CAPI Suite: Meta, Pinterest, TikTok, GTM

Changelog

3.6.0

  • TikTok CAPI integration. Server-side dispatch alongside Meta and Pinterest. Pixel Code, Access Token, Advertiser ID, and a dedicated TikTok Test Mode. Re-import the GTM template to get TikTok Pixel tags.
  • Behavioral bot detection. Datacenter IP visitors are briefly observed before forwarding events. Real-browser activity (mouse/scroll, _fbp cookie, click IDs, Apple Private Relay, logged-in customers) graduates the visitor instantly; confirmed bots are dropped. Purchase events are never blocked.
  • Blocklist redesign. Pre-bundled ~9,500 cloud-provider CIDR ranges with daily auto-refresh. IPv4 + IPv6 support, O(log N) lookup via binary index seek. New Blocked Traffic admin tab with per-source toggle (bundled / auto-fetched / custom), paginated table, and one-click “Block this CIDR” on Event Log rows.
  • Funnel-chain recovery. Held pre-Purchase events are replayed on the next Purchase from the same visitor (PageView → ViewContent → AddToCart → InitiateCheckout), so Meta sees the full attribution path instead of a lone Purchase.
  • Apple Private Relay whitelist. Daily-fetched egress IPs bypass the datacenter filter, preserving iOS shopper events.
  • CCPA / Limited Data Use toggle. Honors visitor opt-out via cookie or filter.
  • Synchronous / Asynchronous sending modes. Synchronous (3-second per-platform timeout) for shared hosts where cron is unreliable.
  • WP Dashboard widget. Queue health at a glance: size, oldest pending age, last successful dispatch, datacenter blocks today.
  • Per-platform retry. When Meta succeeds but Pinterest or TikTok transiently fails, only the failing platform is retried next cron tick.
  • Critical fix: queue processor no longer leaks rows when an event’s send_to targets a platform with no credentials configured. Previously such rows could accumulate indefinitely (tens of thousands over days). Now correctly dropped on the first cycle.
  • Security: REST endpoint requires an HMAC-rotated token with a 25-hour tolerance window covering HTML page caches. Checkout-funnel honeypot rejects empty-cart fake POSTs. IP hashes salted with wp_salt('auth') for GDPR/KVKK compliance. Proxy headers trusted only when REMOTE_ADDR is in a known proxy range.
  • Performance: chunked DELETE for log/queue cleanup. Composite B-tree index for binary blocklist seek. Negative cache on visitor lookups. REST rate limiter skipped on installs without a persistent object cache. Ad-click landing pages no longer force-create a WooCommerce session.
  • Plugin renamed to “CAPI Suite: Meta, Pinterest, TikTok, GTM”. Settings UI reorganized: Sending Method + Test Modes moved to Event Management tab.
  • GTM template updated to modern API schema with TikTok Pixel tags. Re-import required.
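
Added example, not the plugin's own code: one way to apply the 3.6.0 rule that proxy headers are trusted only when REMOTE_ADDR is in a known proxy range, so a direct client cannot pick its own rate-limit or blocklist identity by sending X-Forwarded-For. The function names and the proxy ranges (documentation addresses) are assumptions.

```php
<?php
// Added example: function names and proxy ranges are hypothetical, not the plugin's.

/** True when $ip lies inside $cidr (IPv4 or IPv6). */
function example_ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // Reject unparsable input and mixed address families.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $bits = $bits ?? (string) (strlen($ipBin) * 8);
    if (!ctype_digit($bits) || (int) $bits > strlen($ipBin) * 8) {
        return false;
    }
    $full = intdiv((int) $bits, 8); // whole bytes covered by the prefix
    $rem  = (int) $bits % 8;        // leftover bits in the following byte
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return strncmp($ipBin, $netBin, $full) === 0
        && ($rem === 0 || ((ord($ipBin[$full]) ^ ord($netBin[$full])) & $mask) === 0);
}

/** Client IP for rate limiting; forwarded headers count only behind a trusted proxy. */
function example_client_ip(array $server, array $trusted): string
{
    $isTrusted = fn(string $ip): bool =>
        (bool) array_filter($trusted, fn($cidr) => example_ip_in_cidr($ip, $cidr));
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!$isTrusted($remote)) {
        return $remote; // direct connection: forwarded headers are client-supplied
    }
    // Read X-Forwarded-For right to left; the rightmost hops were appended by our proxies.
    $hops = array_reverse(explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    array_unshift($hops, $server['HTTP_CF_CONNECTING_IP'] ?? '');
    foreach ($hops as $hop) {
        if (filter_var(trim($hop), FILTER_VALIDATE_IP) && !$isTrusted(trim($hop))) {
            return trim($hop);
        }
    }
    return $remote;
}

// Constructed requests; the ranges below stand in for a real proxy list.
$proxies = ['203.0.113.0/24', '2001:db8:100::/40'];
$spoofed = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
$proxied = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.44, 203.0.113.20'];
echo example_client_ip($spoofed, $proxies), "\n"; // header ignored: peer is not a proxy
echo example_client_ip($proxied, $proxies), "\n"; // first untrusted hop from the right
```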

3.5.3

  • Fix: spurious AJAX add_to_cart events from WooCommerce sessionStorage fragment replay.
  • Fix: per-platform retry tracking — when one platform transiently fails, only the failing side retries.
  • New: Event Log captures User Agent, supports date-range filtering, and retention is configurable (1–90 days, default 15).
  • Hardening: third-party autoloader protection extended to all class_exists() calls.

3.5.2

  • Critical: GTM template re-import required. Full migration to modern GTM API schema (older templates rejected with “File format invalid” / “Unknown entity type” in fresh workspaces). Plugin runtime unchanged.

3.5.1

  • Critical hotfix: CMP detection helper triggered third-party autoloader fatals (CookieYes / Cookie Law Info). All detection class_exists() calls now pass false to suppress autoload.

3.5.0

  • Fix: GTM container template imports cleanly (was rejected with “Unrecognized value [customEvent]”).
  • New: Consent Mode v2 support, CMP auto-block exemption (CookieYes / Cookiebot / Complianz), and a CMP detection admin notice.
  • New: Strict server-side consent mode — strips hashed PII when consent denied; still ships event_id + non-PII context for dedup.
  • New: WooCommerce Subscriptions integration — Subscription Renewal Behavior + customer_status tagging keep Purchase ROAS clean for subscription stores.
  • Fix: _fbp / _fbc cookie domain strips leading www. to match Pixel JS.

3.4.2

  • Fix: GTM template adds two CJS variables converting GA4-schema dataLayer into the contents[] shape Meta Pixel and Pinterest Tag expect.
  • Fix: Pinterest event-name typos in manual setup; correct catalog content_ids parameter.

3.4.1

  • Fix: dataLayer items include item_id alongside id so GA4’s Items report no longer shows “(not set)” for products.

3.4.0

  • Fix: Event log timestamps stable across hosts with mismatched PHP/WordPress timezones (stored UTC, displayed via wp_date()).
  • Fix: GTM template no longer fails import with “Unrecognized value [EVENT]”.
  • New: bot/crawler UA filter before queue insert. Purchase events exempt. Filterable via mcapi_is_bot_request.
  • New: Action Scheduler used for recurring tasks when available — more reliable than WP-Cron on low-traffic sites.

3.3.0

  • New: REST API endpoint /wp-json/mcapi/v1/event for cache-safe browser tracking — no nonce needed (works behind 7-day page caches). Secured by same-origin, per-IP rate limit, body cap, event whitelist.
  • Improvement: reliable retries on transient API failures (5xx, 429, network).
  • Improvement: real client IP via CF-Connecting-IP / X-Forwarded-For / X-Real-IP (sites behind Cloudflare / LB no longer hit rate limits prematurely).
  • Improvement: Safari ITP bypass — _fbp / _fbc cookies rewritten server-side with 90-day TTL.
  • Improvement: phone numbers normalized to E.164 using billing country; external_id SHA-256 hashed; cron lock on queue processor; guest external_id is a cookie-backed UUID.

For older versions (3.2.x and below), see the SVN repository history at https://plugins.svn.wordpress.org/easy-meta-capi/tags/.

Author: suhanduman
Version: 3.6.0
Last Updated: May 11, 2026
Active Installs: 20
Requires: WordPress 6.0
Tested Up To: WordPress 6.9.4
Requires PHP: 7.4