CAPI Suite: Meta, Pinterest, TikTok, GTM

Stop paying $30–150/month for a GTM Server Container. Send Conversions API events to Meta, Pinterest, and TikTok directly from your WordPress server. Free, no premium tier, no SaaS subscription.

Three CAPI platforms + Google Ads in one plugin. Most competitors handle Meta only, or sell Pinterest and TikTok as separate add-ons. This one ships Meta + Pinterest + TikTok server-side dispatch + Google Ads Enhanced Conversions + a clean GTM dataLayer in a single install. The same event_id flows everywhere, so each platform deduplicates browser + server events instead of double-counting.

Real customers aren’t filtered as bots. Behavioral bot detection + ~9,500-CIDR datacenter IP filter + AI-crawler classification (GPTBot, PerplexityBot, ClaudeBot, Google-Extended, etc.) keeps Lighthouse audits, scrapers, and ad-fraud bots out of your Events Manager — without blocking VPN shoppers, Apple iCloud Private Relay users, logged-in customers, or paid-ad clickers. Purchase events are never blocked. Pre-Purchase events that do get filtered are replayed on eventual purchase, preserving the full funnel.

What it does

• Meta + Pinterest + TikTok CAPI — 14 event types, classic + block checkout, HPOS compatible. Per-platform retry: only the failing side is retried.
• Google Ads Enhanced Conversions — GTM template ships Conversion Linker + Purchase Conversion tag (EC enabled). Captures gclid/gbraid/wbraid — recovers iOS Safari attribution post-ITP.
• GTM dataLayer — Pushes for GA4, Meta Pixel, Pinterest Tag, TikTok Pixel, Google Ads.
• Datacenter IP filter + Excluded Traffic tab — Paginated audit log (IP masked to /24), per-provider breakdown, one-click exclude on Event Log rows. By-IP grouped view surfaces worst-offender IPs at a glance; customer-protection badges prevent excluding real buyers by mistake.
• CCPA / Limited Data Use — Honors CMP opt-out signals; tags Meta + TikTok payloads with LDU. Optional GDPR strict mode strips PII when consent is denied.
• Cache-safe — Works with LiteSpeed, WP Rocket, Varnish, Cloudflare full-page cache. Click IDs captured client-side into 1st-party cookies; landing pages stay fully cacheable.
• Debug log + Dashboard widget — Per-event delivery status, date/type filters, retention 1–90 days.

This plugin is free. Not “free with limits” — just free. Every feature works, no pro version behind a paywall.

If it helps your store, please leave a review — it genuinely helps other merchants find this plugin.

External Services

This plugin connects your website to external services to send event data.

• Service Used: Meta Conversion API (graph.facebook.com)
  • Purpose: To send user interaction and e-commerce event data from your server to Meta’s servers for ad performance measurement, optimization, and audience building.
  • Data Sent: Event details (product ID, price) and user parameters (IP address, user agent, hashed email/name/phone, Facebook cookies) are sent when a user performs a key action.
• Service Used: TikTok Events API (business-api.tiktok.com)
  • Purpose: Same as Meta CAPI, providing server-side conversion tracking for TikTok Ads optimization and attribution.
  • Data Sent: Event details (product ID, price, currency) and user parameters (IP address, user agent, hashed email/phone/external_id, ttp / ttclid cookies) are sent upon user action. Optional under the merchant’s TikTok credentials — the plugin only sends to TikTok if the credentials are configured.
• Service Used: Pinterest Conversions API (api.pinterest.com)
  • Purpose: Same as the Meta CAPI, providing reliable tracking for ad performance and audience building on Pinterest.
  • Data Sent: Event details and hashed user parameters are sent upon user action.
• Service Used: Google Tag Manager (googletagmanager.com)
  • Purpose: To load a JavaScript container from Google’s servers that allows you to manage and deploy marketing and analytics tags.
  • Data Sent: The plugin provides your GTM Container ID to Google to fetch the correct script. GTM itself may collect data based on how you configure your tags.
• Service Used: Cloud-provider IP range list — raw.githubusercontent.com/rezmoss/cloud-provider-ip-addresses
  • Purpose: Used by the optional Datacenter IP filter to keep the bot blocklist current. Daily background fetch downloads CIDR ranges for AWS, Google Cloud, Azure, Cloudflare, DigitalOcean, Linode, Vultr, Oracle Cloud, and Fastly so events from those ranges can be filtered out before reaching Meta / Pinterest / TikTok.
  • Data Sent: None. The plugin only downloads public IP-range manifests; no visitor data is sent to GitHub.
  • License: Source repository is CC0-licensed.
• Service Used: Apple iCloud Private Relay egress IP list — same raw.githubusercontent.com/rezmoss/cloud-provider-ip-addresses source (folder apple_private_relay/)
  • Purpose: Used by the optional Datacenter IP filter to whitelist real Apple visitors who exit through Apple’s relay infrastructure. Daily background fetch downloads the merged CIDR list so iOS Safari users on Private Relay aren’t mistaken for datacenter bots.
  • Data Sent: None. The plugin only downloads the public manifest; no visitor data is sent.

Shared hosting note. Some restrictive shared hosts block outbound HTTPS by default. If event delivery silently fails after install, ask your host to whitelist the following domains for outgoing connections: graph.facebook.com, business-api.tiktok.com, api.pinterest.com, and raw.githubusercontent.com (only needed if you keep “Auto-fetched” enabled on the Blocked Traffic tab — covers both the datacenter blocklist and the Apple Private Relay whitelist).

Advanced Configuration

Setup details for Consent Mode v2, the strict server-side consent mode (GDPR PII gating), CMP auto-block compatibility, and the WooCommerce Subscriptions integration. None of these are required for a basic CAPI setup — turn them on as your store needs them.

Consent Mode v2 Setup (GDPR / EU Compliance)

If you serve EU visitors, GA4 and Meta browser tags don’t fire when consent is denied — typically losing 20–50% of measured event volume. Google Consent Mode v2 recovers this: when consent is denied, GA4 / Meta tags switch to cookieless pings (anonymous beacons carrying event name, value, currency, timestamp but no client identifier). Google’s ML models the conversions from these pings and shows them mixed with observed ones in your reports. A single CMP integration repairs both GA4 and Meta attribution because the Meta Pixel template reads the same consent signals.

How to enable. Popular CMP plugins (Cookiebot, CookieYes, Complianz, Iubenda, Termly, OneTrust) all have a native Consent Mode v2 toggle in their settings — find and enable it. The CMP then calls gtag('consent', 'default', {denied}) before GTM loads and gtag('consent', 'update', {granted}) after the visitor accepts.

The bundled GTM template includes a paused “Consent Defaults (Pre-CMP)” tag. Enable it only if your CMP doesn’t set gtag('consent', 'default', ...) on its own (rare with modern CMPs).

Strict server-side consent mode (PII gating for CAPI)

Consent Mode v2 only controls browser tags. Server-side CAPI fires from PHP, never sees gtag('consent', ...) signals — so it transmits hashed PII regardless of cookie-banner choice. Fine outside the EU; a GDPR concern inside it.

The Privacy & Consent (Server-side) section has a Strict server-side consent toggle (default OFF). When enabled and the visitor has denied marketing consent in your CMP, identifying PII (em, ph, fn, ln, address, fbp, fbc …) is stripped from the CAPI payload. The event still ships with event_id, value, currency, contents — Cookiebot, CookieYes, and Complianz cookies are read automatically; other CMPs supply state via the mcapi_marketing_consent_granted filter.

Why this matters alongside Consent Mode v2. Denied-consent browser pixels switch to cookieless pings — modeled, not observed. With Strict server-side consent ON, your server-side CAPI ships alongside that ping carrying the same event_id. Meta dedupes by event_id and now has an observed server signal feeding the same conversion record the cookieless ping created — cleaner Event Match Quality than browser-only or naïve “send everything” CAPI, and GDPR-defensible because no identifying data leaves your server.

Default OFF preserves match quality for existing non-EU setups. Recommended ON once Consent Mode v2 is configured in your CMP.

CMP Auto-Blocking and the Plugin’s Inline Scripts

CMPs with “auto-blocking” (Cookiebot, CookieYes, others) scan every <script> tag on load and convert anything they suspect of tracking to type="text/plain" until consent. The plugin’s inline scripts only POST first-party events to your own REST endpoint — but a generic auto-blocker can’t tell. To avoid a silent break, every plugin-rendered inline script ships with opt-out attributes for Cookiebot (data-cookieconsent="ignore"), CookieYes (data-cookieyes="cookieyes-necessary"), and Complianz (data-cmplz-no-cookielaw="1"). For other CMPs (OneTrust, Quantcast, in-house), append your own attribute via the mcapi_inline_script_attrs filter.

WooCommerce Subscriptions Integration

By default, every WooCommerce Subscriptions auto-renewal sends a fresh Purchase to Meta CAPI — credited to the original acquisition ad. Reported ROAS keeps climbing month after month from the same conversion, polluting optimization signals.

The plugin auto-detects WooCommerce Subscriptions and exposes:

Subscription Renewal Behavior (radio):

• Default — renewals send as regular Purchase. Existing setups unchanged.
• Skip — renewals not sent. Cleanest ROAS hygiene; you forfeit Meta’s LTV signal from renewals.
• Tag — renewals still send Purchase but with custom_data.customer_status = "subscription_renewal" so you can filter them in Events Manager.
• Subscribe / SubscriptionRenewal events — Meta’s standard Subscribe for sign-ups + a SubscriptionRenewal custom event for renewals. Purchase stays clean, advertisers using LTV-bidding can opt into both.

Tag every Purchase with customer_status (checkbox): adds custom_data.customer_status (new_customer / returning_customer / subscription_renewal) to every Purchase so Meta Advantage+ can bid acquisition vs. retention differently. Guest checkouts fall back to billing-email lookup.

Disclaimer

This plugin is an independent, community-driven implementation of server-side Conversions API protocols. It is not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc., TikTok Ltd., Pinterest, Inc., Google LLC, Automattic Inc., or any other trademark holder referenced herein.

“Meta”, “Facebook”, and the Meta Pixel are trademarks of Meta Platforms, Inc. “TikTok” is a trademark of TikTok Ltd. “Pinterest” is a trademark of Pinterest, Inc. “Google Tag Manager”, “Google Ads”, and “GA4” are trademarks of Google LLC. “WooCommerce” is a trademark of Automattic Inc. All trademark references are used solely for descriptive interoperability purposes — to indicate which platforms this plugin can transmit data to under the merchant’s own configured credentials.

No user data is transmitted to any external service until the merchant explicitly configures their own platform credentials in the plugin settings. The plugin does not “phone home” or contact any developer-controlled server. The only outbound HTTP calls are: (1) merchant-configured CAPI endpoints, (2) the public CIDR manifests at raw.githubusercontent.com used by the optional Datacenter IP filter — no visitor data is sent in those manifest fetches.