=== CAPI Suite: Meta, Pinterest, TikTok, GTM ===
Contributors: suhanduman
Tags: facebook conversions api, meta pixel, tiktok pixel, pinterest tag, woocommerce
Requires at least: 6.0
Tested up to: 7.0
Stable tag: 3.7.2
Requires PHP: 7.4
WC requires at least: 8.0
WC tested up to: 10.8
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Free multi-platform server-side CAPI for Meta, Pinterest, TikTok + GTM dataLayer. Cache-safe, theme-agnostic, no cloud server needed.

== Description ==

**Stop paying $30–150/month for a GTM Server Container.** Send Conversions API events to Meta, Pinterest, and TikTok directly from your WordPress server. No premium tier, no SaaS subscription.

**Three CAPI integrations in one install.** Most plugins ship Meta only, or sell Pinterest and TikTok as paid add-ons. This one runs server-side dispatch to all three plus a bundled GTM template for GA4 + Google Ads (Enhanced Conversions, Conversion Linker, click-ID recovery for iOS Safari post-ITP). The same `event_id` flows browser-side and server-side so each platform deduplicates instead of double-counting.

**Aggressive bot filtering, no false-positives on real customers.** Layered detection (behavioral signals + ~9,500-CIDR datacenter list + AI-crawler classification for GPTBot / PerplexityBot / ClaudeBot / Google-Extended / Bytespider / etc.) blocks Lighthouse audits, scrapers, and ad-fraud bots. Multi-layered customer bypass — Apple iCloud Private Relay whitelist, ad-click ID recognition (`fbclid` / `gclid` / `ttclid`), logged-in customers, prior-visit `_fbp` / `_ga` cookies, Cloudflare Bot Management validation — keeps real shoppers visible. Purchase events are never blocked; pre-Purchase events held by the filter are replayed on eventual checkout so Meta sees the complete funnel.

* **Server-side CAPI to Meta, Pinterest, TikTok** — every checkout & cart event, classic + block-based checkout, HPOS compatible. Per-platform retry isolates transient failures.
* **GTM template for browser-side tags** — GA4 + Meta Pixel + Pinterest Tag + TikTok Pixel + Google Ads (Enhanced Conversions enabled, Conversion Linker auto-attached).
* **Event Log with By-IP view** — paginated audit log, customer-protection badges prevent excluding real buyers, one-click exclude for confirmed bots, per-provider breakdown.
* **GDPR / CCPA modes** — honors CMP opt-out signals, strict server-side consent strips PII when consent is denied (browser↔CAPI dedup still works on `event_id`).
* **Cache-safe** — works with LiteSpeed, WP Rocket, Varnish, Cloudflare full-page cache. Click IDs captured into 1st-party cookies client-side; landing pages stay cacheable.
* **WP Dashboard widget** — queue health at a glance: backlog, oldest pending, last successful dispatch, datacenter exclusions today.

If it helps your store, please [leave a review](https://wordpress.org/support/plugin/easy-meta-capi/reviews/#new-post) — it genuinely helps other merchants find this plugin.

== Frequently Asked Questions ==

= Does this plugin replace the Meta Pixel? =

No, it works alongside it. The plugin sends server-side (CAPI) events, while GTM handles the browser-side Pixel. Both use the same `event_id`, so Meta merges them automatically without counting anything twice.

= What is the difference between this and a GTM Server Container? =

A GTM Server Container runs on Google Cloud and costs money every month. This plugin does the same job directly from your WordPress server — no extra infrastructure, no extra bill.

= Does it work with page caching plugins (WP Rocket, LiteSpeed, etc.)? =

Yes. PageView and ViewCategory events fire from JavaScript, so they work even on fully cached pages. Cart, checkout, and purchase pages are not cached by default.

= What plugins are required? =

WooCommerce. That's it. If you use other GTM plugins (like Google Site Kit), disable their e-commerce features to avoid conflicts.

= Is there a pro version? =

No. Everything is included.

= My events aren't showing in Meta Events Manager. =

Open the **Event Log** tab. If events appear there with "Success (Meta)", the plugin is sending — anything missing on Meta's end is a Pixel ID / Access Token mismatch. If the log is empty, your JS optimizer is likely deferring the inline scripts (see next answer) or your CMP auto-blocker converted them to `type="text/plain"` (see the CMP question below).

= JS optimizer (LiteSpeed / WP Rocket / Autoptimize) — what do I configure? =

Add these four IDs to your optimizer's "exclude from defer / combine" list: `mcapi-pageview-init`, `mcapi-viewcontent-events`, `mcapi-viewcategory-events`, `mcapi-frontend-events`. Cloudflare Rocket Loader is handled automatically via `data-cfasync="false"`.

= Does it work with a block-based theme (Twenty Twenty-Five etc.)? =

Yes.

= GTM Preview shows my browser tags firing, but the plugin's Event Log is empty. =

Your CMP's auto-blocker is converting the plugin's inline scripts to `type="text/plain"`. The plugin already carries opt-out attributes for Cookiebot, CookieYes, and Complianz; less common CMPs (OneTrust etc.) need the `mcapi_inline_script_attrs` filter — see **CMP Auto-Blocking** in Advanced Configuration.

= I sell subscriptions — Meta is over-attributing renewals to old ads. =

The plugin auto-detects WooCommerce Subscriptions and offers four behavior modes (Default / Skip / Tag / Subscribe + SubscriptionRenewal). Pick Skip or the dedicated-events mode to keep `Purchase` clean. See **WooCommerce Subscriptions** in Advanced Configuration.

= EU traffic — does the plugin respect cookie-banner consent for CAPI? =

Not by default — server-side CAPI fires from PHP and doesn't see your `gtag('consent', ...)` signals. The Privacy & Consent section has a **Strict server-side consent mode** toggle: when consent is denied, hashed PII is stripped from the CAPI payload but the event still ships with its `event_id`, so Meta's browser↔CAPI dedup keeps working without identifying data.
Recommended ON for EU stores. See **Strict server-side consent mode** in Advanced Configuration.

= Will the datacenter IP filter block my real VPN customers? =

Rarely. Visitors with click IDs (fbclid / gclid / ttclid), Apple Private Relay IPs, logged-in customers, or prior-visit `_fbp` / `_ga` cookies all bypass the filter. Purchase events are never blocked. A brand-new VPN visitor with no cookies has their first PageView held; if they purchase, the full funnel is replayed so Meta sees the complete journey. Every blocked request is auditable in the **Excluded Traffic** tab.

= Why does the Excluded Traffic tab show IPs as `192.168.1.x`? =

GDPR-friendly auditing — the last octet is masked at record-time, so wp-admin and DB exports never reveal raw visitor IPs.

== External Services ==

This plugin connects your website to external services to send event data.

* **Service Used:** Meta Conversions API (graph.facebook.com)
* **Purpose:** To send user interaction and e-commerce event data from your server to Meta's servers for ad performance measurement, optimization, and audience building.
* **Data Sent:** Event details (product ID, price) and user parameters (IP address, user agent, hashed email/name/phone, Facebook cookies) are sent when a user performs a key action.

* **Service Used:** TikTok Events API (business-api.tiktok.com)
* **Purpose:** Same as Meta CAPI, providing server-side conversion tracking for TikTok Ads optimization and attribution.
* **Data Sent:** Event details (product ID, price, currency) and user parameters (IP address, user agent, hashed email/phone/external_id, ttp / ttclid cookies) are sent upon user action. Optional under the merchant's TikTok credentials — the plugin only sends to TikTok if the credentials are configured.

* **Service Used:** Pinterest Conversions API (api.pinterest.com)
* **Purpose:** Same as the Meta CAPI, providing reliable tracking for ad performance and audience building on Pinterest.
* **Data Sent:** Event details and hashed user parameters are sent upon user action.

* **Service Used:** Google Tag Manager (googletagmanager.com)
* **Purpose:** To load a JavaScript container from Google's servers that allows you to manage and deploy marketing and analytics tags.
* **Data Sent:** The plugin provides your GTM Container ID to Google to fetch the correct script. GTM itself may collect data based on how you configure your tags.

* **Service Used:** Cloud-provider IP range list — `raw.githubusercontent.com/rezmoss/cloud-provider-ip-addresses`
* **Purpose:** Used by the optional **Datacenter IP filter** to keep the bot blocklist current. Daily background fetch downloads CIDR ranges for AWS, Google Cloud, Azure, Cloudflare, DigitalOcean, Linode, Vultr, Oracle Cloud, and Fastly so events from those ranges can be filtered out before reaching Meta / Pinterest / TikTok.
* **Data Sent:** None. The plugin only downloads public IP-range manifests; no visitor data is sent to GitHub.
* **License:** Source repository is CC0-licensed.

* **Service Used:** Apple iCloud Private Relay egress IP list — same `raw.githubusercontent.com/rezmoss/cloud-provider-ip-addresses` source (folder `apple_private_relay/`)
* **Purpose:** Used by the optional **Datacenter IP filter** to whitelist real Apple visitors who exit through Apple's relay infrastructure. Daily background fetch downloads the merged CIDR list so iOS Safari users on Private Relay aren't mistaken for datacenter bots.
* **Data Sent:** None. The plugin only downloads the public manifest; no visitor data is sent.

**Shared hosting note.** Some restrictive shared hosts block outbound HTTPS by default.
If event delivery silently fails after install, ask your host to whitelist the following domains for outgoing connections: `graph.facebook.com`, `business-api.tiktok.com`, `api.pinterest.com`, and `raw.githubusercontent.com` (only needed if you keep "Auto-fetched" enabled on the Blocked Traffic tab — covers both the datacenter blocklist and the Apple Private Relay whitelist).

== Installation ==

### Quick start (3 steps)

1. Install and activate the plugin. WooCommerce must already be active.
2. Open **CAPI Suite → Main Settings** and paste your **Meta Pixel ID + Access Token**. Add **TikTok** and/or **Pinterest** credentials if you use them. Empty fields for platforms you don't use are fine.
3. *(If you use GTM)* Download the bundled `gtm-template.json` from the **GTM Container ID** box, import it into your GTM container in **Merge** mode, set the pixel-code constants to your real IDs, and publish.

Server-side events start flowing on the next page view. Send a test from **Event Management → Test Modes** to verify credentials before going live.

### Recommended GTM dedup configuration

To prevent duplicate browser+server events:

1. In **Meta Events Manager → your Pixel → Settings → Event Setup**, turn **off** "Track Events Automatically Without Code". This plugin handles all event sending.
2. In your GTM container, pause or delete any auto-created tags starting with `FB_`.

The bundled GTM template ships GA4 + Meta tags pre-wired to the GA4 ecommerce dataLayer, plus TikTok tags that read from a `CONST - TikTok Pixel Code` variable. Pinterest tags are added manually because the Community Template can fail to import inside container exports.

If you cannot import the JSON template (locked container, workspace permissions) or want to set up GTM manually, the full step-by-step walkthrough ships with the plugin at `wp-content/plugins/easy-meta-capi/docs/GTM-MANUAL-SETUP.txt`.

### Verify

Open **CAPI Suite → Event Log** after browsing your store.
Successful dispatches show as "Success (Meta)" / "Success (TikTok)" / "Success (Pinterest)". The Dashboard widget shows queue health at a glance. If the log stays empty, a JS optimizer is probably deferring the plugin's inline scripts — see the cache-plugin FAQ.

Detailed GTM setup, Google Ads Enhanced Conversions, and other platform tags live in `docs/GTM-MANUAL-SETUP.txt`. Consent Mode v2, Strict server-side consent, CMP auto-block, and WC Subscriptions are documented under **Advanced Configuration** below.

== Advanced Configuration ==

Setup details for Consent Mode v2, the strict server-side consent mode (GDPR PII gating), CMP auto-block compatibility, and the WooCommerce Subscriptions integration. None of these are required for a basic CAPI setup — turn them on as your store needs them.

### Consent Mode v2 Setup (GDPR / EU Compliance)

If you serve EU visitors, GA4 and Meta browser tags don't fire when consent is denied — typically losing **20–50% of measured event volume**. Google Consent Mode v2 recovers this: when consent is denied, GA4 / Meta tags switch to **cookieless pings** (anonymous beacons carrying event name, value, currency, timestamp but no client identifier). Google's ML models the conversions from these pings and shows them mixed with observed ones in your reports. A single CMP integration repairs both GA4 and Meta attribution because the Meta Pixel template reads the same consent signals.

**How to enable.** Popular CMP plugins (Cookiebot, CookieYes, Complianz, Iubenda, Termly, OneTrust) all have a native Consent Mode v2 toggle in their settings — find and enable it. The CMP then calls `gtag('consent', 'default', {denied})` before GTM loads and `gtag('consent', 'update', {granted})` after the visitor accepts.

The bundled GTM template includes a paused **"Consent Defaults (Pre-CMP)"** tag. Enable it only if your CMP doesn't set `gtag('consent', 'default', ...)` on its own (rare with modern CMPs).

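
The PII gating that Strict server-side consent mode applies (see the FAQ above and the section that follows), sketched in plain PHP as an added example; it is not the plugin's code. Key names follow Meta's Conversions API, while the strip list, the `example_*` function names and the sample event are assumptions; `$consent_granted` stands for the state the plugin reads from CMP cookies or the `mcapi_marketing_consent_granted` filter.

```php
<?php
// Added example, not the plugin's code. Key names follow Meta's Conversions API;
// the strip list, function names and sample order below are assumptions.
// user_data keys treated as identifying. ct/st/zp/country stand in for the
// readme's "address"; the readme's list is elided, so extend as needed.
const EXAMPLE_PII_KEYS = ['em', 'ph', 'fn', 'ln', 'ct', 'st', 'zp', 'country', 'fbp', 'fbc'];

// Meta expects identifiers trimmed and lowercased before SHA-256 hashing.
function example_hash(string $value): string
{
    return hash('sha256', strtolower(trim($value)));
}

// Consent granted: event passes through. Denied: identifying user_data keys
// are dropped; event_id and custom_data stay so browser/server dedup works.
function example_gate_event(array $event, bool $consent_granted): array
{
    if (!$consent_granted) {
        $event['user_data'] = array_diff_key($event['user_data'] ?? [], array_flip(EXAMPLE_PII_KEYS));
    }
    return $event;
}

// Pre-dispatch check: which identifying keys are still present?
function example_leaked_keys(array $event): array
{
    return array_values(array_intersect(array_keys($event['user_data'] ?? []), EXAMPLE_PII_KEYS));
}

// Constructed sample Purchase event (all values invented for illustration).
$event = [
    'event_name'    => 'Purchase',
    'event_time'    => 1700000000,
    'event_id'      => 'order-1001-purchase',
    'action_source' => 'website',
    'user_data'     => [
        'em'                => [example_hash(' Jane@Example.com ')],
        'fbp'               => 'fb.1.1700000000000.1234567890',
        'client_user_agent' => 'Mozilla/5.0 (constructed)',
    ],
    'custom_data'   => ['value' => 49.90, 'currency' => 'EUR'],
];

$denied = example_gate_event($event, false);
assert(example_leaked_keys($denied) === []);               // no identifying keys remain
assert($denied['event_id'] === $event['event_id']);        // dedup key unchanged
assert($denied['custom_data'] === $event['custom_data']);  // commerce fields intact
assert(example_leaked_keys($event) === ['em', 'fbp']);     // ungated event carries PII
echo json_encode($denied, JSON_PRETTY_PRINT), PHP_EOL;
```

Running `example_leaked_keys()` on the final payload just before dispatch gives a fail-closed check that is independent of how the consent state was derived.
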
### Strict server-side consent mode (PII gating for CAPI)

Consent Mode v2 only controls **browser** tags. Server-side CAPI fires from PHP and never sees `gtag('consent', ...)` signals — so it transmits hashed PII regardless of cookie-banner choice. Fine outside the EU; a GDPR concern inside it.

The **Privacy & Consent (Server-side)** section has a Strict server-side consent toggle (default OFF). When enabled and the visitor has denied marketing consent in your CMP, identifying PII (`em`, `ph`, `fn`, `ln`, address, `fbp`, `fbc` …) is stripped from the CAPI payload. The event still ships with `event_id`, `value`, `currency`, `contents`. Cookiebot, CookieYes, and Complianz cookies are read automatically; other CMPs supply state via the `mcapi_marketing_consent_granted` filter.

**Why this matters alongside Consent Mode v2.** Denied-consent browser pixels switch to cookieless pings — modeled, not observed. With Strict server-side consent ON, your server-side CAPI ships alongside that ping carrying the same `event_id`. Meta dedupes by `event_id` and now has an **observed** server signal feeding the same conversion record the cookieless ping created — cleaner Event Match Quality than browser-only or naïve "send everything" CAPI, and GDPR-defensible because no identifying data leaves your server.

Default OFF preserves match quality for existing non-EU setups. Recommended ON once Consent Mode v2 is configured in your CMP.

### CMP Auto-Blocking and the Plugin's Inline Scripts

CMPs with "auto-blocking" (Cookiebot, CookieYes, others) scan every `