Title: CAPI Suite: Meta, Pinterest, TikTok, GTM
Author: shan
Published: September 5, 2025
Last modified: May 31, 2026

---

# CAPI Suite: Meta, Pinterest, TikTok, GTM

 By [shan](https://profiles.wordpress.org/suhanduman/)

[Download](https://downloads.wordpress.org/plugin/easy-meta-capi.3.7.1.zip)


## Description

**Stop paying $30–150/month for a GTM Server Container.** Send Conversions API events
to Meta, Pinterest, and TikTok directly from your WordPress server. Free, no premium
tier, no SaaS subscription.

**Three CAPI platforms + Google Ads in one plugin.** Most competitors handle Meta
only, or sell Pinterest and TikTok as separate add-ons. This one ships Meta + Pinterest
+ TikTok server-side dispatch + Google Ads Enhanced Conversions + a clean GTM dataLayer
in a single install. The same `event_id` flows everywhere, so each platform deduplicates
browser + server events instead of double-counting.

**Real customers aren’t filtered as bots.** Behavioral bot detection + ~9,500-CIDR
datacenter IP filter + AI-crawler classification (GPTBot, PerplexityBot, ClaudeBot,
Google-Extended, etc.) keeps Lighthouse audits, scrapers, and ad-fraud bots out 
of your Events Manager — without blocking VPN shoppers, Apple iCloud Private Relay
users, logged-in customers, or paid-ad clickers. Purchase events are never blocked.
Pre-Purchase events that do get filtered are replayed on eventual purchase, preserving
the full funnel.

**What it does**

 * **Meta + Pinterest + TikTok CAPI** — 14 event types, classic + block checkout,
   HPOS compatible. Per-platform retry: only the failing side is retried.
 * **Google Ads Enhanced Conversions** — GTM template ships Conversion Linker + 
   Purchase Conversion tag (EC enabled). Captures `gclid`/`gbraid`/`wbraid` — recovers
   iOS Safari attribution post-ITP.
 * **GTM dataLayer** — Pushes for GA4, Meta Pixel, Pinterest Tag, TikTok Pixel, 
   Google Ads.
 * **Datacenter IP filter + Excluded Traffic tab** — Paginated audit log (IP masked
   to /24), per-provider breakdown, one-click exclude on Event Log rows. By-IP grouped
   view surfaces worst-offender IPs at a glance; customer-protection badges prevent
   excluding real buyers by mistake.
 * **CCPA / Limited Data Use** — Honors CMP opt-out signals; tags Meta + TikTok 
   payloads with LDU. Optional GDPR strict mode strips PII when consent is denied.
 * **Cache-safe** — Works with LiteSpeed, WP Rocket, Varnish, Cloudflare full-page
   cache. Click IDs captured client-side into 1st-party cookies; landing pages stay
   fully cacheable.
 * **Debug log + Dashboard widget** — Per-event delivery status, date/type filters,
   retention 1–90 days.

This plugin is free. Not “free with limits” — just free. Every feature works, no
pro version behind a paywall.

If it helps your store, please [leave a review](https://wordpress.org/support/plugin/easy-meta-capi/reviews/#new-post)—
it genuinely helps other merchants find this plugin.

### External Services

This plugin connects your website to external services to send event data.

 * **Service Used:** Meta Conversion API (graph.facebook.com)
    - **Purpose:** To send user interaction and e-commerce event data from your 
      server to Meta’s servers for ad performance measurement, optimization, and
      audience building.
    - **Data Sent:** Event details (product ID, price) and user parameters (IP address,
      user agent, hashed email/name/phone, Facebook cookies) are sent when a user
      performs a key action.
 * **Service Used:** TikTok Events API (business-api.tiktok.com)
    - **Purpose:** Same as Meta CAPI, providing server-side conversion tracking 
      for TikTok Ads optimization and attribution.
    - **Data Sent:** Event details (product ID, price, currency) and user parameters
      (IP address, user agent, hashed email/phone/external_id, ttp / ttclid cookies)
      are sent upon user action. Optional under the merchant’s TikTok credentials —
      the plugin only sends to TikTok if the credentials are configured.
 * **Service Used:** Pinterest Conversions API (api.pinterest.com)
    - **Purpose:** Same as the Meta CAPI, providing reliable tracking for ad performance
      and audience building on Pinterest.
    - **Data Sent:** Event details and hashed user parameters are sent upon user
      action.
 * **Service Used:** Google Tag Manager (googletagmanager.com)
    - **Purpose:** To load a JavaScript container from Google’s servers that allows
      you to manage and deploy marketing and analytics tags.
    - **Data Sent:** The plugin provides your GTM Container ID to Google to fetch
      the correct script. GTM itself may collect data based on how you configure
      your tags.
 * **Service Used:** Cloud-provider IP range list — `raw.githubusercontent.com/rezmoss/cloud-provider-ip-addresses`
    - **Purpose:** Used by the optional **Datacenter IP filter** to keep the bot
      blocklist current. Daily background fetch downloads CIDR ranges for AWS, Google
      Cloud, Azure, Cloudflare, DigitalOcean, Linode, Vultr, Oracle Cloud, and Fastly
      so events from those ranges can be filtered out before reaching Meta / Pinterest /
      TikTok.
    - **Data Sent:** None. The plugin only downloads public IP-range manifests; 
      no visitor data is sent to GitHub.
    - **License:** Source repository is CC0-licensed.
 * **Service Used:** Apple iCloud Private Relay egress IP list — same `raw.githubusercontent.com/rezmoss/cloud-provider-ip-addresses`
   source (folder `apple_private_relay/`)
    - **Purpose:** Used by the optional **Datacenter IP filter** to whitelist real
      Apple visitors who exit through Apple’s relay infrastructure. Daily background
      fetch downloads the merged CIDR list so iOS Safari users on Private Relay 
      aren’t mistaken for datacenter bots.
    - **Data Sent:** None. The plugin only downloads the public manifest; no visitor
      data is sent.

**Shared hosting note.** Some restrictive shared hosts block outbound HTTPS by default.
If event delivery silently fails after install, ask your host to whitelist the following
domains for outgoing connections: `graph.facebook.com`, `business-api.tiktok.com`,
`api.pinterest.com`, and `raw.githubusercontent.com` (only needed if you keep “Auto-fetched”
enabled on the Blocked Traffic tab — covers both the datacenter blocklist
and the Apple Private Relay whitelist).

### Advanced Configuration

Setup details for Consent Mode v2, the strict server-side consent mode (GDPR PII
gating), CMP auto-block compatibility, and the WooCommerce Subscriptions integration.
None of these are required for a basic CAPI setup — turn them on as your store needs
them.

### Consent Mode v2 Setup (GDPR / EU Compliance)

If you serve EU visitors, GA4 and Meta browser tags don’t fire when consent is denied—
typically losing **20–50% of measured event volume**. Google Consent Mode v2 recovers
this: when consent is denied, GA4 / Meta tags switch to **cookieless pings** (anonymous
beacons carrying event name, value, currency, timestamp but no client identifier).
Google’s ML models the conversions from these pings and shows them mixed with observed
ones in your reports. A single CMP integration repairs both GA4 and Meta attribution
because the Meta Pixel template reads the same consent signals.

**How to enable.** Popular CMP plugins (Cookiebot, CookieYes, Complianz, Iubenda,
Termly, OneTrust) all have a native Consent Mode v2 toggle in their settings — find
and enable it. The CMP then calls `gtag('consent', 'default', {denied})` before 
GTM loads and `gtag('consent', 'update', {granted})` after the visitor accepts.

The bundled GTM template includes a paused **“Consent Defaults (Pre-CMP)”** tag.
Enable it only if your CMP doesn’t set `gtag('consent', 'default', ...)` on its 
own (rare with modern CMPs).

### Strict server-side consent mode (PII gating for CAPI)

Consent Mode v2 only controls **browser** tags. Server-side CAPI fires from PHP and
never sees `gtag('consent', ...)` signals, so it transmits hashed PII regardless
of cookie-banner choice. Fine outside the EU; a GDPR concern inside it.

The **Privacy & Consent (Server-side)** section has a Strict server-side consent
toggle (default OFF). When enabled and the visitor has denied marketing consent
in your CMP, identifying PII (`em`, `ph`, `fn`, `ln`, address, `fbp`, `fbc` …) is
stripped from the CAPI payload. The event still ships with `event_id`, `value`,
`currency`, `contents`. Cookiebot, CookieYes, and Complianz cookies are read automatically;
other CMPs supply state via the `mcapi_marketing_consent_granted` filter.

**Why this matters alongside Consent Mode v2.** Denied-consent browser pixels switch
to cookieless pings — modeled, not observed. With Strict server-side consent ON,
your server-side CAPI ships alongside that ping carrying the same `event_id`. Meta
dedupes by `event_id` and now has an **observed** server signal feeding the same
conversion record the cookieless ping created — cleaner Event Match Quality than
browser-only or naïve “send everything” CAPI, and GDPR-defensible because no identifying
data leaves your server.

Default OFF preserves match quality for existing non-EU setups. Recommended ON once
Consent Mode v2 is configured in your CMP.
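
How a consent gate of this kind can work for a CMP the plugin does not read natively, as an added example (not the plugin's own code): it reads OneTrust's `OptanonConsent` cookie, fails closed, and strips identifying `user_data` keys from a Meta-CAPI-shaped event. The function names, the `C0004` category ID, the address keys `ct`/`st`/`zp`/`country`, and the boolean return of the filter callback are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Function names are hypothetical.

/**
 * Read marketing consent from OneTrust's OptanonConsent cookie.
 * Assumption: "C0004" is the targeting category (OneTrust's default ID, which a
 * tenant can change). Fails closed: a missing or malformed cookie means "denied".
 */
function example_onetrust_marketing_granted(array $cookies, string $category = 'C0004'): bool
{
    $raw = $cookies['OptanonConsent'] ?? '';
    if (!is_string($raw) || $raw === '') {
        return false;
    }
    parse_str($raw, $fields); // value is query-string shaped: ...&groups=C0001:1,C0004:0
    $groups = $fields['groups'] ?? '';
    if (!is_string($groups)) {
        return false;
    }
    foreach (explode(',', $groups) as $pair) {
        if (trim($pair) === $category . ':1') {
            return true;
        }
    }
    return false;
}

/**
 * Strip identifying fields from one Meta-CAPI-shaped event when consent is denied.
 * em/ph/fn/ln/fbp/fbc are the keys named on the page; ct/st/zp/country are this
 * example's reading of "address". Keys not listed here pass through unchanged;
 * the page does not say how the plugin treats them.
 */
function example_gate_event(array $event, bool $consent_granted): array
{
    if ($consent_granted) {
        return $event;
    }
    $identifying = ['em', 'ph', 'fn', 'ln', 'ct', 'st', 'zp', 'country', 'fbp', 'fbc'];
    $event['user_data'] = array_diff_key($event['user_data'] ?? [], array_flip($identifying));
    return $event; // event_id, value, currency and contents are untouched, so dedup still works
}

// Inside WordPress, the state would be supplied through the filter named on the page.
// Assumption: the callback is expected to return a boolean.
if (function_exists('add_filter')) {
    add_filter('mcapi_marketing_consent_granted', function ($granted) {
        return example_onetrust_marketing_granted($_COOKIE);
    });
}

// Constructed sample input: marketing category C0004 is switched off.
$cookies = ['OptanonConsent' => 'isGpcEnabled=0&groups=C0001:1,C0002:1,C0004:0'];
$event = [
    'event_name'  => 'Purchase',
    'event_id'    => 'order-1001-constructed',
    'user_data'   => [
        'em'                => hash('sha256', 'buyer@example.com'),
        'fbp'               => 'fb.1.1700000000000.1234567890',
        'client_user_agent' => 'Mozilla/5.0 (constructed)',
    ],
    'custom_data' => [
        'value'    => 49.90,
        'currency' => 'EUR',
        'contents' => [['id' => 'SKU-1', 'quantity' => 1]],
    ],
];

$granted = example_onetrust_marketing_granted($cookies);
echo json_encode(example_gate_event($event, $granted), JSON_PRETTY_PRINT), PHP_EOL;
```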

### CMP Auto-Blocking and the Plugin’s Inline Scripts

CMPs with “auto-blocking” (Cookiebot, CookieYes, others) scan every `<script>` tag
on load and convert anything they suspect of tracking to `type="text/plain"` until
consent. The plugin’s inline scripts only POST first-party events to your own REST
endpoint — but a generic auto-blocker can’t tell. To avoid a silent break, every
plugin-rendered inline script ships with opt-out attributes for Cookiebot (`data-cookieconsent="ignore"`),
CookieYes (`data-cookieyes="cookieyes-necessary"`), and
Complianz (`data-cmplz-no-cookielaw="1"`). For other CMPs (OneTrust, Quantcast, 
in-house), append your own attribute via the `mcapi_inline_script_attrs` filter.

### WooCommerce Subscriptions Integration

By default, every WooCommerce Subscriptions auto-renewal sends a fresh `Purchase`
to Meta CAPI — credited to the original acquisition ad. Reported ROAS keeps climbing
month after month from the same conversion, polluting optimization signals.

The plugin auto-detects WooCommerce Subscriptions and exposes:

**Subscription Renewal Behavior** (radio):

 * **Default** — renewals send as regular `Purchase`. Existing setups unchanged.
 * **Skip** — renewals not sent. Cleanest ROAS hygiene; you forfeit Meta’s LTV signal
   from renewals.
 * **Tag** — renewals still send `Purchase` but with `custom_data.customer_status = "subscription_renewal"`
   so you can filter them in Events Manager.
 * **Subscribe / SubscriptionRenewal events** — Meta’s standard `Subscribe` for 
   sign-ups + a `SubscriptionRenewal` custom event for renewals. `Purchase` stays
   clean, advertisers using LTV-bidding can opt into both.

**Tag every Purchase with customer_status** (checkbox): adds `custom_data.customer_status`
(`new_customer` / `returning_customer` / `subscription_renewal`) to every `Purchase`
so Meta Advantage+ can bid acquisition vs. retention differently. Guest checkouts
fall back to billing-email lookup.

### Disclaimer

This plugin is an independent, community-driven implementation of server-side Conversions
API protocols. It is not affiliated with, endorsed by, or sponsored by Meta Platforms,
Inc., TikTok Ltd., Pinterest, Inc., Google LLC, Automattic Inc., or any other trademark
holder referenced herein.

“Meta”, “Facebook”, and the Meta Pixel are trademarks of Meta Platforms, Inc. “TikTok”
is a trademark of TikTok Ltd. “Pinterest” is a trademark of Pinterest, Inc. “Google
Tag Manager”, “Google Ads”, and “GA4” are trademarks of Google LLC. “WooCommerce”
is a trademark of Automattic Inc. All trademark references are used solely for descriptive
interoperability purposes — to indicate which platforms this plugin can transmit
data to under the merchant’s own configured credentials.

No user data is transmitted to any external service until the merchant explicitly
configures their own platform credentials in the plugin settings. The plugin does
not “phone home” or contact any developer-controlled server. The only outbound HTTP
calls are: (1) merchant-configured CAPI endpoints, (2) the public CIDR manifests
at raw.githubusercontent.com used by the optional Datacenter IP filter — no visitor
data is sent in those manifest fetches.

## Installation

### Quick start (3 steps)

 1. Install and activate the plugin. WooCommerce must already be active.
 2. Open **CAPI Suite → Main Settings** and paste your **Meta Pixel ID + Access Token**.
    Add **TikTok** and/or **Pinterest** credentials if you use them. Empty fields for
    platforms you don’t use are fine.
 3. _(If you use GTM)_ Download the bundled `gtm-template.json` from the **GTM Container
    ID** box, import it into your GTM container in **Merge** mode, set the pixel-code
    constants to your real IDs, and publish.

Server-side events start flowing on the next page view. Send a test from **Event
Management → Test Modes** to verify credentials before going live.

### Recommended GTM dedup configuration

To prevent duplicate browser+server events:

 1. In **Meta Events Manager → your Pixel → Settings → Event Setup**, turn **off** “Track
    Events Automatically Without Code”. This plugin handles all event sending.
 2. In your GTM container, pause or delete any auto-created tags starting with `FB_`.

The bundled GTM template ships GA4 + Meta tags pre-wired to the GA4 ecommerce dataLayer,
plus TikTok tags that read from a `CONST - TikTok Pixel Code` variable. Pinterest
tags are added manually because the Community Template can fail to import inside
container exports.

If you cannot import the JSON template (locked container, workspace permissions)
or want to set up GTM manually, the full step-by-step walkthrough ships with the
plugin at `wp-content/plugins/easy-meta-capi/docs/GTM-MANUAL-SETUP.txt`.

### Verify

Open **CAPI Suite → Event Log** after browsing your store. Successful dispatches
show as “Success (Meta)” / “Success (TikTok)” / “Success (Pinterest)”. The Dashboard
widget shows queue health at a glance.

If the log stays empty, a JS optimizer is probably deferring the plugin’s inline
scripts — see the cache-plugin FAQ. Detailed GTM setup, Google Ads Enhanced Conversions,
and other platform tags live in `docs/GTM-MANUAL-SETUP.txt`. Consent Mode v2, Strict
server-side consent, CMP auto-block, and WC Subscriptions are documented under
**Advanced Configuration**.

## FAQ

### Does this plugin replace the Meta Pixel?

No, it works alongside it. The plugin sends server-side (CAPI) events, while GTM
handles the browser-side Pixel. Both use the same `event_id`, so Meta merges them
automatically without counting anything twice.

### What is the difference between this and a GTM Server Container?

A GTM Server Container runs on Google Cloud and costs money every month. This plugin
does the same job directly from your WordPress server — no extra infrastructure,
no extra bill.

### Does it work with page caching plugins (WP Rocket, LiteSpeed, etc.)?

Yes. PageView and ViewCategory events fire from JavaScript, so they work even on
fully cached pages. Cart, checkout, and purchase pages are not cached by default.

### What plugins are required?

WooCommerce. That’s it. If you use other GTM plugins (like Google Site Kit), disable
their e-commerce features to avoid conflicts.

### Is there a pro version?

No. Everything is included.

### My events aren’t showing in Meta Events Manager.

Open the **Event Log** tab. If events appear there with “Success (Meta)”, the plugin
is sending — anything missing on Meta’s end is a Pixel ID / Access Token mismatch.
If the log is empty, your JS optimizer is likely deferring the inline scripts (see
next answer) or your CMP auto-blocker converted them to `type="text/plain"` (see
the CMP question below).

### JS optimizer (LiteSpeed / WP Rocket / Autoptimize) — what do I configure?

Add these four IDs to your optimizer’s “exclude from defer / combine” list: `mcapi-pageview-init`,
`mcapi-viewcontent-events`, `mcapi-viewcategory-events`, `mcapi-frontend-events`.
Cloudflare Rocket Loader is handled automatically via `data-cfasync="false"`.

### Does it work with a block-based theme (Twenty Twenty-Five etc.)?

Yes.

### GTM Preview shows my browser tags firing, but the plugin’s Event Log is empty.

Your CMP’s auto-blocker is converting the plugin’s inline scripts to `type="text/plain"`.
The plugin already carries opt-out attributes for Cookiebot, CookieYes,
and Complianz; less common CMPs (OneTrust etc.) need the `mcapi_inline_script_attrs`
filter — see **CMP Auto-Blocking** in Advanced Configuration.

### I sell subscriptions — Meta is over-attributing renewals to old ads.

The plugin auto-detects WooCommerce Subscriptions and offers four behavior modes
(Default / Skip / Tag / Subscribe + SubscriptionRenewal). Pick Skip or the dedicated-events
mode to keep `Purchase` clean. See **WooCommerce Subscriptions** in Advanced
Configuration.

### EU traffic — does the plugin respect cookie-banner consent for CAPI?

Not by default — server-side CAPI fires from PHP and doesn’t see your `gtag('consent', ...)`
signals. The Privacy & Consent section has a **Strict server-side consent mode**
toggle: when consent is denied, hashed PII is stripped from the CAPI payload but
the event still ships with its `event_id`, so Meta’s browser/CAPI dedup keeps working
without identifying data. Recommended ON for EU stores. See **Strict server-side
consent mode** in Advanced Configuration.

### Will the datacenter IP filter block my real VPN customers?

Rarely. Visitors with click IDs (fbclid / gclid / ttclid), Apple Private Relay IPs,
logged-in customers, or prior-visit `_fbp` / `_ga` cookies all bypass the filter.
Purchase events are never blocked. A brand-new VPN visitor with no cookies has their
first PageView held; if they purchase, the full funnel is replayed so Meta sees 
the complete journey. Every blocked request is auditable in the **Excluded Traffic**
tab.

### Why does the Excluded Traffic tab show IPs as `192.168.1.x`?

GDPR-friendly auditing — the last octet is masked at record-time, so wp-admin and
DB exports never reveal raw visitor IPs.

## Reviews


### [Very effective addon better than others](https://wordpress.org/support/topic/very-effective-addon-better-than-others/)

 [cenkcagdas](https://profiles.wordpress.org/cenkcagdas/) October 23, 2025

The plugin acts as a reliable data source by sending conversions both via GTM and
directly to Meta. It’s more effective than other Capi plugins I’ve tried.


## Contributors & Developers

“CAPI Suite: Meta, Pinterest, TikTok, GTM” is open source software. The following
people have contributed to this plugin.

Contributors

 *   [ shan ](https://profiles.wordpress.org/suhanduman/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/easy-meta-capi/), check
out the [SVN repository](https://plugins.svn.wordpress.org/easy-meta-capi/), or 
subscribe to the [development log](https://plugins.trac.wordpress.org/log/easy-meta-capi/)
by [RSS](https://plugins.trac.wordpress.org/log/easy-meta-capi/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 3.7.1

 * **AddToCart dataLayer push fix.** On themes that don’t render a WooCommerce cart
   widget on every page (custom themes, headless setups, some page builders), the
   browser-side `add_to_cart` event was silently lost because WC’s `$(selector).replaceWith()`
   is a no-op when no matching DOM element exists. The handler now
   reads the payload from the `fragments` argument WC passes to the `added_to_cart`
   event — works regardless of DOM state. Adds a shared `window.__mcapi_atc_pushed`
   dedup map so any custom GTM Custom HTML tag using the same name (a known forum
   workaround pattern) no longer causes double-pushes. Server-side CAPI dispatch
   was working in all cases and is unchanged.
 * **Behavioral bot filter — burst protection tightened.** A pacing check (`mcapi_min_event_gap`
   filter, default 3 seconds average gap between events) now gates soft-trust promotion.
   Previously an IP firing exactly 3, 4, or 5 events in under a minute slipped through
   both the burst-protection floor (which only triggered above 5 events) and into
   trusted state. Borderline-fast clickers fall through to defer (not block) and
   re-evaluate as they accumulate more events.
 * **By-IP transient cache invalidated on Refresh Log.** The “Refresh Log” button
   now also clears the `mcapi_logs_byip_*` transients introduced in 3.7.0; previously
   stale by-IP data could persist for the full 60-second TTL after refresh. Per-insert
   cache invalidation also updated so by-IP view refreshes immediately on
   new events.
 * **Admin hygiene:** the one-time GTM-3.5.0 notice flag no longer autoloads on 
   every request.

#### 3.7.0

 * **Event Log: By-IP grouped view.** New toggle on the Event Log tab switches between
   detail rows and a per-IP aggregate (`IP | Events | User Agent | Event types |
   Action`) sorted by hit count descending. Repeat-offender IPs surface immediately —
   bulk-exclude with one click instead of scrolling through hundreds of individual
   rows. Filter form preserves the active view + page anchor on submit.
 * **Customer-protection badges in the Event Log.** Before excluding an IP, the 
   plugin checks for real-visitor signals: Purchase events (financial transaction —
   bots can’t complete a real checkout), checkout-flow events (InitiateCheckout /
   AddShippingInfo / AddPaymentInfo), behavioral filter graduation, and funnel-event
   diversity. Multi-signal scoring: a Purchase alone qualifies, otherwise 2+ signals
   are required. Real buyers show a 🛒 Customer badge and the Exclude button is 
   suppressed; if a customer was previously excluded by mistake, a ⚠🛒 warning appears
   so you can undo it.
 * **AI-crawler classification (separate from generic bots).** GPTBot, ChatGPT-User,
   OAI-SearchBot, PerplexityBot, ClaudeBot, anthropic-ai, Google-Extended, GoogleOther,
   Applebot-Extended, FacebookBot, Amazonbot, CCBot, Bytespider, and other LLM training /
   answer-engine crawlers are now classified as `ai_agent` instead of `bot`. Requests
   to `/.well-known/` discovery endpoints (UCP / llms.txt / ai-plugin.json) are 
   also treated as AI agents. They are skipped from CAPI dispatch like bots, but
   tracked in a separate daily counter on the Dashboard widget so you can see how
   much LLM-driven traffic reaches your store. Never added to the IP exclusion list.
   Extendable via the `mcapi_ai_agent_user_agents` filter.
 * **“Block” → “Exclude” UI rename.** The Blocked Traffic tab is now Excluded Traffic,
   the exclusion-list buttons are clearer, and a banner at the top of the tab spells
   out that this is a CAPI-event-level exclusion, not a firewall — your site stays
   accessible to everyone, only the plugin’s analytics dispatch is filtered for 
   those IPs. Manage-list rows use Disable / Enable toggles instead of Exclude /
   Re-include (less terminology collision). Internal hook names and DB option keys
   unchanged — backward compatible.
 * **Flagged-IP indicator.** IPs that tripped the behavioral filter (honeypot, abnormal
   velocity, or no engagement after observation) now show a 🚩 indicator on the 
   Exclude button with a confidence-aware tooltip. Mostly catches bots that disguised
   their User Agent to slip past the upstream filter.
 * **EU consent admin notice.** When a CMP plugin is detected (CookieYes / Cookiebot /
   Complianz / Iubenda / Termly) and Strict server-side consent mode is OFF, the
   settings page now shows a one-time dismissable prompt explaining the GDPR posture
   and pointing to the toggle.
 * **Trademark disclaimer.** Added a Disclaimer section to the readme covering independent /
   not-affiliated status for Meta, TikTok, Pinterest, Google, and Automattic — descriptive
   interoperability use only.
 * **Schema migration: `mcapi_logs.ip_hash`.** New salted-SHA256 column (matches
   `mcapi_ip_state.ip_hash`) lets the Event Log JOIN against the behavioral-state
   table for real-time customer / flagged classification. Legacy rows have `ip_hash=''`
   and fall back to event-based signals. Single dbDelta ALTER TABLE on upgrade —
   instant DDL on InnoDB 5.7+ / MariaDB 10.3+.
 * **Readme cleanup.** Cookie-plugin setup, CMP auto-block, Strict consent, and 
   WC Subscriptions sections de-duplicated and condensed. Two-thirds shorter without
   losing any why-this-matters context.
 * **Google Ads Enhanced Conversions.** Bundled GTM template now includes a Google
   Ads Conversion Linker tag (All Pages) and a Google Ads Purchase Conversion tag
   (CE – Purchase trigger) with Enhanced Conversions enabled in AUTO mode. The plugin
   captures `gclid`, `gbraid`, and `wbraid` from ad-click URLs into 1st-party cookies
   (`_mcapi_gclid` etc.) at landing; the Conversion Linker transfers these to `_gcl_aw`
   for Google Ads attribution. Recovers conversions that iOS Safari ITP would otherwise
   drop. Edit two new CONST variables in GTM after importing (`Google Ads Conversion ID`,
   `Google Ads Purchase Label`) — see `docs/GTM-MANUAL-SETUP.txt` for full
   setup.
 * **Pinterest EMQ improvements.** Now captures both Pinterest’s persistent `_epik`
   cookie (set by Pinterest’s tag.js on real visitors) and the `epik` URL parameter.
   Improves Event Match Quality on Pinterest tag installs running the current (2024+)
   version, where the legacy `pina_id` flow is being phased out.
 * **Stronger real-user signals in datacenter bypass.** Beyond `_fbp` and `_ga`,
   the IP filter now also accepts `_epik` (Pinterest tag), `__cf_bm` (Cloudflare
   Bot Management actively-validated browsers), `_gcl_au` (gtag.js ran), and `_ttp`
   (TikTok Pixel) as proof of human browsing. Reduces false-positive blocking of
   VPN/Apple-Relay shoppers who already have one of these tag cookies set.
 * **Improved bot / human differentiation.** Behavioral signals (mousemove, scroll,
   checkout-form interaction) are now gated against the most common scripted-automation
   patterns. Combined with the existing datacenter IP filter and funnel-event history,
   this reduces false-positive bot scores from real shoppers and false-negative 
   human scores from low-effort scrapers. Not a 100% bot block — it raises the cost
   for an attacker to look human, not eliminates the possibility — but it filters
   out the bulk of the cheap traffic that pollutes Events Manager.
 * **gbraid / wbraid capture.** Google Ads iOS Safari click variants are now captured
   into 1st-party cookies alongside `gclid`. Without this, post-ITP iOS Safari ad
   clicks lose attribution within minutes.
 * **GTM template re-import recommended.** The bundled template now includes Google
   Ads tags. Re-download `gtm-template.json` from Main Settings and re-import in
   Merge mode.

#### 3.6.0

 * **TikTok CAPI integration.** Server-side dispatch alongside Meta and Pinterest.
   Pixel Code, Access Token, Advertiser ID, and a dedicated TikTok Test Mode. Re-import
   the GTM template to get TikTok Pixel tags.
 * **Behavioral bot detection.** Datacenter IP visitors are briefly observed before
   forwarding events. Real-browser activity (mouse/scroll, _fbp cookie, click IDs,
   Apple Private Relay, logged-in customers) graduates the visitor instantly; confirmed
   bots are dropped. Purchase events are never blocked.
 * **Blocklist redesign.** Pre-bundled ~9,500 cloud-provider CIDR ranges with daily
   auto-refresh. IPv4 + IPv6 support, O(log N) lookup via binary index seek. New
   Blocked Traffic admin tab with per-source toggle (bundled / auto-fetched / custom),
   paginated table, and one-click “Block this CIDR” on Event Log rows.
 * **Funnel-chain recovery.** Held pre-Purchase events are replayed on the next
   Purchase from the same visitor (PageView → ViewContent → AddToCart → InitiateCheckout),
   so Meta sees the full attribution path instead of a lone Purchase.
 * **Apple Private Relay whitelist.** Daily-fetched egress IPs bypass the datacenter
   filter, preserving iOS shopper events.
 * **CCPA / Limited Data Use** toggle. Honors visitor opt-out via cookie or filter.
 * **Synchronous / Asynchronous sending modes.** Synchronous (3-second per-platform
   timeout) for shared hosts where cron is unreliable.
 * **WP Dashboard widget.** Queue health at a glance: size, oldest pending age, 
   last successful dispatch, datacenter blocks today.
 * **Per-platform retry.** When Meta succeeds but Pinterest or TikTok transiently
   fails, only the failing platform is retried next cron tick.
 * **Critical fix:** queue processor no longer leaks rows when an event’s `send_to`
   targets a platform with no credentials configured. Previously such rows could
   accumulate indefinitely (tens of thousands over days). Now correctly dropped 
   on the first cycle.
 * **Security:** REST endpoint requires an HMAC-rotated token with a 25-hour tolerance
   window covering HTML page caches. Checkout-funnel honeypot rejects empty-cart
   fake POSTs. IP hashes salted with `wp_salt('auth')` for GDPR/KVKK compliance.
   Proxy headers trusted only when REMOTE_ADDR is in a known proxy range.
 * **Performance:** chunked DELETE for log/queue cleanup. Composite B-tree index
   for binary blocklist seek. Negative cache on visitor lookups. REST rate limiter
   skipped on installs without a persistent object cache. Ad-click landing pages
   no longer force-create a WooCommerce session.
 * **Plugin renamed** to “CAPI Suite: Meta, Pinterest, TikTok, GTM”. Settings UI
   reorganized: Sending Method + Test Modes moved to Event Management tab.
 * **GTM template** updated to modern API schema with TikTok Pixel tags. Re-import
   required.
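
One way a rotating HMAC token with a tolerance window, as described in the 3.6.0 **Security** item, can be built; this is an added example, not the plugin's implementation. The hourly rotation, the `<bucket>.<hmac>` token format, the context string, the secret and all function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Names, token format and rotation period are assumptions.

const EXAMPLE_ROTATION_SECONDS  = 3600;       // assumed: a new token every hour
const EXAMPLE_TOLERANCE_SECONDS = 25 * 3600;  // the 25-hour window named in the changelog

/** Token printed into the rendered (and possibly cached) page: "<bucket>.<hmac>". */
function example_issue_token(string $secret, int $now): string
{
    $bucket = intdiv($now, EXAMPLE_ROTATION_SECONDS);
    return $bucket . '.' . hash_hmac('sha256', 'example-event|' . $bucket, $secret);
}

/** Accept a token only if its MAC verifies and its bucket is inside the tolerance window. */
function example_verify_token(string $secret, string $token, int $now): bool
{
    if (!preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/D', $token, $m)) {
        return false; // malformed input is rejected before any MAC is computed
    }
    $bucket   = (int) $m[1];
    $expected = hash_hmac('sha256', 'example-event|' . $bucket, $secret);
    if (!hash_equals($expected, $m[2])) { // constant-time comparison
        return false;
    }
    // Age is measured from the start of the bucket, so a token can already be up to
    // one rotation period old when it is issued. Under the assumed hourly rotation,
    // 25 hours therefore covers a page that sat in an HTML cache for 24 hours.
    $age = $now - $bucket * EXAMPLE_ROTATION_SECONDS;
    return $age >= 0 && $age <= EXAMPLE_TOLERANCE_SECONDS;
}

// Constructed demo values.
$secret = 'constructed-demo-secret';
$t0     = 1700000000;
$token  = example_issue_token($secret, $t0);

var_dump(example_verify_token($secret, $token, $t0 + 24 * 3600)); // page served from a day-old cache
var_dump(example_verify_token($secret, $token, $t0 + 27 * 3600)); // older than the window
var_dump(example_verify_token('another-secret', $token, $t0));    // MAC made with a different key
var_dump(example_verify_token($secret, 'not-a-token', $t0));      // malformed
```

A token of this kind is visible to every visitor who loads the page, so it bounds how long a captured value stays usable and rejects blind POSTs; it does not authenticate a user.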

#### 3.5.3

 * Fix: spurious AJAX `add_to_cart` events from WooCommerce sessionStorage fragment
   replay.
 * Fix: per-platform retry tracking — when one platform transiently fails, only 
   the failing side retries.
 * New: Event Log captures User Agent, supports date-range filtering, and retention
   is configurable (1–90 days, default 15).
 * Hardening: third-party autoloader protection extended to all `class_exists()`
   calls.

#### 3.5.2

 * Critical: GTM template re-import required. Full migration to modern GTM API schema
   (older templates rejected with “File format invalid” / “Unknown entity type” in
   fresh workspaces). Plugin runtime unchanged.

#### 3.5.1

 * Critical hotfix: CMP detection helper triggered third-party autoloader fatals
   (CookieYes / Cookie Law Info). All detection `class_exists()` calls now pass
   `false` to suppress autoload.

#### 3.5.0

 * Fix: GTM container template imports cleanly (was rejected with “Unrecognized 
   value [customEvent]”).
 * New: Consent Mode v2 support, CMP auto-block exemption (CookieYes / Cookiebot /
   Complianz), and a CMP detection admin notice.
 * New: Strict server-side consent mode — strips hashed PII when consent denied;
   still ships `event_id` + non-PII context for dedup.
 * New: WooCommerce Subscriptions integration — Subscription Renewal Behavior + 
   customer_status tagging keep Purchase ROAS clean for subscription stores.
 * Fix: `_fbp` / `_fbc` cookie domain strips leading `www.` to match Pixel JS.

#### 3.4.2

 * Fix: GTM template adds two CJS variables converting GA4-schema dataLayer into
   the `contents[]` shape Meta Pixel and Pinterest Tag expect.
 * Fix: Pinterest event-name typos in manual setup; correct catalog `content_ids`
   parameter.

#### 3.4.1

 * Fix: dataLayer items include `item_id` alongside `id` so GA4’s Items report no
   longer shows “(not set)” for products.

#### 3.4.0

 * Fix: Event log timestamps stable across hosts with mismatched PHP/WordPress timezones
   (stored UTC, displayed via `wp_date()`).
 * Fix: GTM template no longer fails import with “Unrecognized value [EVENT]”.
 * New: bot/crawler UA filter before queue insert. Purchase events exempt. Filterable
   via `mcapi_is_bot_request`.
 * New: Action Scheduler used for recurring tasks when available — more reliable
   than WP-Cron on low-traffic sites.

#### 3.3.0

 * New: REST API endpoint `/wp-json/mcapi/v1/event` for cache-safe browser tracking —
   no nonce needed (works behind 7-day page caches). Secured by same-origin, per-IP
   rate limit, body cap, event whitelist.
 * Improvement: reliable retries on transient API failures (5xx, 429, network).
 * Improvement: real client IP via `CF-Connecting-IP` / `X-Forwarded-For` / `X-Real-IP`
   (sites behind Cloudflare / LB no longer hit rate limits prematurely).
 * Improvement: Safari ITP bypass — `_fbp` / `_fbc` cookies rewritten server-side
   with 90-day TTL.
 * Improvement: phone numbers normalized to E.164 using billing country; `external_id`
   SHA-256 hashed; cron lock on queue processor; guest external_id is a cookie-backed
   UUID.
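
The 3.3.0 client-IP item and the 3.6.0 hardening ("proxy headers trusted only when REMOTE_ADDR is in a known proxy range") combine into the check below, shown as an added example rather than the plugin's code. The function names, the header precedence and the documentation-range addresses used as the "trusted proxy" list are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Names and sample ranges are hypothetical.

/** True when $ip lies inside $cidr; handles IPv4 and IPv6, rejects malformed input. */
function example_ip_in_cidr(string $ip, string $cidr): bool
{
    $parts   = explode('/', $cidr, 2);
    $ip_bin  = @inet_pton($ip);
    $net_bin = @inet_pton($parts[0]);
    if ($ip_bin === false || $net_bin === false || strlen($ip_bin) !== strlen($net_bin)) {
        return false; // invalid address, or IPv4 compared against IPv6
    }
    $max = strlen($ip_bin) * 8;
    if (isset($parts[1]) && !ctype_digit($parts[1])) {
        return false;
    }
    $bits = isset($parts[1]) ? (int) $parts[1] : $max;
    if ($bits > $max) {
        return false;
    }
    $whole = intdiv($bits, 8);
    if (substr($ip_bin, 0, $whole) !== substr($net_bin, 0, $whole)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ip_bin[$whole]) & $mask) === (ord($net_bin[$whole]) & $mask);
}

/**
 * Resolve the client IP. Forwarded headers are read only when the TCP peer
 * (REMOTE_ADDR) is a known proxy; otherwise they are client-controlled input and
 * would let a caller pick the address that per-IP rate limits and filters see.
 */
function example_client_ip(array $server, array $trusted_proxies): string
{
    $is_trusted = function (string $ip) use ($trusted_proxies): bool {
        foreach ($trusted_proxies as $cidr) {
            if (example_ip_in_cidr($ip, $cidr)) {
                return true;
            }
        }
        return false;
    };

    $remote = (string) ($server['REMOTE_ADDR'] ?? '');
    if (!$is_trusted($remote)) {
        return $remote;
    }
    $cf = trim((string) ($server['HTTP_CF_CONNECTING_IP'] ?? ''));
    if (filter_var($cf, FILTER_VALIDATE_IP) !== false) {
        return $cf;
    }
    // X-Forwarded-For: walk right to left and return the first hop that is not one
    // of our proxies; entries further left were supplied by the client.
    $hops = array_reverse(array_map('trim', explode(',', (string) ($server['HTTP_X_FORWARDED_FOR'] ?? ''))));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;
        }
        if (!$is_trusted($hop)) {
            return $hop;
        }
    }
    $real = trim((string) ($server['HTTP_X_REAL_IP'] ?? ''));
    return filter_var($real, FILTER_VALIDATE_IP) !== false ? $real : $remote;
}

// Constructed sample data (documentation address ranges).
$trusted = ['198.51.100.0/24', '2001:db8:ffff::/48'];

// Direct connection that sends forged headers: the headers are ignored.
$direct = [
    'REMOTE_ADDR'           => '203.0.113.50',
    'HTTP_CF_CONNECTING_IP' => '192.0.2.1',
    'HTTP_X_FORWARDED_FOR'  => '192.0.2.1',
];
echo example_client_ip($direct, $trusted), PHP_EOL;

// Request arriving through a trusted proxy; the leftmost entry was injected by the client.
$proxied = [
    'REMOTE_ADDR'          => '198.51.100.10',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 203.0.113.7, 198.51.100.11',
];
echo example_client_ip($proxied, $trusted), PHP_EOL;
```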

For older versions (3.2.x and below), see the SVN repository history at
https://plugins.svn.wordpress.org/easy-meta-capi/tags/.

## Meta

 *  Version **3.7.1**
 *  Last updated **4 days ago**
 *  Active installations **40+**
 *  WordPress version ** 6.0 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.4 or higher **
 *  Language: [English (US)](https://wordpress.org/plugins/easy-meta-capi/)
 *  Tags: [Facebook Conversions API](https://dv.wordpress.org/plugins/tags/facebook-conversions-api/),
    [Meta Pixel](https://dv.wordpress.org/plugins/tags/meta-pixel/), [Pinterest tag](https://dv.wordpress.org/plugins/tags/pinterest-tag/),
    [Tiktok Pixel](https://dv.wordpress.org/plugins/tags/tiktok-pixel/), [woocommerce](https://dv.wordpress.org/plugins/tags/woocommerce/)
 *  [Advanced View](https://dv.wordpress.org/plugins/easy-meta-capi/advanced/)

## Ratings

 5 out of 5 stars.

 *  [  1 5-star review     ](https://wordpress.org/support/plugin/easy-meta-capi/reviews/?filter=5)
 *  [  0 4-star reviews     ](https://wordpress.org/support/plugin/easy-meta-capi/reviews/?filter=4)
 *  [  0 3-star reviews     ](https://wordpress.org/support/plugin/easy-meta-capi/reviews/?filter=3)
 *  [  0 2-star reviews     ](https://wordpress.org/support/plugin/easy-meta-capi/reviews/?filter=2)
 *  [  0 1-star reviews     ](https://wordpress.org/support/plugin/easy-meta-capi/reviews/?filter=1)


## Support

Issues resolved in last two months:

     6 out of 6

 [View support forum](https://wordpress.org/support/plugin/easy-meta-capi/)