These first-party cookies are used to manage user logins and certain other administrative functions of the WordPress content management system, e.g., post editing. These cookies are necessary for the site's administrative users (who wouldn't even be able to log in without them), but if you are not an administrative user, these cookies aren't normally be placed on your device at all unless you somehow access the login area, which is off-limits to non-administrators.
Accessing the login page sets the wordpress_test_cookie, a session cookie that tests whether the user's browser (or other user agent) will allow the cookies needed to log in to the administrative dashboard; this cookie normally expires when the user closes their browser (or other user agent). The iThemes Security plugin may also set the itsec-hb-login-xx cookie, which helps to protect the site against "brute force" hacking attempts; that cookie normally expires in about one hour. In certain cases, multiple iterations of either or both of these cookies may be set.
Logging in sets the wordpress_logged_in_xx, wordpress_sec_xx, and/or wordpress_xx cookies, which store the user's login credentials to allow access to the administrative dashboard and other administrative functions; there may be multiple iterations of each cookie. These cookies expire in about 15 days if the user clicks "Remember Me" when logging in; if not, the cookies normally expire when the user closes their browser (or other user agent), or, failing that, within about two days. If we have enabled multi-factor authentication (which requires an authentication code as well as a password to log into the administrative dashboard), the iThemes Security plugin may also set the itsec_interstitial_browser cookie during the login process. This is a session cookie that verifies that the user has entered valid user credentials pending receipt of the correct authentication code; the cookie normally expires when the user closes their browser (or other user agent).
After logging in, the wp-settings-UID cookies store the logged-in user's configuration settings, while the wp-settings-time-UID cookies record the time those configuration settings were last set; again, there may be multiple iterations of each of these cookies, which normally expire after about one year. One or more wp-saving-post cookies may be set while creating and/or editing posts or pages, to help manage version control and the autosave feature; these cookies normally expire after about 24 hours. The wp-donottrack_feed cookie, which controls a blog feed, was set by accessing the dashboard menu for the WP DoNotTrack plugin (which we do not currently use on this website); this cookie normally expires in about one year.
For all the administrative and login cookies described here, "xx" will be a cryptographic hash while "UID" will be the administrative user's user ID number in this website's WordPress database. (WordPress and the WordPress logos are registered trademarks of the WordPress Foundation in the United States and other countries. iThemes is one of the Liquid Web family of brands; iThemes and Liquid Web are trademarks of Liquid Web, LLC.)