the pixel.wp.com tracking pixel and jetpack.js from c0.wp.com CDN. The stats module is classified as analytics and blocked until consent is granted. WooCommerce session cookies are marked essential. ConsentStack evaluates each Jetpack module separately based on its data collection behavior.

Related Vendors

Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Analytics
Google Analytics
Google Analytics is the world's most widely deployed web analytics platform. Scripts track page views, sessions, user demographics, traffic sources, and conversion events. Drops cookies to identify returning visitors and attribute user journeys across sessions.
Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Microsoft
Microsoft
Runs Clarity (session recording and heatmaps), the Microsoft Advertising UET tag (conversion tracking), and Bing's remarketing pixel. Clarity injects a recording script that captures mouse movements, clicks, and rage clicks. The UET tag fires conversion events to tie ad clicks to on-site actions across Microsoft's ad network.
Microsoft Dynamics 365
Microsoft Dynamics 365
Microsoft Dynamics 365 is a suite of CRM and ERP applications that integrates with websites through tracking scripts and embedded forms. Web tracking code captures visitor behavior, page views, and form submissions to build customer profiles and score leads. Sets cookies to identify returning visitors and attribute marketing touchpoints across sessions.
LinkedIn Insight Tag
LinkedIn Insight Tag
LinkedIn Insight Tag is a JavaScript tracking pixel for LinkedIn's advertising and analytics platform. The tag fires on every page view to collect URL, referrer, IP address, and device data for conversion tracking, website demographics reporting, and retargeting audience building. Sets cookies to identify LinkedIn members across advertiser websites.

Manage consent for Automattic

ConsentStack automatically detects and manages Automattic trackers so your site stays compliant with global privacy regulations.

Get started free