Overview
Simple Post Like supports likes from non-logged-in visitors. Guest likes are opt-in — disabled by default on fresh installs, and controlled from Settings → Simple Post Like → Allow Guest Likes.
When enabled, guests can like and unlike posts just like logged-in users. Their likes persist across page loads and browser sessions using a hashed identifier — no cookies, no accounts, no raw personal data stored.
How Guest Tracking Works
When a guest likes a post, Simple Post Like generates a SHA-256 hash from two pieces of data:
php
hash( 'sha256', $ip_address . NONCE_SALT )$ip_address— the visitor’s IP address, retrieved server-sideNONCE_SALT— a secret string unique to your WordPress installation, defined inwp-config.php
The resulting hash is a 64-character hexadecimal string. This hash — never the raw IP — is what gets stored in the database alongside the post ID.
Why This Approach
No raw IP addresses stored. The hash is one-way — you cannot reverse it to recover the original IP. Even if your database were exposed, no personal data would be revealed.
Site-specific. The hash includes your site’s NONCE_SALT, so the same visitor produces a different hash on every WordPress site. Hashes from one site cannot be correlated with hashes from another.
No cookies required. Unlike many like plugins that set a frontend cookie to track guest likes, Simple Post Like tracks entirely server-side. This means likes persist even when a visitor clears their cookies, uses a different browser, or has cookies disabled — as long as their IP address remains the same.
No personal data stored. Because the hash is non-reversible and site-specific, it does not qualify as personal data under GDPR. No consent banner or data processing disclosure is required for this feature specifically — though you should always consult your own legal advice for your specific situation.
Database Storage
Guest likes are stored in the {prefix}_spl_likes table alongside logged-in user likes. The table schema is:
| Column | Type | Description |
|---|---|---|
id | BIGINT | Auto-increment primary key |
post_id | BIGINT | The liked post ID |
user_id | BIGINT | WordPress user ID — 0 for guests |
user_ip_hash | VARCHAR(64) | SHA-256 hash — empty string for logged-in users |
liked_at | DATETIME | Timestamp of the like |
For logged-in users, user_id is set and user_ip_hash is empty. For guests, user_id is 0 and user_ip_hash holds the SHA-256 hash.
Disabling Guest Likes
When Allow Guest Likes is disabled:
- Guest visitors see the like button and the current like count
- Clicking the button has no effect — the AJAX handler returns early
- No guest data is written to the database
- Existing guest likes already in the database are preserved and still counted
Only logged-in users can like posts when this setting is disabled.
Logged-in Users vs Guests
| Behavior | Logged-in User | Guest |
|---|---|---|
| Can like posts | Always | Only if guest likes enabled |
| Tracked by | WordPress user ID | SHA-256 hashed IP |
| Persists across sessions | Yes | Yes (same IP) |
| Persists across devices | Yes | No |
| Like removed if account deleted | Yes | No |
Next Steps
- Shortcode Reference — manual placement with full attribute reference
- Statistics & Analytics — view and interpret your like data
- For Developers — hooks and filters for extending guest like behavior