CAPI Suite: Meta, Pinterest, TikTok, GTM

Changelog

3.7.0

  • Event Log: By-IP grouped view. New toggle on the Event Log tab switches between detail rows and a per-IP aggregate (IP | Events | User Agent | Event types | Action) sorted by hit count descending. Repeat-offender IPs surface immediately — bulk-exclude with one click instead of scrolling through hundreds of individual rows. Filter form preserves the active view + page anchor on submit.
  • Customer-protection badges in the Event Log. Before excluding an IP, the plugin checks for real-visitor signals: Purchase events (financial transaction — bots can’t complete a real checkout), checkout-flow events (InitiateCheckout / AddShippingInfo / AddPaymentInfo), behavioral filter graduation, and funnel-event diversity. Multi-signal scoring: a Purchase alone qualifies, otherwise 2+ signals are required. Real buyers show a 🛒 Customer badge and the Exclude button is suppressed; if a customer was previously excluded by mistake, a ⚠🛒 warning appears so you can undo it.
  • AI-crawler classification (separate from generic bots). GPTBot, ChatGPT-User, OAI-SearchBot, PerplexityBot, ClaudeBot, anthropic-ai, Google-Extended, GoogleOther, Applebot-Extended, FacebookBot, Amazonbot, CCBot, Bytespider, and other LLM training / answer-engine crawlers are now classified as ai_agent instead of bot. Requests to /.well-known/ discovery endpoints (UCP / llms.txt / ai-plugin.json) are also treated as AI agents. They are skipped from CAPI dispatch like bots, but tracked in a separate daily counter on the Dashboard widget so you can see how much LLM-driven traffic reaches your store. Never added to the IP exclusion list. Extendable via the mcapi_ai_agent_user_agents filter.
  • “Block” → “Exclude” UI rename. The Blocked Traffic tab is now Excluded Traffic, the exclusion-list buttons are clearer, and a banner at the top of the tab spells out that this is a CAPI-event-level exclusion, not a firewall — your site stays accessible to everyone, only the plugin’s analytics dispatch is filtered for those IPs. Manage-list rows use Disable / Enable toggles instead of Exclude / Re-include (less terminology collision). Internal hook names and DB option keys unchanged — backward compatible.
  • Flagged-IP indicator. IPs that tripped the behavioral filter (honeypot, abnormal velocity, or no engagement after observation) now show a 🚩 indicator on the Exclude button with a confidence-aware tooltip. Mostly catches bots that disguised their User Agent to slip past the upstream filter.
  • EU consent admin notice. When a CMP plugin is detected (CookieYes / Cookiebot / Complianz / Iubenda / Termly) and Strict server-side consent mode is OFF, the settings page now shows a one-time dismissable prompt explaining the GDPR posture and pointing to the toggle.
  • Trademark disclaimer. Added a Disclaimer section to the readme covering independent / not-affiliated status for Meta, TikTok, Pinterest, Google, and Automattic — descriptive interoperability use only.
  • Schema migration: mcapi_logs.ip_hash. New salted-SHA256 column (matches mcapi_ip_state.ip_hash) lets the Event Log JOIN against the behavioral-state table for real-time customer / flagged classification. Legacy rows have ip_hash='' and fall back to event-based signals. Single dbDelta ALTER TABLE on upgrade — instant DDL on InnoDB 5.7+ / MariaDB 10.3+.
  • Readme cleanup. Cookie-plugin setup, CMP auto-block, Strict consent, and WC Subscriptions sections de-duplicated and condensed. Two-thirds shorter without losing any why-this-matters context.
  • Google Ads Enhanced Conversions. Bundled GTM template now includes a Google Ads Conversion Linker tag (All Pages) and a Google Ads Purchase Conversion tag (CE – Purchase trigger) with Enhanced Conversions enabled in AUTO mode. The plugin captures gclid, gbraid, and wbraid from ad-click URLs into 1st-party cookies (_mcapi_gclid etc.) at landing; the Conversion Linker transfers these to _gcl_aw for Google Ads attribution. Recovers conversions that iOS Safari ITP would otherwise drop. Edit two new CONST variables in GTM after importing (Google Ads Conversion ID, Google Ads Purchase Label) — see docs/GTM-MANUAL-SETUP.txt for full setup.
  • Pinterest EMQ improvements. Now captures both Pinterest’s persistent _epik cookie (set by Pinterest’s tag.js on real visitors) and the epik URL parameter. Improves Event Match Quality on Pinterest tag installs running the current (2024+) version, where the legacy pina_id flow is being phased out.
  • Stronger real-user signals in datacenter bypass. Beyond _fbp and _ga, the IP filter now also accepts _epik (Pinterest tag), __cf_bm (Cloudflare Bot Management actively-validated browsers), _gcl_au (gtag.js ran), and _ttp (TikTok Pixel) as proof of human browsing. Reduces false-positive blocking of VPN/Apple-Relay shoppers who already have one of these tag cookies set.
  • Improved bot / human differentiation. Behavioral signals (mousemove, scroll, checkout-form interaction) are now gated against the most common scripted-automation patterns. Combined with the existing datacenter IP filter and funnel-event history, this reduces false-positive bot scores from real shoppers and false-negative human scores from low-effort scrapers. Not a 100% bot block: it raises the cost for an attacker to look human rather than eliminating the possibility, but it filters out the bulk of the cheap traffic that pollutes Events Manager.
  • gbraid / wbraid capture. Google Ads iOS Safari click variants are now captured into 1st-party cookies alongside gclid. Without this, post-ITP iOS Safari ad clicks lose attribution within minutes.
  • GTM template re-import recommended. The bundled template now includes Google Ads tags. Re-download gtm-template.json from Main Settings and re-import in Merge mode.

3.6.0

  • TikTok CAPI integration. Server-side dispatch alongside Meta and Pinterest. Pixel Code, Access Token, Advertiser ID, and a dedicated TikTok Test Mode. Re-import the GTM template to get TikTok Pixel tags.
  • Behavioral bot detection. Datacenter IP visitors are briefly observed before forwarding events. Real-browser activity (mouse/scroll, _fbp cookie, click IDs, Apple Private Relay, logged-in customers) graduates the visitor instantly; confirmed bots are dropped. Purchase events are never blocked.
  • Blocklist redesign. Pre-bundled ~9,500 cloud-provider CIDR ranges with daily auto-refresh. IPv4 + IPv6 support, O(log N) lookup via binary index seek. New Blocked Traffic admin tab with per-source toggle (bundled / auto-fetched / custom), paginated table, and one-click “Block this CIDR” on Event Log rows.
  • Funnel-chain recovery. Held pre-Purchase events are replayed on the next Purchase from the same visitor (PageView → ViewContent → AddToCart → InitiateCheckout), so Meta sees the full attribution path instead of a lone Purchase.
  • Apple Private Relay whitelist. Daily-fetched egress IPs bypass the datacenter filter, preserving iOS shopper events.
  • CCPA / Limited Data Use toggle. Honors visitor opt-out via cookie or filter.
  • Synchronous / Asynchronous sending modes. Synchronous (3-second per-platform timeout) for shared hosts where cron is unreliable.
  • WP Dashboard widget. Queue health at a glance: size, oldest pending age, last successful dispatch, datacenter blocks today.
  • Per-platform retry. When Meta succeeds but Pinterest or TikTok transiently fails, only the failing platform is retried next cron tick.
  • Critical fix: queue processor no longer leaks rows when an event’s send_to targets a platform with no credentials configured. Previously such rows could accumulate indefinitely (tens of thousands over days). Now correctly dropped on the first cycle.
  • Security: REST endpoint requires an HMAC-rotated token with a 25-hour tolerance window covering HTML page caches. Checkout-funnel honeypot rejects empty-cart fake POSTs. IP hashes salted with wp_salt('auth') for GDPR/KVKK compliance. Proxy headers trusted only when REMOTE_ADDR is in a known proxy range.
  • Performance: chunked DELETE for log/queue cleanup. Composite B-tree index for binary blocklist seek. Negative cache on visitor lookups. REST rate limiter skipped on installs without a persistent object cache. Ad-click landing pages no longer force-create a WooCommerce session.
  • Plugin renamed to “CAPI Suite: Meta, Pinterest, TikTok, GTM”. Settings UI reorganized: Sending Method + Test Modes moved to Event Management tab.
  • GTM template updated to modern API schema with TikTok Pixel tags. Re-import required.
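
The 3.6.0 security entry describes an HMAC-rotated token with a 25-hour tolerance window. One way such a check can work, as an added PHP example that is not the plugin's code: the hourly rotation period, the message label, the function names and the demo secret are all assumptions.

```php
<?php
// Added illustration, not the plugin's code. Everything except the 25-hour
// window (taken from the changelog) is an assumption.
const BUCKET_SECONDS  = 3600; // assumed rotation period: one hour
const TOLERANCE_HOURS = 25;   // tolerance window stated in the changelog

/** Token written into the rendered (possibly cached) page at time $now. */
function mint_token(string $secret, int $now): string {
    $bucket = intdiv($now, BUCKET_SECONDS);
    return hash_hmac('sha256', 'event-token|' . $bucket, $secret);
}

/** Accept a token minted in the current bucket or any of the previous 25. */
function verify_token(string $secret, string $token, int $now): bool {
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false; // malformed input never reaches the comparison
    }
    $current = intdiv($now, BUCKET_SECONDS);
    $ok      = false;
    for ($age = 0; $age <= TOLERANCE_HOURS; $age++) {
        $expected = hash_hmac('sha256', 'event-token|' . ($current - $age), $secret);
        // hash_equals() compares in constant time; the loop always runs to the
        // end so timing does not reveal which bucket matched.
        $ok = hash_equals($expected, $token) || $ok;
    }
    return $ok;
}

// Constructed demo values.
$secret = 'constructed-demo-secret';
$t0     = 1700000000;
$token  = mint_token($secret, $t0);

var_dump(verify_token($secret, $token, $t0 + 24 * 3600)); // page served from a day-old cache
var_dump(verify_token($secret, $token, $t0 + 27 * 3600)); // token older than the window
var_dump(verify_token('another-secret', $token, $t0));    // token minted under a different key
```

A token embedded in page HTML is readable by anyone who loads the page, so a check like this bounds how long a scraped token stays usable rather than authenticating the caller.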

3.5.3

  • Fix: spurious AJAX add_to_cart events from WooCommerce sessionStorage fragment replay.
  • Fix: per-platform retry tracking — when one platform transiently fails, only the failing side retries.
  • New: Event Log captures User Agent, supports date-range filtering, and retention is configurable (1–90 days, default 15).
  • Hardening: third-party autoloader protection extended to all class_exists() calls.

3.5.2

  • Critical: GTM template re-import required. Full migration to modern GTM API schema (older templates rejected with “File format invalid” / “Unknown entity type” in fresh workspaces). Plugin runtime unchanged.

3.5.1

  • Critical hotfix: CMP detection helper triggered third-party autoloader fatals (CookieYes / Cookie Law Info). All detection class_exists() calls now pass false to suppress autoload.

3.5.0

  • Fix: GTM container template imports cleanly (was rejected with “Unrecognized value [customEvent]”).
  • New: Consent Mode v2 support, CMP auto-block exemption (CookieYes / Cookiebot / Complianz), and a CMP detection admin notice.
  • New: Strict server-side consent mode — strips hashed PII when consent denied; still ships event_id + non-PII context for dedup.
  • New: WooCommerce Subscriptions integration — Subscription Renewal Behavior + customer_status tagging keep Purchase ROAS clean for subscription stores.
  • Fix: _fbp / _fbc cookie domain strips leading www. to match Pixel JS.

3.4.2

  • Fix: GTM template adds two CJS variables converting GA4-schema dataLayer into the contents[] shape Meta Pixel and Pinterest Tag expect.
  • Fix: Pinterest event-name typos in manual setup; correct catalog content_ids parameter.

3.4.1

  • Fix: dataLayer items include item_id alongside id so GA4’s Items report no longer shows “(not set)” for products.

3.4.0

  • Fix: Event log timestamps stable across hosts with mismatched PHP/WordPress timezones (stored UTC, displayed via wp_date()).
  • Fix: GTM template no longer fails import with “Unrecognized value [EVENT]”.
  • New: bot/crawler UA filter before queue insert. Purchase events exempt. Filterable via mcapi_is_bot_request.
  • New: Action Scheduler used for recurring tasks when available — more reliable than WP-Cron on low-traffic sites.

3.3.0

  • New: REST API endpoint /wp-json/mcapi/v1/event for cache-safe browser tracking — no nonce needed (works behind 7-day page caches). Secured by same-origin, per-IP rate limit, body cap, event whitelist.
  • Improvement: reliable retries on transient API failures (5xx, 429, network).
  • Improvement: real client IP via CF-Connecting-IP / X-Forwarded-For / X-Real-IP (sites behind Cloudflare / LB no longer hit rate limits prematurely).
  • Improvement: Safari ITP bypass — _fbp / _fbc cookies rewritten server-side with 90-day TTL.
  • Improvement: phone numbers normalized to E.164 using billing country; external_id SHA-256 hashed; cron lock on queue processor; guest external_id is a cookie-backed UUID.
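
Release 3.3.0 reads the client IP from CF-Connecting-IP / X-Forwarded-For / X-Real-IP, and 3.6.0 restricts that to requests whose REMOTE_ADDR is in a known proxy range. The gating as an added PHP example, not the plugin's code: the function names and proxy ranges are assumptions, and only X-Forwarded-For is handled.

```php
<?php
// Added illustration, not the plugin's code; names and ranges are assumptions.

/** True when $ip lies inside $cidr; handles IPv4 and IPv6. */
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $len] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable input or mixed address families
    }
    $max  = strlen($ipBin) * 8;
    $bits = $len === null ? $max : (ctype_digit($len) ? (int) $len : -1);
    if ($bits < 0 || $bits > $max || strncmp($ipBin, $netBin, intdiv($bits, 8)) !== 0) {
        return false; // bad prefix length, or the whole-byte part differs
    }
    if ($bits % 8 === 0) { return true; }
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // compare the remaining high bits
    $i    = intdiv($bits, 8);
    return (ord($ipBin[$i]) & $mask) === (ord($netBin[$i]) & $mask);
}

function is_trusted_proxy(string $ip, array $proxies): bool {
    foreach ($proxies as $cidr) {
        if (ip_in_cidr($ip, $cidr)) { return true; }
    }
    return false;
}

/** Resolve the client IP, honouring X-Forwarded-For only from known proxies. */
function client_ip(array $server, array $proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($remote, $proxies)) {
        return $remote; // direct peer: any forwarded header is client-supplied
    }
    // Walk right to left: the first hop that is not one of our proxies is the
    // address the outermost trusted proxy actually saw.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) && !is_trusted_proxy($hop, $proxies)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed inputs: documentation prefixes stand in for a real proxy list.
$proxies = ['203.0.113.0/24', '2001:db8::/32'];
var_dump(client_ip(['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'], $proxies));
var_dump(client_ip(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 192.0.2.44'], $proxies));
```

The first call ignores the header because the peer is not a listed proxy; the second takes the right-most untrusted hop, so a value the client prepended to X-Forwarded-For is never selected.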

For older versions (3.2.x and below), see the SVN repository history at https://plugins.svn.wordpress.org/easy-meta-capi/tags/.

Author: shan
Version: 3.7.0
Last Updated: May 16, 2026
Active Installs: 20
Requires: WordPress 6.0
Tested Up To: WordPress 6.9.4
Requires PHP: 7.4