All-in-one CAPI for Meta & Pinterest + GTM

Ændringslog

3.3.0

• New: REST API endpoint /wp-json/mcapi/v1/event for cache-safe browser-side tracking. No nonce required, so events continue to fire on pages served from a 7-day LiteSpeed/Varnish/Cloudflare cache. Secured by strict same-origin check, per-IP rate limit (50/min), global rate limit (1000/min), 16 KB body cap, and event-name whitelist.
• New: Inline bootstrap helper printed at top of <head> (priority 1). All three inline tracking scripts (PageView, ViewContent, ViewCategory) share one code path that tries REST first, falls back to admin-ajax.php with a hard-coded fallback nonce if REST is blocked by a WAF.
• Improvement: Reliable retries — transient API failures (HTTP 5xx, 429, network timeouts) no longer drop events from the queue. They stay queued and retry on the next cron tick. Permanent failures (4xx) still drop to avoid infinite retries. Queue retention extended to 24 hours to cover longer API outages.
• Improvement: ViewCart and ViewCategory events now respect the per-event enable checkboxes in settings. They were previously always-on.
• Improvement: external_id is now SHA-256 hashed when sent to Meta (was sent plain, which hurt Event Match Quality).
• Improvement: REST handler respects per-event enable checkboxes — prevents cached pages from sending events the merchant has turned off.
• Improvement: Description rewritten to highlight cache compatibility, REST/AJAX dual path, and retry semantics.
• Fix: Nested <form> in admin UI — “Refresh Log” button now actually submits (was silently dropped by browsers).
• Fix: double-hash on Pinterest external_id (since it’s now hashed upstream) — passed through as-is.
• Fix: REST rate limiter now reads the real client IP via CF-Connecting-IP / X-Forwarded-For / X-Real-IP headers. Previously, sites behind Cloudflare or a load balancer saw every visitor as the proxy’s IP and hit the per-IP 429 limit within seconds.
• Fix: Phone numbers now normalized toward E.164 using the billing country (leading “0” stripped, country dial code prepended). A Turkish shopper typing “0532…” now correctly matches against Meta’s hashed phone index instead of being sent as an unmatched local-format number.
• Improvement: Cron lock on the queue processor — prevents two overlapping cron ticks from re-processing the same batch (which would have caused duplicate events on slow API responses).
• Improvement: Batch size is now filterable via mcapi_queue_batch_size — high-traffic stores can raise the 100-per-tick ceiling.
• Improvement: AJAX handler emits nocache_headers() so Cloudflare and other upstream caches do not cache the POST response.
• Improvement: Uninstall cleanup now removes all plugin transients (stats, log caches, rate-limit counters) and the optimizer-notice dismissal user meta.
• Improvement: Safari ITP bypass — _fbp and _fbc cookies are re-written server-side on every request with a 90-day TTL, which iOS/macOS Safari does NOT cap to 7 days (only JS-written cookies are capped). Long-window attribution for iOS shoppers is restored; often the single biggest EMQ lift for stores with heavy iOS traffic.
• Improvement: Guest external_id is now the cookie-backed UUID (not billing email) when an order is processed. Keeps the Meta user journey consistent across PageView → AddToCart → Purchase. Email is still sent separately in the em field, so Meta’s matching is unchanged.
• Improvement: mcapi_guest_external_id cookie now HTTP-only, Secure (on HTTPS), SameSite=Lax, 1-year TTL.

3.2.6

• Improvement: Added data-no-defer="1" and data-no-minify="1" attributes to inline scripts so LiteSpeed Cache and other aggressive optimizers don’t wrap them in type="litespeed/javascript" (which prevented the scripts from running).
• Improvement: Plugin now detects LiteSpeed Cache, WP Rocket, Autoptimize, WP Fastest Cache, and W3 Total Cache, and shows a one-time admin notice on the settings page with exact exclude-list instructions.
• Improvement: Full compatibility guide in the FAQ for cache/optimizer plugins.

3.2.5

• Fix: PageView event_id now includes browser-generated random component + timestamp. Previously the event_id was a path hash only, so every visitor to a full-page-cached URL sent the same event_id to Meta — which deduplicated them into a single event and dropped 95%+ of PageViews on LiteSpeed/WP Rocket/Varnish/Cloudflare sites.
• Fix: All JS-driven CAPI events (PageView, ViewContent, ViewCategory, SelectItem, AddShippingInfo, AddPaymentInfo) now send the real page URL as event_source_url instead of /wp-admin/admin-ajax.php. This was lowering Meta Event Match Quality (EMQ) scores and breaking attribution.
• Fix: ViewContent now captures product data on woocommerce_before_single_product (before related-products/upsells render) instead of reading global $product in wp_footer (where it was often overwritten by the last related product in the loop). Meta was receiving wrong product IDs on product pages with related/upsell sections.
• Fix: SelectItem click tracker no longer fires on unrelated clicks (menu, logo, footer, cart drawer). The DOM walk is now constrained to the clicked link’s product container, using theme-agnostic selectors that cover Astra, Flatsome, Divi, Elementor, Bricks, and the block theme Products block.
• Fix: Removed the duplicate product-marker hook registration that injected 2 hidden spans per product in every shop loop. The SelectItem tracker now reuses the data-mcapi-product-data attribute already present on the add-to-cart button (no extra HTML output).
• Fix: Rejected attempts to spoof event_source_url from cross-origin values — server now validates that the POST’ed URL matches the site’s host.
• Improvement: Added data-cfasync="false" and data-no-optimize="1" attributes to all plugin inline scripts. These signal Cloudflare Rocket Loader, LiteSpeed Cache, WP Rocket, and Autoptimize not to defer or combine the scripts — helps events fire on sites with aggressive JS optimizers.
• Improvement: Better block theme compatibility — events are tracked correctly on Twenty Twenty-Five and other FSE (block-based) themes that use the WooCommerce Products block.

3.2.4

• Fix: ViewContent event moved to JavaScript/AJAX to survive full-page cache (Varnish, WP Rocket, LiteSpeed, Cloudflare). Previously, cached product pages would fire the event only once when the cache was generated — every subsequent visitor produced zero CAPI calls and duplicate event_ids.
• Fix: AddToCart event_id now includes uniqid() alongside cart_item_key. Adding the same product twice no longer gets silently deduplicated by Meta (WooCommerce reuses cart_item_key when incrementing quantity on an existing cart item).
• Improvement: SelectItem click detection is now theme-agnostic. Works with Flatsome, Divi, Elementor, Bricks, Astra, Oxygen, and any custom theme/page builder. The plugin injects a hidden product marker via woocommerce_before_shop_loop_item_title, and the JS walks up the DOM from the clicked link to find it — no hard-coded CSS class dependencies.

3.2.3

• Architecture: AddToCart CAPI is now fired server-side from the woocommerce_add_to_cart hook for all flows (classic page-reload AND AJAX cart), instead of relying on frontend JS. This is what CAPI was designed for — reliable tracking immune to adblockers, tracker blockers, and theme incompatibilities. Maximum theme coverage.
• Improvement: Browser-side dataLayer push for AJAX add-to-cart is now delivered via woocommerce_add_to_cart_fragments filter, which injects the push script into the AJAX response. Works on any theme that uses WooCommerce’s standard AJAX cart.
• Improvement: Shared event_id between server-side CAPI and browser-side dataLayer push (based on cart_item_key), guaranteeing Meta deduplication.
• Performance: All AJAX event handler calls now go through the batch queue instead of direct synchronous HTTP calls. Admin-ajax.php response times are no longer tied to Meta/Pinterest API latency.
• Cleanup: Removed the legacy mcapi_ajax_fired_* session flag and DOING_AJAX skip logic that was causing events to be lost when JS AJAX was blocked.
• Event Match Quality: Every woocommerce_add_to_cart trigger now reaches Meta/Pinterest, regardless of browser-side interference.

3.2.2

• Fix: GTM template – Meta tags now correctly use eventName: "standard" + standardEventName parameters. Previously all browser-side events were sent as PageView because the Facebook Pixel community template requires a radio button selector, not a direct event name.
• Fix: GTM template – Pixel ID now uses a shared constant variable (CONST - Meta Pixel ID) instead of referencing a tag name, which GTM cannot resolve.
• Improvement: GTM template setup simplified — users only need to update one variable for all Meta tags.

3.2.1

• Fix: PageView event now fires correctly on first page load — dataLayer push no longer blocked by deferred script loaders (WP Rocket, LiteSpeed, etc.). Meta Pixel Helper will detect the pixel immediately.
• Fix: GA4 product price field renamed from item_price to price to match GA4 standard. Fixes zero revenue in GA4 Item Revenue reports.
• Fix: Real client IP detection for sites behind Cloudflare, AWS CloudFront, or Nginx reverse proxy. Improves Meta Event Match Quality (EMQ) scores.
• Fix: Resolved plugin check warnings for unescaped DB parameters and missing translators comments.

3.2.0

• Improvement: Updated Meta Graph API from v21.0 to v25.0 for continued compatibility.
• Improvement: Meta API access token now sent via Authorization header instead of URL parameter (security best practice).
• Fix: Fixed Pinterest CAPI event mapping – ViewContent now correctly maps to view_content instead of page_visit.
• Fix: Fixed Pinterest CAPI ViewCategory event – now uses native view_category event instead of search.
• Fix: Fixed Pinterest CAPI custom_data field names to match official API spec (contents instead of line_items, correct sub-field names).
• Fix: Added Pinterest CAPI mappings for add_payment_info and view_category events.
• Fix: Fixed GTM container template (broken JSON due to trailing comma and 10 malformed GA4 variable references). Template import now works correctly.
• Security: Fixed all output escaping issues flagged by WordPress Plugin Check.
• Security: Improved input sanitization and wp_unslash handling for cookies and POST data.
• Security: Restructured admin request handlers to verify nonces before accessing POST data.
• Standards: Renamed global functions to use the mcapi_ prefix per WordPress naming conventions.
• Standards: Added translators comments for all translatable strings with placeholders.
• Standards: Added proper phpcs:ignore annotations for legitimate direct database operations.
• Standards: Added version parameter to enqueued scripts.
• Standards: Fixed uninstall.php with ABSPATH check and prefixed global variables.
• Performance: CAPI events are now queued in a database table and sent in batches every 60 seconds. A single HTTP request can carry up to 100 events, reducing server load by ~98% on high-traffic sites. Falls back to synchronous if the queue table is unavailable.
• Improvement: Added block checkout compatibility for AddShippingInfo and AddPaymentInfo events. These now fire correctly on both classic and block-based WooCommerce checkout.
• Improvement: Block checkout user data capture (billing info) now works for improved Event Match Quality.
• Improvement: Added WooCommerce HPOS (High-Performance Order Storage) compatibility declaration.
• Improvement: Enhanced event log – failures now show platform name (Meta/Pinterest) and all event types are filterable.
• Improvement: Event statistics table now includes PageView and Search metrics.
• Improvement: Added jQuery as explicit script dependency for frontend events.
• Improvement: Removed review and donation prompts from the admin panel for a cleaner UI.
• Improvement: Added WooCommerce version headers to readme.txt.
• Improvement: Dataset quality report now dynamically uses the current plugin version.
• Fix: PageView and ViewCategory CAPI events now fire via JavaScript AJAX, making them compatible with full-page cache (Varnish, Redis, Cloudflare).
• Fix: Sanitization function now preserves numeric data types (float/int) instead of converting to strings, preventing API event rejections.
• Fix: Added WooCommerce dependency check – shows admin notice instead of fatal error if WooCommerce is deactivated.
• Fix: Log clearing now uses DELETE instead of TRUNCATE for compatibility with restricted database permissions on shared hosts.
• Fix: Added composite database index (event_name, event_time) for faster log queries on high-traffic sites.

3.1.1

• Fix: Minor bug fixes and stability improvements.

3.1.0

• Major Feature: Added detailed tracking for checkout funnel steps: ‘Add Shipping Info’ and ‘Add Payment Info’ events for deeper analysis of cart abandonment.
• Major Feature: Added ‘Select Item’ event tracking for analyzing product clicks from category and shop pages.
• Major Feature: Added a new admin setting to choose the Product Identifier for events (SKU with fallback to ID, or ID Only), making the plugin flexible for stores without SKUs.
• Improvement: Significantly enriched Pinterest CAPI user data to improve match rates, mirroring the data sent to Meta.
• Improvement: Corrected Pinterest CAPI event mapping for ‘InitiateCheckout’ to improve funnel accuracy.

3.0.0

• Major Improvement: Enriched the ‘view_item_list’ (Category View) event for GA4, now including the full list of products displayed on the page for advanced analytics.
• New Feature: Added comprehensive tracking for the ‘remove_from_cart’ event, providing deeper insights into cart abandonment.
• New Feature: Added tracking for the ‘login’ event to the dataLayer for GA4 and CAPI.
• Improvement: Enriched the ‘Purchase’ event dataLayer with coupon codes, payment method, and shipping method details.
• Improvement: Enhanced the Pinterest CAPI ‘add_to_cart’ event to include detailed product line items, improving data quality.
• Security: Hardened the AJAX event handler with recursive sanitization for all incoming data, improving overall security.

2.9.0

• Improvement: View Category and GA4 settings

2.8.0

• Fix: Pinterest external_id and click_id.

2.7.0

• Fix: Duplicate pageview fix.

2.6.0

• Fix: Pinterest line_items fix.

2.5.0

• Fix: AddToCart fix.

2.4.0

• Fix: Pinterest data format fix.

2.3.0

• Major Feature: Full Pinterest Conversions API (CAPI) and Pixel integration.
• Improvement: Added a robust AJAX-based tracking method for the ‘AddToCart’ event to ensure it fires correctly with all themes and caching systems.
• Improvement: Enhanced ‘PageView’ event tracking with a dedicated dataLayer push to ensure perfect deduplication between browser and server events.
• Improvement: Redesigned the admin panel by merging Meta and Pinterest settings into a unified tab.
• Improvement: Enhanced the event log to display the platform (Meta/Pinterest) for each successful event.
• Improvement: Added a manual “Refresh Log” button to the admin panel to bypass caching and view real-time event data.
• Housekeeping: General code refinements and WordPress standards alignment for repository submission.

2.2.0

• Improvement: Developments for improved Event Match Quality.

2.1.0

• Security: Added nonce checks for admin forms to prevent CSRF vulnerabilities.
• Security: Implemented late escaping for all echoed variables in the admin panel to prevent XSS.
• Security: Hardened database queries by ensuring all parts of the query are properly prepared.
• Security: Sanitized all $_SERVER superglobal inputs to prevent potential injection issues.
• Documentation: Added a required “External Services” section to the readme.txt to disclose the use of the Meta Conversion API.
• Housekeeping: Bumped version number.

2.0.0

• Major Feature: Added Google Tag Manager (GTM) container script injection. The plugin is now an all-in-one solution.
• Major Feature: Unified Data Layer for both CAPI and GTM to enable flawless event deduplication.
• Improvement: Added a GTM Container ID field to the admin settings.
• Housekeeping: Updated plugin name and description to reflect new GTM capabilities.

1.8.0

• Feature: Added first name, last name, and phone hashing (fn, ln, ph) for improved Event Match Quality.

1.7.0

• Improvement: Enhanced overall security.

1.6.0

• Improvement: Updated admin panel UI/UX for better usability.

1.5.0

• Feature: Added Dataset Quality API report submission on Pixel ID change.

1.4.0

• Feature: Added server-side PageView event tracking.

1.3.0

• Improvement: Optimized performance of event tracking hooks.

1.2.0

• Security: Hardened database queries and improved input sanitization.
• Standardization: Added full translation support and aligned code with WordPress.org best practices.

1.1.0

• Feature: Added dashboard with event statistics.

1.0.0

• Initial public release.